ad4c07c455348f22fa282080454dbce00133d4f2aaf11605e132a2a6bf7ec7e5

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
Size

428KB
MD5

ff8770b20777545c9e03bb7532e5771c
SHA1

d641452c62f1262f769a40602d3182b26b48ed85
SHA256

ad4c07c455348f22fa282080454dbce00133d4f2aaf11605e132a2a6bf7ec7e5
SHA512

b8fbecbb856e35b1a09b1aab1f902490677f5a66d04c07c88bd3955961c5b1b1aae8b45da8a4f8825b193b575d34d127e1b7d870e95218e9b0805898fb7970f5
SSDEEP

12288:pu6/DdQHroPTAwpwXQsBPTeoG0HhDtdC2Cp4JSErXD+Kz4:pl7WsPkA8QsBPyoG0HBrC2zJSKD+

Score

10^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	setup.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

Executes dropped EXE 3 IoCs

pid	Process
1400	setup.exe
2476	fservice.exe
2864	services.exe

Loads dropped DLL 17 IoCs

pid	Process
2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
1400	setup.exe
2476	fservice.exe
2476	fservice.exe
2476	fservice.exe
2864	services.exe
2864	services.exe
2476	fservice.exe
1400	setup.exe
2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
2680	IEXPLORE.EXE

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
2716	verclsid.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fservice.exe	setup.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	setup.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000019261-446.dat	upx
behavioral1/memory/2676-448-0x00000000076F0000-0x00000000078EF000-memory.dmp	upx
behavioral1/memory/1400-459-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2476-484-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-497-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/1400-519-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2476-516-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-523-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-524-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-525-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-526-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-527-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-528-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-967-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-968-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-969-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-970-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-971-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-972-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-973-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-974-0x0000000000400000-0x00000000005FF000-memory.dmp	upx
behavioral1/memory/2864-975-0x0000000000400000-0x00000000005FF000-memory.dmp	upx

