6115358233527733f29ee9ce90c90c12a4ed470b3e07d7ff7e286b974292ed3b

Analysis

max time kernel
17s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe
Size

81KB
MD5

a7eed18c21897e50bbe167b8f438b9af
SHA1

e2dec9aa656feee9a89d0e62fc467b4bab66fe4c
SHA256

6115358233527733f29ee9ce90c90c12a4ed470b3e07d7ff7e286b974292ed3b
SHA512

dffc93cf3a16712e28c6651fb62333c22fd5e87cf5b2d8d910b7d92f661db1f7baac03f7d78d5a62c22f5019a364a1735187a422228f3faf87ece9f8eeb6dc59
SSDEEP

1536:Ue1QGvzacMmHor4Vp6VL/yja4wyYTC6byck+ONb:UaQuyk0VL6ks+Ot

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2516	svchostwin.exe
2424	svchostwin.exe
1572	svchostwin.exe
1636	svchostwin.exe
2912	svchostwin.exe
2280	svchostwin.exe
2720	svchostwin.exe
2828	svchostwin.exe
2824	svchostwin.exe
2812	svchostwin.exe
2444	svchostwin.exe
2336	svchostwin.exe
2712	svchostwin.exe
2800	svchostwin.exe
2640	svchostwin.exe
2776	svchostwin.exe
2368	svchostwin.exe
1224	svchostwin.exe
2972	svchostwin.exe
2928	svchostwin.exe
2932	svchostwin.exe
3056	svchostwin.exe
2308	svchostwin.exe
2580	svchostwin.exe
2940	svchostwin.exe
2900	svchostwin.exe
1344	svchostwin.exe
2392	svchostwin.exe
1140	svchostwin.exe
2384	svchostwin.exe
1308	svchostwin.exe
2344	svchostwin.exe
1512	svchostwin.exe
568	svchostwin.exe
1128	svchostwin.exe
976	svchostwin.exe
2116	svchostwin.exe
2088	svchostwin.exe
664	svchostwin.exe
2320	svchostwin.exe
2136	svchostwin.exe
2540	svchostwin.exe
600	svchostwin.exe
2524	svchostwin.exe
2152	svchostwin.exe
1816	svchostwin.exe
2216	svchostwin.exe
2356	svchostwin.exe
2584	svchostwin.exe
1436	svchostwin.exe
576	svchostwin.exe
732	svchostwin.exe
1632	svchostwin.exe
1524	svchostwin.exe
1000	svchostwin.exe
1540	svchostwin.exe
2184	svchostwin.exe
1708	svchostwin.exe
2260	svchostwin.exe
912	svchostwin.exe
332	svchostwin.exe
1696	svchostwin.exe
2288	svchostwin.exe
1992	svchostwin.exe

