Analysis Overview
SHA256
b9b17212daed8c69f09c9933c9215824c23065e2e7593b3c3d8954610977d7b2
Threat Level: Known bad
The file 2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Drops startup file
Enumerates connected drives
Drops file in System32 directory
Drops autorun.inf file
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 10:24
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 10:24
Reported
2024-05-10 10:27
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
101s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3948 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
C:\Windows\SysWOW64\HelpMe.exe
F:\AUTORUN.INF
F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.exe
C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.exe
F:\AutoRun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 10:24
Reported
2024-05-10 10:27
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
Renames multiple (91) files with added filename extension
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2000 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ea947ef32c34098f5db9a0fb419fde7_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
\Windows\SysWOW64\HelpMe.exe
F:\AUTORUN.INF
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe
F:\AutoRun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk