pony | ee595ff37c7b47dd197d5b7aa5d1c837e8e5b2b91ca1cec8b41b0c09b66da7c1

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
Size

496KB
MD5

2493fda9c64e3d7025bde19d90e8e23e
SHA1

e8d6d470bc54dd06aa0324d5eef8098bb9eeb93c
SHA256

ee595ff37c7b47dd197d5b7aa5d1c837e8e5b2b91ca1cec8b41b0c09b66da7c1
SHA512

af70d3ec531902fa4874fdc91bd6dc0632ec25f25884d05136e1acdbac90977856e2cfb6236ed89702060deb2dbc16b6c1ac6c709e278c89b93ea7d4d8563c0f
SSDEEP

12288:0DCPENnBV5jaHBoFvZstQW012B04Ngjw5qu8jxTQlDrLOM:0EEZBV5jCoFvZsSWG2BdN+w2+O

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

3men.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 3men.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	3men.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

j29oAE.execuejim.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	j29oAE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cuejim.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
persistence

Active Setup
T1547.014

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Disables taskbar notifications via registry modification
evasion
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

576 cmd.exe
Executes dropped EXE 12 IoCs

Processes:

j29oAE.execuejim.exe2men.exe2men.exe2men.exe2men.exe2men.exe2men.exe3men.exe3men.exe3men.exeC0DF.tmp

pid process

1280 j29oAE.exe
2644 cuejim.exe
2836 2men.exe
2560 2men.exe
2440 2men.exe
2740 2men.exe
2708 2men.exe
1868 2men.exe
1784 3men.exe
3036 3men.exe
1860 3men.exe
2212 C0DF.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

pid	process
576	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exej29oAE.exe3men.exe

pid	process
2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
1280	j29oAE.exe
1280	j29oAE.exe
2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
1784	3men.exe
1784	3men.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2560-48-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2560-51-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2560-47-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2560-45-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2560-42-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2560-40-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2440-59-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2440-56-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2440-54-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2440-63-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2440-62-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2440-61-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2740-74-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2708-83-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2740-81-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2708-79-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2708-77-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2740-71-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2740-68-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2740-66-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2740-73-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2708-85-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2708-87-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2560-101-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/3036-118-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2740-120-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/2708-121-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/1784-122-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1784-249-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1860-251-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cuejim.exe3men.exej29oAE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /m"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /l"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /u"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /a"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /j"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /d"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /c"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /y"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /Q"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /g"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /v"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /X"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /Y"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /R"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /F"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /C"	cuejim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\31B.exe = "C:\\Program Files (x86)\\LP\\BB4C\\31B.exe"	3men.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /B"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /p"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /I"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /W"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /h"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /H"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /r"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /k"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /K"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /J"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /s"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /z"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /b"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /U"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /M"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /q"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /D"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /i"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /S"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /E"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /G"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /t"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /P"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /L"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /Z"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /f"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /O"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /o"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /x"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /n"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /w"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /q"	j29oAE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /T"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /e"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /N"	cuejim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuejim = "C:\\Users\\Admin\\cuejim.exe /V"	cuejim.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

2men.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2men.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2men.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2men.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2men.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

2men.exe

description	pid	process	target process
PID 2836 set thread context of 2560	2836	2men.exe	2men.exe
PID 2836 set thread context of 2440	2836	2men.exe	2men.exe
PID 2836 set thread context of 2740	2836	2men.exe	2men.exe
PID 2836 set thread context of 2708	2836	2men.exe	2men.exe
PID 2836 set thread context of 1868	2836	2men.exe	2men.exe

Drops file in Program Files directory 3 IoCs

Processes:

3men.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\BB4C\31B.exe	3men.exe
File opened for modification	C:\Program Files (x86)\LP\BB4C\31B.exe	3men.exe
File opened for modification	C:\Program Files (x86)\LP\BB4C\C0DF.tmp	3men.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2640 tasklist.exe
1008 tasklist.exe

pid	process
2640	tasklist.exe
1008	tasklist.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

j29oAE.exe2men.exe2men.execuejim.exe3men.exe

pid	process
1280	j29oAE.exe
1280	j29oAE.exe
2440	2men.exe
2740	2men.exe
2644	cuejim.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2740	2men.exe
2644	cuejim.exe
2644	cuejim.exe
2644	cuejim.exe
2440	2men.exe
1784	3men.exe
1784	3men.exe
1784	3men.exe
1784	3men.exe
1784	3men.exe
1784	3men.exe
2440	2men.exe
2440	2men.exe
2644	cuejim.exe
2644	cuejim.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2440	2men.exe
2440	2men.exe
2644	cuejim.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2440	2men.exe
2644	cuejim.exe
2644	cuejim.exe
2440	2men.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe
2644	cuejim.exe
2440	2men.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2440	2men.exe
2440	2men.exe
2644	cuejim.exe
2440	2men.exe
2644	cuejim.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1956 explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