Loads dropped DLL 64 IoCs

pid	Process
2508	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe
2508	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe
2516	svchostwin.exe
2516	svchostwin.exe
2424	svchostwin.exe
2424	svchostwin.exe
1572	svchostwin.exe
1572	svchostwin.exe
1636	svchostwin.exe
1636	svchostwin.exe
2912	svchostwin.exe
2912	svchostwin.exe
2280	svchostwin.exe
2280	svchostwin.exe
2720	svchostwin.exe
2720	svchostwin.exe
2828	svchostwin.exe
2828	svchostwin.exe
2824	svchostwin.exe
2824	svchostwin.exe
2812	svchostwin.exe
2812	svchostwin.exe
2444	svchostwin.exe
2444	svchostwin.exe
2336	svchostwin.exe
2336	svchostwin.exe
2712	svchostwin.exe
2712	svchostwin.exe
2800	svchostwin.exe
2800	svchostwin.exe
2640	svchostwin.exe
2640	svchostwin.exe
2776	svchostwin.exe
2776	svchostwin.exe
2368	svchostwin.exe
2368	svchostwin.exe
1224	svchostwin.exe
1224	svchostwin.exe
2972	svchostwin.exe
2972	svchostwin.exe
2928	svchostwin.exe
2928	svchostwin.exe
2932	svchostwin.exe
2932	svchostwin.exe
3056	svchostwin.exe
3056	svchostwin.exe
2308	svchostwin.exe
2308	svchostwin.exe
2580	svchostwin.exe
2580	svchostwin.exe
2940	svchostwin.exe
2940	svchostwin.exe
2900	svchostwin.exe
2900	svchostwin.exe
1344	svchostwin.exe
1344	svchostwin.exe
2392	svchostwin.exe
2392	svchostwin.exe
1140	svchostwin.exe
1140	svchostwin.exe
2384	svchostwin.exe
2384	svchostwin.exe
1308	svchostwin.exe
1308	svchostwin.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2508-0-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/files/0x00070000000186ef-7.dat	upx
behavioral1/memory/2516-11-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2424-16-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2516-14-0x0000000000350000-0x00000000003D1000-memory.dmp	upx
behavioral1/memory/2508-22-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1636-24-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2912-29-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2516-28-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2280-34-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2424-32-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1572-37-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2912-44-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1636-41-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2824-49-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2912-48-0x0000000007C80000-0x0000000007D01000-memory.dmp	upx
behavioral1/memory/2280-52-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2812-54-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2720-59-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2444-58-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2336-66-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2828-64-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2824-71-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2712-70-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2812-76-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2800-77-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2444-80-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2712-88-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2336-87-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2368-93-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2800-98-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1224-97-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2640-106-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2972-104-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2928-112-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2776-111-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2368-116-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1224-118-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2972-120-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/3056-121-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2928-123-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2580-126-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2932-127-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2940-128-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/3056-129-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2900-131-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2308-132-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2580-134-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2392-136-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2940-138-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1140-137-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2900-139-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1308-141-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1344-140-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1140-143-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2392-142-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2344-144-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2384-146-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/568-147-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1308-148-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/976-150-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2344-149-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/1512-151-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2088-153-0x0000000000400000-0x0000000000481000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\svchostwin.exe	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchostwin.exe	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostwin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2516	2508	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2516	2508	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2516	2508	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2516	2508	a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe	29
PID 2516 wrote to memory of 2424	2516	svchostwin.exe	30
PID 2516 wrote to memory of 2424	2516	svchostwin.exe	30
PID 2516 wrote to memory of 2424	2516	svchostwin.exe	30
PID 2516 wrote to memory of 2424	2516	svchostwin.exe	30
PID 2424 wrote to memory of 1572	2424	svchostwin.exe	31
PID 2424 wrote to memory of 1572	2424	svchostwin.exe	31
PID 2424 wrote to memory of 1572	2424	svchostwin.exe	31
PID 2424 wrote to memory of 1572	2424	svchostwin.exe	31
PID 1572 wrote to memory of 1636	1572	svchostwin.exe	32
PID 1572 wrote to memory of 1636	1572	svchostwin.exe	32
PID 1572 wrote to memory of 1636	1572	svchostwin.exe	32
PID 1572 wrote to memory of 1636	1572	svchostwin.exe	32
PID 1636 wrote to memory of 2912	1636	svchostwin.exe	33
PID 1636 wrote to memory of 2912	1636	svchostwin.exe	33
PID 1636 wrote to memory of 2912	1636	svchostwin.exe	33
PID 1636 wrote to memory of 2912	1636	svchostwin.exe	33
PID 2912 wrote to memory of 2280	2912	svchostwin.exe	34
PID 2912 wrote to memory of 2280	2912	svchostwin.exe	34
PID 2912 wrote to memory of 2280	2912	svchostwin.exe	34
PID 2912 wrote to memory of 2280	2912	svchostwin.exe	34
PID 2280 wrote to memory of 2720	2280	svchostwin.exe	35
PID 2280 wrote to memory of 2720	2280	svchostwin.exe	35
PID 2280 wrote to memory of 2720	2280	svchostwin.exe	35
PID 2280 wrote to memory of 2720	2280	svchostwin.exe	35
PID 2720 wrote to memory of 2828	2720	svchostwin.exe	36
PID 2720 wrote to memory of 2828	2720	svchostwin.exe	36
PID 2720 wrote to memory of 2828	2720	svchostwin.exe	36
PID 2720 wrote to memory of 2828	2720	svchostwin.exe	36
PID 2828 wrote to memory of 2824	2828	svchostwin.exe	37
PID 2828 wrote to memory of 2824	2828	svchostwin.exe	37
PID 2828 wrote to memory of 2824	2828	svchostwin.exe	37
PID 2828 wrote to memory of 2824	2828	svchostwin.exe	37
PID 2824 wrote to memory of 2812	2824	svchostwin.exe	38
PID 2824 wrote to memory of 2812	2824	svchostwin.exe	38
PID 2824 wrote to memory of 2812	2824	svchostwin.exe	38
PID 2824 wrote to memory of 2812	2824	svchostwin.exe	38
PID 2812 wrote to memory of 2444	2812	svchostwin.exe	39
PID 2812 wrote to memory of 2444	2812	svchostwin.exe	39
PID 2812 wrote to memory of 2444	2812	svchostwin.exe	39
PID 2812 wrote to memory of 2444	2812	svchostwin.exe	39
PID 2444 wrote to memory of 2336	2444	svchostwin.exe	40
PID 2444 wrote to memory of 2336	2444	svchostwin.exe	40
PID 2444 wrote to memory of 2336	2444	svchostwin.exe	40
PID 2444 wrote to memory of 2336	2444	svchostwin.exe	40
PID 2336 wrote to memory of 2712	2336	svchostwin.exe	41
PID 2336 wrote to memory of 2712	2336	svchostwin.exe	41
PID 2336 wrote to memory of 2712	2336	svchostwin.exe	41
PID 2336 wrote to memory of 2712	2336	svchostwin.exe	41
PID 2712 wrote to memory of 2800	2712	svchostwin.exe	42
PID 2712 wrote to memory of 2800	2712	svchostwin.exe	42
PID 2712 wrote to memory of 2800	2712	svchostwin.exe	42
PID 2712 wrote to memory of 2800	2712	svchostwin.exe	42
PID 2800 wrote to memory of 2640	2800	svchostwin.exe	43
PID 2800 wrote to memory of 2640	2800	svchostwin.exe	43
PID 2800 wrote to memory of 2640	2800	svchostwin.exe	43
PID 2800 wrote to memory of 2640	2800	svchostwin.exe	43
PID 2640 wrote to memory of 2776	2640	svchostwin.exe	44
PID 2640 wrote to memory of 2776	2640	svchostwin.exe	44
PID 2640 wrote to memory of 2776	2640	svchostwin.exe	44
PID 2640 wrote to memory of 2776	2640	svchostwin.exe	44

