cybergate | 3c661019453cf93635be2e5d07d2c843c93418ea1bdaf79b4fd24146fa1c4a9f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Size

782KB
MD5

da957e71f1bccec9c5306f6af4949c90
SHA1

4b27f6a6dfe5cc4a10c8aeddd957718d70202a6f
SHA256

3c661019453cf93635be2e5d07d2c843c93418ea1bdaf79b4fd24146fa1c4a9f
SHA512

6af014467b1e33cca383eda6e333f35ae6c4052b5652e2c4c03d70250140673915ed17c9608f8952bb092c1ff04567eaa0011a3a887e5873c85533ffa9adf899
SSDEEP

12288:GJleeDzwso7HSUoP/ROnLFncCY1jMDe0xaf8eG6MvunVM7ET/lMM:GJleeDzwsomrP/snaPMKDf8HcnWgaM

Score

10^/10

cybergate 28may2 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

28MAY2

diren.no-ip.biz:1011

Mutex

KI-N11R-1837-T4E7-8X45MD3A153H}dfdfd

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
License
install_file
Licenskey.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
osman123
regkey_hkcu
VGE Licence
regkey_hklm
VGE Licence

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}\StubPath = "C:\\Windows\\system32\\License\\Licenskey.exe"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}	Licenskey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\License\\Licenskey.exe Restart"	Licenskey.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{516728KI-N11R-1837-T4E7-8X45MD3A153H}\StubPath = "C:\\Windows\\system32\\License\\Licenskey.exe Restart"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Licenskey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Licenskey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Licenskey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Licenskey.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Licenskey.exe

Executes dropped EXE 7 IoCs

pid	Process
824	Licenskey.exe
64	Licenskey.exe
964	Licenskey.exe
4980	Licenskey.exe
3120	Licenskey.exe
1648	Licenskey.exe
1632	Licenskey.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Windows\\system32\\License\\Licenskey.exe"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Windows\\system32\\License\\Licenskey.exe"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Users\\Admin\\AppData\\Roaming\\License\\Licenskey.exe"	Licenskey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Users\\Admin\\AppData\\Roaming\\License\\Licenskey.exe"	Licenskey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Windows\\system32\\License\\Licenskey.exe"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VGE Licence = "C:\\Windows\\system32\\License\\Licenskey.exe"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\License\Licenskey.exe	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\License\Licenskey.exe	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\License\Licenskey.exe	Licenskey.exe
File opened for modification	C:\Windows\SysWOW64\License\Licenskey.exe	Licenskey.exe
File created	C:\Windows\SysWOW64\License\Licenskey.exe	Licenskey.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 1504	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	84
PID 64 set thread context of 964	64	Licenskey.exe	96
PID 1648 set thread context of 1632	1648	Licenskey.exe	108

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1504-51-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1504-54-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1504-60-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1504-62-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/1504-67-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/1504-70-0x0000000024160000-0x00000000241C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1600	3860	WerFault.exe	85
3516	1184	WerFault.exe	90
424	812	WerFault.exe	99
3940	1632	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Licenskey.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\InprocServer32\ThreadingModel = "Apartment"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\TypeLib\ = "{438EDB38-282C-435D-8BE3-4AB90B83CEF5}"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\Version	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}	Licenskey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\KQMalymdYnkk = "AnVfBeSDc\\OmZnE\x7fYu^IQNi@BAPw\|HeDk\\TSq\x7fD[^~IC@WWtgd@O}LDPJUHy]@n_\|IOsqr_\|roEtAb@\\Krm\x7f"	Licenskey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\InprocServer32\ = "C:\\Windows\\SysWOW64\\puiobj.dll"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\KQMalymdYnkk = "AnVfBeSDc\\OmZnE\x7fYu^IQNi@BAPw\|HeDk\\TSq\x7fD[^~IC@WWtgd@O}LDPJUHy]@n_\|IOsqr_\|r\x7fEtAbBlAdmB"	Licenskey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\ = "PrintersCacheManager Class"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}	Licenskey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Licenskey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\InprocServer32	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\TypeLib	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\Version\ = "1.0"	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\KQMalymdYnkk = "AnVfBeSDc\\OmZnE\x7fYu^IQNi@BAPw\|HeDk\\TSq\x7fD[^~IC@GWtgd@O}\\DPJUHy]@n_\|IOsqr_\|r_EtAb@]rOFz"	Licenskey.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}\KQMalymdYnkk = "AnVfBeSDc\\OmZnE\x7fYu^IQNi@BAPw\|HeDk\\TSq\x7fD[^~IC@GWtgd@O}\\DPJUHy]@n_\|IOsqr_\|rOEtAbBmxYFG"	Licenskey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F8FF1C9-CB2E-6881-DD36-5322C841A5D4}	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1504	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
1504	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
964	Licenskey.exe
964	Licenskey.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4980	Licenskey.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: 33	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: 33	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
Token: 33	64	Licenskey.exe
Token: SeIncBasePriorityPrivilege	64	Licenskey.exe
Token: 33	64	Licenskey.exe
Token: SeIncBasePriorityPrivilege	64	Licenskey.exe
Token: SeDebugPrivilege	4980	Licenskey.exe
Token: SeDebugPrivilege	4980	Licenskey.exe
Token: 33	1648	Licenskey.exe
Token: SeIncBasePriorityPrivilege	1648	Licenskey.exe
Token: 33	1648	Licenskey.exe
Token: SeIncBasePriorityPrivilege	1648	Licenskey.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1504	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
64	Licenskey.exe
1648	Licenskey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 1156 wrote to memory of 1504	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	84
PID 1156 wrote to memory of 1504	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	84
PID 1156 wrote to memory of 1504	1156	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	84
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1156	2288	da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe	83

