ramnit | 6e135eba72c1258dd7ccf170cf094c8c3fca5781e03c2caacc9b455ab5cd7607

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Size

157KB
MD5

5220cac3053fb6ba12c133139f8101a3
SHA1

8664551f2182c0c27c5c6143683f924c55edbe88
SHA256

6e135eba72c1258dd7ccf170cf094c8c3fca5781e03c2caacc9b455ab5cd7607
SHA512

06d212d7a69120245503eeefa82c174f66f458d2f594eba613fca017532ede964fbd751aeb3234cca5d0e698c8cac8bd1a393de96f898dade7b46181f3480c33
SSDEEP

3072:TBKwcvdwuxdWikJTkct6FZkGNKCWux1OUD4854cotIhTiA0ChGfvhWTbQ:TBKwcvdn2JtY2s0uDOUD4bc7iA0CKhWQ

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
2708	DesktopLayer.exe
2616	DesktopLayerSrv.exe

Loads dropped DLL 4 IoCs

pid	Process
2888	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
2708	DesktopLayer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000120f6-2.dat	upx
behavioral1/memory/2888-4-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2828-21-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2744-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0008000000015f71-27.dat	upx
behavioral1/memory/2708-41-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2616-40-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2708-37-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2708-26-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2828-7-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6181.tmp	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px61A0.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6171.tmp	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444282488"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8114F7E1-DDEF-11EF-AE85-F245C6AC432F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81103521-DDEF-11EF-AE85-F245C6AC432F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81175941-DDEF-11EF-AE85-F245C6AC432F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\",1"	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wab	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcf	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\ = "vcard_wab_auto_file"	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\ = "vCard File"	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Mail\\wab.exe\" /vcard %1"	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vcf\Content Type = "text/x-vcard"	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-vcard\Extension = ".vcf"	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
2708	DesktopLayer.exe
2708	DesktopLayer.exe
2708	DesktopLayer.exe
2708	DesktopLayer.exe
2616	DesktopLayerSrv.exe
2616	DesktopLayerSrv.exe
2616	DesktopLayerSrv.exe
2616	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2268	iexplore.exe
2784	iexplore.exe
1556	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2784	iexplore.exe
2784	iexplore.exe
2268	iexplore.exe
2268	iexplore.exe
1556	iexplore.exe
1556	iexplore.exe
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2828	2888	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe	30
PID 2888 wrote to memory of 2828	2888	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe	30
PID 2888 wrote to memory of 2828	2888	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe	30
PID 2888 wrote to memory of 2828	2888	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe	30
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	31
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	31
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	31
PID 2828 wrote to memory of 2744	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	31
PID 2828 wrote to memory of 2708	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	32
PID 2828 wrote to memory of 2708	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	32
PID 2828 wrote to memory of 2708	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	32
PID 2828 wrote to memory of 2708	2828	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe	32
PID 2744 wrote to memory of 2784	2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe	33
PID 2744 wrote to memory of 2784	2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe	33
PID 2744 wrote to memory of 2784	2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe	33
PID 2744 wrote to memory of 2784	2744	JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe	33
PID 2708 wrote to memory of 2616	2708	DesktopLayer.exe	34
PID 2708 wrote to memory of 2616	2708	DesktopLayer.exe	34
PID 2708 wrote to memory of 2616	2708	DesktopLayer.exe	34
PID 2708 wrote to memory of 2616	2708	DesktopLayer.exe	34
PID 2708 wrote to memory of 1556	2708	DesktopLayer.exe	35
PID 2708 wrote to memory of 1556	2708	DesktopLayer.exe	35
PID 2708 wrote to memory of 1556	2708	DesktopLayer.exe	35
PID 2708 wrote to memory of 1556	2708	DesktopLayer.exe	35
PID 2616 wrote to memory of 2268	2616	DesktopLayerSrv.exe	36
PID 2616 wrote to memory of 2268	2616	DesktopLayerSrv.exe	36
PID 2616 wrote to memory of 2268	2616	DesktopLayerSrv.exe	36
PID 2616 wrote to memory of 2268	2616	DesktopLayerSrv.exe	36
PID 2784 wrote to memory of 1160	2784	iexplore.exe	37
PID 2784 wrote to memory of 1160	2784	iexplore.exe	37
PID 2784 wrote to memory of 1160	2784	iexplore.exe	37
PID 2784 wrote to memory of 1160	2784	iexplore.exe	37
PID 1556 wrote to memory of 2068	1556	iexplore.exe	38
PID 1556 wrote to memory of 2068	1556	iexplore.exe	38
PID 1556 wrote to memory of 2068	1556	iexplore.exe	38
PID 1556 wrote to memory of 2068	1556	iexplore.exe	38
PID 2268 wrote to memory of 2336	2268	iexplore.exe	39
PID 2268 wrote to memory of 2336	2268	iexplore.exe	39
PID 2268 wrote to memory of 2336	2268	iexplore.exe	39
PID 2268 wrote to memory of 2336	2268	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5220cac3053fb6ba12c133139f8101a3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5220cac3053fb6ba12c133139f8101a3SrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1160
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10fd56bb7134723028a1f86c06b6b2fd