tasklist.exemsiexec.exetasklist.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2640	tasklist.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeSecurityPrivilege	1580	msiexec.exe
Token: SeDebugPrivilege	1008	tasklist.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe
Token: SeShutdownPrivilege	1956	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe
1956	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exej29oAE.execuejim.exe2men.exe2men.exe2men.exe

pid process

2424 2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
1280 j29oAE.exe
2644 cuejim.exe
2836 2men.exe
2560 2men.exe
2708 2men.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exej29oAE.execmd.exe2men.exe

description	pid	process	target process
PID 2424 wrote to memory of 1280	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	j29oAE.exe
PID 2424 wrote to memory of 1280	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	j29oAE.exe
PID 2424 wrote to memory of 1280	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	j29oAE.exe
PID 2424 wrote to memory of 1280	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	j29oAE.exe
PID 1280 wrote to memory of 2644	1280	j29oAE.exe	cuejim.exe
PID 1280 wrote to memory of 2644	1280	j29oAE.exe	cuejim.exe
PID 1280 wrote to memory of 2644	1280	j29oAE.exe	cuejim.exe
PID 1280 wrote to memory of 2644	1280	j29oAE.exe	cuejim.exe
PID 1280 wrote to memory of 2784	1280	j29oAE.exe	cmd.exe
PID 1280 wrote to memory of 2784	1280	j29oAE.exe	cmd.exe
PID 1280 wrote to memory of 2784	1280	j29oAE.exe	cmd.exe
PID 1280 wrote to memory of 2784	1280	j29oAE.exe	cmd.exe
PID 2784 wrote to memory of 2640	2784	cmd.exe	tasklist.exe
PID 2784 wrote to memory of 2640	2784	cmd.exe	tasklist.exe
PID 2784 wrote to memory of 2640	2784	cmd.exe	tasklist.exe
PID 2784 wrote to memory of 2640	2784	cmd.exe	tasklist.exe
PID 2424 wrote to memory of 2836	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	2men.exe
PID 2424 wrote to memory of 2836	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	2men.exe
PID 2424 wrote to memory of 2836	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	2men.exe
PID 2424 wrote to memory of 2836	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2560	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2440	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2740	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 2708	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 1868	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 1868	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 1868	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 1868	2836	2men.exe	2men.exe
PID 2836 wrote to memory of 1868	2836	2men.exe	2men.exe
PID 2424 wrote to memory of 1784	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	3men.exe
PID 2424 wrote to memory of 1784	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	3men.exe
PID 2424 wrote to memory of 1784	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	3men.exe
PID 2424 wrote to memory of 1784	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	3men.exe
PID 2424 wrote to memory of 576	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 576	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	cmd.exe
PID 2424 wrote to memory of 576	2424	2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

3men.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3men.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3men.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\j29oAE.exe
C:\Users\Admin\j29oAE.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\cuejim.exe
"C:\Users\Admin\cuejim.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del j29oAE.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\2men.exe
C:\Users\Admin\2men.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\2men.exe
"C:\Users\Admin\2men.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Users\Admin\2men.exe
"C:\Users\Admin\2men.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Users\Admin\2men.exe
"C:\Users\Admin\2men.exe"
3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Users\Admin\2men.exe
"C:\Users\Admin\2men.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Users\Admin\2men.exe
"C:\Users\Admin\2men.exe"
3⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\3men.exe
C:\Users\Admin\3men.exe
2⤵
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1784

C:\Users\Admin\3men.exe
C:\Users\Admin\3men.exe startC:\Users\Admin\AppData\Roaming\CF6D3\856BB.exe%C:\Users\Admin\AppData\Roaming\CF6D3
3⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\3men.exe
C:\Users\Admin\3men.exe startC:\Program Files (x86)\D3FA5\lvvm.exe%C:\Program Files (x86)\D3FA5
3⤵
- Executes dropped EXE
PID:1860

C:\Program Files (x86)\LP\BB4C\C0DF.tmp
"C:\Program Files (x86)\LP\BB4C\C0DF.tmp"
3⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 2493fda9c64e3d7025bde19d90e8e23e_JaffaCakes118.exe
2⤵
- Deletes itself
PID:576

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2men.exe
Filesize
132KB

MD5
945a713b037b50442ec5d18d3dc0d55e

SHA1
2c8881b327a79fafcce27479b78f05487d93c802

SHA256
2da470571a64bcdeb56f62c916ee2bffa87ccc6c028b7c8cb0132d09bceedd2f

SHA512
0eab4bb5d04725cc20e463ae6959f71064674602f8ee7b3c9b2db75e928b9a0b1bdc94233dc261f6277d02e54a443b42a59b12aaebb8bbf243f0940344fbf385