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe"
    3⤵
    - Checks BIOS information in registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1504
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 732
        6⤵
        Program crash
        
        PID:1600
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 736
        6⤵
        Program crash
        
        PID:3516
    - - C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\da957e71f1bccec9c5306f6af4949c90_JaffaCakes118.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3660
      - C:\Windows\SysWOW64\License\Licenskey.exe
        
        "C:\Windows\system32\License\Licenskey.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\License\Licenskey.exe
        
        "C:\Windows\system32\License\Licenskey.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:64
        
        C:\Windows\SysWOW64\License\Licenskey.exe
        
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 732
        10⤵
        Program crash
        
        PID:424
        
        C:\Windows\SysWOW64\License\Licenskey.exe
        
        "C:\Windows\SysWOW64\License\Licenskey.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\License\Licenskey.exe
        
        "C:\Users\Admin\AppData\Roaming\License\Licenskey.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\License\Licenskey.exe
        
        "C:\Users\Admin\AppData\Roaming\License\Licenskey.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\License\Licenskey.exe
        
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 712
        13⤵
        Program crash
        
        PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3860 -ip 3860
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1184 -ip 1184
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 812 -ip 812
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1632 -ip 1632
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2219A414.TMP

Filesize
62B

MD5
68e3934ed379c48344e7d7bd9f89e832

SHA1
500d03b66211ea803278caa9e7787d4df9917359

SHA256
a4db294b3d4546f44f9b254257a54893e9d2b67f7e53a9f3426004fbc13c5d13

SHA512
be2a6e39a35745901c31db9bc40b9a0bb9ec390497082be2459d52a0b70dc3426c8b55e1e363153aa185432ffc684231c42fb97436aec77685f6545c7a811266

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
230KB

MD5
e52478b431d02e88d03030eef0bbba06

SHA1
637be2fcfb9fdd526076f4f5404200e8c98b30b2

SHA256
c5356cd123dd0e23e0f17db22cd07485c1c9a4b4cebf6674787efea05ba1e088

SHA512
b40cae0733c8d67702b2968350afc22c356c69c10b19fe16a8ad51e2fea8d30665566695736c8537dc6dec2e7e2f29634e90921d2ce258945f098f75653248cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
229KB

MD5
622aa5863de81998274885be3868a9ab

SHA1
392fc56331d2ed92c0492948c9889495c099ac8d

SHA256
9edbc81830ad4e7f440e15b1c2b5eaed6920dc2299a24a478c98df28bbc599ee

SHA512
93396f3c5940c041b5894871e6c5337ebf9e0305f705d47de588ac30852a4707eac43bbac53eb7d5b27c78d89ef1d391024a96f5545d6b9d5822e286df40a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f3aad5f0c8841375db63855b1c64a8df

SHA1
06a3caed4327962e145d462b998d2d88679f2199

SHA256
a8991705899fd69ec64e2339281f097d367a23ae74f909a3edb19a3a4846be4e

SHA512
8e46b922b34bf5629d82ced6ecaa88ab9f10dcf221d2a40792d7c3a0dc680dc90764765e89e8852ef598fcd04bf7b0592de6c89036d9b09ba828ffda4caa5148

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d83ceec34961e38e526abde47b8ee9a2

SHA1
18f9818f477b9c75533b713f88cdfcfeb38824d6

SHA256
0d104b015e6025085b2a56cf399c8d746b43688777264b9044d39b83893c8f07

SHA512
a49a827a24480aab1488f3d7f756b6ce36b770f4c7c5fccf02a28c496aba9fca7923b78448e81fd0084d3ba56baee25aadfc9343cab34248bdc4b79e0c0f22e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
cccd64d41d4fb388ad3b964b53237738

