Malware Analysis Report

2024-08-06 17:11

Sample ID 240504-1bakjsbg6z
Target 148da8473a260935979977ade797e718_JaffaCakes118
SHA256 a29e150b2ff91da057487b87d420e394347f3e0364742705705b103a2d518f61
Tags
darkcomet guest16 persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a29e150b2ff91da057487b87d420e394347f3e0364742705705b103a2d518f61

Threat Level: Known bad

The file 148da8473a260935979977ade797e718_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 persistence rat trojan upx

Modifies WinLogon for persistence

Darkcomet

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-04 21:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 21:28

Reported

2024-05-04 21:30

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer" C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer" C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 set thread context of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1636 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2516 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 2492 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 768 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 768 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 768 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 768 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 768 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 768 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 768 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 768 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
PID 768 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
PID 768 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
PID 768 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 2432 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE

"C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE"

C:\Windows\SysWOW64\notepad.exe

notepad

Network

Country Destination Domain Proto
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp

Files

memory/1636-0-0x0000000074A61000-0x0000000074A62000-memory.dmp

memory/1636-1-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/1636-2-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2516-21-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2516-24-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2516-34-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2516-32-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2516-30-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2516-35-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2516-36-0x0000000074A60000-0x000000007500B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab12A6.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/1636-46-0x0000000074A60000-0x000000007500B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 192728619f78efb972ec5e202d64e6a9
SHA1 3a422dfe3c888d9b78599cc9d31122b971c9dcca
SHA256 f24f556810a44fafdc3b55530194d5740b871cd97c12cd1f5fc2e7f0c687daf0
SHA512 1553e280341bf520516d0cb7d693cc754cf496c45418a00bf974813877406ec31fd131fa1008805309f895a393f64ef42d2820297f65cc83c17a6befbdd1e2f8

memory/2516-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2516-26-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2516-22-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar1393.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2492-56-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2492-68-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2492-70-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2492-66-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2492-71-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/2492-62-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2492-60-0x0000000000400000-0x000000000049C000-memory.dmp

memory/2492-58-0x0000000000400000-0x000000000049C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a59afeb397e77a51c973f2a6f7f3211
SHA1 47bdd384fd496f43803710bc81d66c0d2eab7b0f
SHA256 dcf08b1d47e0bbda9e85e2f7888d608712de69b8b4e80c5fdf2b083262aae16c
SHA512 955771827761f1c3d52ec78a7a93be7d728198fb9a53055a40be592bd5ae1dee5ab268b3baedbf5b3e9c965bf9dc598a4ec7d1d9077d9396690d916f7e467b46

memory/2516-89-0x0000000074A60000-0x000000007500B000-memory.dmp

memory/768-98-0x0000000000400000-0x000000000046B000-memory.dmp

memory/768-93-0x0000000000400000-0x000000000046B000-memory.dmp

memory/768-90-0x0000000000400000-0x000000000046B000-memory.dmp

memory/768-103-0x0000000000400000-0x000000000046B000-memory.dmp

memory/768-104-0x0000000000400000-0x000000000046B000-memory.dmp

memory/768-100-0x0000000000400000-0x000000000046B000-memory.dmp

memory/768-96-0x0000000000400000-0x000000000046B000-memory.dmp

memory/768-94-0x0000000000400000-0x000000000046B000-memory.dmp

memory/2492-106-0x0000000074A60000-0x000000007500B000-memory.dmp

\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7cd2da0120e9b08e0a81d4bc8efef66f
SHA1 850d6c6fd6c308526381fd3445e4836dd7a0e1f0
SHA256 4750f78dd654a8b02cc5c0f10569f364673f03b407e2291279e30cae449c6f8b
SHA512 c2333eb54e5ce17dc2fd7ce25803fe0fb8b7e8d41be0ea6b57bba5e0fe73f8956f0867e78537c2c2f8f3581d83e67b6cd5ed8706beddcaf1c6654cbe2d7331f4

