81966a79010fb798795b7e255f14bedf00a2c94899fb30c29d4739590732cb9f

Analysis

max time kernel
147s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Size

760KB
MD5

aad91b80b63a0cb9307e981a566370ea
SHA1

6e9e741b70639207f598248e1563be40ddcf9b33
SHA256

81966a79010fb798795b7e255f14bedf00a2c94899fb30c29d4739590732cb9f
SHA512

5a0c05fa3201ff7a054a161aac0828267ffc3be730cb662fee88e9e52c6802f3218351b450bb3881f915c21070f7371b8751c564c21dd1d9f312f53e8bb22b5d
SSDEEP

12288:8Iyv5dgpTH+ESb2os6HnOPo0VdfG1mIn0sSelRnlUZrHQcyDBCZfv:8Iyv5dgpTH+ESios6WJH6m0hl9lUtwzO

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe

Executes dropped EXE 8 IoCs

pid	Process
2828	mirc.exe
1040	mirc.exe
2492	mirc.exe
2968	mirc.exe
1764	mirc.exe
236	mirc.exe
1684	mirc.exe
2288	mirc.exe

Loads dropped DLL 16 IoCs

pid	Process
2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
2828	mirc.exe
2828	mirc.exe
1040	mirc.exe
1040	mirc.exe
2492	mirc.exe
2492	mirc.exe
2968	mirc.exe
2968	mirc.exe
1764	mirc.exe
1764	mirc.exe
236	mirc.exe
236	mirc.exe
1684	mirc.exe
1684	mirc.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mirc.exe	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\OdAMrOgdy = "@iTMWmH[bKBQe\\b_NiDxh}VB\\jnwh"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LUtuozwcokKtm = "hXbounynt_KGvGLY"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmn]NaWe`uzFH\|Gifm^GHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]N[MqryUT{jj[^`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZUqryUTvw{A~p"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Adegn = "pXMblZ~^aTCqd{XBj\x7f"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmo]NaWe`u{FH\|Gifm^GHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LUtuozwcokKtm = "hXbounynt_KGvGLY"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cektpvjcmYnm = "iLxDkW^MFU_FMlfgXi"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmoMNaWe`u{VH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZQqryUTZu^aq`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jml}NaWe`uxfH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmnMNaWe`uzVH\|Gifm^GHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmn]NaWe`uzFH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZaqryUTQSpTo`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jvsPxnuZj = "Wy^KlFLfWZBVFmUK"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmoMNaWe`u{VH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LUtuozwcokKtm = "hXbounynt_KGvGLY"	mirc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "Microsoft Multiple AutoComplete List Container"	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\OdAMrOgdy = "@iTMWmH[bKBQe\\b_NiDxh}VB\\jnwh"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jvsPxnuZj = "Wy^KlFLfWZBVFmUK"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]N[AqryUTF^i~Sp"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LUtuozwcokKtm = "hXbounynt_KGvGLY"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cektpvjcmYnm = "iLxDkW^MFU_FMlfgXi"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]N[UqryUTIond@p"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]N[EqryUTj\\L^\\`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmo]NaWe`u{FH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\OdAMrOgdy = "@iTMWmH[bKBQe\\b_NiDxh}VB\\jnwh"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]N[aqryUTnKeqQ`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KrrrskpFmrq = "sKjAV{RTKhEqnYBvM"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cektpvjcmYnm = "iLxDkW^MFU_FMlfgXi"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jvsPxnuZj = "Wy^KlFLfWZBVFmUK"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KrrrskpFmrq = "sKjAV{RTKhEqnYBvM"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZyqryUTdf_QY`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jvsPxnuZj = "Wy^KlFLfWZBVFmUK"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmn]NaWe`uzFH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZuqryUTAS}KZ`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmnMNaWe`uzVH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]N[eqryUTBI@Q^p"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]N[YqryUTlZL~Cp"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZ}qryUTHdzqVp"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Adegn = "pXMblZ~^aTCqd{XBj\x7f"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Adegn = "pXMblZ~^aTCqd{XBj\x7f"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmomNaWe`u{vH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jvsPxnuZj = "Wy^KlFLfWZBVFmUK"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZIqryUThpZ^op"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LUtuozwcokKtm = "hXbounynt_KGvGLY"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KrrrskpFmrq = "sKjAV{RTKhEqnYBvM"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\OdAMrOgdy = "@iTMWmH[bKBQe\\b_NiDxh}VB\\jnwh"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmomNaWe`u{vH\|Gifm]wHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmomNaWe`u{vH\|Gifm^GHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KrrrskpFmrq = "sKjAV{RTKhEqnYBvM"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\OdAMrOgdy = "@iTMWmH[bKBQe\\b_NiDxh}VB\\jnwh"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NYyqryUTuN\|NmP"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\OdAMrOgdy = "@iTMWmH[bKBQe\\b_NiDxh}VB\\jnwh"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmo}NaWe`u{fH\|Gifm^GHZT@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Adegn = "pXMblZ~^aTCqd{XBj\x7f"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NZiqryUT_T\\TK`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\YclekbnKvfstu = "xYUuVVduZ]NY}qryUTYLYnb@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LUtuozwcokKtm = "hXbounynt_KGvGLY"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\OdAMrOgdy = "@iTMWmH[bKBQe\\b_NiDxh}VB\\jnwh"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\jubJkXFiYx = "jmlmNaWe`uxvH\|Gifm]wHZT@"	mirc.exe

