766e9e0e14e32a95b93163f40c769b2561dd3cb25401cdab194aaed3f9d19573

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 02:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Size

1.9MB
MD5

54f2e5ca39c18570823074d876aa264d
SHA1

d620cf89f3471f114be18bd7a6170e9160e6024d
SHA256

766e9e0e14e32a95b93163f40c769b2561dd3cb25401cdab194aaed3f9d19573
SHA512

36a0860bcd941b68339d49127124d1a002f62b7ce9edf774b77200f208a1ee75c13820fa5df97305c736789d82b83a5262021d0b6890cfc04361af9af1d3c4fa
SSDEEP

49152:s28QbBnW5oGvmx4UJASuA4wDinashps9AzV1pCh9mLsmv:CSBnW5d+lub3asPs9S7pcry

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1340	gamevance32.exe

Loads dropped DLL 3 IoCs

pid	Process
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
1340	gamevance32.exe
3640	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gamevance = "C:\\Program Files (x86)\\Gamevance\\gamevance32.exe a"	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gamevance\gvtl.dll	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevancelib32.dll	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gamevance32.exe	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvun.exe	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\ars.cfg	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Gamevance\ars.cfg	gamevance32.exe
File created	C:\Program Files (x86)\Gamevance\icon.ico	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Gamevance\gvff.tmp	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gamevance32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	gamevance32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	gamevance32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\ = "GamevanceText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\AppID = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\ = "GamevanceText.Linker.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ = "Gamevance Text"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\ = "Gamevance Text"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\ = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\ = "{014C4232-6904-47B9-9144-7E0FB7277444}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\ = "GamevanceText.Linker.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\ = "GamevanceText.Linker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\ = "C:\\Program Files (x86)\\Gamevance\\gvtl.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe
2120	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 2256	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	93
PID 5104 wrote to memory of 2256	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	93
PID 5104 wrote to memory of 2256	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	93
PID 2256 wrote to memory of 1340	2256	cmd.exe	95
PID 2256 wrote to memory of 1340	2256	cmd.exe	95
PID 2256 wrote to memory of 1340	2256	cmd.exe	95
PID 5104 wrote to memory of 4888	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	96
PID 5104 wrote to memory of 4888	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	96
PID 5104 wrote to memory of 4888	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	96
PID 4888 wrote to memory of 3640	4888	cmd.exe	98
PID 4888 wrote to memory of 3640	4888	cmd.exe	98
PID 4888 wrote to memory of 3640	4888	cmd.exe	98
PID 5104 wrote to memory of 2120	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	102
PID 5104 wrote to memory of 2120	5104	54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe	102
PID 2120 wrote to memory of 1516	2120	msedge.exe	103
PID 2120 wrote to memory of 1516	2120	msedge.exe	103
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 1580	2120	msedge.exe	104
PID 2120 wrote to memory of 548	2120	msedge.exe	105
PID 2120 wrote to memory of 548	2120	msedge.exe	105
PID 2120 wrote to memory of 4472	2120	msedge.exe	106
PID 2120 wrote to memory of 4472	2120	msedge.exe	106
PID 2120 wrote to memory of 4472	2120	msedge.exe	106
PID 2120 wrote to memory of 4472	2120	msedge.exe	106
PID 2120 wrote to memory of 4472	2120	msedge.exe	106
PID 2120 wrote to memory of 4472	2120	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54f2e5ca39c18570823074d876aa264d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files (x86)\Gamevance\gamevance32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Program Files (x86)\Gamevance\gamevance32.exe
    "C:\Program Files (x86)\Gamevance\gamevance32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Gamevance\gvtl.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gamevance.com/aj/ty.php?p=srKz%2F8T1wsH0srLCtOfU5dX64LL08rS3%2F7bHxsWwu7KxxcXFtcW3sv%2Bj%2F7Ozs7Ozs7Oz%2F8zI
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde12d46f8,0x7ffde12d4708,0x7ffde12d4718
    3⤵
    PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
    3⤵
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    PID:548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:1300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
    3⤵
    PID:3848
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
    3⤵
    PID:3904
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
    3⤵
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    3⤵
    PID:364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
    3⤵
    PID:3256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,13066870562782393553,14896413812690074633,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2720 /prefetch:2
    3⤵
    PID:688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
95B

