079f4448507e2236bf53cc9f3f23f0e773c74c6f6f77ca459bbab16d0f27102a

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
Size

252KB
MD5

95ca811952cd61f9d46c46383d98143c
SHA1

b60fb03e9886e946400ac2f203bfd326617d99d5
SHA256

079f4448507e2236bf53cc9f3f23f0e773c74c6f6f77ca459bbab16d0f27102a
SHA512

1b9b1d0baf4812b6daa9ae91e30bea9cb691ae06a07693a3b3ee3bed881f40c89c7a074b79510b93dd5ef29ea443fd1f137f5ecb7dea6e917d0da886d815f1a4
SSDEEP

3072:2tybd59fYRw/BoDWfwpsjrSc3XzfMHX7/RzviC0RsOspWqgzGB:gyxKgayg8Sc3DUHr/RzviC0Ibgm

Score

8^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2044	attrib.exe
740	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	smap.tmp

Executes dropped EXE 2 IoCs

pid	Process
3688	sampe.tmp
860	smap.tmp

Loads dropped DLL 1 IoCs

pid	Process
4228	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\PROGRA~1\\FREERA~1\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\FreeRapid\resd.bin	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\FREERA~1\┐┤┐┤╡τ╙░.url	cmd.exe
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\2.inf	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\░╦╪╘╔½═╝.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\├└┼«└╓╘░.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╠╘▒ª╣║╬∩.url	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\3.bat	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}	attrib.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp	attrib.exe
File opened for modification	C:\Program Files (x86)\TheWorld 3\TheWorld.ini	rundll32.exe
File created	C:\Program Files\FreeRapid\1.bat	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\2.bat	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\4.bat	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╟º═┼═┼╣║.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\1.inf	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	sampe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smap.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sampe.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125048"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125048"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125048"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "641787282"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f000000000200000000001066000000010000200000009236b4c646f189f1c252e67e0663a47ebb5c9ee6817c5b5def4cf14cde1031b3000000000e800000000200002000000008ed7441ee5b8358063934a9dabc22671295f6f367f76360ea985b129cb41ee120000000c6338b7b98f626b436e25f9102d65f6e0efb040485eb71279a7d0605d5f4e92c4000000097ff3e3191fe7ccb282da9e7d72e40542fb482d9dd838fe83af03284cf21802c3c4a8dae8748712dcfe3b0dcc0bb93f3ffa58114919f8558abc8ff90d43f5577	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "641787282"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e0cc3c38eeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{51E0E476-5A2B-11EF-AC6B-562BAB028465} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "650849880"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a025c83c38eeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430397733"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f000000000200000000001066000000010000200000006943f0104b208f4d777ab4ab9430ed58ebc21fedbb27db877c3ea1cb4a9f9d08000000000e8000000002000020000000ca6994aefcd957d2835bb486a794da19caeaf486ede6ff15862bb6fe6e75e17b20000000f02d5eeaa16617c402eded7848dea71888174e1bb737f44c4746f5d62cb5ad73400000000ef36024c6c299b0da3d54f0416cbc974711246895070d38c1c5aa150cba68502c3e0e7c77bb64cb735cc482eafdf75c21f56c2d46c76e84c623ce5ce889bcb6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?r"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?r"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\PROGRA~1\\FREERA~1\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	sampe.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	sampe.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3688	sampe.tmp
3688	sampe.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	3688	sampe.tmp
Token: SeRestorePrivilege	3688	sampe.tmp
Token: SeIncBasePriorityPrivilege	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	860	smap.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4168	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4168	iexplore.exe
4168	iexplore.exe
904	IEXPLORE.EXE
904	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3688	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	94
PID 3680 wrote to memory of 3688	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	94
PID 3680 wrote to memory of 3688	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	94
PID 3688 wrote to memory of 2788	3688	sampe.tmp	95
PID 3688 wrote to memory of 2788	3688	sampe.tmp	95
PID 3688 wrote to memory of 2788	3688	sampe.tmp	95
PID 3680 wrote to memory of 4584	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	97
PID 3680 wrote to memory of 4584	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	97
PID 3680 wrote to memory of 4584	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	97
PID 3680 wrote to memory of 4116	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	99
PID 3680 wrote to memory of 4116	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	99
PID 3680 wrote to memory of 4116	3680	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	99
PID 4584 wrote to memory of 3144	4584	cmd.exe	101
PID 4584 wrote to memory of 3144	4584	cmd.exe	101
PID 4584 wrote to memory of 3144	4584	cmd.exe	101
PID 3144 wrote to memory of 4168	3144	cmd.exe	104
PID 3144 wrote to memory of 4168	3144	cmd.exe	104
PID 3144 wrote to memory of 3788	3144	cmd.exe	105
PID 3144 wrote to memory of 3788	3144	cmd.exe	105
PID 3144 wrote to memory of 3788	3144	cmd.exe	105
PID 3144 wrote to memory of 4408	3144	cmd.exe	106
PID 3144 wrote to memory of 4408	3144	cmd.exe	106
PID 3144 wrote to memory of 4408	3144	cmd.exe	106
PID 4168 wrote to memory of 904	4168	iexplore.exe	107
PID 4168 wrote to memory of 904	4168	iexplore.exe	107
PID 4168 wrote to memory of 904	4168	iexplore.exe	107
PID 4584 wrote to memory of 860	4584	cmd.exe	103
PID 4584 wrote to memory of 860	4584	cmd.exe	103
PID 4584 wrote to memory of 860	4584	cmd.exe	103
PID 4408 wrote to memory of 2748	4408	cmd.exe	109
PID 4408 wrote to memory of 2748	4408	cmd.exe	109
PID 4408 wrote to memory of 2748	4408	cmd.exe	109
PID 4408 wrote to memory of 5064	4408	cmd.exe	110
PID 4408 wrote to memory of 5064	4408	cmd.exe	110
PID 4408 wrote to memory of 5064	4408	cmd.exe	110
PID 4408 wrote to memory of 5024	4408	cmd.exe	111
PID 4408 wrote to memory of 5024	4408	cmd.exe	111
PID 4408 wrote to memory of 5024	4408	cmd.exe	111
PID 4408 wrote to memory of 3412	4408	cmd.exe	112
PID 4408 wrote to memory of 3412	4408	cmd.exe	112
PID 4408 wrote to memory of 3412	4408	cmd.exe	112
PID 4408 wrote to memory of 1840	4408	cmd.exe	113
PID 4408 wrote to memory of 1840	4408	cmd.exe	113
PID 4408 wrote to memory of 1840	4408	cmd.exe	113
PID 4408 wrote to memory of 2044	4408	cmd.exe	114
PID 4408 wrote to memory of 2044	4408	cmd.exe	114
PID 4408 wrote to memory of 2044	4408	cmd.exe	114
PID 4408 wrote to memory of 740	4408	cmd.exe	115
PID 4408 wrote to memory of 740	4408	cmd.exe	115
PID 4408 wrote to memory of 740	4408	cmd.exe	115
PID 4408 wrote to memory of 3492	4408	cmd.exe	116
PID 4408 wrote to memory of 3492	4408	cmd.exe	116
PID 4408 wrote to memory of 3492	4408	cmd.exe	116
PID 3492 wrote to memory of 1208	3492	rundll32.exe	117
PID 3492 wrote to memory of 1208	3492	rundll32.exe	117
PID 3492 wrote to memory of 1208	3492	rundll32.exe	117
PID 1208 wrote to memory of 2696	1208	runonce.exe	118
PID 1208 wrote to memory of 2696	1208	runonce.exe	118
PID 1208 wrote to memory of 2696	1208	runonce.exe	118
PID 860 wrote to memory of 1628	860	smap.tmp	133
PID 860 wrote to memory of 1628	860	smap.tmp	133
PID 860 wrote to memory of 1628	860	smap.tmp	133
PID 4584 wrote to memory of 4228	4584	cmd.exe	135
PID 4584 wrote to memory of 4228	4584	cmd.exe	135