NTFS ADS 9 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File created	C:\ProgramData\TEMP:C980DA7D	mirc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: 33	2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Token: 33	2828	mirc.exe
Token: SeIncBasePriorityPrivilege	2828	mirc.exe
Token: 33	1040	mirc.exe
Token: SeIncBasePriorityPrivilege	1040	mirc.exe
Token: 33	2492	mirc.exe
Token: SeIncBasePriorityPrivilege	2492	mirc.exe
Token: 33	2968	mirc.exe
Token: SeIncBasePriorityPrivilege	2968	mirc.exe
Token: 33	1764	mirc.exe
Token: SeIncBasePriorityPrivilege	1764	mirc.exe
Token: 33	236	mirc.exe
Token: SeIncBasePriorityPrivilege	236	mirc.exe
Token: 33	1684	mirc.exe
Token: SeIncBasePriorityPrivilege	1684	mirc.exe
Token: 33	2288	mirc.exe
Token: SeIncBasePriorityPrivilege	2288	mirc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2828	2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe	29
PID 2540 wrote to memory of 2828	2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe	29
PID 2540 wrote to memory of 2828	2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe	29
PID 2540 wrote to memory of 2828	2540	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe	29
PID 2828 wrote to memory of 1040	2828	mirc.exe	30
PID 2828 wrote to memory of 1040	2828	mirc.exe	30
PID 2828 wrote to memory of 1040	2828	mirc.exe	30
PID 2828 wrote to memory of 1040	2828	mirc.exe	30
PID 1040 wrote to memory of 2492	1040	mirc.exe	31
PID 1040 wrote to memory of 2492	1040	mirc.exe	31
PID 1040 wrote to memory of 2492	1040	mirc.exe	31
PID 1040 wrote to memory of 2492	1040	mirc.exe	31
PID 2492 wrote to memory of 2968	2492	mirc.exe	32
PID 2492 wrote to memory of 2968	2492	mirc.exe	32
PID 2492 wrote to memory of 2968	2492	mirc.exe	32
PID 2492 wrote to memory of 2968	2492	mirc.exe	32
PID 2968 wrote to memory of 1764	2968	mirc.exe	33
PID 2968 wrote to memory of 1764	2968	mirc.exe	33
PID 2968 wrote to memory of 1764	2968	mirc.exe	33
PID 2968 wrote to memory of 1764	2968	mirc.exe	33
PID 1764 wrote to memory of 236	1764	mirc.exe	34
PID 1764 wrote to memory of 236	1764	mirc.exe	34
PID 1764 wrote to memory of 236	1764	mirc.exe	34
PID 1764 wrote to memory of 236	1764	mirc.exe	34
PID 236 wrote to memory of 1684	236	mirc.exe	35
PID 236 wrote to memory of 1684	236	mirc.exe	35
PID 236 wrote to memory of 1684	236	mirc.exe	35
PID 236 wrote to memory of 1684	236	mirc.exe	35
PID 1684 wrote to memory of 2288	1684	mirc.exe	36
PID 1684 wrote to memory of 2288	1684	mirc.exe	36
PID 1684 wrote to memory of 2288	1684	mirc.exe	36
PID 1684 wrote to memory of 2288	1684	mirc.exe	36

