Malware Analysis Report

2025-01-03 08:04

Sample ID 240420-crcg3seg8z
Target fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118
SHA256 2f4e4271679970807947b1c1bd3d8c8281f1bfbc6a15a1e1dfcfeef5e30b77ca
Tags metasploit backdoor evasion trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

2f4e4271679970807947b1c1bd3d8c8281f1bfbc6a15a1e1dfcfeef5e30b77ca

Threat Level: Known bad

The file fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-20 02:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 02:18

Reported

2024-04-20 02:21

Platform

win7-20240221-en

Max time kernel

141s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Windows\SysWOW64\csrs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe N/A
File opened for modification C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe N/A
File opened for modification C:\Windows\SysWOW64\csrs.exe C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\csrs.exe C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe C:\Windows\SysWOW64\csrs.exe
PID 2156 wrote to memory of 576 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 576 wrote to memory of 3000 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 3000 wrote to memory of 3012 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 3012 wrote to memory of 1980 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 1980 wrote to memory of 2264 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 2264 wrote to memory of 276 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 276 wrote to memory of 2324 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 2324 wrote to memory of 928 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe
PID 928 wrote to memory of 2628 N/A C:\Windows\SysWOW64\csrs.exe C:\Windows\SysWOW64\csrs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 700 "C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 684 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 692 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 688 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 696 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 708 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 712 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 716 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 724 "C:\Windows\SysWOW64\csrs.exe"

C:\Windows\SysWOW64\csrs.exe

C:\Windows\system32\csrs.exe 720 "C:\Windows\SysWOW64\csrs.exe"

Network

N/A

Files

\Windows\SysWOW64\csrs.exe

MD5 fbb58548bfeccd6a4527afe7c54dfb40
SHA1 f405d936bfb4765a9dbfcf4f658b097aafdeef6e
SHA256 2f4e4271679970807947b1c1bd3d8c8281f1bfbc6a15a1e1dfcfeef5e30b77ca
SHA512 9e55ae83a08b12da9cd17cdcf01f2cd12ae9064c4d899f9086bd049764a83a21ce5d18274eb612fea357eca652c44b85ab1996c537b34809884bac4375490db1

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 02:18

Reported

2024-04-20 02:20

Platform

win10v2004-20240412-en

Max time kernel

122s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fbb58548bfeccd6a4527afe7c54dfb40_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3988-0-0x0000000000400000-0x00000000005D8000-memory.dmp

memory/3988-1-0x0000000000400000-0x00000000005D8000-memory.dmp