nullmixer | 76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe
Size

3.6MB
MD5

f6336737452a7a106dde9be8ba468a0c
SHA1

19b4f742ad0beb3bd2306b8e8b1d989e52a01365
SHA256

76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356
SHA512

8df61530106e314cc78f82907ae89896b3281721bfe440565219c5fcebf01a90ef0bfeb55d6c7069ee68a9a1711dbca28fb9060d1ffc6026f706a2744ed539de
SSDEEP

98304:ysevup9c1bf8FmhU3sXZi1ZsarTqLpRgj+uMeCm6:yI9wBhJYZsATqYCuBC

Score

10^/10

nullmixer privateloader redline sectoprat smokeloader vidar 706 pub2 aspackv2 backdoor dropper infostealer loader rat stealer trojan

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

redline

Botnet

pub2

185.92.73.84:80

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1504-159-0x0000000002CE0000-0x0000000002D04000-memory.dmp	family_redline
behavioral1/memory/1504-162-0x0000000002FB0000-0x0000000002FD2000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1504-159-0x0000000002CE0000-0x0000000002D04000-memory.dmp	family_sectoprat
behavioral1/memory/1504-162-0x0000000002FB0000-0x0000000002FD2000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2952-170-0x0000000002860000-0x00000000028FD000-memory.dmp	family_vidar
behavioral1/memory/2952-171-0x0000000000400000-0x0000000002400000-memory.dmp	family_vidar
behavioral1/memory/2952-283-0x0000000000400000-0x0000000002400000-memory.dmp	family_vidar

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x00070000000162c9-61.dat	aspack_v212_v242
behavioral1/files/0x002a000000015d4c-55.dat	aspack_v212_v242
behavioral1/files/0x00070000000160cc-53.dat	aspack_v212_v242

Executes dropped EXE 12 IoCs

Processes:

setup_installer.exesetup_install.exeWed12f234a21660d.exeWed12b86e03fc.exeWed12ff8f9303069a13.exeWed12691e8dbf.exeWed122efa49d386.exeWed1258b9cb39.exeWed127454568dab5787.exeWed12ff8f9303069a13.exeWed120d4de2378.exeWed122efa49d386.exe

pid	Process
2196	setup_installer.exe
2324	setup_install.exe
2944	Wed12f234a21660d.exe
2952	Wed12b86e03fc.exe
2756	Wed12ff8f9303069a13.exe
2428	Wed12691e8dbf.exe
2760	Wed122efa49d386.exe
1036	Wed1258b9cb39.exe
2552	Wed127454568dab5787.exe
2272	Wed12ff8f9303069a13.exe
1504	Wed120d4de2378.exe
2076	Wed122efa49d386.exe

Loads dropped DLL 47 IoCs

Processes:

f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exesetup_installer.exesetup_install.execmd.execmd.execmd.exeWed12b86e03fc.execmd.exeWed12ff8f9303069a13.execmd.exeWed1258b9cb39.execmd.exeWed127454568dab5787.execmd.exeWed120d4de2378.exeWed12ff8f9303069a13.exeWerFault.exeWerFault.exe

pid	Process
2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe
2196	setup_installer.exe
2196	setup_installer.exe
2196	setup_installer.exe
2196	setup_installer.exe
2196	setup_installer.exe
2196	setup_installer.exe
2324	setup_install.exe
2324	setup_install.exe
2324	setup_install.exe
2324	setup_install.exe
2324	setup_install.exe
2324	setup_install.exe
2324	setup_install.exe
2324	setup_install.exe
2920	cmd.exe
2124	cmd.exe
2796	cmd.exe
2796	cmd.exe
2124	cmd.exe
2952	Wed12b86e03fc.exe
2952	Wed12b86e03fc.exe
2996	cmd.exe
2756	Wed12ff8f9303069a13.exe
2756	Wed12ff8f9303069a13.exe
2264	cmd.exe
2264	cmd.exe
1036	Wed1258b9cb39.exe
1036	Wed1258b9cb39.exe
2844	cmd.exe
2552	Wed127454568dab5787.exe
2552	Wed127454568dab5787.exe
2756	Wed12ff8f9303069a13.exe
2820	cmd.exe
2820	cmd.exe
1504	Wed120d4de2378.exe
1504	Wed120d4de2378.exe
2272	Wed12ff8f9303069a13.exe
2272	Wed12ff8f9303069a13.exe
328	WerFault.exe
328	WerFault.exe
328	WerFault.exe
328	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
328	2324	WerFault.exe	29
2536	2952	WerFault.exe	42