SHA1
b5a15a60b5ad15fe1a5b6e08947c45dd0364d146

SHA256
9e3bf2d128a8563884a99682e315ff22fa42600f55178676d7eabc334bcd6c98

SHA512
5bf9d5430ac487cbff916f13f0626bc195e44a217e89de70dbde4ff4893175e02e4aa495ed24da1cd9c905612045a5de48ac86bf84b61c7f31effa0cce7aa713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dac6e71f2f06d3bb2fd8e75189044caa

SHA1
c2110dc42fb1179002179000b529ff5942d17606

SHA256
b7940b586f2dd8e587d6f9267bed4d07a6b2bf4f0010748b83f5a5c14a448b96

SHA512
30a8f5ab268d7e6552eb7211c6336ea5d8e67b8dbe26d1a6e862bbee8b95987bfafc5352c0f0e0038c4b44948a1796e267b07deea3060185c634a528c48a5bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3b2d61fcbcbc82d5b7390110c800fd2

SHA1
a8d3e409cd3fda76d6f4c4641af2d85b669cfda7

SHA256
0fbfeba056a53409e1f1e49e05e8cbb04d44a24231e2bc59094f4536d4d25013

SHA512
d7ab8bdc347341fa2f1298be22512059e6ba8da30b7727ddb7b9244576c74748e7d29a420591f854d9d95f8e8dac03c3eec37225b5647f2964bcd0f7964f001d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b9a46a2bdbe04c4f82d1fe3a2cfec1a

SHA1
7e7247f32b5bf06b04b64d3f3d5a2b6c724ad129

SHA256
5f7f6beca21be42e11477285d53ae7ea5461e50268b8be177527197a8c002983

SHA512
e8e1352098390e64e3ed1bc96d2948696a6bd72a3fdd9f7296f789c490a977ef1433ffabc171f99cd9d95ca2e0322acd46994aa727bad98dd7ced607467e3f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01e15c1eff243d393bb2488a61852182

SHA1
2dd67b567ed893c9b48cdb6afb3dbbd386d6d941

SHA256
ebd8d0fec5153448453b2e9e4baf765961872e15753c73a6ab557eeeb8015312

SHA512
9a4aa439113cdfe3dfccd64272314bf8b0d08ec7607c209d0e2e646f06945c5334d08c5783f5e8bbb42fdb2dd84615c1b3e21d11b158ae17052c511392fc55e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e470dca0b7ee8331b6009acf9dff825

SHA1
321ad4d223ff7a1d4822cdc6667588ac570eb057

SHA256
cafc38cd786ab650bbdcc70f3165a62f98517d0ad33b9e22214a4748705fcaf9

SHA512
1b21821a4e2b9bc2cb29e75f02a8c3200e64cb045a40c977791ed64a927443c95c9530b75066843affb5780bda1fd5d4301807dc3cc2f491ebd02b29664b3004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c727b875f6b4b5f1e6e367fc7915065b

SHA1
08f7bab8602bfc7418fbfd2684128326a156c76c

SHA256
90f0993ca2acac17d2a48b0d44902e4287fe574c1d5ff372786d91158a99a410

SHA512
7b3c26830a7cc3feaf953226c16aa55be012e8eee7b469e52719fa9138ac8b72c154a85868547f6e81f01405a5abf3f7cee656851c045991902a1cb9d4c30650

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
585442e8969e5e8ae970e948dd6d6130