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File opened for modification	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	setup.exe
File opened for modification	C:\Windows\system\sservice.exe	setup.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	verclsid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000d7e7eef969b2fb10f5c37ba96447704531d93e0cd3f2f1d2d87aaa10b78431fe000000000e8000000002000020000000ffe632c12287964e49d7cced48d0ca842f50f5e7aa85590f22471f7723d0818c20000000015a8208a97f2183ecba71e969983bc73cae51fc57f2e772a44c59a77372773d400000001277a2fcad0898186a82cda3956b97f9babe0e9bde0902e52e0e9edb75c4ac9a9b0d607edbdae1e460354846724f0f7bc4b87b4062028d92a6edc120ce41ba6f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e9c5c4ca12db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000663597d13037359d9f8674ba09ff9f76e252e63c481e27830f070902bb201e25000000000e8000000002000020000000265964e925e9594211f8da63fe4889e905147a65fac316ae2bb916f68eba60639000000087fcda5df0614a39402823720ac9ca97c714e5ae76b3bd42f68e572f7503fbf909884f99c584833073aacf62ea1a4cc01eede8bc43384d8b4c81bd26d029311965987af45419823c56dda0bca66e830aaad1ea32a8f68faf8ae9274f63a8d70afae9cedf928eac0e1d9994c1b3240770d56c9c29e66baa20e4532e76c80d5835ebb5b09b1c523e7b7bd9edf9c349ac284000000047487289320b979d69a680466291e0462786f311e6ae17d05360bc4c3300cf2783f56761ff19009f1040854934c2f6312868c98fb1c0795a519efdcbc70aa1fc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433815839"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0558D41-7EBD-11EF-8CD4-527E38F5B48B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe
2864	services.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
2808	iexplore.exe
2808	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2864	services.exe
2864	services.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2716	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2716	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2716	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2716	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2808	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2808	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2808	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2808	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2680	2808	iexplore.exe	32
PID 2808 wrote to memory of 2680	2808	iexplore.exe	32
PID 2808 wrote to memory of 2680	2808	iexplore.exe	32
PID 2808 wrote to memory of 2680	2808	iexplore.exe	32
PID 2676 wrote to memory of 1400	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	33
PID 2676 wrote to memory of 1400	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	33
PID 2676 wrote to memory of 1400	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	33
PID 2676 wrote to memory of 1400	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	33
PID 2676 wrote to memory of 1400	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	33
PID 2676 wrote to memory of 1400	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	33
PID 2676 wrote to memory of 1400	2676	ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe	33
PID 1400 wrote to memory of 2476	1400	setup.exe	34
PID 1400 wrote to memory of 2476	1400	setup.exe	34
PID 1400 wrote to memory of 2476	1400	setup.exe	34
PID 1400 wrote to memory of 2476	1400	setup.exe	34
PID 1400 wrote to memory of 2476	1400	setup.exe	34
PID 1400 wrote to memory of 2476	1400	setup.exe	34
PID 1400 wrote to memory of 2476	1400	setup.exe	34
PID 2476 wrote to memory of 2864	2476	fservice.exe	35
PID 2476 wrote to memory of 2864	2476	fservice.exe	35
PID 2476 wrote to memory of 2864	2476	fservice.exe	35
PID 2476 wrote to memory of 2864	2476	fservice.exe	35
PID 2476 wrote to memory of 2864	2476	fservice.exe	35
PID 2476 wrote to memory of 2864	2476	fservice.exe	35
PID 2476 wrote to memory of 2864	2476	fservice.exe	35
PID 2864 wrote to memory of 1928	2864	services.exe	37
PID 2864 wrote to memory of 1928	2864	services.exe	37
PID 2864 wrote to memory of 1928	2864	services.exe	37
PID 2864 wrote to memory of 1928	2864	services.exe	37
PID 2864 wrote to memory of 888	2864	services.exe	38
PID 2864 wrote to memory of 888	2864	services.exe	38
PID 2864 wrote to memory of 888	2864	services.exe	38
PID 2864 wrote to memory of 888	2864	services.exe	38
PID 1928 wrote to memory of 1512	1928	NET.exe	41
PID 1928 wrote to memory of 1512	1928	NET.exe	41
PID 1928 wrote to memory of 1512	1928	NET.exe	41
PID 1928 wrote to memory of 1512	1928	NET.exe	41
PID 1400 wrote to memory of 2576	1400	setup.exe	42
PID 1400 wrote to memory of 2576	1400	setup.exe	42
PID 1400 wrote to memory of 2576	1400	setup.exe	42
PID 1400 wrote to memory of 2576	1400	setup.exe	42
PID 1400 wrote to memory of 2576	1400	setup.exe	42
PID 1400 wrote to memory of 2576	1400	setup.exe	42
PID 1400 wrote to memory of 2576	1400	setup.exe	42
PID 888 wrote to memory of 2804	888	NET.exe	43
PID 888 wrote to memory of 2804	888	NET.exe	43
PID 888 wrote to memory of 2804	888	NET.exe	43
PID 888 wrote to memory of 2804	888	NET.exe	43

C:\Users\Admin\AppData\Local\Temp\ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff8770b20777545c9e03bb7532e5771c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\verclsid.exe
  "C:\Windows\system32\verclsid.exe" /S /C {25336920-03F9-11CF-8FD0-00AA00686F13} /I {00000112-0000-0000-C000-000000000046} /X 0x5
  2⤵
  - System Binary Proxy Execution: Verclsid
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\x3bxj8ey.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\services.exe
      C:\Windows\services.exe -XP
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:888
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\setup.exe.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3d4e0e62f922f66afa9c78537d09c2d

SHA1
9c88c3b7fd16878c12e8afedf4523bcdba22eabd

SHA256
430c8eaded50d5f235625eb69521056f86aecd14f2a0ad35e5e2238e3f9b7dc4

SHA512
4c4a73a25c9acb336e66351b63fef1c212e9b1310f32fd8d405c917f97e9a5c00e6263df96ce07f30407ac804593b2fc293e4148c603c9bb07e6981e2fcc3052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e71441697b7bdce44d8e3c65822617