\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE

MD5 211945ebdfe62b019a73cfba4e15592c
SHA1 33a9822aa4a68379c5e50950bce5946a9bd6b4ac
SHA256 27cbae331070b3643799b7d6143f7e7d3e8492b2c743d7771e5331c78d0eccaf
SHA512 1bf2f4096ea79ab7bd5a6759b8f83623d789002d0ccf32ae9e0d45a9ec15a55cc619abf2ee2baa91251b8c7af2ad810098363387ff43def19ebe0edd66451b4d

memory/2432-123-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/768-122-0x0000000002D50000-0x0000000002E07000-memory.dmp

memory/1556-125-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1752-164-0x0000000000CB0000-0x0000000000CD0000-memory.dmp

memory/2432-167-0x0000000000400000-0x00000000004B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 21:28

Reported

2024-05-04 21:30

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer" C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\pG07ARK2K01Z\\Windows/Explorer" C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1388 set thread context of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 set thread context of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 set thread context of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1388 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 1228 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 736 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe
PID 4516 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4516 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4516 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 4516 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
PID 4516 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
PID 4516 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe
PID 3220 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE C:\Windows\SysWOW64\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\148da8473a260935979977ade797e718_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE

"C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE"

C:\Windows\SysWOW64\notepad.exe

notepad

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 leifstresser.ddns.net udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 leifstresser.ddns.net udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 leifstresser.ddns.net udp
N/A 127.0.0.1:1604 tcp

Files

memory/1388-0-0x0000000074732000-0x0000000074733000-memory.dmp

memory/1388-1-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/1388-2-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/1228-3-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\148da8473a260935979977ade797e718_JaffaCakes118.exe.log

MD5 c19eb8c8e7a40e6b987f9d2ee952996e
SHA1 6fc3049855bc9100643e162511673c6df0f28bfb
SHA256 677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a
SHA512 860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

memory/1228-6-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/736-7-0x0000000000400000-0x000000000049C000-memory.dmp

memory/1228-10-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/1228-9-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/1388-8-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/736-12-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4516-14-0x0000000000400000-0x000000000046B000-memory.dmp

memory/4516-18-0x0000000000400000-0x000000000046B000-memory.dmp

memory/736-19-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4516-16-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 7cd2da0120e9b08e0a81d4bc8efef66f
SHA1 850d6c6fd6c308526381fd3445e4836dd7a0e1f0
SHA256 4750f78dd654a8b02cc5c0f10569f364673f03b407e2291279e30cae449c6f8b
SHA512 c2333eb54e5ce17dc2fd7ce25803fe0fb8b7e8d41be0ea6b57bba5e0fe73f8956f0867e78537c2c2f8f3581d83e67b6cd5ed8706beddcaf1c6654cbe2d7331f4

C:\Users\Admin\AppData\Local\Temp\UDP FLOODER 1.EXE

MD5 211945ebdfe62b019a73cfba4e15592c
SHA1 33a9822aa4a68379c5e50950bce5946a9bd6b4ac
SHA256 27cbae331070b3643799b7d6143f7e7d3e8492b2c743d7771e5331c78d0eccaf
SHA512 1bf2f4096ea79ab7bd5a6759b8f83623d789002d0ccf32ae9e0d45a9ec15a55cc619abf2ee2baa91251b8c7af2ad810098363387ff43def19ebe0edd66451b4d

memory/3220-41-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4516-15-0x0000000000400000-0x000000000046B000-memory.dmp

memory/736-13-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/1228-11-0x0000000074730000-0x0000000074CE1000-memory.dmp

memory/4516-42-0x0000000000400000-0x000000000046B000-memory.dmp

memory/5036-43-0x0000000001230000-0x0000000001231000-memory.dmp

memory/3932-44-0x0000000000710000-0x0000000000730000-memory.dmp

memory/3932-45-0x0000000004FE0000-0x000000000507C000-memory.dmp

memory/3932-46-0x0000000005630000-0x0000000005BD4000-memory.dmp

memory/3932-47-0x0000000005080000-0x0000000005112000-memory.dmp

memory/3932-49-0x0000000005180000-0x00000000051D6000-memory.dmp

memory/3932-48-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

memory/3220-50-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-51-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-52-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-53-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-54-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-55-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-56-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-57-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-58-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-59-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-60-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-61-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-62-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3220-63-0x0000000000400000-0x00000000004B7000-memory.dmp