Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    29/09/2024, 08:01

General

  • Target

    fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe

  • Size

    3.6MB

  • MD5

    fe196add855b16dc1b8e80729610a4e0

  • SHA1

    f44efb48cda5958e5603b36d1a59709a847fc0e7

  • SHA256

    1545645f6c5ecc9f14ee924de8ad3dea051e24a8fca9b34beedf958cae0c1b90

  • SHA512

    78285eb98cefe794720d198509e4ccacfead6546dd0d70594bc137a41c99b6db2d8f5db1a5b674283396165b5fda7a970d34dff376dead59ba67c5e583e2075a

  • SSDEEP

    98304:qGk6+Wzyy2Js1c8YlQvtGSpQVYQahXSj68h761:DtZz9msbEbvVY06CQ

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 21 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Gathers network information 2 TTPs 5 IoCs

    Uses a command-line utility to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\is-HSI9Q.tmp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HSI9Q.tmp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp" /SL5="$400EC,3326047,56832,C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\ex.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1148
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2960
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
          4⤵
          • System Location Discovery: System Language Discovery
          PID:896
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2652
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
        3⤵
          PID:2056
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2408
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
              5⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1784
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
            4⤵
              PID:2404
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
                5⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2412
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2120
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
              4⤵
              • System Location Discovery: System Language Discovery
              PID:408
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
                5⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:1100
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2272
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
              4⤵
                PID:944
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
                  5⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1284
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:1732
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "WINDOWTITLE eq Process Monitor*"
                4⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1704
              • C:\Windows\SysWOW64\find.exe
                find "PID"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1120
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
              3⤵
                PID:1692
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:792
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
                    5⤵
                    • Enumerates processes with tasklist
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2472
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                3⤵
                • System Location Discovery: System Language Discovery
                PID:892
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:3032
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
                    5⤵
                    • Enumerates processes with tasklist
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1124
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2172
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
                  4⤵
                    PID:1668
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
                      5⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:700
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:604
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:2492
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
                      5⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2212
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1244
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
                    4⤵
                      PID:1752
                      • C:\Windows\SysWOW64\tasklist.exe
                        tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
                        5⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2256
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\cmd.bat""
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1256
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1748
                    • C:\Windows\SysWOW64\NETSTAT.EXE
                      netstat -na
                      4⤵
                      • System Location Discovery: System Language Discovery
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2068
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /C:":5900 "
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2424
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /C:"ESTABLISHED"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:3060
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2352
                    • C:\Windows\SysWOW64\NETSTAT.EXE
                      netstat -na
                      4⤵
                      • System Location Discovery: System Language Discovery
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2824
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /C:":5901 "
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:3068
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /C:"ESTABLISHED"
                      4⤵
                      • System Location Discovery: System Language Discovery
                      PID:2280
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
                    3⤵
                      PID:2720
                      • C:\Windows\SysWOW64\NETSTAT.EXE
                        netstat -na
                        4⤵
                        • Gathers network information
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2728
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /C:":5902 "
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:2324
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /C:"ESTABLISHED"
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:2052
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
                      3⤵
                        PID:2792
                        • C:\Windows\SysWOW64\NETSTAT.EXE
                          netstat -na
                          4⤵
                          • Gathers network information
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2636
                        • C:\Windows\SysWOW64\findstr.exe
                          findstr /C:":5903 "
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:2780
                        • C:\Windows\SysWOW64\findstr.exe
                          findstr /C:"ESTABLISHED"
                          4⤵
                            PID:2828
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
                          3⤵
                            PID:2748
                            • C:\Windows\SysWOW64\NETSTAT.EXE
                              netstat -na
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Gathers network information
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2988
                            • C:\Windows\SysWOW64\findstr.exe
                              findstr /C:":5904 "
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2668
                            • C:\Windows\SysWOW64\findstr.exe
                              findstr /C:"ESTABLISHED"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2628
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                            3⤵
                              PID:2684
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:476
                                • C:\Windows\SysWOW64\tasklist.exe
                                  tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
                                  5⤵
                                  • Enumerates processes with tasklist
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2624
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                              3⤵
                                PID:2980
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2656
                                  • C:\Windows\SysWOW64\tasklist.exe
                                    tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
                                    5⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1576
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:3028
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1948
                                  • C:\Windows\SysWOW64\tasklist.exe
                                    tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
                                    5⤵
                                    • Enumerates processes with tasklist
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1056
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:2972
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2960
                                  • C:\Windows\SysWOW64\tasklist.exe
                                    tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
                                    5⤵
                                    • Enumerates processes with tasklist
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2680
                              • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe
                                "C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
                                3⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                PID:1260
                                • C:\Users\Admin\AppData\Local\Temp\is-JVE35.tmp\gentlemjmp_irow.tmp
                                  "C:\Users\Admin\AppData\Local\Temp\is-JVE35.tmp\gentlemjmp_irow.tmp" /SL5="$1F01EE,2930134,56832,C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
                                  4⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:3036
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\ex.bat""
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2564
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\ex.bat
    Filesize
    786B
    MD5
    36cd538e59563dd6dfaaf744a718612e
    SHA1
    6c02de74a7ff4db0b3c5cacb5443211147c5427f
    SHA256
    3b72290ba3027448f40e3c64d19be827366731ae2369c87989a60269415fcf54
    SHA512
    caf38e1ed469201e35e2623d48bde8cad5eae8d6a983fa8afbc42cd3dfa6791e34b48f6eb5a50d730b7fb71749b5fdd621e3f5ad291c82395c3d78347e1cb607

  • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd
    Filesize
    128B
    MD5
    dae8768bbb8a4fddc4dca8eae7c4d65f
    SHA1
    385ffb932fcff489392536d62e291ed9e0beea98
    SHA256
    ca1bf4fe8a59a31f06a4f2d975671fbb2eeca33d40b0c35318f2131a118754cf
    SHA512
    492feada84b7064547bd6d22ed13cf6949156eb3daa9af5aa9c3da44dd6ac7e540904c494de14a7858d498944ab51c7525caac3c9aa933d1e55ca35442c075b6

  • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd
    Filesize
    118B
    MD5
    f0315949ccc3d22d958503f5735cfbcc
    SHA1
    883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0
    SHA256
    201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d
    SHA512
    aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251

  • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd
    Filesize
    144B
    MD5
    e902b4bcf5b531d057d091d00be3daee
    SHA1
    0cd058fcfab51dbfe91b139dc52245d5a4326f55
    SHA256
    9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3
    SHA512
    5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11

  • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd
    Filesize
    128B
    MD5
    6a745081c62a706c014a876f45b5a56b
    SHA1
    25f17fcc50dd202d2381c00970e2dc04c2ad9707
    SHA256
    e9f9690b327cf24e6c260f93232dd4b961d82a709c16589ba72aabcdba0c039c
    SHA512
    a420efa894ef6fedad4fafd5e15042f947ff96a169031b7299afeba797bcaefa675508f72f57bfa8452a35d61314a544e26bc535ddb61a0cdfdca03c07ae372f

  • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd
    Filesize
    126B
    MD5
    110d64c0e450ff59542f81690a2d53b7
    SHA1
    7f2e989deb095a0530792989e5fa9d7279d5f3e7
    SHA256
    735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e
    SHA512
    00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34

  • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd
    Filesize
    120B
    MD5
    c842d438cebab4b876572a8bc032aabe

                            SHA1

                            e95c7d4e2f6246daba6f0baec8e1b94c91384c4d

                            SHA256

                            ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218

                            SHA512

                            aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            126B

                            MD5

                            8fec1ab28e8ee7394915990458fb85dc

                            SHA1

                            c70e183a783a9621cd64584de99f8163deb40872

                            SHA256

                            b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd

                            SHA512

                            c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            132B

                            MD5

                            410515fbd7d2a2b4fab0fb80c76c2a74

                            SHA1

                            f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893

                            SHA256

                            6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99

                            SHA512

                            f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            132B

                            MD5

                            97cc4c6dda23b9631b8c9185859ad061

                            SHA1

                            5f912a6c094bd918afe5e9f0c70cd45b36dff722

                            SHA256

                            55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8

                            SHA512

                            cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            130B

                            MD5

                            0cbb771b9f9523adb96d5bae77154a05

                            SHA1

                            528330a335047039ab012b01bb7a3f585e6f5a8d

                            SHA256

                            4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e

                            SHA512

                            41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            122B

                            MD5

                            b921f2f9f97a642d513e1307f7685e0f

                            SHA1

                            3489b63a484a6114f1828100908bbbc622b07ed1

                            SHA256

                            953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc

                            SHA512

                            1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            126B

                            MD5

                            b35e8ab65e7f8a4edb3663885f775681

                            SHA1

                            49b66b2e3cff64dd7d8315c53d852c19a46e8609

                            SHA256

                            9b78165c2b44ba6675654f776e34815c19482a84c87e6a7dc9d1a68d3d5a5e53

                            SHA512

                            3ec1fad817117f00f620103666b1caa2ece51b9cc1a9b3fb2142d57aedc745e9bc69608e0cb2a2eff1879c7ad6741b66751049020620bac8659598080404adcc

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            118B

                            MD5

                            f1b6aae3dcd94b94aee326517e3dc583

                            SHA1

                            3418fdda1ad30df64d7bac068e1a0c4e305cfd75

                            SHA256

                            a02aa2b143a8e126b1a044e1f036a912a0ac134e8e1f56836805b15819e43f6b

                            SHA512

                            dae27c24d2ef685e4f968dcd91cda18bfa605fd924b1bf928307107630bd671d6623e78451d3f397dfc93cc4e1c0f74c25e962b5669e2350a79b72ec061ec1ba

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            120B

                            MD5

                            d93cc818d32f755945cddfc02b29fb89

                            SHA1

                            fc564e791326d269d005c894cfca674352dae814

                            SHA256

                            c3fabcab01d67640320ce0a5354e4fc6a7832beebe2e9a7610f43614eefce32c

                            SHA512

                            62c20691da188a45b59c468826706ed47ad285d9e23996b714c03b4c639d87d93b57e22f9e4504be42a742ee4c64657d87565f9ce65b677d05f66d0bbef0e0d5

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            122B

                            MD5

                            660d266764b1952b43431d6c7dc0dfa9

                            SHA1

                            809794738d6ca580d6ec14e77a717e831b0d0e5c

                            SHA256

                            e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5

                            SHA512

                            6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            122B

                            MD5

                            59a8010aab7eb203cd9fda8f6be1beca

                            SHA1

                            b9a07636b921183c88880320294e279c935cddd7

                            SHA256

                            2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba

                            SHA512

                            26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            122B

                            MD5

                            a59dd0f9883ea39c5119831b0eed46cc

                            SHA1

                            8c9354051f7d92310636f0f17e5770aede9d1ad3

                            SHA256

                            ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493

                            SHA512

                            4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            122B

                            MD5

                            32b997a9d994996a4369a580e6541b7d

                            SHA1

                            d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1

                            SHA256

                            39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8

                            SHA512

                            f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            146B

                            MD5

                            f0b99c1273d3787f7769feb4d56e6803

                            SHA1

                            6105232df9585072be8ca04712f8760812943cbf

                            SHA256

                            176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d

                            SHA512

                            73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

                            Filesize

                            138B

                            MD5

                            755c6764b8ecbb83798450705f51510f

                            SHA1

                            deb141c4fc3220f0ff5c16eabf1adf850bf55610

                            SHA256

                            cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016

                            SHA512

                            a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\av.txt

                            Filesize

                            24B

                            MD5

                            f8f8258012893e0a2c957d226bdd7587

                            SHA1

                            ed482b5f912ef2d31e2b231df6b6e3b64967390c

                            SHA256

                            c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

                            SHA512

                            6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\cmd.bat

                            Filesize

                            81B

                            MD5

                            c1a281bc192d835fb5039af1444e4495

                            SHA1

                            41986e235e2004d634ecac3690876cf0bda7083f

                            SHA256

                            97762769b307aaa4f23972f0a9cbb3f143195a868158c7981b58bbe80bf01cd9

                            SHA512

                            0872a60c2d5f9351e88485fb55e51171923c5f3a6af851f04334a849275aa395b5382e6351d6c096d99850b71fc60bad681db35cf4780ab81f54b63abca1121c

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\ex.bat

                            Filesize

                            786B

                            MD5

                            ee9522d27f49ed7147090bf8df0e2523

                            SHA1

                            efde2595427165f15ec21db1cff9855ec4233204

                            SHA256

                            0e00f23568eec284372ef9dfc6b426f903b7d436e71037ef12cae76313c5a350

                            SHA512

                            bc206f483396674fd4973ae5b85c72bf3abc01d7ca639d52255e0464f75f2caf5386710f5d0fd1c2fdb21d5d13c583324e980c4946764156cc9461e95c892595

                          • C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\favicon.ico

                            Filesize

                            10B

                            MD5

                            f0b81e3ecd1b5d144558da07bece8803

                            SHA1

                            9ee5bf12a207859d89dc893b8d02bd5c739edb52

                            SHA256

                            dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1

                            SHA512

                            774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6

                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                            Filesize

                            7KB

                            MD5

                            8b6af927c2382693c72a0cdfada13697

                            SHA1

                            1e1475132b56e71d45e108f28fff39d8d73233c6

                            SHA256

                            8fc3646aa6d6aec5874004005a7e6e2c423517f46662a0e6a0aa15f0052415a8

                            SHA512

                            af17135e38537dc71e4a4ca11e87e68d7c6da2313d83feec7f695f37b0e41319c0ed8baada5c5ecf0cb58b404f0ffb622fdb995822d671eb767c90edec67ba5e

                          • \Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\innocallback.dll

                            Filesize

                            63KB

                            MD5

                            1c55ae5ef9980e3b1028447da6105c75

                            SHA1

                            f85218e10e6aa23b2f5a3ed512895b437e41b45c

                            SHA256

                            6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

                            SHA512

                            1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

                          • \Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\isskin.dll

                            Filesize

                            385KB

                            MD5

                            92c2e247392e0e02261dea67e1bb1a5e

                            SHA1

                            db72fed8771364bf8039b2bc83ed01dda2908554

                            SHA256

                            25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68

                            SHA512

                            e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5

                          • \Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\itdownload.dll

                            Filesize

                            200KB

                            MD5

                            d82a429efd885ca0f324dd92afb6b7b8

                            SHA1

                            86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

                            SHA256

                            b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

                            SHA512

                            5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

                          • \Users\Admin\AppData\Local\Temp\is-HSI9Q.tmp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp

                            Filesize

                            691KB

                            MD5

                            9303156631ee2436db23827e27337be4

                            SHA1

                            018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

                            SHA256

                            bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

                            SHA512

                            9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

                          • \Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\_isetup\_shfoldr.dll

                            Filesize

                            22KB

                            MD5

                            92dc6ef532fbb4a5c3201469a5b5eb63

                            SHA1

                            3e89ff837147c16b4e41c30d6c796374e0b8e62c

                            SHA256

                            9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                            SHA512

                            9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                          • \Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe

                            Filesize

                            3.1MB

                            MD5

                            73c268bbbcf0210b4d1934f7825cac9e

                            SHA1

                            3fda7eaf519a812cff0dd096237791a54287ba57

                            SHA256

                            5ccf34bc8359ab18d938a4deada58b03138849340e9f30424d578b2b2bdc2e54

                            SHA512

                            ecb28b96b032581a69b7738b1a9531a2a0409d35f39a422bfcbb62912cb30538372bc698c3603889a6bf884e3c63d021db896d60b7e2fc12abd2b362b1a6bc37

                          • memory/1260-70-0x0000000000400000-0x0000000000414000-memory.dmp

                            Filesize

                            80KB

                          • memory/1260-108-0x0000000000400000-0x0000000000414000-memory.dmp

                            Filesize

                            80KB

                          • memory/1644-109-0x0000000000400000-0x00000000004BD000-memory.dmp

                            Filesize

                            756KB

                          • memory/1644-10-0x0000000000400000-0x00000000004BD000-memory.dmp

                            Filesize

                            756KB

                          • memory/2420-3-0x0000000000401000-0x000000000040B000-memory.dmp

                            Filesize

                            40KB

                          • memory/2420-0-0x0000000000400000-0x0000000000414000-memory.dmp

                            Filesize

                            80KB

                          • memory/2420-111-0x0000000000400000-0x0000000000414000-memory.dmp

                            Filesize

                            80KB

                          • memory/3036-106-0x0000000001ED0000-0x0000000001EE5000-memory.dmp

                            Filesize

                            84KB

                          • memory/3036-105-0x0000000003940000-0x000000000397C000-memory.dmp

                            Filesize

                            240KB

                          • memory/3036-104-0x0000000000400000-0x00000000004BD000-memory.dmp

                            Filesize

                            756KB

                          • memory/3036-93-0x0000000001ED0000-0x0000000001EE5000-memory.dmp

                            Filesize

                            84KB

                          • memory/3036-89-0x0000000003940000-0x000000000397C000-memory.dmp

                            Filesize

                            240KB
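The listing above is what an analyst usually works from when they only have the report and a suspect file: the dropped-file digests and the memory-region names. The script below is an added example, not part of the Triage report or of Triage itself. It parses a constructed excerpt laid out like the listing (the favicon.ico digests and the two memory/… names are copied from the report; the excerpt and every function name are mine), checks that a memory dump's reported size matches its hex address range, and matches a file's digests against the parsed indicators. Only SHA-256/SHA-512 should be trusted for a positive match; MD5 and SHA-1 are kept because the report lists them and they are what older feeds still carry.

```python
"""Parse a Triage-style dropped-file / memory-dump listing and match digests."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt mirroring the report layout: a bullet with the path,
# then label/value pairs separated by blank lines. Digest values are copied
# from the report entries for favicon.ico and the two memory dumps.
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\favicon.ico

  Filesize

  10B

  MD5

  f0b81e3ecd1b5d144558da07bece8803

  SHA1

  9ee5bf12a207859d89dc893b8d02bd5c739edb52

  SHA256

  dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1

• memory/2420-3-0x0000000000401000-0x000000000040B000-memory.dmp

  Filesize

  40KB

• memory/3036-89-0x0000000003940000-0x000000000397C000-memory.dmp

  Filesize

  240KB
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
DIGEST_LABELS = ("md5", "sha1", "sha256", "sha512")
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass
class Artifact:
    path: str
    size: int                                  # bytes as reported (Triage rounds to KB/MB)
    digests: Dict[str, str] = field(default_factory=dict)  # label -> lowercase hex
    pid: Optional[int] = None                  # memory dumps only
    start: Optional[int] = None
    end: Optional[int] = None


def parse_size(text: str) -> int:
    """'10B' -> 10, '80KB' -> 81920. Fractional MB values are rounded down."""
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_report(text: str) -> List[Artifact]:
    """Split the flattened listing into Artifact records."""
    items: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            items.append([line[1:].strip()])   # new entry: the path
        elif items:
            items[-1].append(line)             # label or value of the open entry
    artifacts = []
    for path, *fields in items:
        art = Artifact(path=path, size=0)
        for label, value in zip(fields[0::2], fields[1::2]):
            key = label.lower()
            if key == "filesize":
                art.size = parse_size(value)
            elif key in DIGEST_LABELS:
                art.digests[key] = value.lower()
        m = MEM_RE.match(path)
        if m:
            art.pid = int(m.group(1))
            art.start, art.end = int(m.group(3), 16), int(m.group(4), 16)
        artifacts.append(art)
    return artifacts


def region_length(art: Artifact) -> Optional[int]:
    return art.end - art.start if art.start is not None else None


def size_consistent(art: Artifact) -> bool:
    """Memory dumps: the reported size must equal the address-range length."""
    length = region_length(art)
    return length is not None and length == art.size


def digests_of(data: bytes) -> Dict[str, str]:
    """Compute the four digests the report lists, keyed like Artifact.digests."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_LABELS}


def match(digests: Dict[str, str], artifacts: List[Artifact]) -> List[Artifact]:
    """Entries whose every listed digest agrees; memory dumps (no digests) never match."""
    return [a for a in artifacts
            if a.digests and all(digests.get(k) == v for k, v in a.digests.items())]
```

To triage a file, feed it in with `match(digests_of(open(p, "rb").read()), parse_report(report_text))`; an empty list means none of the listed drops has those digests, which is the normal outcome for a sample that merely shares a filename such as CheckProc.cmd with the report.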