Malware Analysis Report

2024-09-22 21:58

Sample ID 240727-3a8r3atgjl
Target 024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118
SHA256 4ad56ad56865d9c280cdff0b03a69b51a36a032847ee7d7bc62b8aecb0b6981c
Tags
bitrat discovery persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ad56ad56865d9c280cdff0b03a69b51a36a032847ee7d7bc62b8aecb0b6981c

Threat Level: Known bad

The file 024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

bitrat discovery persistence trojan upx

BitRAT payload

BitRAT

Checks computer location settings

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-27 23:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 23:19

Reported

2024-07-30 13:21

Platform

win7-20240704-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCAZZSD26923540123KJLVYTYREXTQQQ = "C:\\Users\\Admin\\AppData\\Local\\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe
PID 2684 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2684 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe

"C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 extreme33.dns1.us udp

Files

C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe

MD5 024a2b33f4a43ab679b44f1b9bcb6bcc
SHA1 f154baff6d0e53d0f40ca49db29d911ec3231a8f
SHA256 4ad56ad56865d9c280cdff0b03a69b51a36a032847ee7d7bc62b8aecb0b6981c
SHA512 5b8d0e9605e929763ccbe286d4c63f3c12b0338cbcd1fcff301482de45c9f3d2e9240fab5f54179685a2c856a24af03c2fec4c6969070698d7da2b099b5c08a4

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 23:19

Reported

2024-07-30 13:20

Platform

win10v2004-20240709-en

Max time kernel

117s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe"

Signatures

BitRAT

trojan bitrat

BitRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCAZZSD26923540123KJLVYTYREXTQQQ = "C:\\Users\\Admin\\AppData\\Local\\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3476 set thread context of 5084 N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3584 wrote to memory of 3476 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe
PID 3476 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3476 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\024a2b33f4a43ab679b44f1b9bcb6bcc_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe

"C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "VCAZZSD26923540123KJLVYTYREXTQQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 extreme33.dns1.us udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 extreme33.dns1.us udp

Files

C:\Users\Admin\AppData\Local\ASDWRTEssscx342VJHVYGHVJJ7890MSDDERMYULLNMM.exe

MD5 024a2b33f4a43ab679b44f1b9bcb6bcc
SHA1 f154baff6d0e53d0f40ca49db29d911ec3231a8f
SHA256 4ad56ad56865d9c280cdff0b03a69b51a36a032847ee7d7bc62b8aecb0b6981c
SHA512 5b8d0e9605e929763ccbe286d4c63f3c12b0338cbcd1fcff301482de45c9f3d2e9240fab5f54179685a2c856a24af03c2fec4c6969070698d7da2b099b5c08a4
