Analysis
max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 12:02
Static task
static1
Behavioral task
behavioral1
Sample
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
Resource
win7-20240611-en
General
Target: 1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
Size: 100KB
MD5: 1b39fdf3a6e694cf0f46adf49df2a347
SHA1: d52d09ca89326ebdb6b1187361aac45e9335625b
SHA256: 884f7c13b4afdfdecc063f0b9345b399566321a082f8736737d5bc04cf0423df
SHA512: 18eae686e31aa18553ad761b6f7b328737c36a82472e2b8f9388183917114badd453da476139d2d357783605c3fa51028db8b93af294ae8aa96edc3292710090
SSDEEP: 3072:sqk39Yin25UcYMSD6hg4FxaZq6fo6eNmDtsiV:sj9Yw25Ud0FAZBBts0
Malware Config
Extracted
sality
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Executes dropped EXE 1 IoCs
Processes:
msedge.exe
  pid 2824
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  File opened (read-only) \??\O:
  File opened (read-only) \??\U:
  File opened (read-only) \??\V:
  File opened (read-only) \??\W:
  File opened (read-only) \??\I:
  File opened (read-only) \??\M:
  File opened (read-only) \??\N:
  File opened (read-only) \??\S:
  File opened (read-only) \??\Z:
  File opened (read-only) \??\E:
  File opened (read-only) \??\G:
  File opened (read-only) \??\H:
  File opened (read-only) \??\Q:
  File opened (read-only) \??\T:
  File opened (read-only) \??\X:
  File opened (read-only) \??\J:
  File opened (read-only) \??\K:
  File opened (read-only) \??\L:
  File opened (read-only) \??\P:
  File opened (read-only) \??\R:
  File opened (read-only) \??\Y:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  File opened for modification C:\autorun.inf
  File opened for modification F:\autorun.inf
Drops file in Program Files directory 12 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
Drops file in Windows directory 1 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  pid 1364
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe (pid 1364)
  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe (pid 1364)
  PID 1364 wrote to memory of 800 (fontdrvhost.exe)
  PID 1364 wrote to memory of 808 (fontdrvhost.exe)
  PID 1364 wrote to memory of 64 (dwm.exe)
  PID 1364 wrote to memory of 2408 (sihost.exe)
  PID 1364 wrote to memory of 2440 (svchost.exe)
  PID 1364 wrote to memory of 2524 (taskhostw.exe)
  PID 1364 wrote to memory of 3348 (Explorer.EXE)
  PID 1364 wrote to memory of 3624 (svchost.exe)
  PID 1364 wrote to memory of 3864 (DllHost.exe)
  PID 1364 wrote to memory of 3968 (StartMenuExperienceHost.exe)
  PID 1364 wrote to memory of 4072 (RuntimeBroker.exe)
  PID 1364 wrote to memory of 784 (SearchApp.exe)
  PID 1364 wrote to memory of 4148 (RuntimeBroker.exe)
  PID 1364 wrote to memory of 5056 (RuntimeBroker.exe)
  PID 1364 wrote to memory of 1116 (TextInputHost.exe)
  PID 1364 wrote to memory of 2984 (msedge.exe)
  PID 1364 wrote to memory of 3148 (msedge.exe)
  PID 1364 wrote to memory of 1616 (msedge.exe)
  PID 1364 wrote to memory of 728 (msedge.exe)
  PID 1364 wrote to memory of 496 (msedge.exe)
  PID 1364 wrote to memory of 1088 (msedge.exe)
  PID 1364 wrote to memory of 1384 (msedge.exe)
System policy modification 1 TTPs 1 IoCs
Processes:
1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  "dwm.exe"
- C:\Windows\system32\sihost.exe
  sihost.exe
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b39fdf3a6e694cf0f46adf49df2a347_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffe83262e98,0x7ffe83262ea4,0x7ffe83262eb0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2896 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2916 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3128 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5284 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5480 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Defense Evasion
- Modify Registry: 5
- Impair Defenses: 4
  - Disable or Modify Tools: 3
  - Disable or Modify System Firewall: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Filesize
3.9MB
MD5
faf79a48399d502194e87a5ad1ba7b8e
SHA1
09cd9d783ac126d33ec37de781beedce9ce6aa51
SHA256
3d1266025af95bdb7b92d17debbf88a1386b19b7f7c2eeb9ced77debb9748e14
SHA512
d84f8e25179e2cee6f95dc95c94a4a70dc56814aaf7f95e38f24f9828e64629cab0c184f5fddd67d834f419703f65d9d0e3a93e54d2730ed63d3d89644babb84
-
F:\otohe.pif
Filesize
100KB
MD5
779bdf41be769d9654101ddac542a184
SHA1
37798f67c8929c1a21da7f084f67f5bc53f99f27
SHA256
565dc3054060956229171330c6fd293de825ba2359ba4746661b6a849d2dae28
SHA512
ed69dc4550a2e9489d480f55ad94a770ee0379dd4844fb2746c9c4f7b4e99bcea28e24d71a9af8a1eab0d750cf1bb87db7d0051332dc704f14bef48b5a36d046