SHA1
2362a9aa7fcbd2eb71a469f730037ad2ecf548bc

SHA256
a23709dc7bbaec4a7831834795545260e9c5bbfb540d35a22ebe03aa7555fe0b

SHA512
59b2e3d65b9c99486a424ea9dc58873c72915bf1a1ddb3d182ddc020517b30b55a7f61bffce4798aa8195b226708f5f392fd1e18513f63a36ce6f5ab0c2302e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
0ab24f69eb62c78d52b1aba15caaa1b2

SHA1
0ae94659b89bc8c691513c1da7d5b887ce51f7fa

SHA256
df2d44bb4d66b7952c40c06b1416867418c535e60688d36237b5652613c5f6bf

SHA512
b3443ee6ccc0905d7b8229611b14efafea4d9580ad5076d660f0c7fda0fa250c01c1f298ab60a29055aebc25c2f8dc76a8093840165c9ea8251ec2e9659772e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
39801cd5b6e32459a4598b93f5e42329

SHA1
65a92978be2d30fca1160797a25c8f2032c760c2

SHA256
cd3de25e3a85e05d25f29fcba38135ddbac94851dbb4b410defc1d0e5bfec497

SHA512
dc1dbc70521b9addf20cf4c8e8f62e9aa31eea264eca257b88af35226ed44c2d588e2110037cf014e133c811ff1d936c132f646e35b49bf90762ddbadc8ac709

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f33396b52b56d005a065e45a22e502b5

SHA1
747650509d5f7d171f2376c0d21557c5e54025df

SHA256
4e7eb16853d9573d4af4a2dd32bffcce6d7488bc1deb41fe14a72dce4c7e3dfc

SHA512
bc87b073660a0e0711e3403784999421b921c5ae2d5fa4071f6153360df065b3a7741d18d046ec074dfdfa8196415bb4ffced96f7194fe90d193ca5510ca05a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
077e7eeb210339fdc625f4730a0bb7ff

SHA1
b115c3968c6da2c53dcb7bf61980aac6844753ee

SHA256
fa3b7eb19c9c7e5f29685d2499ce5367fc01548079cf0e13cadc03a429fda27f

SHA512
fe2edb962b163125757131e9cde67e1109b2dea249c4c8297e0f9481c19689209d3de4fb224f1c10decec51a871ea69ce45a5b669766d1b4330654cc781d299d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
437b07819bbfa37dd55b6b7a7f81e1df

SHA1
5ac1a9f7793fc5b74cda7ab79f09142d0a4352db

SHA256
9b60679ceeb797fb6f8994c1c74256aa7b68613479bdd11a783e890eb515f921

SHA512
89325f134ec7a4b2db52c1400fab04a9f578ce2fba01210e6eac5f0535ca29f28e5e7db059e5be9de8c106b97892b5ad80a2b72abd007a093194d9196f4a70d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a77612387d385f9e4f87e98acfeaf9f1

SHA1
805d707627f26821b0900bdb679ec5d4637d155e

SHA256
3264f4f0a66f4e0302aa99664815d3b7ae19105e25477fa50c014546eb7132a8

SHA512
cf7be12ecb66005aee55f86189461c499213a24383dc7d1b7f83a045581ba727bd21c8922587a082fa9b363f9fb805d3002e04f3ffd0236028d7972de6f3d4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
5c65f93eebd0e53bb175b81f6c960c01

SHA1
2cb68af742b5b8124081ad91543a51e8a3a7f72b

SHA256
03bfc11343138c9a55e7e1e28cb91a001a6d36d6703172a21f5fbf80140ac5f7

SHA512
66dcca4bd3f9af532550dafacd8ae9010f7b69cd7f80139ca5a2f2b3f454d2a63c735bcdc0d5c86d7c86b3eb60665916bb4efb72afc0d7c8cd35f7ddd74f19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
de3782e8cbbc2504e0c38bd9203db9e6

SHA1
beb527c96ceeb30e30abb2ae503605faf32eb6d3

SHA256
7b765f3026d67449d8321f4d41ab1ae07cd192b20df2216389410b7a643e12ca

SHA512
19f3cc9cd8cf6ed7126049635f0b58ba9109e6a2c594046a2363e6dea0749b7546e384ba84578033b9409ec44d2ca2490893fdacc468031268222a9a452c1b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
722cfdd626288d0206d72528f66c6ca2

SHA1
9ffe32af7f7fe433a9b38812af7926684fc7be60

SHA256
a4ee1d2bf0be5f7189204016968333f1252baf197095012d0360c2b2591c1d71

SHA512
f8f7f6dba6c524ced9bd001863c446b780322f8d6ba6f66416aebdcb0988deae0ab476d1522e7a0d7052644244b6c636bbf137a09ad3a3ca0f82a6fa4b84d66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
4eb0371ad19b4369a13b07e49f8465f2