Download Submit
C:\Users\Admin\AppData\Roaming\CF6D3\3FA5.F6D
Filesize
600B

MD5
ec7351571448d5ed7f789eb1424423a3

SHA1
b8111512cf283ea569b63813ad42a40c3d7a03c5

SHA256
4532dc61d4b4b1d830fca2b912c954fdec746605914f19ece322985252f007f2

SHA512
9282748e3183eaccbfc1974574fe9b290e39b49c779830573d172a1068ee0516fdc85698ff86727e508312144b975406deffd3935f3d6b76e6d7db512f656b2b

Download Submit
C:\Users\Admin\AppData\Roaming\CF6D3\3FA5.F6D
Filesize
996B

MD5
27ed3ee230b76c1931fce669b3d44d72

SHA1
fc20af6085ee585df5d2a6b4f4f041c9767fdefd

SHA256
d2679cf547d5a55baad4daf5cbbead7d03f79760329f5a64d4c7c366ecc05fb8

SHA512
390618d2ebe58600ba23b1befd373b0ba44d5ac724c5ebf2447d583afe2b7e8c27ae3ef6f3d863eac64cdd63b15ece979583fdbf4d685c30e76a7bf62d9df745

Download Submit
C:\Users\Admin\AppData\Roaming\CF6D3\3FA5.F6D
Filesize
1KB

MD5
e285baa6b58cc77d6833dcd127d3cb9d

SHA1
a4b79943b4d0dbba256334aeaac88684fae8932b

SHA256
80c1d8bb53582b63298c93451957cf9cbab6db0893222168fac7710e2ad4ce71

SHA512
104dbbab2da5063fcde6763a929d1803ffb869454e9cf5414cd2f689acb46a2b2bb6fc26ef670c46e6faffe11b6789feb97c9ff2315e915bbc37ebf5d1de70c2

Download Submit
\Program Files (x86)\LP\BB4C\C0DF.tmp
Filesize
96KB

MD5
6b9ed8570a1857126c8bf99e0663926c

SHA1
94e08d8a0be09be35f37a9b17ec2130febfa2074

SHA256
888e4e571a6f78ee81d94ab56bd033d413f9160f1089073176b03c91878aae2d

SHA512
23211a1b71f1d05ad7f003231da826220ac4940e48071135cc3fba14708123fa0292e2e71c294a8086d8dc5f90dd32c4da3b41e6857c56f38cb325d78cb14880

Download Submit
\Users\Admin\3men.exe
Filesize
271KB

MD5
0d668203e24463de2bf228f00443b7bc

SHA1
eacff981d71f6648f6315e508bfd75e11683dba8

SHA256
509d530e99839d7dbc8fccac163420d9dc455fb478fa57fdec1b7a2ef629d7bc

SHA512
3251bb1341bd466e71468d72723bd5cf545dbd232327f343b44c51daae8755ed3caa02f74adbb0304912769346fa90dfa4c7036c211836e5650bdb06993ba803

Download Submit
\Users\Admin\cuejim.exe
Filesize
176KB

MD5
c10e1dbbf9734251c11f3bbe7748f4c9

SHA1
16d29791f0663692d7e2b91fdb057f07d70a46d7

SHA256
a4a51fe232d4394fa4b37927b16026f78e5fdffae69e537d1f33a585eef9531e

SHA512
c98ebf3995609945d9f353dbf8b9f819abcee82800d58302b9bd815d8cf43f3fa721b85970ff40e7b325a6629faecef47d28c205e3274249a284f2d619159b4c

Download Submit
\Users\Admin\j29oAE.exe
Filesize
176KB

MD5
c4a634088e095eab98183984bb7252d8

SHA1
c205f2c1f8040c9205c6c06accd75c0396c59781

SHA256
db345985313397a39cc2817134315c8db71ab4c48680e62c0358db406b0eff6a

SHA512
b6a30f6d5cc30bee9b9d483629f16c80c5338360cec629f9ee2a3307b73b9743fd71396e408ac72008b84f4b8fded26002c910421853253b52b8b4d530df7a8e

Download Submit
memory/1784-249-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1784-122-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1860-251-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2440-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2440-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2440-54-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2440-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2440-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2440-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2440-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-38-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-101-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-48-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-51-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-47-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-45-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-42-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-40-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2708-121-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2708-83-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2708-87-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2708-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2708-85-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2708-77-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2740-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2740-120-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2740-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2740-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2740-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2740-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2740-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2740-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3036-118-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download