SHA1
1c159d772d406ae9864e0783a2e8ba1a37c43c4b

SHA256
995e4731cb411f84becba35c2a23cd2cdb8e5d8d72aaa006f5f2db641275505e

SHA512
4c8034839aa151299e473ac69cc61a40b64572255b6117c5e62c2fcc65c63c5b774fd8af0fc223ad35f1987dd3ff413cbf4456460707998dfa857836fb549993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335e7fa495548b279dbeb06bfe9e8daa

SHA1
39a877ccb7d9cc3022f0dca4139ff71ec5618da7

SHA256
0839b6b7c492f80662d62f7650d9dc5e72289e4d2f3257cd23769ed1debac092

SHA512
a202a7a873005732049da2be0e24df2ac6102e6135a397b061a71c0bbcae2574ec9302cb67755e6dc2abb8bf21bea9c30faaf6218c7d33ec88e2ef1302f87d87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbfabb77dba8fe062a5aa5084f43be45

SHA1
7d22e8d5586963deb8b7d88dfd7ad9287313fc6a

SHA256
296aeea159d7bf6174d9b69d54290d550667c18b85b66d0cb0add3b280bf8cb7

SHA512
22fe66622847d62d370095127624f2dab86c8397eaa5478f20a71f361d526fe25c832593a64f8777d262bf4e1c82bf7c6967fe7e3633b54cbd898341b4701cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c3ca6c2b611c0319ac0740373ad13ec

SHA1
fb8d523dc2cafe99cca2f2a7f77188331289beb3

SHA256
69317faef55e3d05b2594fa3b73e41710bac9dea77333619e5692fae920253b7

SHA512
dd793270fa0cf20bd5e4aceabbc7b3eb12bb4a396bb3d0b047af7dea355fab3c511909599cadd992d7e90aae3621dd122a38aa259a5279b66ec6fea9345c9180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fb45b20f565af387825419eab029a32

SHA1
969f5ec04432073bd3a3597bce9cfe1ec36c9da5

SHA256
b15d6e6c7c505c1a29aac4cfc86755619b3206cccda67f78d7656a0a4f26120d

SHA512
f6bdc5e2bb72152ed28601c4808ba600bbb6af8236510a2694f37cc460b742fdfdc1cdad8f6d6429c87ab7612f8b290faa37b3981349beab125ba7f8f4ecbdd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a1a2184b5abef752a0629cccdc74046

SHA1
b00ee33d122e0172469be91fba95f85c01dd6a42

SHA256
58902c72248328212b1ac41eb0b798cb39abf0b5f2d2309a9e88e71ee717ce41

SHA512
50319a2e50281a4a19eae625a47239175703b1de72748a21262493f6b17214805f2a2971d9caeaea875cc90198100c0aca887d5e9bb553744e49acc8a541aa81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c760ae445db9761c7581e3b2788cd2e6

SHA1
511a9da53fda42e1fef75fcf56d7b48d50c1bc44

SHA256
ba1a841911f60e5c985ae0455e5acf8fdd7e72fd462996bb24fdd4d2e9448a04

SHA512
7bbbdb12389e7f936099e594a32a5561ee796599429583e9c671d3b2f5d96cc4c23f73dba1beff7d27664183dad4358d175cb79aa499cfb29e2ac3f6fad71f1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8db796716bd549511f008b7fffecb251

SHA1
5e3fb2df1a0ebea380ef05345cb31cb899758993

SHA256
db4965384cc10a8f22ae37dbdca64762a4395ef47b09e87bf7797045a060648b

SHA512
cc9b30f0567253bbf02cc6b29835e9b12864ab15a16ce6699b9d95e37c2e3e3c215c3756bcb1c3ce2040a84cd7abb95030a11fb6d22d6eeb168b25c2c7250fbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8684c05c1b07dc0fe5d951445a953bf

SHA1
05d2990fb17823686a075546aa471f1efc7ef2aa

SHA256
6ece89ac5e7ea97de461cfbe216074bda7a9e0d6f03351ae3e1a04add9e4e29c

SHA512
e98b7da0453c10a09e44941256991e9b3f47f90f9caa669b58310536b9b508db4d7f3dbc3722e1b5950f266df61e071e636fdb878b0fdf097ad4bd9a273e4807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11b81f673d5e1808172d2e07638395ce

