Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-v7mxvswyhv
Target JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08
SHA256 2edb2dce6837129e1f164f61480a08cb829646f48a62888006fe9d80eb75da7e
Tags ardamax discovery keylogger persistence stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Ardamax family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:37

Reported

2025-07-04 17:40

Platform

win10v2004-20250502-en

Max time kernel

140s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax family

ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MigPol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKDQ Agent = "C:\\Windows\\SysWOW64\\28463\\HKDQ.exe" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\HKDQ.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\key.bin | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
File created | C:\Windows\SysWOW64\28463\HKDQ.001 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\HKDQ.006 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\HKDQ.007 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MigPol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\InprocServer32\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\0\win32\ = "%systemroot%\\SysWow64\\wksprt.exe" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\TypeLib\ = "{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\ProgID\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\0\win32 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\Version\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\ = "WorkspaceRuntime 1.0 Type Library" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\FLAGS | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\TypeLib\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\InprocServer32\ = "%SystemRoot%\\SysWow64\\iashlpr.dll" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\0 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\TypeLib | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\Version\ = "1.0" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\VersionIndependentProgID\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB} | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\InprocServer32 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\0\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\HELPDIR\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\HELPDIR\ = "%systemroot%\\system32" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\VersionIndependentProgID | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\VersionIndependentProgID\ = "IAS.IasHelper" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\ = "Adive.Aqofovto Object" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6} | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\0\win32\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\HELPDIR | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\Version | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\ProgID\ = "IAS.IasHelper.1" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8DFA5C8-C55C-D716-52F2-7F5DE05DB7C6}\1.0\FLAGS\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D12251D-700C-4B1D-8881-EB1DE4331DBB}\ProgID | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe"

C:\Windows\SysWOW64\28463\HKDQ.exe

"C:\Windows\system32\28463\HKDQ.exe"

C:\Users\Admin\AppData\Local\Temp\MigPol.exe

"C:\Users\Admin\AppData\Local\Temp\MigPol.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\28463\HKDQ.exe

C:\Windows\SysWOW64\28463\HKDQ.exe

C:\Windows\SysWOW64\28463\HKDQ.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.180.3:80 | c.pki.goog | tcp

Files

C:\Users\Admin\AppData\Local\Temp\@7A7F.tmp

MD5 d73d89b1ea433724795b3d2b524f596c
SHA1 213514f48ece9f074266b122ee2d06e842871c8c
SHA256 8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6
SHA512 8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

C:\Windows\SysWOW64\28463\HKDQ.exe

MD5 b863a9ac3bcdcde2fd7408944d5bf976
SHA1 4bd106cd9aefdf2b51f91079760855e04f73f3b0
SHA256 0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0
SHA512 4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

C:\Users\Admin\AppData\Local\Temp\MigPol.exe

MD5 6341b8be090c334814415ce8708a5388
SHA1 83abdb7364f17c5357fae33aa9ab31a200c67766
SHA256 80f437339788958d1b52858a6e05a8d4e7fafdfe26ea47482e1ea83fd33e85d6
SHA512 69c903fa5fb0de54464fec2a7539094b6758b9de1a54a4c2a9af0dea8b550808e036ec692b1ec12584a0e130133c4b82973862ca8f9711ce8aaec6487f33c112

memory/5512-19-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/5512-31-0x0000000002200000-0x000000000225A000-memory.dmp

memory/5512-40-0x0000000003200000-0x0000000003203000-memory.dmp

memory/5512-44-0x0000000003250000-0x0000000003251000-memory.dmp

memory/5512-43-0x0000000003250000-0x0000000003251000-memory.dmp

memory/5512-42-0x0000000003250000-0x0000000003251000-memory.dmp

memory/5512-41-0x0000000003250000-0x0000000003251000-memory.dmp

C:\Windows\SysWOW64\28463\key.bin

MD5 639d75ab6799987dff4f0cf79fa70c76
SHA1 be2678476d07f78bb81e8813c9ee2bfff7cc7efb
SHA256 fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98
SHA512 4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

memory/5512-39-0x0000000003210000-0x0000000003211000-memory.dmp

memory/5512-38-0x0000000002380000-0x0000000002381000-memory.dmp

memory/5512-37-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/5512-36-0x0000000002400000-0x0000000002401000-memory.dmp

memory/5512-35-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/5512-34-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/5512-33-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/5512-50-0x0000000003260000-0x0000000003261000-memory.dmp

memory/5512-49-0x0000000003220000-0x0000000003221000-memory.dmp

memory/5512-48-0x0000000000500000-0x0000000000501000-memory.dmp

memory/5512-47-0x00000000004E0000-0x00000000004E1000-memory.dmp

C:\Windows\SysWOW64\28463\AKV.exe

MD5 97eee85d1aebf93d5d9400cb4e9c771b
SHA1 26fa2bf5fce2d86b891ac0741a6999bff31397de
SHA256 30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24
SHA512 8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

