64d52e0c184cb3db319bfd9c5b52d88021b0f98e3da163d467505b37e719605f

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 07:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Size

668KB
MD5

c2953e3efeb5e40d514e6b9b77172c80
SHA1

89564191bc6b4fe1c6336fdaf9088a5f14727d08
SHA256

64d52e0c184cb3db319bfd9c5b52d88021b0f98e3da163d467505b37e719605f
SHA512

660d4e6fe8b9d4fbdf161bcb3272f98e17ea9b6b69cd9168a701feeaa6a68829ed5a2a710c357f392a3a4f2f4ae94638db05a6b17c7e2a999f8bd9aade776857
SSDEEP

12288:kw1x9pq1SvKxYxMgv0sz001741PymqzV/GwcLQo3wk/LJKCGtqA8Vu8NzWsy:kw1x9pq1SvKxYxMW0sn1E1Prqp/GwaQf

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	.txt
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	.txt

Executes dropped EXE 8 IoCs

pid	Process
1872	.txt
2624	.txt
2932	.txt
1648	.txt
440	.txt
2392	.txt
2140	.txt
2012	.txt

Loads dropped DLL 16 IoCs

pid	Process
2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
1872	.txt
1872	.txt
2624	.txt
2624	.txt
2932	.txt
2932	.txt
1648	.txt
1648	.txt
440	.txt
440	.txt
2392	.txt
2392	.txt
2140	.txt
2140	.txt

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\.txt	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt
File opened for modification	C:\Windows\SysWOW64\.txt	.txt
File created	C:\Windows\SysWOW64\.txt	.txt

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.txt

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmoMNaWe`u{VH\|Gifm^GHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmlmNaWe`uxvH\|Gifm^GHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Mail\\oeimport.dll"	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "IBvMjmn}NaWe`uzfH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\EEFB = "TMWmH[bKBQe\\N_LYDs"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]N[IqryUT\|bXoK`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZIqryUTCzMJu`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dbjMwtuyplZz = "rnt_K]lU]ZcKjAV{RTKhEs^"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZ}qryUTcnmeL`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmo}NaWe`u{fH\|Gifm]wHZT@xY"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "CLSID_CExchImport"	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dbjMwtuyplZz = "rnt_K]lU]ZcKjAV{RTKhEs^"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\EEFB = "TMWmH[bKBQe\\N_LYDs"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\qLenrtu = "h}zB^Zn\|hWU^I\\FGfWvBTvm^KhtbmEn"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZqqryUTF[O\x7fO`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NY}qryUTrFNzxP"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\qLenrtu = "h}zB^Zn\|hWU^I\\FGfWvBTvm^KhtbmEn"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]N[MqryUTP`}ODp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zhifceyj = "pXMblZ~^aTCqd{XBj\x7fELxD"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\EEFB = "TMWmH[bKBQe\\N_LYDs"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]N[uqryUTIEjNH@"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\EEFB = "TMWmH[bKBQe\\N_LYDs"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZ]qryUTTJkohp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZUqryUT]}lUd`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]N[]qryUTkR~JVp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\EEFB = "TMWmH[bKBQe\\N_LYDs"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmo]NaWe`u{FH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmn]NaWe`uzFH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmlmNaWe`uxvH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NYqqryUTWsl`{P"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZeqryUTV[B`z`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmo]NaWe`u{FH\|Gifm]wHZT@xY"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dbjMwtuyplZz = "rnt_K]lU]ZcKjAV{RTKhEs^"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dbjMwtuyplZz = "rnt_K]lU]ZcKjAV{RTKhEs^"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmoMNaWe`u{VH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZAqryUT}~btM@"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmomNaWe`u{vH\|Gifm^GHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dbjMwtuyplZz = "rnt_K]lU]ZcKjAV{STKhEUL"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmomNaWe`u{vH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\qLenrtu = "h}zB^Zn\|hWU^I\\FGfWvBTvm^KhtbmEn"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZQqryUTq\x7fIukp"	.txt
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZaqryUTzYg@up"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dbjMwtuyplZz = "rnt_K]lU]ZcKjAV{RTKhEs^"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZYqryUTxHNOg`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZEqryUTQ\|GTBP"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmo}NaWe`u{fH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmo]NaWe`u{FH\|Gifm^GHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\oaibGqv = "YBvMjmnMNaWe`uzVH\|Gifm]wHZT@xY"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]N[UqryUTbeypZ`"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\HvcIpIahFnlxp = "S\x7fa\x7f@vz]NZMqryUToxhjzp"	.txt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tyPzuOQyPW = "k\\^MFU_FMlfgXi@i"	.txt

NTFS ADS 9 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File created	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt
File opened for modification	C:\ProgramData\TEMP:C980DA7D	.txt

