gcleaner | 106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
Size

3.4MB
MD5

ca48a01552acf9cb77202bf0b77a7a1c
SHA1

1daba5dbab15456462e1ac3e80b782aa867889c2
SHA256

106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4
SHA512

f5942e6a162c2b3e5df3ac14b24350f36e393ddb80400fcd47070e70b6eccaa366ef3406c8452b795c7b28cf2266fd8eb1339f51dcc1910a004c72e14cbe8a55
SSDEEP

49152:Kj4FOCYYcrX7JGwyTL2RhE3IiSKVFGclOt45MaUEr7NSv2opoSH7QirAnN4tSqJS:cRCHCowyTL2RgSWj5WaU28wN4t0N

Score

10^/10

gcleaner lgoogloader onlylogger raccoon vidar 87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a 933 discovery downloader loader stealer

Malware Config

Extracted

Family

vidar

Version

41.4

Botnet

933

https://mas.to/@sslam

Attributes

profile_id
933

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Extracted

Family

raccoon

Version

1.8.2

Botnet

87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a

Attributes

url4cnc
http://telemirror.top/jredmankun

http://tgmirror.top/jredmankun

http://telegatt.top/jredmankun

http://telegka.top/jredmankun

http://telegin.top/jredmankun

https://t.me/jredmankun

rc4.plain

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2144-17-0x0000000000120000-0x0000000000132000-memory.dmp	family_lgoogloader

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Lgoogloader family
lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2468-208-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2468-206-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2468-201-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2468-203-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

OnlyLogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/2672-183-0x0000000000400000-0x0000000000790000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2784-180-0x0000000000400000-0x00000000007F1000-memory.dmp	family_vidar

Executes dropped EXE 17 IoCs

pid	Process
2532	DownFlSetup110.exe
2144	inst1.exe
2784	Soft1WW02.exe
2980	4.exe
2988	5.exe
2476	setup.exe
2764	EASS.exe
2672	setup_2.exe
2640	setup.tmp
1640	9.exe
2496	Calculator Installation.exe
1268	setup.exe
1044	Chrome 5.exe
2228	setup.tmp
2468	EASS.exe
832	services64.exe
3000	sihost64.exe