SHA1
af6e7d4890b81111cb93a02893b9c19ce8b2c5d9

SHA256
defc4b2c097164bd749cbc6c7545d071162029f6639ef63e6fcefe3a804a8e3a

SHA512
86a3a4e88419062e6c8c7c5adb5e226b8446b75bda704392530ddbb40c474863a13ca18ce0db9a1352769df161a97700032b9e7c839a0c84f59145dd9072c71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
f618a30fc56878aec6716a77b014ca5e

SHA1
3d2716c074975faf28af030ea5ff4dbed578e49a

SHA256
b17365a32ce04cbd0a54b2d4134526932bb720341dac5e830a4436bbc431e5a3

SHA512
fb928c0cd5618c1d05d7b319c64cd357b9185f357ae4959a8c7f287be791af180239fcea14f5f089b9fe6510793701b22631060209bc4e2da6b70bd41d61fb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
73bddabf79f54f5c7c859d87900550c9

SHA1
da3a3482ea8114ab343debdaa5d64ae2e604548f

SHA256
7ac63d270d28830600bc4565fd9b4e51e61fc5b4e654f3d36bd8921dab834d0e

SHA512
2f53f242ee1b2f1ba7c1d5e35764822209a679f0e971c658c2202a0beb60d64dc9bce78d728d3de6560c1e1dfcc48d3bb8f6d75c74e0f4b61821bc22843785e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
04b3e536f540ca565228cf0b673a26fb

SHA1
4f5e3d8aa1f048a2a52ee93f0d348a93155d20ee

SHA256
5ef832ed92eadcd714515bc1b49c16de57c3f4e42992bacb3c335f5a3fd600d6

SHA512
da2557ea2ba231499b75b53542d705c7836ced6776caa06f58f8525923bc7b683f3b03d14885dbdbe78e404c36beed7ed1dcd2786906175ff7c81d60fe096151

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2fac6cd14698b327e1eb68a48597e74b

SHA1
f8904acaba28bc6ac6387ac7fb487c67fd8a9645

SHA256
cfbc660a3008150da1543d89b28c11ec9526a38d6f0eb9916790ec71636d8d45

SHA512
07957588ca372824ce2288df12d4c6c5618246bab167024103d6572f643b76a178ccfd5317a7c7db0d6fcbd08afa4ab2fb0dbecbd6ebad7af921d2110bdd7b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9302b5393d5bf5fb6a9bbb0204751b96

SHA1
802a3b0a4e38eacbcfaf88b4ba091d52101b40ec

SHA256
c193c49fe5aefb804d7175f532594534771a38dfe6b8ab24ff13289a15bf4054

SHA512
ae00fd91fc12f5b8a79eae31eabd3e3bd02da7ca9d2595125162c8dcbe04d6ea4df4e0b0952a51e2e54e3386afedcb4ec7f40735d624a8f87dbbfc6b1449367f

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
e21bd9604efe8ee9b59dc7605b927a2a

SHA1
3240ecc5ee459214344a1baac5c2a74046491104

SHA256
51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

SHA512
42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

Download Submit
C:\Windows\SysWOW64\License\Licenskey.exe

Filesize
782KB

MD5
da957e71f1bccec9c5306f6af4949c90

SHA1
4b27f6a6dfe5cc4a10c8aeddd957718d70202a6f

SHA256
3c661019453cf93635be2e5d07d2c843c93418ea1bdaf79b4fd24146fa1c4a9f

SHA512
6af014467b1e33cca383eda6e333f35ae6c4052b5652e2c4c03d70250140673915ed17c9608f8952bb092c1ff04567eaa0011a3a887e5873c85533ffa9adf899

Download Submit
memory/824-183-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1156-45-0x00000000020F0000-0x0000000002139000-memory.dmp

Filesize
292KB

Download
memory/1156-2-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1156-4-0x00000000020F0000-0x0000000002139000-memory.dmp

Filesize
292KB

Download
memory/1156-9-0x00000000020F0000-0x0000000002139000-memory.dmp

Filesize
292KB

Download
memory/1156-10-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1156-13-0x00000000020F0000-0x0000000002139000-memory.dmp

Filesize
292KB

Download
memory/1156-12-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1156-16-0x0000000003C10000-0x0000000003C29000-memory.dmp

Filesize
100KB

Download
memory/1156-11-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1156-17-0x00000000020F0000-0x0000000002139000-memory.dmp

Filesize
292KB

Download
memory/1156-18-0x00000000020F0000-0x0000000002139000-memory.dmp

Filesize
292KB

Download
memory/1504-60-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1504-70-0x0000000024160000-0x00000000241C2000-memory.dmp

Filesize
392KB

Download
memory/1504-22-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1504-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1504-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1504-51-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1504-54-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1504-67-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/1504-62-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/2288-46-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2288-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3120-331-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3660-199-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3860-55-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3860-56-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download