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: 33	2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
Token: 33	1872	.txt
Token: SeIncBasePriorityPrivilege	1872	.txt
Token: 33	2624	.txt
Token: SeIncBasePriorityPrivilege	2624	.txt
Token: 33	2932	.txt
Token: SeIncBasePriorityPrivilege	2932	.txt
Token: 33	1648	.txt
Token: SeIncBasePriorityPrivilege	1648	.txt
Token: 33	440	.txt
Token: SeIncBasePriorityPrivilege	440	.txt
Token: 33	2392	.txt
Token: SeIncBasePriorityPrivilege	2392	.txt
Token: 33	2140	.txt
Token: SeIncBasePriorityPrivilege	2140	.txt
Token: 33	2012	.txt
Token: SeIncBasePriorityPrivilege	2012	.txt

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 1872	2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe	30
PID 2640 wrote to memory of 1872	2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe	30
PID 2640 wrote to memory of 1872	2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe	30
PID 2640 wrote to memory of 1872	2640	c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2624	1872	.txt	32
PID 1872 wrote to memory of 2624	1872	.txt	32
PID 1872 wrote to memory of 2624	1872	.txt	32
PID 1872 wrote to memory of 2624	1872	.txt	32
PID 2624 wrote to memory of 2932	2624	.txt	33
PID 2624 wrote to memory of 2932	2624	.txt	33
PID 2624 wrote to memory of 2932	2624	.txt	33
PID 2624 wrote to memory of 2932	2624	.txt	33
PID 2932 wrote to memory of 1648	2932	.txt	34
PID 2932 wrote to memory of 1648	2932	.txt	34
PID 2932 wrote to memory of 1648	2932	.txt	34
PID 2932 wrote to memory of 1648	2932	.txt	34
PID 1648 wrote to memory of 440	1648	.txt	35
PID 1648 wrote to memory of 440	1648	.txt	35
PID 1648 wrote to memory of 440	1648	.txt	35
PID 1648 wrote to memory of 440	1648	.txt	35
PID 440 wrote to memory of 2392	440	.txt	36
PID 440 wrote to memory of 2392	440	.txt	36
PID 440 wrote to memory of 2392	440	.txt	36
PID 440 wrote to memory of 2392	440	.txt	36
PID 2392 wrote to memory of 2140	2392	.txt	37
PID 2392 wrote to memory of 2140	2392	.txt	37
PID 2392 wrote to memory of 2140	2392	.txt	37
PID 2392 wrote to memory of 2140	2392	.txt	37
PID 2140 wrote to memory of 2012	2140	.txt	38
PID 2140 wrote to memory of 2012	2140	.txt	38
PID 2140 wrote to memory of 2012	2140	.txt	38
PID 2140 wrote to memory of 2012	2140	.txt	38

C:\Users\Admin\AppData\Local\Temp\c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\.txt
  C:\Windows\system32\.txt 800 "C:\Users\Admin\AppData\Local\Temp\c2953e3efeb5e40d514e6b9b77172c80_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\.txt
    C:\Windows\system32\.txt 792 "C:\Windows\SysWOW64\.txt"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\.txt
      C:\Windows\system32\.txt 732 "C:\Windows\SysWOW64\.txt"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 744 "C:\Windows\SysWOW64\.txt"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 752 "C:\Windows\SysWOW64\.txt"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 712 "C:\Windows\SysWOW64\.txt"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 748 "C:\Windows\SysWOW64\.txt"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\.txt
        
        C:\Windows\system32\.txt 756 "C:\Windows\SysWOW64\.txt"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
483957f5d745f444539ee1e2065aecc9

SHA1
59ba4e7227d7b93c2a9e18bc150fbdf20538980d

SHA256
39b0f9bb34689d93f736dcc1831233139401f9e50184af550d82c8da5f5dc647

SHA512
54a40d60c5e6334e9c67c8660b904cf424d31b10c6475a4f18e9f8feb04dccdd2009ca9ab9f96713f8963efc8822b2d74e6f5d4037c17ef59c16b0ec8800d31e

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
8ef91dfc912eb8257c0d2b6e3c1b837b

SHA1
4754f5d510f60b06933e96e13b6a565bf4552476

SHA256
ca64673218e704421f01ac42fc717848bd78a10745572cfb1e7f6af182754494

SHA512
90d66fa3bf923ab772aec358f5cea41f7989d18c0db44b45b1a4ab542253a093d58ea12710271264cc20b4a5cb4c5199e9ec30c7cae58f7fec56e55ff9222140

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
e8d86c8a64ac6b1ee6f0434a7bdbd3fc