C:\Users\Admin\AppData\Local\Temp\a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7eed18c21897e50bbe167b8f438b9af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- \??\c:\windows\SysWOW64\svchostwin.exe
  c:\windows\system32\svchostwin.exe 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - \??\c:\windows\SysWOW64\svchostwin.exe
    c:\windows\system32\svchostwin.exe 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - \??\c:\windows\SysWOW64\svchostwin.exe
      c:\windows\system32\svchostwin.exe 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1572
    - - \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2972
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2928
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2932
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2580
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2900
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1140
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2384
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:568
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        36⤵
        Executes dropped EXE
        
        PID:1128
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:976
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:664
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        42⤵
        Executes dropped EXE
        
        PID:2136
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        43⤵
        Executes dropped EXE
        
        PID:2540
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        44⤵
        Executes dropped EXE
        
        PID:600
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        49⤵
        Executes dropped EXE
        
        PID:2356
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        52⤵
        Executes dropped EXE
        
        PID:576
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:732
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        54⤵
        Executes dropped EXE
        
        PID:1632
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        60⤵
        Executes dropped EXE
        
        PID:2260
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:912
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        62⤵
        Executes dropped EXE
        
        PID:332
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        66⤵
        
        PID:992
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        67⤵
        
        PID:2000
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        68⤵
        
        PID:2232
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        72⤵
        
        PID:376
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        74⤵
        
        PID:1664
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        82⤵
        
        PID:1592
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        84⤵
        
        PID:1716
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        87⤵
        
        PID:2240
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        88⤵
        
        PID:2352
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        89⤵
        
        PID:288
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        90⤵
        
        PID:1372
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        94⤵
        
        PID:2552
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        95⤵
        
        PID:2808
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        99⤵
        
        PID:2716
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        100⤵
        
        PID:2748
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        \??\c:\windows\SysWOW64\svchostwin.exe
        
        c:\windows\system32\svchostwin.exe 1
        102⤵
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchostwin.exe