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2044	attrib.exe
740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Roaming\sampe.tmp
  C:\Users\Admin\AppData\Roaming\sampe.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmzzmzwbd12.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4168
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4168 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:904
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:5064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?r"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2044
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:740
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
- - C:\Users\Admin\AppData\Roaming\smap.tmp
    C:\Users\Admin\AppData\Roaming\smap.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\smap.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\PROGRA~1\FreeRapid\resd.bin,MainLoad
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\95CA81~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\FREERA~1\1.bat

Filesize
3KB

MD5
2b99b7f66b8ebba3071330bcbaccc022

SHA1
1a79cdcdd4dd3c9e22b45acdbc20a51da5f23e52

SHA256
3ed44f8ec4dd76cadb989353a1ed4a578d93fbba2eb0997443000384e2fb7f09

SHA512
03671ec8fbe45df652bddf47141fd017cfd86b25c034608be23eb82035b3e7504765d4fdc9c42e1bbb3de4b132476a5e7156d83fe1982be283c9ea51e9cc8671

Download Submit
C:\PROGRA~1\FREERA~1\1.inf

Filesize
478B

MD5
4725d77ff3bf9bff49eaeece2bce6f64

SHA1
4c4f59f914f18b57bd65bf8269b1fe9a422ebd0a

SHA256
f7a5b23de9ec24d53b1b2847a2de9c2940a56c0bff8e5b292b24373bd1dde4ea

SHA512
66782f65c373dd0f270d044a844359e1417ee5251eaeac19c0cd37206be295dc4c87eada8a8d72011cc2e31c077cd90118bbd766e6459f7bae058b0345730fcd