SHA1
d0cd8d2ec04a35c8fee05c2b7a1dd6d20a6fd680

SHA256
2378828d75d024cb0fc07d2d4e7930763d498527087e90cd4cde158bfecd2597

SHA512
378c2eeee5f2c9560defca57a486e15208d5552a3fae7c68a021831f16e4032e3a5e89a2a81b078c2603ab4c61344b0edce21064f5f8eafff8eeb33efcdfaf55

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
5bba62694c0f609ae90d9fb845e97952

SHA1
8376c1fceff0e2456fcc9f26f4000cef613c5ba6

SHA256
897002bc8026b9c977506c54231549ea75b102084082cd56bf2587999c45de3a

SHA512
1820d03fb79f5814366b3629574ca6a5acfc79b3bcede732fd440cbd4094cc2c039b4167355a7d325e204effe6c6a78995daa092cad8e18a959b5192e9aef7be

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
7a3b0c2df05c67f23a96ff4619f0e285

SHA1
89650d4e25b1491036a33dbf42291c131524caff

SHA256
b1850336663d266f4df177eb15f1032685e84490f6fdae932c5bb5ab593a05ac

SHA512
c134d3f83f9e646f70cdc7f2fa33b761068187bfcf5db8b4620fa1085a47b9d0a11d08339f5912e0a4f2e8210d867c253bfbf714434dabec08a4f89fbfc8f5ce

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
1b2fa1feecc76acb8a61eb34280f2bff

SHA1
3ce1c70bbdbe79ce7c0edfcbe324a12680e57c69

SHA256
2b86c9a8818c025042389cc65343f621601b4ddc17e3c1add2ba93d48d6a8b20

SHA512
86d2075eb060103331ab65ec47f37ae45687b0b87d511ee7cf77506562923c244249adf812772b4af20c693d222852f98898b4f0e8b3610a4cc0369ce76e27e0

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
05e6eeed6aa7ff0bc3263802b272cc66

SHA1
cd01396921a618bdbcf08cee8a33fcbd0a279c67

SHA256
faae9422965981b5ca582967b24b240484f0ca4798f68c8457a9ee6ac73f7e23

SHA512
d18b2133cc012108b601c119b29421b5caf434266137cbb545c425f60536854335783dc11bbbd43e05ca963542b7414ba33adadd6b10638e303294e89d8f6785

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
884258a12a74c11c6fcbd6c0101d0148

SHA1
31eb6e5de1325c108ed1de625db8ed8f67ac9974

SHA256
d70bebb310b57f016ca3f49a17d4b07fcc52f7e9b7f82ea036751a6b1ffc9201

SHA512
a63b68ff46ebf945819e4b9ce465802c34120e3d09b59d0329286b934adc87b5fd359ef683478fdf085ef5bf7bb4e2038401aaa092330356cbd85147c10bd0d0

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
74ba7396f325535b0fad66c153866f98

SHA1
1287c3ad7336028c16ae36ccfb822211b33aca26

SHA256
9481dac3ad65214b1063bacd621c5e67401a3b84cca8190caaa754ee77a0474f

SHA512
a8fbcf9ecabfd16ce501e5af9bbc6ff47ece7be7749d8344901b7cb9e531c6f9c5af9fae9674d0c795c4241080547d1bbc3b5738c711d1768401d2dbdb2c7c38

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
e71e62b0ae93ce14eb5718c140961116

SHA1
5db9b1aacf1cadf9b58de4db6adcfe852a7c3884

SHA256
63bbe7e9e652779372dd12cdc03352e1f41fa13eff7c312b9b368363913083c6

SHA512
9f9460010944a22dba5b16547d83b10c7a8b59820109334905c1f4fad6285bd53d3dfb9ee2f4b46d26a454d157fcea17a51a945e5ae89407b9444117d6816e38

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
cc44770a5cae6ea032fa496f5aa6db6d

SHA1
0d4739bc4f5b74c81771d8fdbd1c2754cedfb229

SHA256
2412a74a0c0ace4858330e52a9676fc5e76ed287da2aaedd5fe52ca9ff656f7b

SHA512
23864de02454c787437772db25ae31b6dd0c285aaca3f851f2a615bad2f0b2afa9fa194b1b13b1877f6b4a3db32f7855c1f2a4c5ce2ba5b867f2bb4bf10600c3

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
22e02217543afdf520211b99b969ada2

SHA1
61ec030532b2a81ac7bae05965c89c6be241dc23

SHA256
3063fb0a04147220a733d2daa0582b993409136f335f44ee75b616dcf869b257

SHA512
c1116dcd2a0cebcbd5cb856fe84161e6c40746761a4f40f5288c4a8de21e08667b672f6918d9a7ad43642eec87a5e7899666ff1bd01c85f13d25d3829849fe03

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
715461b50e27922a81cd13402de29ba4