SHA1
b9473e780944719011f43e155fe9672f4acc4a47

SHA256
31dfb7a288845e0d40ec1edd896bc718ad65048d809fee72204941f0cabb06c4

SHA512
5a0916ca0f98e893dec12fe798ed434642aafb4c4beef408fb8aaf05a2a9e93ddd8473c649aa9687c847834bf06a9a737cbeb01fdbd99dea0f619033f7ec6be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7419c9ceee83b63a67a0ef6cb2346e57

SHA1
4188322535c2f9f4da3a5044a7440c0eb1da4434

SHA256
690feeaadf2ca4f73cf383ee1c7c06eb2a46d92b6a522889d425a6db5245f08c

SHA512
01c4d66dbe74fbb0ed5f16f6940ec763495f5d84e5b91a0b82167e5fad68bc4edf3d29b66aeeed3052b71bc133aa38c385237410da8daafbc0cdc24bd422eb17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
321700fa4c7a5954495b65e987b6e715

SHA1
c71e1bbcc77709683778df8be890eb7fb3a3b1dd

SHA256
91aaacdc0f9f9a54d0f954c8b6a251b9a970d1b5cd61368b0764ae5a5a3f3a42

SHA512
b3985d6a96e0ea7451be16acdb7199dbd7ee434599846ce32a021ccaa88d9062558e8eeb6bec200cfaf47a7a619f00d6fc76406feb4918274d345942d1d37b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66cd8033c757c1aae1e44301c4a11854

SHA1
5df607556bf3186f13e1cd3b589dac49403af454

SHA256
2bd12db21b9b3b2345d8570e61ff2c13713a8464885091fc8c610946d2accecd

SHA512
d367202c0e3acb4f61bd5f9deb63719d439706a3045a06c7821d9b6e280d85b479d0f82260f3c0314c35ced8747a5448c354f94e05a44a84e6d9dfe33eae0643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07bc2fe648b1b572032cb720e09113de

SHA1
953cf7736c8fb07a3d9a372bcac53c5ec538a617

SHA256
556508e528809d08115bb6a66115a96a157349461211237e25da8f56197d2f14

SHA512
2101ed78303dc442cd9225bbf4c2a86581d5e5aee2f60fa9c682fe77a37887bbcaa521101a91193e8807fe835cc300c4deb6a8cdb9a6eec181a70d1c69abdd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6409da4ae9886d2600d29935160ff3a0

SHA1
d43c70f6bb8b2573b5b35917741436c2142f625f

SHA256
e334b347320b44fac55374a2dfb90d7e926071ab7a834e55748700b94cdf57c7

SHA512
87d31e6260cf784e3363032cc7ad07480bc2cb499d47623fd792e872f10f3fabdc8e3737587c3c5b981d1609d9c9472f02c4f8b73b6ba286c5fbdb2bc3c314c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3376690c29fc4fbd3346c8cc9aa8a663

SHA1
4941d5843f2afb4c7d49c585c54b75699620a4a8

SHA256
05404f53622c5fe089dd76e338abb9acc48a806e6e8906a1a9eddb8952112dfb

SHA512
9f1135c28d38ba9d6b6eed20a2e0f4a1479670f3c9eec0d41e4ac16d684298c5dec7521c54677178e9e5ebbfb009ba1f1a66b6ef2eeafeedf76c97d4e5edd91d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0511a715c9f34ef6d94325443e0aa3d0

SHA1
dad824ee0755c2759b29c8c21f8a58c18e687f9b

SHA256
b2a8a394f6883b27172c8f954fdeaf416044fceab9e3ab9bb5ff756c6b77593a

SHA512
cf075a9c1fcd8f9ee22ad76a7b7678d57ab8720b770ef24a9005dc588c6998371638eaa28470404c826a412d7c0965c0118b3ad020eb52d1b109bb3ae11f290b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d81b259ee37f06f0011679569cb5d69

SHA1
24be7fb8c3ba21f25247c5f6f93ee0ffee5420a3

SHA256
e7c54dee389949b21cb017f268698e880eaea45f6cbf12e8c897b92a66aa8828

SHA512
9f561f000bef82ced4d08c27f7032a9b3890297d2a2eb1a5d25acc54de671608db5764d9c655b62a339cac71bab1e45ab4ecd4a2b0263e46769b8991c26c1a8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9324d8ed448c6255a395d57f7ec90bde

