Malware Analysis Report

2024-09-23 04:23

Sample ID 240620-nh9l1avcrf
Target 058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118
SHA256 21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3
Tags metasploit backdoor bootkit persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3

Threat Level: Known bad

The file 058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor bootkit persistence trojan

MetaSploit

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 11:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 11:25

Reported

2024-06-20 11:27

Platform

win7-20240611-en

Max time kernel

148s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\draft32.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe N/A
File created C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe N/A
File created C:\Windows\SysWOW64\draft32.exe C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\draft32.exe C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\draft32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\draft32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\draft32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe C:\Windows\SysWOW64\draft32.exe
PID 2668 wrote to memory of 2960 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 2960 wrote to memory of 1912 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 1912 wrote to memory of 1140 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 1140 wrote to memory of 2040 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 2040 wrote to memory of 320 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 320 wrote to memory of 1800 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 1800 wrote to memory of 2340 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 2340 wrote to memory of 1660 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 1660 wrote to memory of 1520 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 536 "C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 528 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 540 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 524 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 532 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 552 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 556 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 544 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 564 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 560 "C:\Windows\SysWOW64\draft32.exe"

Network

N/A

Files

\Windows\SysWOW64\draft32.exe

MD5 058e65cc5c8b62de498e338e97d3ec3e
SHA1 f0bb915425b732dc0ffebeabf3b650a1d4528fbd
SHA256 21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3
SHA512 eb7c3dcbf9571723193528d6fd3d2422d0753ad0f7e1dd06f292ac9eb73fd11d1f88364d973694a2a277683fe77996a81b2f907c13cc5e53a7db07546d6a25a3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 11:25

Reported

2024-06-20 11:27

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe N/A
File created C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe N/A
File opened for modification C:\Windows\SysWOW64\draft32.exe C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\draft32.exe C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\draft32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\draft32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\draft32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe C:\Windows\SysWOW64\draft32.exe
PID 3304 wrote to memory of 1544 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 1544 wrote to memory of 3428 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 3428 wrote to memory of 2424 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 2424 wrote to memory of 1036 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 1036 wrote to memory of 3456 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 3456 wrote to memory of 916 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 916 wrote to memory of 2988 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 2988 wrote to memory of 1552 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe
PID 1552 wrote to memory of 4028 N/A C:\Windows\SysWOW64\draft32.exe C:\Windows\SysWOW64\draft32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1036 "C:\Users\Admin\AppData\Local\Temp\058e65cc5c8b62de498e338e97d3ec3e_JaffaCakes118.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1160 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1128 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1124 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1132 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1140 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1136 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1060 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1120 "C:\Windows\SysWOW64\draft32.exe"

C:\Windows\SysWOW64\draft32.exe

C:\Windows\system32\draft32.exe 1152 "C:\Windows\SysWOW64\draft32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\SysWOW64\draft32.exe

MD5 058e65cc5c8b62de498e338e97d3ec3e
SHA1 f0bb915425b732dc0ffebeabf3b650a1d4528fbd
SHA256 21b69f6e7ed146f49d0036fad6443ef2f9dadff438c54d7c8d6d24704b44b8a3
SHA512 eb7c3dcbf9571723193528d6fd3d2422d0753ad0f7e1dd06f292ac9eb73fd11d1f88364d973694a2a277683fe77996a81b2f907c13cc5e53a7db07546d6a25a3