Loads dropped DLL 36 IoCs

pid	Process
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2672	setup_2.exe
2672	setup_2.exe
2476	setup.exe
2672	setup_2.exe
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2640	setup.tmp
2640	setup.tmp
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2640	setup.tmp
2640	setup.tmp
2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
2496	Calculator Installation.exe
2496	Calculator Installation.exe
1268	setup.exe
2228	setup.tmp
2228	setup.tmp
2228	setup.tmp
2496	Calculator Installation.exe
2496	Calculator Installation.exe
1348	WerFault.exe
1348	WerFault.exe
1348	WerFault.exe
1348	WerFault.exe
2764	EASS.exe
1044	Chrome 5.exe
832	services64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
60	iplogger.org
115	iplogger.org
119	iplogger.org
43	iplogger.org
48	iplogger.org
62	iplogger.org
108	iplogger.org
131	iplogger.org
136	iplogger.org
45	iplogger.org
75	iplogger.org
106	iplogger.org
123	iplogger.org
124	iplogger.org
132	iplogger.org
137	iplogger.org
139	iplogger.org
46	iplogger.org
61	iplogger.org
112	iplogger.org
152	iplogger.org
126	iplogger.org
140	iplogger.org
148	iplogger.org
58	iplogger.org
107	iplogger.org
113	iplogger.org
122	iplogger.org
149	iplogger.org
16	iplogger.org
77	iplogger.org
89	iplogger.org
138	iplogger.org
76	iplogger.org
120	iplogger.org
128	iplogger.org
101	raw.githubusercontent.com
147	iplogger.org
53	iplogger.org
81	iplogger.org
84	iplogger.org
74	iplogger.org
125	iplogger.org
154	iplogger.org
39	iplogger.org
44	iplogger.org
52	iplogger.org
100	iplogger.org
109	iplogger.org
111	iplogger.org
141	iplogger.org
14	iplogger.org
83	iplogger.org
87	iplogger.org
146	iplogger.org
150	iplogger.org
153	iplogger.org
17	iplogger.org
42	iplogger.org
105	iplogger.org
57	iplogger.org
78	iplogger.org
82	iplogger.org
86	iplogger.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2764 set thread context of 2468	2764	EASS.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1348	2784	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DownFlSetup110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calculator Installation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Soft1WW02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EASS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EASS.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016dad-97.dat	nsis_installer_1
behavioral1/files/0x0006000000016dad-97.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2360	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1044	Chrome 5.exe
832	services64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	setup.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	DownFlSetup110.exe
Token: SeDebugPrivilege	2980	4.exe
Token: SeDebugPrivilege	2988	5.exe
Token: SeDebugPrivilege	1640	9.exe
Token: SeDebugPrivilege	1044	Chrome 5.exe
Token: SeDebugPrivilege	832	services64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2532	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	30
PID 2684 wrote to memory of 2532	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	30
PID 2684 wrote to memory of 2532	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	30
PID 2684 wrote to memory of 2532	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	30
PID 2684 wrote to memory of 2532	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	30
PID 2684 wrote to memory of 2532	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	30
PID 2684 wrote to memory of 2532	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	30
PID 2684 wrote to memory of 2144	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	31
PID 2684 wrote to memory of 2144	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	31
PID 2684 wrote to memory of 2144	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	31
PID 2684 wrote to memory of 2144	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	31
PID 2684 wrote to memory of 2784	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	32
PID 2684 wrote to memory of 2784	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	32
PID 2684 wrote to memory of 2784	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	32
PID 2684 wrote to memory of 2784	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	32
PID 2684 wrote to memory of 2980	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	33
PID 2684 wrote to memory of 2980	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	33
PID 2684 wrote to memory of 2980	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	33
PID 2684 wrote to memory of 2980	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	33
PID 2684 wrote to memory of 2988	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	34
PID 2684 wrote to memory of 2988	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	34
PID 2684 wrote to memory of 2988	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	34
PID 2684 wrote to memory of 2988	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	34
PID 2684 wrote to memory of 2476	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	35
PID 2684 wrote to memory of 2476	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	35
PID 2684 wrote to memory of 2476	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	35
PID 2684 wrote to memory of 2476	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	35
PID 2684 wrote to memory of 2476	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	35
PID 2684 wrote to memory of 2476	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	35
PID 2684 wrote to memory of 2476	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	35
PID 2684 wrote to memory of 2764	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	36
PID 2684 wrote to memory of 2764	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	36
PID 2684 wrote to memory of 2764	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	36
PID 2684 wrote to memory of 2764	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	36
PID 2684 wrote to memory of 2672	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	37
PID 2684 wrote to memory of 2672	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	37
PID 2684 wrote to memory of 2672	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	37
PID 2684 wrote to memory of 2672	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	37
PID 2684 wrote to memory of 2672	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	37
PID 2684 wrote to memory of 2672	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	37
PID 2684 wrote to memory of 2672	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	37
PID 2476 wrote to memory of 2640	2476	setup.exe	38
PID 2476 wrote to memory of 2640	2476	setup.exe	38
PID 2476 wrote to memory of 2640	2476	setup.exe	38
PID 2476 wrote to memory of 2640	2476	setup.exe	38
PID 2476 wrote to memory of 2640	2476	setup.exe	38
PID 2476 wrote to memory of 2640	2476	setup.exe	38
PID 2476 wrote to memory of 2640	2476	setup.exe	38
PID 2684 wrote to memory of 1640	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	39
PID 2684 wrote to memory of 1640	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	39
PID 2684 wrote to memory of 1640	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	39
PID 2684 wrote to memory of 1640	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	39
PID 2684 wrote to memory of 2496	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	40
PID 2684 wrote to memory of 2496	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	40
PID 2684 wrote to memory of 2496	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	40
PID 2684 wrote to memory of 2496	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	40
PID 2684 wrote to memory of 2496	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	40
PID 2684 wrote to memory of 2496	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	40
PID 2684 wrote to memory of 2496	2684	JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe	40
PID 2640 wrote to memory of 1268	2640	setup.tmp	41
PID 2640 wrote to memory of 1268	2640	setup.tmp	41
PID 2640 wrote to memory of 1268	2640	setup.tmp	41
PID 2640 wrote to memory of 1268	2640	setup.tmp	41
PID 2640 wrote to memory of 1268	2640	setup.tmp	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca48a01552acf9cb77202bf0b77a7a1c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\inst1.exe
  "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
  "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 916
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1348
- C:\Users\Admin\AppData\Local\Temp\4.exe
  "C:\Users\Admin\AppData\Local\Temp\4.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\5.exe
  "C:\Users\Admin\AppData\Local\Temp\5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\is-0OAVF.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-0OAVF.tmp\setup.tmp" /SL5="$20230,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1268
    - - C:\Users\Admin\AppData\Local\Temp\is-HNS3R.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HNS3R.tmp\setup.tmp" /SL5="$4017C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2228
- C:\Users\Admin\AppData\Local\Temp\EASS.exe
  "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\EASS.exe
    "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2468
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\9.exe
  "C:\Users\Admin\AppData\Local\Temp\9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:2720
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2360
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:2192
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3008
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a8e0f32f001b61fef78a0064970bdb0c