C:\Windows\SysWOW64\28463\HKDQ.007

MD5 a8e19de6669e831956049685225058a8
SHA1 6d2546d49d92b18591ad4fedbc92626686e7e979
SHA256 34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564
SHA512 5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

C:\Windows\SysWOW64\28463\HKDQ.006

MD5 35b24c473bdcdb4411e326c6c437e8ed
SHA1 ec1055365bc2a66e52de2d66d24d742863c1ce3d
SHA256 4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617
SHA512 32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

C:\Windows\SysWOW64\28463\HKDQ.001

MD5 1d30eab3bfc9b5615887e26e3517c245
SHA1 79853846a1e0cc2e45689047130e3a756fcde3ff
SHA256 e612023a86d87025e48488dd31c1610ff1299b99a41a61d846bdeb72e1eea09b
SHA512 e232852673492aa4b338f52ae2e0860e94f7c300d94aa2c54ee8fa4b1467ba8efc800294288c52d2ed5a52eb0aeeb08982c01299ed3eaa206420993a691c9806

memory/4120-63-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/5512-64-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/5512-65-0x0000000002200000-0x000000000225A000-memory.dmp

memory/5512-66-0x0000000003250000-0x0000000003251000-memory.dmp

memory/5512-70-0x0000000000400000-0x00000000004DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 17:37

Reported

2025-07-04 17:40

Platform

win11-20250610-en

Max time kernel

141s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax family

ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MigPol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKDQ Agent = "C:\\Windows\\SysWOW64\\28463\\HKDQ.exe" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\key.bin | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
File created | C:\Windows\SysWOW64\28463\HKDQ.001 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\HKDQ.006 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\HKDQ.007 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
File created | C:\Windows\SysWOW64\28463\HKDQ.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MigPol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\0\Win64\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\FLAGS | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\TypeLib | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\TypeLib\ = "{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\VersionIndependentProgID\ = "IMEAPI.CImeRequestSenderJK" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\0\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\FLAGS\ = "0" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0\Win32\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\VersionIndependentProgID\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\InprocServer32\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\ProgID\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\Flags\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\0 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\ = "Microsoft Office 16.0 Object Library" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0\Win64\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\Flags | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\InprocServer32\ = "C:\\Windows\\SysWOW64\\IME\\shared\\imjkapi.dll" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\0\Win64\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\Flags | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\HelpDir | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0\Win32\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\MSO.DLL" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0\Win64 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\TypeLib\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\0 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\0\Win64 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\HelpDir\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\VBA\\VBA7.1\\" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\0\win32 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\Flags\ = "0" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0\Win32 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\VersionIndependentProgID | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\InprocServer32 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\ProgID\ = "IMEAPI.CImeRequestSenderJK.15" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D} | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\ = "Microsoft Vbe UI 7.1 Object Library" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\Flags\ = "0" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\0\win32\ = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\Office16\\MSO.DLL" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\FLAGS\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\ = "Zofeleqo Jehov Lidonoho Object" | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9}\ProgID | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\0\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.6\HelpDir\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.7\0\win32\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0 | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\0\Win64\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE4FE7C0-7314-8BEA-4F8C-D25C0AF6938D}\2.8\Flags\ | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B63F13D0-522D-491D-54B8-1566E4E6C0D9} | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HKDQ.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c71a0edb69e73f69f83dcd36adcfa08.exe"

C:\Windows\SysWOW64\28463\HKDQ.exe

"C:\Windows\system32\28463\HKDQ.exe"

C:\Users\Admin\AppData\Local\Temp\MigPol.exe

"C:\Users\Admin\AppData\Local\Temp\MigPol.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\28463\HKDQ.exe