Download Submit
C:\PROGRA~1\FREERA~1\2.bat

Filesize
3KB

MD5
66255a9ad2f8d7deaa5577ca57942871

SHA1
8003fcd6cf3edd5b053b2765c7178ae90832f370

SHA256
553e76f0372969152c699aa8f02d0610114492cf1a0386cd425a6b6e861aa197

SHA512
895951abacd29c28e2970096db9e694626952791f4ff84a77c4f584baae80eb9ef7206fa501d671c6983c9c08cce9016a6a572b65d79fc9f5da39cea9e2d4a04

Download Submit
C:\PROGRA~1\FREERA~1\2.inf

Filesize
230B

MD5
f6dcb2862f6e7f9e69fb7d18668c59f1

SHA1
bb23dbba95d8af94ecc36a7d2dd4888af2856737

SHA256
c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c

SHA512
eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75

Download Submit
C:\PROGRA~1\FREERA~1\4.bat

Filesize
5.8MB

MD5
5fea36134540a5beaa31590b2a3a53d8

SHA1
c8949bde6ea96bee78acbb5ace24372f644dc832

SHA256
ee155d8f83edec0c99a6439e10b8d63b255779db3975be1e2ce04fbd6c82564d

SHA512
72ee4074b066c5879083a200fbbe115d395de2242fe0deba99fcccfbf2fb977561a603212e7d9d57e342849b1fd47b6f1b781bdf6c4b9fee970f32936ef8b2cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
0540cd83dcfe13fc8873e80ee631218c

SHA1
bd7f0d1bd11dc2f4f579f0c8c728e609d3df7126

SHA256
3e2d56e382961a72e8f0ec73f9cd914d46baba5d70fbb753a911c73900731f26

SHA512
bd4eee174e4abe8097920c548a8dbeb37c02d0b4550ad72b2f4e70dd2d30504ef7f741a6db05161bdfd12d42f7ab620c8215acaf31bde6e44e1ddf6d5300f25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
631B

MD5
0b92bb1f3b9141d221dfedfcc5a59527

SHA1
8d0a11d39776442b53436490284dc460137d3e7a

SHA256
5ad1f9cc4cff9a7d07bf72edc9ce2ccb0e75a6bb8038ab92a27a54914d560a99

SHA512
e3472c917c7ac2657f4ceb3bf8d1cdabca72bc0090ce2d33b3c334d86ad4cb8b68e109d936f6d99b38dd8d44bcd2e2e152d3292c10c77461e79bb13b2db04205

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmzzmzwbd12.bat

Filesize
150B

MD5
3d7ee8e51d09d54e8efe7b4699f8dde4

SHA1
4d397727078e6e1dcf190730a6ccca2e0317cdec

SHA256
3e5ea12a32fd172f1fb119b3b59a6e589765903f45191dc99aa1b37b42b184f9

SHA512
7653dbb3b4b8fa2e3307519fac16eaf1a592400ff1657bd2b7734fe3ef8b07ab28f385acfb5eb0fcd0a270d22141e96b67c728c180ebe6dde1fc66bf7766c40c

Download Submit
C:\Users\Admin\AppData\Roaming\sampe.tmp

Filesize
89KB

MD5
b5b4b1321360fbceac935d215a0db480

SHA1
dc54405e1506d866ef1ff2e0617f3618fedb257b

SHA256
787585a9ec9cabc69b459f44b6bc583ea41534a471e9926e03af354360e8eec4

SHA512
067ca0b4e4d7981073a5a40268658b651d2ab03da41b609eb48cae55e8d2fd3d957c58e868b04dcf835ee186168a924a1bde5ce66ece56a4e4c2809c8382df06

Download Submit
memory/860-123-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/3680-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3680-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-95-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-125-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-122-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-121-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-116-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-113-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-111-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-110-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-108-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-106-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-103-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-101-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-100-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-99-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-97-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-96-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-112-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-93-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-91-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-88-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-87-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-84-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-83-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-114-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-128-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-129-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-131-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-104-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-132-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-138-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-134-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-92-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-142-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-148-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-146-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-145-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-143-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-144-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-89-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-171-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-177-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-176-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-175-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-173-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-172-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-90-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4168-86-0x00007FF9A8860000-0x00007FF9A88CE000-memory.dmp

Filesize
440KB

Download
memory/4228-242-0x0000000074E50000-0x0000000074E5A000-memory.dmp

Filesize
40KB

Download