C:\Users\Admin\AppData\Local\Temp\aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\mirc.exe
  C:\Windows\system32\mirc.exe 768 "C:\Users\Admin\AppData\Local\Temp\aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\mirc.exe
    C:\Windows\system32\mirc.exe 684 "C:\Windows\SysWOW64\mirc.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\mirc.exe
      C:\Windows\system32\mirc.exe 708 "C:\Windows\SysWOW64\mirc.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 712 "C:\Windows\SysWOW64\mirc.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 720 "C:\Windows\SysWOW64\mirc.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 724 "C:\Windows\SysWOW64\mirc.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 764 "C:\Windows\SysWOW64\mirc.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 716 "C:\Windows\SysWOW64\mirc.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
28e8d938cca6969d122f35090ec93a7b

SHA1
9e3685f9b1f9e1f772df600e13b292fb76ec9023

SHA256
5b5ed3303f74e588f0e22440e3505dd5f41be6d14d50fe1ccae7a7bf7c305d67

SHA512
86848a5b94b0a74610d39825a55f6a669e2acc470ebd85f8faa6008b51434acbb8715b1a54714f75f14f729174645de1764cdcf44e9bb4b45bdb27a2e02c79bf

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
4afdf6ab124fc0ea72d3dc6ce7a97b8c

SHA1
5d547e09c448321d0f05daa4f64181867f11877d

SHA256
44ed76d8c3439fb92bfd4e0ad8a070d2b21d1211de443cc1543787b56bc558c3

SHA512
d52110c4758aca7c0fff6b2cafc3ede5020d77363de44341b61d415b39dd47310af5f41e2c0629ec5e7f3e474a9ff44eba4fdc5620bd6e7aacdf8f1d6bf1b53c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
04ebf794aaccf17726f639e9d4d2c994

SHA1
86e3e6548a050fb3eb29ffc4457c8c8f327b0b2c

SHA256
c909b140d12080b160a7f946817565b8e4b1692fff5063a574ebd6ef6c8362ef

SHA512
ad012921edadeb9bd3708c46240d6e1ed26f411910fe54b06d03d62d8b7251e52e857735a29b4efd53cb211227737090d6c3f1b701e1e3dacdcdb8f286fed45f

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
60b06298fc48e8591d0aa9a8bac17cee

SHA1
8acf9e591a8d1358e67066563c3c9c041112ab57

SHA256
bd5f39ef181d2fbea9a23b61bdcb61485d37232031f1a811c3bb60bb69b256b6

SHA512
f1338fb816fa17a0bdfa22f8e9609d41647e217da6d9e6c30a3451bc1935f524263fa6be8ed4ee054694f9133a160ea06793e420c1d85a9b82168219d0a8b78d

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
c9a9ce26b0d9d457dd5da8ffc6db6b03

SHA1
0482da6c9e718e412fd67a5ec2dfb92c150b2571

SHA256
957c712f8e6e32734bbab699288199ca4fb304b7b1fa562b0cfff5b90de07e7a

SHA512
f968ef3b05f0e0ba7b8bb3e9d8bc234bbebbb4f11c900e9942973b31edca659cb17a8e1d12b2d5ee4b8d547268b8c729bd0da16c9b672a08718220426689ceaa