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Wed1258b9cb39.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed1258b9cb39.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed1258b9cb39.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed1258b9cb39.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Wed12b86e03fc.exeWed12f234a21660d.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Wed12b86e03fc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Wed12b86e03fc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Wed12b86e03fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Wed12f234a21660d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Wed12f234a21660d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Wed12f234a21660d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Wed1258b9cb39.exepowershell.exe

pid	Process
1036	Wed1258b9cb39.exe
1036	Wed1258b9cb39.exe
1632	powershell.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Wed1258b9cb39.exe

pid	Process
1036	Wed1258b9cb39.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Wed12691e8dbf.exepowershell.exeWed12f234a21660d.exe

description	pid	Process
Token: SeDebugPrivilege	2428	Wed12691e8dbf.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2944	Wed12f234a21660d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exesetup_installer.exesetup_install.exe

description	pid	Process	procid_target
PID 2416 wrote to memory of 2196	2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2196	2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2196	2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2196	2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2196	2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2196	2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2196	2416	f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe	28
PID 2196 wrote to memory of 2324	2196	setup_installer.exe	29
PID 2196 wrote to memory of 2324	2196	setup_installer.exe	29
PID 2196 wrote to memory of 2324	2196	setup_installer.exe	29
PID 2196 wrote to memory of 2324	2196	setup_installer.exe	29
PID 2196 wrote to memory of 2324	2196	setup_installer.exe	29
PID 2196 wrote to memory of 2324	2196	setup_installer.exe	29
PID 2196 wrote to memory of 2324	2196	setup_installer.exe	29
PID 2324 wrote to memory of 2496	2324	setup_install.exe	31
PID 2324 wrote to memory of 2496	2324	setup_install.exe	31
PID 2324 wrote to memory of 2496	2324	setup_install.exe	31
PID 2324 wrote to memory of 2496	2324	setup_install.exe	31
PID 2324 wrote to memory of 2496	2324	setup_install.exe	31
PID 2324 wrote to memory of 2496	2324	setup_install.exe	31
PID 2324 wrote to memory of 2496	2324	setup_install.exe	31
PID 2324 wrote to memory of 2124	2324	setup_install.exe	32
PID 2324 wrote to memory of 2124	2324	setup_install.exe	32
PID 2324 wrote to memory of 2124	2324	setup_install.exe	32
PID 2324 wrote to memory of 2124	2324	setup_install.exe	32
PID 2324 wrote to memory of 2124	2324	setup_install.exe	32
PID 2324 wrote to memory of 2124	2324	setup_install.exe	32
PID 2324 wrote to memory of 2124	2324	setup_install.exe	32
PID 2324 wrote to memory of 2264	2324	setup_install.exe	33
PID 2324 wrote to memory of 2264	2324	setup_install.exe	33
PID 2324 wrote to memory of 2264	2324	setup_install.exe	33
PID 2324 wrote to memory of 2264	2324	setup_install.exe	33
PID 2324 wrote to memory of 2264	2324	setup_install.exe	33
PID 2324 wrote to memory of 2264	2324	setup_install.exe	33
PID 2324 wrote to memory of 2264	2324	setup_install.exe	33
PID 2324 wrote to memory of 1652	2324	setup_install.exe	34
PID 2324 wrote to memory of 1652	2324	setup_install.exe	34
PID 2324 wrote to memory of 1652	2324	setup_install.exe	34
PID 2324 wrote to memory of 1652	2324	setup_install.exe	34
PID 2324 wrote to memory of 1652	2324	setup_install.exe	34
PID 2324 wrote to memory of 1652	2324	setup_install.exe	34
PID 2324 wrote to memory of 1652	2324	setup_install.exe	34
PID 2324 wrote to memory of 2796	2324	setup_install.exe	35
PID 2324 wrote to memory of 2796	2324	setup_install.exe	35
PID 2324 wrote to memory of 2796	2324	setup_install.exe	35
PID 2324 wrote to memory of 2796	2324	setup_install.exe	35
PID 2324 wrote to memory of 2796	2324	setup_install.exe	35
PID 2324 wrote to memory of 2796	2324	setup_install.exe	35
PID 2324 wrote to memory of 2796	2324	setup_install.exe	35
PID 2324 wrote to memory of 2820	2324	setup_install.exe	36
PID 2324 wrote to memory of 2820	2324	setup_install.exe	36
PID 2324 wrote to memory of 2820	2324	setup_install.exe	36
PID 2324 wrote to memory of 2820	2324	setup_install.exe	36
PID 2324 wrote to memory of 2820	2324	setup_install.exe	36
PID 2324 wrote to memory of 2820	2324	setup_install.exe	36
PID 2324 wrote to memory of 2820	2324	setup_install.exe	36
PID 2324 wrote to memory of 2844	2324	setup_install.exe	37
PID 2324 wrote to memory of 2844	2324	setup_install.exe	37
PID 2324 wrote to memory of 2844	2324	setup_install.exe	37
PID 2324 wrote to memory of 2844	2324	setup_install.exe	37
PID 2324 wrote to memory of 2844	2324	setup_install.exe	37
PID 2324 wrote to memory of 2844	2324	setup_install.exe	37
PID 2324 wrote to memory of 2844	2324	setup_install.exe	37
PID 2324 wrote to memory of 2920	2324	setup_install.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6336737452a7a106dde9be8ba468a0c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS49869D06\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12ff8f9303069a13.exe
      4⤵
      Loads dropped DLL
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12ff8f9303069a13.exe
        