SHA1
33c93bdb202663be74e3ec0504216412d45db850

SHA256
b26bfb252f676294058ea006243d5962382997260ed8d065e4ca07311f759ff9

SHA512
eb069cf447b1d888d4751cb1ef142554ff9e50b0b0bea34832d8dd355a557fbb2a6071aa0067e8dac10f010ab2756ee21a80a7fc30acf67bb1e0d8a32fa4154c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
8KB

MD5
320681737aca2a42ef41a7a802e7e395

SHA1
bc6974316d2668a7d0e92cb1ab61a8a758cbd76b

SHA256
5e40c7686d99670b996cae8582dcf3aef6885f87934273f03d7bf10a232e0b33

SHA512
01e25cfb81095a7b0f37d1f69a35be63e6df8c428a0a2a37610c49fb3516dba69d91a6e98738fe7aefe77fd71a3978221817e20dd9dd1bfffe2b09c0deca1bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
8KB

MD5
f37e479ee64ec5b9d75689a12aa79cd2

SHA1
d6b2c01e90a1488cab24063e29bed1a22de5ca9b

SHA256
8127fa63cb781d32e4f0f91dde38c2c9d0307e9267c721922c6b8d9a31c915f0

SHA512
468245b2b9237de8cd9800da7881770525d14462faa95c0b608b3c972f70c6306851be7a41d92447f4dba9450f462be9328f7c867844fe42a8e7be123be13c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
8KB

MD5
3c7203aee224472579c502ad5adb8fb6

SHA1
f4ae3519f99431a4fb8130e929c94d89824b29fe

SHA256
f82dbb015721f197b206f377d1b0676c52c9725ad463a5ad09e12ca1cfc798e2

SHA512
9eae3f0db67cc1597d018203c9a0f53291fe08a3892c404e07093e658ef989cc77765669c19884e362ec0452946d75cb38749d74d7fa23b618e6dc021bd5c0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE18.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EASS.exe

Filesize
1.3MB

MD5
c32404b0c8f851f345c1c48692ebc017

SHA1
41d93e106962f20ad85b70dd525a1c3475496a33

SHA256
175a43161c32ae6f4f66e777411304d07e0196156251c9756e61432cd577c70c

SHA512
30c837fa76ed4c3eeab7289db8115ba792131caf325ce9192be7d0bd2dc7669ee1ba1b1596ae40185e27716e65b9f8f7d3ee3dddd4308f5706b8e055e28923ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe

Filesize
765KB

MD5
dd505d9dbf82b624095781c1a01e4dbb

SHA1
2c0d3d6e6b70435e8e5608ad8a3c20db7d76b23e

SHA256
bb1ad922f27d0bb3b41988829a5716bce113ac947f6ba9d66ef12876b7af78fe

SHA512
7668c2ce458d96b9e0a6f8ab9d72799582dfd316e2e28b293f3697f3d1cf47f2fb0fd9cd3e0b99f92d44aa91df6dbcaaa24a348baa3f1a62f07d93922ecff0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEF6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0OAVF.tmp\setup.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