SHA1
5f357600d664c7a23b13ca3ac57c99db58aeeeed

SHA256
56f1f163fb7b14025f6cfef0cf5567dca1ebf45d530342c9c855ef67cbd4aaa8

SHA512
72f9adfe0bee6605ab8a44b05a3f4e0bd0714cd60d2251cd57a49734daecca8a55cdb861004ffb68793894f7a68d53323744941ddbfa2ab223cc3ca2a5fb8a1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90c3e6ed3068d24d1a894ace99a0218c

SHA1
8e13c1350dd436d9f07a3a8f587a89141b668e6e

SHA256
a314d28a559072b7853a60146087fb649c38943e154c297b22fd95e4d7b1b186

SHA512
8b0913cb6d6f110e00554e2fb98b626a0547c599bf454eb01b5bd2d30730c21e78f1646f8c2194bfa6879fffb47fbfa34a07a7f6cb8e55b051c298d84a86651a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3fad37e8304c6e00206d87e2bea15ba

SHA1
a6550803f276eced82711e672531848ed767cb19

SHA256
7caa999702a8f787b40f3ba2604d9738b3015d06eea6b8a8125db2b9eb18deea

SHA512
3d01be82846f793af7bcbfb55fbe57827bad73ede2fdba5dc2639669cea67228519eedc6c60270e1b499a1e621e800086eeba8324e454abf4bec75a3c0575638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e43af8f45564bfd1b20403b46e6fc384

SHA1
8c883ea42db9f85745a11fae5520a69e468bb1b7

SHA256
37265cb9c00bb905ce902bd63cdfe75232e3fdc5a0980db3bc851b29c1abfb24

SHA512
fb82482e7ccb5e5342e339a0b2254d1d44c967afffa38e0a4dd862aef8ab973a3dfe3cd0754f554fab575ec73b9099e064befaf10fe194c7adb593a2412b4e79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20ed4d3cb74e40e4e16cc81af9fd6620

SHA1
68f6453d6017c95af55bd78aed8530e3d9f10f6b

SHA256
f561a7c7ff78f63d954c29ffd6f67a900f2b6744879ee468a8182212a857dcfa

SHA512
fcc45022788f25f5c4690e8597b219e78ba4f5b846200099f58f6227d8f8497e0097f74002516e4a7ad5de75aa404c7e98b7ee4bef973fb60a63eeeabf2a3946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
490eac1c385f75dedf0021af72978b1e

SHA1
031562c54295a7f8973b9257a8e559575c1ec77d

SHA256
013a291dccabf8da741f2ac1df350567c157fb491f322d1cd582552ffd04750c

SHA512
bd419275e7c295df2d79520957c57e830d5ca8683796de284b38ecb630b519af0ab266b6fbd1c6179eda7437da2ce033fe04e1ee24280e0474022172f35e327d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efe6bfb8dbb357b03773c481957680dd

SHA1
72a11e81e8f269129f45afbba4e83c60db8e25e7

SHA256
e9bc45122f40199e3085a014833a9663a856b25b5221dcc55878efd48314b112

SHA512
e8d5ced0b9b6c79816b2335b0aed404a6f1d0255f71e84a26e3c21acd178242c0ac0824eb59e0bf2b14214974d19358583f541b5f26810abb107643a566ade44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f75c12bc79254003c45a5a66654d13aa

SHA1
7ba88a53f0ac0a744c14d0ea96198465c66a8b17

SHA256
6b1c0be8a474afb1de8e02c03d8eeb32e6b2a995c61760aab5a9d37abf01dfcc

SHA512
0a6f80032222f06f642233bdfb81de2f5bb793180829b07069608d6f68c4e28c9cbf2141f7a19cb1b009a301369f0a2928ea5ee7e9a501126822ac6c8ea93193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9da4b92d29d8ba1d899321e7af6fce5b