Filesize
81KB

MD5
a7eed18c21897e50bbe167b8f438b9af

SHA1
e2dec9aa656feee9a89d0e62fc467b4bab66fe4c

SHA256
6115358233527733f29ee9ce90c90c12a4ed470b3e07d7ff7e286b974292ed3b

SHA512
dffc93cf3a16712e28c6651fb62333c22fd5e87cf5b2d8d910b7d92f661db1f7baac03f7d78d5a62c22f5019a364a1735187a422228f3faf87ece9f8eeb6dc59

Download Submit
memory/288-212-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/332-243-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/376-229-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-154-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/568-155-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/568-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/664-164-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/664-158-0x0000000000330000-0x00000000003B1000-memory.dmp

Filesize
516KB

Download
memory/868-225-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/872-226-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/912-245-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/976-150-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/976-157-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1128-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1140-145-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/1140-137-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1140-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1176-230-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1224-118-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1224-103-0x0000000003040000-0x00000000030C1000-memory.dmp

Filesize
516KB

Download
memory/1224-119-0x0000000003040000-0x00000000030C1000-memory.dmp

Filesize
516KB

Download
memory/1224-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1308-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1308-148-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-140-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1372-211-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1472-215-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1512-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1512-152-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/1544-231-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1564-220-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1572-37-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1592-219-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1636-43-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/1636-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1636-41-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1644-216-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1664-227-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1676-232-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1680-228-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1716-217-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2028-210-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2052-221-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2088-161-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2088-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2116-160-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/2116-159-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2148-203-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2200-208-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2220-222-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2232-233-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2240-214-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2280-52-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2280-34-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2308-133-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/2308-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2328-218-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2336-66-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2336-87-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2340-209-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2344-144-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2344-149-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2352-213-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2368-93-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2368-116-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2384-146-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2392-136-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2392-142-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2408-224-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2424-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2424-32-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2444-58-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2444-80-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2444-62-0x0000000002F20000-0x0000000002FA1000-memory.dmp

Filesize
516KB

Download
memory/2480-223-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2484-204-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2508-8-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/2508-22-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2508-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2516-28-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2516-14-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2516-11-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2540-162-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2540-163-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download
memory/2552-207-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2580-134-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2580-126-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2580-135-0x0000000000230000-0x00000000002B1000-memory.dmp

Filesize
516KB

Download
memory/2640-106-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2700-205-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2712-88-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2712-70-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2716-202-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2720-59-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2748-201-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2752-200-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2776-111-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2776-92-0x00000000001E0000-0x0000000000261000-memory.dmp

Filesize
516KB

Download
memory/2800-98-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2800-77-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2800-83-0x0000000003000000-0x0000000003081000-memory.dmp

Filesize
516KB

Download
memory/2800-82-0x0000000003000000-0x0000000003081000-memory.dmp

Filesize
516KB

Download
memory/2800-105-0x0000000003000000-0x0000000003081000-memory.dmp

Filesize
516KB

Download
memory/2800-102-0x0000000003000000-0x0000000003081000-memory.dmp

Filesize
516KB

Download
memory/2808-206-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2812-76-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2812-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2824-74-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/2824-71-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2824-49-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2828-65-0x0000000000E90000-0x0000000000F11000-memory.dmp

Filesize
516KB

Download
memory/2828-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2840-199-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2900-131-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2900-139-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2912-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2912-44-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2912-48-0x0000000007C80000-0x0000000007D01000-memory.dmp

Filesize
516KB

Download
memory/2928-123-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2928-124-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2928-125-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2928-117-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2928-112-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2932-127-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2940-130-0x0000000002EF0000-0x0000000002F71000-memory.dmp

Filesize
516KB

Download
memory/2940-138-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2940-128-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2972-109-0x0000000002FF0000-0x0000000003071000-memory.dmp

Filesize
516KB

Download
memory/2972-120-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2972-122-0x0000000002FF0000-0x0000000003071000-memory.dmp

Filesize
516KB

Download
memory/2972-104-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3056-129-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3056-121-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download