MD5
265aaba5ccfdf44d8c7d7520ce85984f

SHA1
9f668f69220549f0f356d56357aa5d1ecd883741

SHA256
1d103f8d161db1e314a3d885ddfa56f01414fa5cc473749dca432781240aca91

SHA512
bdeae4654485f7da28c2af77f9c328ca68c4a9bc88295bb87d3b9e9522eaaa77430de6a972d1f68915fdd35130df0fca8abbceabed6eecd43e4948ef793464d3

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
107B

MD5
0a7772a6a3ad431f01d85cd7fcd12811

SHA1
521e21b88225a71d28c0768abfa72548e774bf1a

SHA256
c39cd6a2a8ed43e7e81ee95a26d29728f2246a2b4a557f03fb1cd150ce113b6b

SHA512
1f00b32cbcd20638e956df8d50971eddc5ca536e870af22d491779799254b61f5ed66c51dbdc029631e5af8befccbd27841d18403f076de8bd7586b90b654b36

Download Submit
C:\Program Files (x86)\Gamevance\ars.cfg

Filesize
164B

MD5
f13cfc05fa70953ce8f5c24e831e662d

SHA1
b7db4fce11b0a0be2eb6530e5cc37ad8f756f266

SHA256
52dbdfd5a041341621b8552d4405092339d61152875b41e39fbf7923516139c6

SHA512
b9817359aec6a69d349d30d0fb33c701344caa890c4df897128f0b0a7b3b0494ed6167cf32389e55074635b2032f21c35411997f0cc5c525f131242f2369ab04

Download Submit
C:\Program Files (x86)\Gamevance\gamevance32.exe

Filesize
234KB

MD5
a8914792007dd3e672e0807b954acc67

SHA1
9ff0aa7b9da398e3e56db322a5006b3fff1fc6d3

SHA256
09a2498fef11178ac473e323eee86f5b7aec7e4656d0203ca77be3003dce00a9

SHA512
d6b9a27e230e0c64284230fc4a73df68b2c9b32e7a8f0f161dbfedb784a78ba747e38988159ce473a96e7a87b8571a94524383cbd8bf725b9824a80a0a0e0d6f

Download Submit
C:\Program Files (x86)\Gamevance\gamevancelib32.dll

Filesize
223KB

MD5
1d16921e59f55a0703ffce0ba0624638

SHA1
a2c7060f7f8d2e74063a8ca9599e44470d757a0b

SHA256
7e5484c756763e12d5e1befe3a0147a5dd3a9db428d49771836f6f797d872f97

SHA512
dc654fb44b3a1b77e0b575ed6f1014135ba6262fe7dbb1f22cbc9346d11d902591027e3ae85e6127e05ba586cb082be3d4d32f776fe7116973b36288b4ec746b

Download Submit
C:\Program Files (x86)\Gamevance\gvtl.dll

Filesize
154KB

MD5
c6ecec4f180f5cf57a13e338015dc0a2

SHA1
dfab483824956bddd46e61b5f6db3536fcc0ac64

SHA256
ae939f3c64886fe24081c1070e3a7eaf04f2864db451e682efd1ff5cf546d007

SHA512
a878b12487e5062441e2f23c7a72f9eec23e590e80db60c9c6c03e270e7e6283c951663adf7212ecbd649bdabf62b09ce1ae827b4d0b0a54c924aa129ebda72d

Download Submit
C:\Program Files (x86)\Gamevance\gvun.exe

Filesize
256KB

MD5
9ec1de7e9ca5de7ddf4b9f2897f795fd

SHA1
ef65a1b1b97b7cb8bd236774332d36e019df1777

SHA256
10164d1954b6b418c27a174a46b1af62bd0e1e3be257a5f1d16cc7b373fb5f1c

SHA512
3b2c859ac867a8250af40d0fa76c47f2e6592532a992cc3f65e96a272cc0e080aa103ab821de45170033024cc1bf2abb30acfa3f8e177a376fd37e42009affcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
df46dd534f24f1a694c742e13d044dd4