SHA1
feaa7ee37ff612e3df32b35a4502ebc25baab171

SHA256
2429751f466cf623687db4a234f39baf325a6a7492d5a2196ded5b136e542797

SHA512
0c68c334294568be81f6ad64415ac316aa2c71af5e52ed618f23c178a037cd2b6811a67f5e7eb1e8a43f3d5612a35da8443ce65199a5c10e64e6a79a87e33942

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
c1a9ac9253e3d17774ab3412ff400af1

SHA1
4b89e3790d9410ed93441dd0b7ce33f922abb234

SHA256
92570c9a75b0e1b87658e9ae83a723a3565c86b6adf85cb0be03b6c01b867a26

SHA512
0ea2d21dc0ed5c2d965acf4b35a8301a9661b73d616b20cffd7bbd95b5249270d46c490d18979c2580163a371e7d0997bfc2547ff06ceb0aa979d5623c5e9812

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
065a77488b1645176e69537c3e22589b

SHA1
7fcaf065ae1dfa8e9b0650372707fb661f541c94

SHA256
1310fecf25b3b756c42e398d86cebcb9064a8ee8aadf1173a34a96058e0e76b6

SHA512
462959f0c489e8551c55df36952ec2f265cc7fd71f256db6af8b69bfaa03afa5434542ed0accbf99007e2ef7db2da868c9fd2099f3e6a73baf6cec89f09ac723

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
fb0d8398e4ca6abcc88579b83c03376a

SHA1
823c9032c4cc900276226dc191fe399ef360ee88

SHA256
ee22dbd5659bef3dd647f523bd6f4f93874e6e51bd1df98ed101d17e3d2493de

SHA512
36ce38bdd3687b4b525f23db4755c4cc35cb8fdeae0f37dc114d66e411a9729948a39b822a994351ca1c86b8342455c1ecd5b3286f7adb34709cfc95c1903cc4

Download Submit
\Windows\SysWOW64\.txt

Filesize
668KB

MD5
c2953e3efeb5e40d514e6b9b77172c80

SHA1
89564191bc6b4fe1c6336fdaf9088a5f14727d08

SHA256
64d52e0c184cb3db319bfd9c5b52d88021b0f98e3da163d467505b37e719605f

SHA512
660d4e6fe8b9d4fbdf161bcb3272f98e17ea9b6b69cd9168a701feeaa6a68829ed5a2a710c357f392a3a4f2f4ae94638db05a6b17c7e2a999f8bd9aade776857

Download Submit
memory/440-158-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/440-161-0x0000000003FB0000-0x000000000412A000-memory.dmp

Filesize
1.5MB

Download
memory/1648-132-0x0000000003F50000-0x00000000040CA000-memory.dmp

Filesize
1.5MB

Download
memory/1648-129-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-39-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-45-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-41-0x0000000000710000-0x000000000075C000-memory.dmp

Filesize
304KB

Download
memory/1872-42-0x0000000000710000-0x000000000075C000-memory.dmp

Filesize
304KB

Download
memory/1872-36-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-57-0x0000000000710000-0x000000000075C000-memory.dmp

Filesize
304KB

Download
memory/1872-35-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-40-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-24-0x0000000000710000-0x000000000075C000-memory.dmp

Filesize
304KB

Download
memory/1872-37-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/1872-38-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2140-219-0x0000000003FF0000-0x000000000416A000-memory.dmp

Filesize
1.5MB

Download
memory/2140-216-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2392-190-0x0000000003E20000-0x0000000003F9A000-memory.dmp

Filesize
1.5MB

Download
memory/2392-187-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-71-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/2624-73-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-65-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-66-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-88-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/2624-67-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-68-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-70-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/2624-69-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-64-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2624-50-0x00000000003A0000-0x00000000003EC000-memory.dmp

Filesize
304KB

Download
memory/2640-22-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2640-12-0x0000000000220000-0x000000000026C000-memory.dmp

Filesize
304KB

Download
memory/2640-1-0x0000000000220000-0x000000000026C000-memory.dmp

Filesize
304KB

Download
memory/2640-6-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2640-10-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2640-0-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2640-11-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2640-32-0x0000000000220000-0x000000000026C000-memory.dmp

Filesize
304KB

Download
memory/2640-9-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2640-8-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2640-7-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-98-0x00000000003B0000-0x00000000003FC000-memory.dmp

Filesize
304KB

Download
memory/2932-97-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-96-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-93-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-95-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-92-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-94-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-78-0x00000000003B0000-0x00000000003FC000-memory.dmp

Filesize
304KB

Download
memory/2932-77-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-101-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2932-99-0x00000000003B0000-0x00000000003FC000-memory.dmp

Filesize
304KB

Download