Malware Analysis Report

2024-10-18 21:34

Sample ID 240622-1ysdwaweje
Target 040aa26e340fc21f5592418762f93c78_JaffaCakes118
SHA256 eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818
Tags metasploit backdoor trojan upx
Score 10/10

Analysis Overview

score
10/10

SHA256

eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818

Threat Level: Known bad

The file 040aa26e340fc21f5592418762f93c78_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan upx

MetaSploit

Loads dropped DLL

Executes dropped EXE

UPX packed file

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 22:03

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 22:03

Reported

2024-06-22 22:06

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe N/A
File created C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe N/A
File opened for modification C:\Windows\SysWOW64\globalpatch.exe C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\globalpatch.exe C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
PID 4688 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe C:\Windows\SysWOW64\globalpatch.exe
PID 536 wrote to memory of 1576 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 1576 wrote to memory of 1736 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 1736 wrote to memory of 3500 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 3500 wrote to memory of 3280 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 3280 wrote to memory of 4824 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 4824 wrote to memory of 4524 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 4524 wrote to memory of 2012 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 2012 wrote to memory of 4900 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 4900 wrote to memory of 2292 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 2292 wrote to memory of 1004 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

C:\Windows\SysWOW64\globalpatch.exe

C:\Windows\system32\globalpatch.exe 976 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

C:\Windows\SysWOW64\globalpatch.exe

976 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8

C:\Windows\SysWOW64\globalpatch.exe

C:\Windows\system32\globalpatch.exe 1124 "C:\Windows\SysWOW64\globalpatch.exe"

C:\Windows\SysWOW64\globalpatch.exe

1124 "C:\Windows\SysWOW64\globalpatch.exe"

C:\Windows\SysWOW64\globalpatch.exe

C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"

C:\Windows\SysWOW64\globalpatch.exe

1092 "C:\Windows\SysWOW64\globalpatch.exe"

C:\Windows\SysWOW64\globalpatch.exe

C:\Windows\system32\globalpatch.exe 1084 "C:\Windows\SysWOW64\globalpatch.exe"

C:\Windows\SysWOW64\globalpatch.exe

1084 "C:\Windows\SysWOW64\globalpatch.exe"

Network


Files

C:\Windows\SysWOW64\globalpatch.exe

MD5 040aa26e340fc21f5592418762f93c78
SHA1 96589badd0c65357b28c135a11593307160d15be
SHA256 eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818
SHA512 849d5b6a98a560786bd1112b5523692b5bef697261c80dd202a3cb498ce81d4d3082f6cac851550bfc3d8483cc21e97ace376524d4b2a50f1e2a8234051834c7

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 22:03

Reported

2024-06-22 22:06

Platform

win7-20240611-en

Max time kernel

139s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\globalpatch.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe N/A
File created C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe N/A
File created C:\Windows\SysWOW64\globalpatch.exe C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\globalpatch.exe C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe
PID 2376 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe C:\Windows\SysWOW64\globalpatch.exe
PID 2648 wrote to memory of 1896 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 1896 wrote to memory of 2296 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 2296 wrote to memory of 680 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 680 wrote to memory of 1532 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe
PID 1532 wrote to memory of 976 N/A C:\Windows\SysWOW64\globalpatch.exe C:\Windows\SysWOW64\globalpatch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

C:\Windows\SysWOW64\globalpatch.exe

C:\Windows\system32\globalpatch.exe 476 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

C:\Windows\SysWOW64\globalpatch.exe

476 "C:\Users\Admin\AppData\Local\Temp\040aa26e340fc21f5592418762f93c78_JaffaCakes118.exe"

C:\Windows\SysWOW64\globalpatch.exe

C:\Windows\system32\globalpatch.exe 580 "C:\Windows\SysWOW64\globalpatch.exe"

C:\Windows\SysWOW64\globalpatch.exe

580 "C:\Windows\SysWOW64\globalpatch.exe"

Network

N/A

Files

\Windows\SysWOW64\globalpatch.exe

MD5 040aa26e340fc21f5592418762f93c78
SHA1 96589badd0c65357b28c135a11593307160d15be
SHA256 eebf205aee00f0e41d9880358b55bb605964c6ca6265e24c6d5e8beaf260e818
SHA512 849d5b6a98a560786bd1112b5523692b5bef697261c80dd202a3cb498ce81d4d3082f6cac851550bfc3d8483cc21e97ace376524d4b2a50f1e2a8234051834c7