SHA1
ad6703bac5f33442c8ddd396e66a771487248c17

SHA256
8667a38e23ef22daf532e98d027da2ae094ff258833e65b58054535748773aaf

SHA512
1bcaf4be7308511c05d4d90478609081f604c88de6dd683abd3568541ac7bdf9b53eaf7d0d9e78e5acae73ac0026886d526bbb932b349d115c91fe5a4f2336f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
686B

MD5
8671073dc70eb7c2c8344376ff9c825f

SHA1
3c230efd98cf242e4fe9a242b2300e1236e0736d

SHA256
9b4632a3c13469674f8557b932eff2c5484683568db13ff0a6eec22b070d3563

SHA512
27cbbfb9019ed7f5a0ca80420b4314013aa4872765fe6172e337ecf6fbabb46a5ba5572e89bea5183bfb9ba223019e61837e1136d09f10d8cf795897d01b045a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ac3d24fbb13d65ec3204f039270f06c

SHA1
a94c90264381bbd096e1f148b172bbc87546c6a7

SHA256
f7fa844f4c4aafc9b09aca3fedff9050b1b815a8df615ee9dcddeea7a3361b70

SHA512
630e48a54911eb6c22e550afa64c44cfd3d3f6b7abdab32a1f994eb4ff215762d415f863e274c9926b536c7e5069b8b23ee12b1749c5116c4c0638d3f0355431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
504aacc44984cbeaf9e8df8517710674

SHA1
e08d56ee885f47b35f6c64064e3512ee4836eab3

SHA256
751ea8bb859f7f42f0e6ca25f650052c7487f6daceddc4a990cb487e3384393d

SHA512
4474b50a2b5f98b61fcb35e2ee14139a0621100c305171caaf72c4d67d43925922513433066344ae69c92cee8f2805484fe27b07b34c4cd43bda33f7a03b2ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
6edf4fed9e804b7b8df3fdb7e6c2b73b

SHA1
97371236859f949b9e481fd67f345a1780f6ee5f

SHA256
273028d93b828fff3e0d3dce557b04aeffcb63d1ef8482242b9ae37a5f387fc8

SHA512
695358d657ff58d6035ca545395529ad5c4cb39c4234015d997e2649d00dfb0ea697683b40bb7a3484ed4cfd96db2ae5a8a936e78fda25e266e7b8dbc233218f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581fc8.TMP

Filesize
704B

MD5
8e34c665c405e4134e27fb6f4a62238a

SHA1
1dd830e6b27c330d7cea045ef9ce2c786de0bf9d

SHA256
36c0ce82d3a645ca5b18633b32090e2b08fc2bd8b9c605e6d44a29e41a571244

SHA512
c71def100d29a9252dcd8b5fa3f66cfca028785f41c4fee3d8c2e84daa4ea7882858c10c80fbf6469665e7257af9accec70fe77ce97709b2288d017c39f82bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c6e60f3e80f1250d38bf9fb6d28a6c31

SHA1
a16b631a73de590dcd6666adb740c276f30d3821

SHA256
9e2bd61dc8a0f5d2949c771e071cea5dcecf6ca755907f51dff2c51e914a5cc0

SHA512
ca621d94aa6d97cb9bc459d3efa0dc0c81d2ecc9d578bbf9b009a32bbdfb201f9e1b24840d71b1cfead725c98bb8b5dd217ac04a6fd90f7782d9636f403dec41

Download Submit
memory/1340-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1340-39-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/1340-40-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5104-167-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/5104-0-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/5104-10-0x0000000067000000-0x0000000067044000-memory.dmp

Filesize
272KB

Download
memory/5104-82-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/5104-62-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/5104-1-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download