xtremerat | 4ccc6951e5854e0c9d844ce47ceba7fda7b22d34a6f27e90cd0091b3baa64297

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Size

390KB
MD5

2777eb2068f8c7400315a9d4e8f16459
SHA1

5e65cfcecb77e6deef0760b3bbd7268c0ee1121c
SHA256

4ccc6951e5854e0c9d844ce47ceba7fda7b22d34a6f27e90cd0091b3baa64297
SHA512

e10d87ddc7674e58046ff79ef743d21ea9b8b4e7358b1dac893e35bac32b62db413f7a549f4a6625c996a6f80b727b8dcf2bbe8984c8318edc6db1142457c79b
SSDEEP

12288:zF4HINhCuu2lL/kDES/7bwmuq9ec4Vsty:iHKhgOLW/nvc3u

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 14 IoCs

resource	yara_rule
behavioral2/memory/3040-8-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3040-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3040-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3040-14-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4888-24-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4888-25-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4888-23-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4888-29-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4180-39-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4180-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4180-37-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4180-43-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4032-84-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4032-83-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe

Suspicious use of SetThreadContext 18 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 4136 set thread context of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 2628 set thread context of 4180	2628	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	104
PID 2308 set thread context of 4848	2308	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	122
PID 4912 set thread context of 5100	4912	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	136
PID 4584 set thread context of 4928	4584	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	148
PID 4988 set thread context of 4032	4988	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	159
PID 4920 set thread context of 4648	4920	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	169
PID 4104 set thread context of 1644	4104	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	179
PID 3616 set thread context of 3724	3616	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	189
PID 2892 set thread context of 1908	2892	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	199
PID 3436 set thread context of 2908	3436	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	209
PID 1500 set thread context of 4744	1500	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	219
PID 4844 set thread context of 1920	4844	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	229
PID 3672 set thread context of 4184	3672	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	239
PID 3244 set thread context of 4440	3244	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	249
PID 4880 set thread context of 3756	4880	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	259
PID 1868 set thread context of 3532	1868	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	269

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3040-2-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-1-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-3-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-7-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-8-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3040-14-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4888-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4888-24-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4888-25-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4888-23-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4888-29-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4180-39-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4180-38-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4180-35-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4180-37-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4180-43-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4032-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4032-84-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4032-83-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4648-93-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 2024 wrote to memory of 3040	2024	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	83
PID 3040 wrote to memory of 3948	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	85
PID 3040 wrote to memory of 3948	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	85
PID 3040 wrote to memory of 3948	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	85
PID 3040 wrote to memory of 4448	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	86
PID 3040 wrote to memory of 4448	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	86
PID 3040 wrote to memory of 4448	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	86
PID 3040 wrote to memory of 3772	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	87
PID 3040 wrote to memory of 3772	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	87
PID 3040 wrote to memory of 3772	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	87
PID 3040 wrote to memory of 2592	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	88
PID 3040 wrote to memory of 2592	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	88
PID 3040 wrote to memory of 2592	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	88
PID 3040 wrote to memory of 1388	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	89
PID 3040 wrote to memory of 1388	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	89
PID 3040 wrote to memory of 1388	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	89
PID 3040 wrote to memory of 2016	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	90
PID 3040 wrote to memory of 2016	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	90
PID 3040 wrote to memory of 2016	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	90
PID 3040 wrote to memory of 2952	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	91
PID 3040 wrote to memory of 2952	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	91
PID 3040 wrote to memory of 2952	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	91
PID 3040 wrote to memory of 2712	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	92
PID 3040 wrote to memory of 2712	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	92
PID 3040 wrote to memory of 4136	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	93
PID 3040 wrote to memory of 4136	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	93
PID 3040 wrote to memory of 4136	3040	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	93
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4136 wrote to memory of 4888	4136	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	94
PID 4888 wrote to memory of 3060	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	95
PID 4888 wrote to memory of 3060	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	95
PID 4888 wrote to memory of 3060	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	95
PID 4888 wrote to memory of 4476	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	96
PID 4888 wrote to memory of 4476	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	96
PID 4888 wrote to memory of 4476	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	96
PID 4888 wrote to memory of 4876	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	97
PID 4888 wrote to memory of 4876	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	97
PID 4888 wrote to memory of 4876	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	97
PID 4888 wrote to memory of 772	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	98
PID 4888 wrote to memory of 772	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	98
PID 4888 wrote to memory of 772	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	98
PID 4888 wrote to memory of 3308	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	99
PID 4888 wrote to memory of 3308	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	99
PID 4888 wrote to memory of 3308	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	99
PID 4888 wrote to memory of 3512	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	100
PID 4888 wrote to memory of 3512	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	100
PID 4888 wrote to memory of 3512	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	100
PID 4888 wrote to memory of 2424	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	101
PID 4888 wrote to memory of 2424	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	101
PID 4888 wrote to memory of 2424	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	101
PID 4888 wrote to memory of 3292	4888	JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        12⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:3120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        14⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:5108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:2140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:4048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:3156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        15⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        16⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:4180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:3176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        17⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        17⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        18⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:4480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:2544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:1584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        19⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        19⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        20⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:2476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:4964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        21⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        21⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        22⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:4584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:2088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        23⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        23⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        24⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:1000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:2428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:5076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:2404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        25⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        25⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        26⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:1916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:4812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:3540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:2308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        27⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        27⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        28⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:3284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:4100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:5040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        29⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        29⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        30⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:3684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:4500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:64
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:3140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        31⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        31⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        32⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:1632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:1548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:3556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:1204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:1676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        33⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        33⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        34⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:1220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:1828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:2304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:1964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        35⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        35⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        36⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:1644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:3976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:2880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:1004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        37⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2777eb2068f8c7400315a9d4e8f16459.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Kwbz0.cfg

Filesize
1KB

MD5
f52be3956b22f6b5668c5ba805ae2131

SHA1
61f7fa30d064a6fd34327c42ab5364fdf6aada8a

SHA256
9f27210b26df2acd4f7e45669db357a72ed9d59b21c39fbbceb35f8b50e1a4c0

SHA512
eb974b48950d9e46bd4d5e6cbfbd212663b008397e71208a8409ddd88b736651db4be70c4d56b03903ccec3fc4489f7c954578dc731b88ace02f402f413a7283

Download Submit
memory/2024-0-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2024-6-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/2308-49-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/2628-36-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/2628-30-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/3040-14-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-7-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-9-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-8-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-2-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-1-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-3-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3040-11-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4032-82-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4032-84-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4032-83-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4136-21-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/4136-15-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4180-37-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4180-38-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4180-35-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4180-43-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4180-39-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4584-71-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/4648-93-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4888-25-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4888-23-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4888-24-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4888-22-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4888-29-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4912-59-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/4920-92-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download
memory/4988-81-0x0000000000010000-0x0000000000071000-memory.dmp

Filesize
388KB

Download