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
668c0ae6b2c220309a94b00b66d9d400

SHA1
f3ec262dc607f6dac60e3520e2176cf28c0e2f8c

SHA256
a99d5ebb41699d807d3fee70f29a295b9eb380e77cf0d6d601e2a8f451f8bd6c

SHA512
80c4acf68b0557170906e6fb73897932a3a4f338ee80216e9301cb29c42d7a29234af6fe26bd74f22ca4b2aa7a48d6c3bd7006955fd98043c6a3992015ed4004

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
75075afdb1787724209995938a2001eb

SHA1
d6152009a442aec1e5d9e47cbf6506874a983585

SHA256
7ad764ac615e93db69ed35fe810ee437253b1e9d84994c50ef0dfcb571365485

SHA512
b95eb72b736cb9d43e9e014bf28cc79bf78e27572faee4caa0669661eeb4b75fe54ca26ec5096f5cd623ebaf9c1077a8f5c0c46938d27a0ce2f8e5feb33b6f1d

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
439400c3b3ad02c2fc03ac06c2bde118

SHA1
17c5bf6b69eb6850ae239d0e5d79da94ca4492f4

SHA256
bd30756c99228c42d5f7a369ae9b88361b827be51cc0472beb2c56cccfaf9780

SHA512
44454b5d624d7ddb36782117b81d6a2e4cda7ee2e64783db109993ec4d52f2dfc5f6d95f8fb32ee1d589a41bc0920545d32447b1d85a0b2da9401e266e409449

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
0147bcd6efe9f57796ef293026eb40a3

SHA1
4aaefc01643d7e81ed41c56855da160232cc8c2a

SHA256
a6ce88a200a09a7c4d96cf97f9c63a41cde7786225bab84c316b442c98bc544e

SHA512
43aa480d3cff662a37a91d6ca5fe4861191950d39123c12ccd8218129eb0db78bab1b6aa59012f99f097c5963ab1ef35d052eb66ffd939168b8b79245c00d1a7

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
473b6907522572ef1b74423034803a59

SHA1
4001548a0c8690ba769cab1d96afca56d15f8815

SHA256
e0d88220a23a2934882cfaf264c1cc4deb4d186adaf7b4194f5af3d30589ff1e

SHA512
8fd9e33fffc8d1e09d8ad3b78da96fc1f6a8b97741bbd0a3191ef9fe752d21db29b17460c15968d646e551225f0c7507bee36c0ca3b70d70f1989512258e925c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
374a80b1ff584c57c3743c7d5bd0f30b

SHA1
e34d8b653358dd6bfaef483211008dcaec2771fe

SHA256
8abde5c5d88b56ea5b2a6b623d369f93218cbd076a576d628740c62a55035435

SHA512
a04c22ad0a705c495e8e2a6420bd2d06e4e1cabe7cdb2f0359c56a62aa010a956ff5d8cd4b46e6225380aa9576e09e3f99d668e6c69aa2df41b088470583627f

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
91c7f0a5f9a5de95709aae97d4c6af82

SHA1
f0ad6cbf485dd975ff7f7a686951fdc7ad637647

SHA256
e29cc81788763341b4ca9ee79932f469945252572e03b488d5060c5297d85396

SHA512
0f8bc96bcf1d5b1c76820f96250c7d6ba89db0ea3a8c64411422cb38c683f4c26993e6a08131da00de6dec797dcdc07c9b78a819ebc0888525e0b7a95681e7fd

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
aef0631f46bd81c10d0f877ba451a209

SHA1
8f347def714996d6eba6f2440ecc4425c5ad889c

SHA256
3b392be826ce8acc42b4ea6364c60255986f99dc3c2e23bd3d203be75e6260f2

SHA512
1c30df0ca8343f19a2b740bd88d77fa41f76adb1f44494e80b7ce79f68ca54befb3cfd951bf5eb0531c51a573e516a4563dd00245b4e886edab2538c5b901d08

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
e544b06d76b8b656f6297e3135eb2b03