C:\Windows\SysWOW64\28463\HKDQ.exe

C:\Windows\SysWOW64\28463\HKDQ.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\@4343.tmp

MD5 d73d89b1ea433724795b3d2b524f596c
SHA1 213514f48ece9f074266b122ee2d06e842871c8c
SHA256 8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6
SHA512 8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

C:\Windows\SysWOW64\28463\HKDQ.exe

MD5 b863a9ac3bcdcde2fd7408944d5bf976
SHA1 4bd106cd9aefdf2b51f91079760855e04f73f3b0
SHA256 0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0
SHA512 4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

memory/5132-18-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/5132-20-0x0000000002400000-0x000000000245A000-memory.dmp

memory/5132-31-0x00000000025B0000-0x00000000025B1000-memory.dmp

C:\Windows\SysWOW64\28463\key.bin

MD5 639d75ab6799987dff4f0cf79fa70c76
SHA1 be2678476d07f78bb81e8813c9ee2bfff7cc7efb
SHA256 fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98
SHA512 4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

C:\Users\Admin\AppData\Local\Temp\MigPol.exe

MD5 6341b8be090c334814415ce8708a5388
SHA1 83abdb7364f17c5357fae33aa9ab31a200c67766
SHA256 80f437339788958d1b52858a6e05a8d4e7fafdfe26ea47482e1ea83fd33e85d6
SHA512 69c903fa5fb0de54464fec2a7539094b6758b9de1a54a4c2a9af0dea8b550808e036ec692b1ec12584a0e130133c4b82973862ca8f9711ce8aaec6487f33c112

memory/5132-44-0x0000000003410000-0x0000000003411000-memory.dmp

memory/5132-43-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-42-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-41-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-40-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-39-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-38-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-37-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-36-0x0000000002590000-0x0000000002591000-memory.dmp

memory/5132-35-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/5132-34-0x0000000002610000-0x0000000002611000-memory.dmp

memory/5132-33-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/5132-32-0x0000000002600000-0x0000000002601000-memory.dmp

memory/5132-49-0x0000000003460000-0x0000000003461000-memory.dmp

memory/5132-48-0x0000000003410000-0x0000000003413000-memory.dmp

memory/5132-47-0x0000000003410000-0x0000000003411000-memory.dmp

memory/5132-54-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/5132-56-0x0000000003470000-0x0000000003471000-memory.dmp

memory/5132-55-0x0000000003430000-0x0000000003431000-memory.dmp

memory/5132-52-0x0000000003420000-0x0000000003421000-memory.dmp

memory/5132-53-0x0000000000D20000-0x0000000000D21000-memory.dmp

C:\Windows\SysWOW64\28463\AKV.exe

MD5 97eee85d1aebf93d5d9400cb4e9c771b
SHA1 26fa2bf5fce2d86b891ac0741a6999bff31397de
SHA256 30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24
SHA512 8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

C:\Windows\SysWOW64\28463\HKDQ.001

MD5 1d30eab3bfc9b5615887e26e3517c245
SHA1 79853846a1e0cc2e45689047130e3a756fcde3ff
SHA256 e612023a86d87025e48488dd31c1610ff1299b99a41a61d846bdeb72e1eea09b
SHA512 e232852673492aa4b338f52ae2e0860e94f7c300d94aa2c54ee8fa4b1467ba8efc800294288c52d2ed5a52eb0aeeb08982c01299ed3eaa206420993a691c9806

C:\Windows\SysWOW64\28463\HKDQ.007

MD5 a8e19de6669e831956049685225058a8
SHA1 6d2546d49d92b18591ad4fedbc92626686e7e979
SHA256 34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564
SHA512 5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

C:\Windows\SysWOW64\28463\HKDQ.006

MD5 35b24c473bdcdb4411e326c6c437e8ed
SHA1 ec1055365bc2a66e52de2d66d24d742863c1ce3d
SHA256 4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617
SHA512 32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

memory/1544-65-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/1544-70-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/5132-71-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/5132-72-0x0000000002400000-0x000000000245A000-memory.dmp

memory/5132-73-0x0000000003410000-0x0000000003411000-memory.dmp

memory/5132-74-0x0000000003460000-0x0000000003461000-memory.dmp

memory/5132-78-0x0000000000400000-0x00000000004DF000-memory.dmp