SHA1
4bad2b69b01208e3f0ab2133cc147e8ec7ae289d

SHA256
652e2d275fc519c88370ecd10523de2babe435f2c85fdc84c62c4295b1297c95

SHA512
89d0edd5a77c426c7b9527f104f8e00f7da36d80e45a4fba67be827f6f2ffb3ea95befaf709d01b7b60694006e13958a4492d1d944f0dfcf3b6759517a6a1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42AC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar430F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe.bat

Filesize
127B

MD5
8731a5ead9e105684694761850511a80

SHA1
7c24a5045f328099d0a3b369c22d9d88cdd1995c

SHA256
c0d426fafde676aa3232a837ae86651dbc1859227b494c28f33c7d3163589bfe

SHA512
8a7cf7e2e341df98686a57aa69282d390745bda8fd7126db7e99a11c1ed2fde47d82de2f7223fef7c0ccce81b630c6ebd2f85af64bf4a5a28a3ef229b6d04ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x3bxj8ey.gif

Filesize
55KB

MD5
d2992e9ac1afd60e7d81134ad77e1116

SHA1
065f272d630d4af67e0c8d8db657c257a848dd81

SHA256
3c4eb8a1747a819bbd26f14273d3022603b8c66b2650fe1be6b67e03a8bbfc5f

SHA512
08a67bbf62144519eff40816e1e4dd281a0fd7cce3a168d0311f7b9930fce6337edc458e26240911bcc41c0646f4e11d154faee6863203e73ea7eff58aa86ea0

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
341KB

MD5
f15212fed6518991e9b437736f9709d5

SHA1
b6c457b6d3658d06b02339e92f3ae4fa0a91e194

SHA256
a9700be839fe8b8a4a8d6ef075d9d79a078566748558c139bd43ae028f55a95d

SHA512
9cb220aba6215a02d43c8990cf9f23db02533c4af6a4e3b0ad0319f9832632ecfa54f51ad6074cfb22dbacf68e37892ceb231af3385c09645b6ba95a4234d9c0

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
d4a3f90e159ffbcbc4f9740de4b7f171

SHA1
0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

SHA256
2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

SHA512
5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
24KB

MD5
43e7d9b875c921ba6be38d45540fb9dd

SHA1
f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

SHA256
f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

SHA512
2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Download Submit
memory/1400-459-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1400-519-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1400-466-0x0000000000D70000-0x0000000000F6F000-memory.dmp

Filesize
2.0MB

Download
memory/1400-465-0x0000000000D70000-0x0000000000F6F000-memory.dmp

Filesize
2.0MB

Download
memory/1400-483-0x0000000003320000-0x000000000351F000-memory.dmp

Filesize
2.0MB

Download
memory/1400-464-0x0000000000D70000-0x0000000000F6F000-memory.dmp

Filesize
2.0MB

Download
memory/1400-478-0x0000000003320000-0x000000000351F000-memory.dmp

Filesize
2.0MB

Download
memory/2476-485-0x0000000000B00000-0x0000000000CFF000-memory.dmp

Filesize
2.0MB

Download
memory/2476-516-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2476-486-0x0000000000B00000-0x0000000000CFF000-memory.dmp

Filesize
2.0MB

Download
memory/2476-487-0x0000000000B00000-0x0000000000CFF000-memory.dmp

Filesize
2.0MB

Download
memory/2476-484-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2476-496-0x00000000031C0000-0x00000000033BF000-memory.dmp

Filesize
2.0MB

Download
memory/2676-499-0x00000000076F0000-0x00000000078EF000-memory.dmp

Filesize
2.0MB

Download
memory/2676-11-0x0000000004970000-0x0000000004972000-memory.dmp

Filesize
8KB

Download
memory/2676-15-0x0000000006B30000-0x00000000075EA000-memory.dmp

Filesize
10.7MB

Download
memory/2676-448-0x00000000076F0000-0x00000000078EF000-memory.dmp

Filesize
2.0MB

Download
memory/2676-457-0x00000000076F0000-0x00000000078EF000-memory.dmp

Filesize
2.0MB

Download
memory/2676-456-0x00000000076F0000-0x00000000078EF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-497-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-967-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-527-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-526-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-525-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-524-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-523-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-528-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-968-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-969-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-970-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-971-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-972-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-973-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-974-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/2864-975-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download