SHA1
46f990a63d6d3fbfea0c121745638c9f6438a80f

SHA256
6ca13e21e867bb7d3715058634b39eda780234f2e512bc7f4ef4f9913165850f

SHA512
66ca169a59701dd97fbc6eae98fcd1253b7c125096e47f6c9935355b1d8ef96471415d47ec3d202466aa02c587fa03eb8caa1ee6fdbcf8bbb4e1dab9cdd80332

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
600176e065bb67adf87820a54975f6e8

SHA1
0c00e2377d48bc7765d820c5dce4e1cb724651ec

SHA256
8791c29ec54c0cfba66a87962db08b48254b28fbc154c6d43074292ff13109c8

SHA512
90364d466d511ce86c903165810b4ead24f4917d18f3df4e56459295b8abb88c62e2781892732e1e87672fa66e05aafd85badd638f8dd09c722a6716cfb13cc2

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
1546143913da0f2770f2160dbc170e7f

SHA1
942feeb6cc2a3999a1adba86c99d83472e37a2ab

SHA256
5a3302bb897b35015e7271d4824dcc5ea8a9beacc8b229a23ea7e2869394e426

SHA512
3b0b922841bb1f9706a1538bcc1dd029570e56dbfcc3e52331deb805a9a9cdb3aea03db44ea90c860da75cc4d4b5275d2957cadd6357fcc85fe00128c6415803

Download Submit
C:\Windows\SysWOW64\mirc.exe

Filesize
760KB

MD5
aad91b80b63a0cb9307e981a566370ea

SHA1
6e9e741b70639207f598248e1563be40ddcf9b33

SHA256
81966a79010fb798795b7e255f14bedf00a2c94899fb30c29d4739590732cb9f

SHA512
5a0c05fa3201ff7a054a161aac0828267ffc3be730cb662fee88e9e52c6802f3218351b450bb3881f915c21070f7371b8751c564c21dd1d9f312f53e8bb22b5d

Download Submit
memory/236-185-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/236-188-0x00000000047E0000-0x0000000004963000-memory.dmp

Filesize
1.5MB

Download
memory/236-202-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-88-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-64-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-49-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-72-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-70-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/1040-65-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-87-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/1040-66-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-67-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1040-69-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/1040-68-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1684-217-0x0000000004830000-0x00000000049B3000-memory.dmp

Filesize
1.5MB

Download
memory/1684-214-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1684-231-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-156-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-173-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-159-0x0000000004770000-0x00000000048F3000-memory.dmp

Filesize
1.5MB

Download
memory/2492-81-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2492-98-0x0000000000600000-0x0000000000689000-memory.dmp

Filesize
548KB

Download
memory/2492-76-0x0000000000600000-0x0000000000689000-memory.dmp

Filesize
548KB

Download
memory/2492-115-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2492-99-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2492-91-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2492-95-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2492-96-0x0000000000600000-0x0000000000689000-memory.dmp

Filesize
548KB

Download
memory/2492-94-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2492-93-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2492-92-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2540-30-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/2540-33-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2540-0-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/2540-6-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2540-11-0x0000000000220000-0x00000000002A9000-memory.dmp

Filesize
548KB

Download
memory/2540-10-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2540-9-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2540-8-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2540-7-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2540-26-0x0000000004790000-0x0000000004913000-memory.dmp

Filesize
1.5MB

Download
memory/2540-22-0x0000000004790000-0x0000000004913000-memory.dmp

Filesize
1.5MB

Download
memory/2540-5-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-23-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/2828-61-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-37-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-35-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-39-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-38-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-43-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-40-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/2828-36-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2828-42-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/2828-41-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/2828-60-0x0000000000900000-0x0000000000989000-memory.dmp

Filesize
548KB

Download
memory/2968-127-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2968-130-0x00000000046B0000-0x0000000004833000-memory.dmp

Filesize
1.5MB

Download
memory/2968-144-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2968-103-0x0000000001E00000-0x0000000001E89000-memory.dmp

Filesize
548KB

Download