        Wed12ff8f9303069a13.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2756
      - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12ff8f9303069a13.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12ff8f9303069a13.exe" -a
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed1258b9cb39.exe
      4⤵
      Loads dropped DLL
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed1258b9cb39.exe
        
        Wed1258b9cb39.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed122efa49d386.exe
      4⤵
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed122efa49d386.exe
        
        Wed122efa49d386.exe
        5⤵
        Executes dropped EXE
        
        PID:2760
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed122efa49d386.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed122efa49d386.exe"
        5⤵
        Executes dropped EXE
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12b86e03fc.exe
      4⤵
      Loads dropped DLL
      PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12b86e03fc.exe
        
        Wed12b86e03fc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 944
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed120d4de2378.exe
      4⤵
      Loads dropped DLL
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed120d4de2378.exe
        
        Wed120d4de2378.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed127454568dab5787.exe
      4⤵
      Loads dropped DLL
      PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed127454568dab5787.exe
        
        Wed127454568dab5787.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12f234a21660d.exe
      4⤵
      Loads dropped DLL
      PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12f234a21660d.exe
        
        Wed12f234a21660d.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed12691e8dbf.exe
      4⤵
      Loads dropped DLL
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12691e8dbf.exe
        
        Wed12691e8dbf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 424
      4⤵
      Loads dropped DLL
      Program crash
      PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed122efa49d386.exe

Filesize
900KB

MD5
0a0d22f1c9179a67d04166de0db02dbb

SHA1
106e55bd898b5574f9bd33dac9f3c0b95cecd90d

SHA256
a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac

SHA512
8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar284F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed120d4de2378.exe

Filesize
300KB

MD5
953d93e24956822e11d1ff9e433731d4

SHA1
3f45bcca182046fa8957821089d804200227985d

SHA256
f4eb31de9302b29f94e951cd77159b29ad6f36dc48dff1df573d13be632a0c16

SHA512
c3791ebb2a90a82c4b937b58daa979a6e33d14606a5e89f398d56c8093d6582c76287576486c9292f0af00f7c7823147ef9d3993f47bb582b6f91c6fd9461137

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed1258b9cb39.exe

Filesize
267KB

MD5
0d09277405cb84cd4e0b465759b9b73f

SHA1
b98be57eeee56ad576656b554d22069422e20f89

SHA256
5e3ee0b5954c435e10c41a144ffb9e17e02898fd3a2b074943ad7d202e4ae4f3

SHA512
8a6bbcf38db54e585cdf6a0179392b37d4b69352f650e017eb264109b6b337bed1ecd1135e7fe3013e76421bba1886441ec4e1df22e8c10799a27f6e0b8f20d9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12691e8dbf.exe

Filesize
8KB

MD5
d640812863d65d90669e5b9194649f83

SHA1
dc2ec2d486ffeb8008c9dd9cfb91a100a3127b48

SHA256
2906cff26bce67c4a6c12d1f1d1691ab0f8ce7f98b8c5876c9385887fa7f021e

SHA512
f3078d3c2a63eff17eba10513c216be9a760b79a9dc7c06de7a47715c4c368275269d33b3bdb04b27c696796ee612f753a0c309b296c7fd63138bff8bb87e09d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed127454568dab5787.exe

