Malware Analysis Report

2025-01-18 04:56

Sample ID 241219-1qv5ss1ncp
Target d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118
SHA256 18f4035381c01ac7eba826bf786103b091ce6f0c05943722a2996dbf14744689
Tags
masslogger collection discovery execution spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

masslogger collection discovery execution spyware stealer

Masslogger family

MassLogger Main payload

MassLogger

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies Internet Explorer settings

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

Analysis: static1

Detonation Overview

Reported

2024-12-19 21:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-19 21:51

Reported

2024-12-19 21:53

Platform

win11-20241007-en

Max time kernel

66s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main payload

Description Indicator Process Target
N/A N/A N/A N/A

Masslogger family

masslogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \Registry\User\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\NotificationData C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\control.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 4220 N/A C:\Windows\explorer.exe C:\Windows\system32\taskmgr.exe
PID 3864 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
PID 3864 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
PID 3864 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
PID 4484 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"

C:\Windows\system32\control.exe

"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe'

C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"

Network

Country Destination Domain Proto
GB 2.18.66.177:443 tcp
US 95.100.195.140:443 r.bing.com tcp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:80 api.ipify.org tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 393738f09c6138bc20ef0edd843d37dc
SHA1 7ebbfb06caa94a853f40eb5afae9c1989b59dc65
SHA256 ce112a6793b0d4bfd42d5065320e720d50852c0f51a0b3d54dae695980b6ef87
SHA512 89da410b4952042d9b0c42b26bf6561679831e6434990355612301341fe32d8d47346d6cff8645c9d5fa8e075e0a906a6792cccfa152f8b3d40c1eec561abec3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe.log

MD5 7e1ed0055c3eaa0bbc4a29ec1ef15a6a
SHA1 765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d
SHA256 4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce
SHA512 de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bkt3wu0u.ir4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