Filesize
328KB

MD5
7c4dd7df0090fafa88ea953ebf7e82c6

SHA1
587b32f765393a33aac665d2ead53012840ccb75

SHA256
bcc5b73bd77beae3ff24c384562c0902f90b212f4c345b99f97cae8452111f65

SHA512
8ab5dfd7ed4654e3f738a74ba3ec2c31ef79ea463edc81b5c781411401fac6982b6436ae668476f2a50ae88006379a57c85fec2f98c886bbb77a4d749969cdf1

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
63KB

MD5
978582a03929afba9f50b7d149dfdb25

SHA1
fd27dfbd0ffec108b3c2ab648993817592010bbc

SHA256
7f413eeaf2db3ec6c7f94d3a5d06644fe5406afdde27e3552a736eaec373f283

SHA512
b37d706c64c15b6aec33d8c104ad18de335cb08dc831103669fd58995ef174f5306a0b5a083790a0f724d5cd9c5c0b7e384d243604e931a1f347521a863b7eaa

Download Submit
\Users\Admin\AppData\Local\Temp\inst1.exe

Filesize
221KB

MD5
39bf3527ab89fc724bf4e7bc96465a89

SHA1
ac454fcd528407b2db8f2a3ad13b75e3903983bc

SHA256
460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69

SHA512
bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b

Download Submit
\Users\Admin\AppData\Local\Temp\is-AVRI2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-AVRI2.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC841.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC841.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
379KB

MD5
429d0e06d7add76fdbfeb404a7bf4469

SHA1
11dedd36c146ae82f6a46360a6c5019284cc86f2

SHA256
32dccba4478d58b4e41bbf18f9d7532fd7d49ba6429b460b377f01e3f9bab736

SHA512
1443c7fc5a07ea82bb1a19211ee73a14e17961dd275e0d9118196ae99fae0de47a67e3ca74e50e90248923691d816aa50acb88329407f6128a2fe30bf405bee4

Download Submit
\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
376KB

MD5
571f9ac1a144d07f5f8e5054ebd737d9

SHA1
6aebb0894669814622bf9417e91870e0c81e0fc1

SHA256
8760d706dffea96fd453a150ba18a3110518fbdc7dfa8c48f84b94a06d7ab47c

SHA512
13ef865efd4c61cbc95c570e956a9bc70ee3a261d60ac6ef138c8c285bb093859e499f92e5f8ac7180b9c017e4ed362f2b1c40ba567f179d658d5978751f4ba8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
memory/832-216-0x000000013FFC0000-0x000000013FFD0000-memory.dmp

Filesize
64KB

Download
memory/1044-209-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/1044-118-0x000000013F530000-0x000000013F540000-memory.dmp

Filesize
64KB

Download
memory/1268-184-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1268-114-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1640-86-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/2144-17-0x0000000000120000-0x0000000000132000-memory.dmp

Filesize
72KB

Download
memory/2144-16-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2228-185-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2468-208-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2468-195-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2468-197-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2468-199-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2468-201-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2468-205-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2468-206-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2468-203-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2476-121-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2476-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2532-45-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-46-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-186-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-182-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-181-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-40-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2532-13-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

Filesize
96KB

Download
memory/2640-110-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2672-183-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/2684-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/2684-1-0x00000000010F0000-0x0000000001460000-memory.dmp

Filesize
3.4MB

Download
memory/2764-193-0x0000000005820000-0x00000000058FA000-memory.dmp

Filesize
872KB

Download
memory/2764-64-0x0000000000020000-0x0000000000168000-memory.dmp

Filesize
1.3MB

Download
memory/2764-147-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/2784-180-0x0000000000400000-0x00000000007F1000-memory.dmp

Filesize
3.9MB

Download
memory/2980-48-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/2988-47-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/3000-232-0x000000013F790000-0x000000013F796000-memory.dmp

Filesize
24KB

Download