Filesize
1.7MB

MD5
05a0baf55450d99cb0fa0ee652e2cd0c

SHA1
e7334de04c18c241a091c3327cdcd56e85cc6baf

SHA256
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c

SHA512
b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12b86e03fc.exe

Filesize
604KB

MD5
1e90790e7d177d29fc32f926a419c534

SHA1
25142c6b5243f09542d28ce75f42f8b1e337bf18

SHA256
859b840ac0113845859e79c66583996665f246ccc6f3ebfe419e2e07e8f515cc

SHA512
667f4c651debd720b8f4c534fd4690a9cc2ddbce98d7577285f6e42b88e71ba209433ad0dcb3dc7d34b79df7a59ad6d1e7c8602365b5501d85a235c3d84d4f6d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12f234a21660d.exe

Filesize
180KB

MD5
b4fc051f0e24474bbdc858ddd81b4572

SHA1
1b7650afe1b152e1a6eca0e9490d3b53c9b273d7

SHA256
d9ad89bed347d1477d54cf99a56cadbb71da8487d3f251769f129fa0d1d85d9a

SHA512
5f9b9981b30bd91dc01cb52655885c0797949f959454560632f5969d8cf7e9743720893bbf4a82b6aea9cf34b30bbc90f324f1524a182c07a1dc37855c4d2818

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\Wed12ff8f9303069a13.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS49869D06\setup_install.exe

Filesize
2.1MB

MD5
fc81ec59e515648eb844e4268b5c24c2

SHA1
5802c0d9af65954716c921ea6df0a867e0606ed1

SHA256
960c3c31011eed2057ccabdf997d5038a32b8a5f2b651aaee11f364be490cc31

SHA512
0dddb9c332531f1850a3af64d6ce4b347644e04481db687efe0fdb0dc56aba9aa1b4ce8bdfdf55bc21d543c2b31070858f7b2dd5551a23c1e9091c1210452855

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.6MB

MD5
1df01ae4f663bbb5bdc2abb2d68a1348

SHA1
bed2b62f36b774a21cb14ee8c1e98363458028fc

SHA256
b1c5d186dc4924256dc9e8f9fad845bdb583f7028c547aa8ca2fe2076e2a081f

SHA512
7cc3faf78ffdaa3ef2327cea4ea22f062934e1029dc4727428cfc4a7dad943a94f0bc39b061dfdec1277f364584f7bf0e92c22aa22c44e6d34e524ac0ad684be

Download Submit
memory/1036-239-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/1036-172-0x0000000002550000-0x0000000002650000-memory.dmp

Filesize
1024KB

Download
memory/1036-173-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/1036-174-0x0000000000400000-0x00000000023AC000-memory.dmp

Filesize
31.7MB

Download
memory/1200-238-0x0000000002E60000-0x0000000002E75000-memory.dmp

Filesize
84KB

Download
memory/1504-178-0x0000000000400000-0x0000000002CDB000-memory.dmp

Filesize
40.9MB

Download
memory/1504-159-0x0000000002CE0000-0x0000000002D04000-memory.dmp

Filesize
144KB

Download
memory/1504-180-0x00000000076D0000-0x0000000007710000-memory.dmp

Filesize
256KB

Download
memory/1504-177-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1504-302-0x00000000076D0000-0x0000000007710000-memory.dmp

Filesize
256KB

Download
memory/1504-176-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/1504-162-0x0000000002FB0000-0x0000000002FD2000-memory.dmp

Filesize
136KB

Download
memory/1632-168-0x00000000739F0000-0x0000000073F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2324-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2324-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2324-277-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2324-278-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2324-280-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2324-281-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2324-282-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2324-78-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2324-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2324-279-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2324-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2324-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2324-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2324-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2324-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2324-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2324-67-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2324-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2428-169-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-300-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/2428-175-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/2428-299-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-113-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/2944-276-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-157-0x0000000000250000-0x0000000000272000-memory.dmp

Filesize
136KB

Download
memory/2944-134-0x0000000000B20000-0x0000000000B52000-memory.dmp

Filesize
200KB

Download
memory/2944-155-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2944-167-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2944-160-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2952-171-0x0000000000400000-0x0000000002400000-memory.dmp

Filesize
32.0MB

Download
memory/2952-283-0x0000000000400000-0x0000000002400000-memory.dmp

Filesize
32.0MB

Download
memory/2952-170-0x0000000002860000-0x00000000028FD000-memory.dmp

Filesize
628KB

Download
memory/2952-179-0x00000000025A0000-0x00000000026A0000-memory.dmp

Filesize
1024KB

Download
memory/2952-301-0x00000000025A0000-0x00000000026A0000-memory.dmp

Filesize
1024KB

Download