SHA1
e7cee249c1fa1a25050eb28423a98f03e3f9361c

SHA256
5cb700f7811f580ecd8db999453c7a3628e022f9ff24657204f804d68a92dd74

SHA512
94752631ea90497fdc422635c49e08a4a1e3f07fd8ab0c26e403b19a334e936ce8abea2ae010eec4206e05b236b1cd557c90b0fdbcc0e8e7cb0c4a58af0c20a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d722f4d44874bf92098cc5c5d93ae53

SHA1
eaa612efbbabf0c906d12b931dfc9f05b58ed0ab

SHA256
0b101e909b754774e5454cf73fb0633d4aeba7bf4108b5853679d02ef61b3dd4

SHA512
a1493bbbad2e1a36140cb312b38ef67b77fbe867981f7f3e56ef02d5fc8431609244432577212397c44c473d37306a8978b26de90504325166dfee748c874bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3134bffba3f9963eadd203b5c9723510

SHA1
b785c57089f338b197e3c9a2254f4ff8d042c76d

SHA256
45909ea60a50b1498e97652868e5e6f9506c468fa0dcecb11abb5966ded17a82

SHA512
6d6b08bec1ce40289c8910792aa180ad25465f6af7dd5c671f38bb3ed08a6ca337978476e92ce54913412def8811ab21829b849915e918b5c45fb6acaf444d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{81103521-DDEF-11EF-AE85-F245C6AC432F}.dat

Filesize
3KB

MD5
f1856c7fb5e52ac1904d5492278a4d51

SHA1
8d00f9955eaa4e741663564df93b51e8e25f0f2a

SHA256
216d7da745d619bc5bec2859a5e87046046774946bb1883c9deb23cf7e790914

SHA512
6bbc14f799fc951c550fc20b81cae6bc818f4d19b1a2dc080d6b8660bd7c544861820694e84be31dc8066d0bac2e504ddcdecdd80d084771e01659a21337243e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{81103521-DDEF-11EF-AE85-F245C6AC432F}.dat

Filesize
5KB

MD5
a4ee4ee761325217244bed79e34570eb

SHA1
e0d4ddbda39412fa7cd6def1e3e9c6dadee84347

SHA256
7afc1b37410b13c8f3b743abe41be0c903a77f53dc50bce250c56452e4b376af

SHA512
7dea144a4ca4fe084d34a492eea8a02524521c8d13b67d5af9635faecf816954a8cfddec5c37a2f576d6287db35cb3f3ae10250d027a72f871e5f89479c14296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8114F7E1-DDEF-11EF-AE85-F245C6AC432F}.dat

Filesize
5KB

MD5
7ba971be64b494f140d2f6bb38ea1451

SHA1
98b167194435a3cdbbd91168a2bf36d89530477c

SHA256
3073714e9aea5e85dd898b68397ba4011043bcadb5e14fad9082447938a8d32b

SHA512
351b9f84f14ee6e5d3de8489c1ec441a06388014d949db8b373c2a72beeb89fa277af1e1775f742b7de3c4cbf4ca225dad76926345a78668f906fe054517e4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7937.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar79F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_5220cac3053fb6ba12c133139f8101a3Srv.exe

Filesize
111KB

MD5
feceefcf175fb6a73a1d2dcb876058a5

SHA1
c24ad59ede204aa20df81ede49e5c61c2f018e57

SHA256
414819edc9560efcee28ff9f54e4db6574c0958d209c0c778ab866533bebef35

SHA512
3f74332ca3020c8e63ab5984044f5eb40eed7a362b4e0ae715a2956eae3c2919f8db4d9934e0c52a9292b08dd721d4b50da71108ea3518a824efb2866ef9e27f

Download Submit
memory/2616-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2708-34-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2708-35-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2708-41-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2708-37-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2708-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2744-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2744-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2828-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2828-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2888-0-0x0000000001000000-0x000000000102B000-memory.dmp

Filesize
172KB

Download
memory/2888-46-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2888-475-0x0000000001000000-0x000000000102B000-memory.dmp

Filesize
172KB

Download
memory/2888-45-0x0000000001000000-0x000000000102B000-memory.dmp

Filesize
172KB

Download
memory/2888-4-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download