modiloader | 4b425e4d2556ca6f5ef8177b6c60d227a6c83ffde6d976c402844e8d00b8a5f6

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2024, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Size

637KB
MD5

d7dce1e32b4245e0d242de38c5bf9995
SHA1

4c5cae60d9d16d50afdc36ff4ece59ae2d36f948
SHA256

4b425e4d2556ca6f5ef8177b6c60d227a6c83ffde6d976c402844e8d00b8a5f6
SHA512

86b5b5f6bee354cdb2f724eca53d10b07e44919450def1b2e30580e8d197915b3c23124219da0a98c0f80b0636e6ee78e89c3a2a2b1e95301f97e590cf4a0b9c
SSDEEP

12288:Owd3kQSt5XJ8FeJGyHJmdRUSRK/lGRgOUqmq9kR6lhKXydJ6AsD:Owd3kQSt5GUoypAK/cRgOnmq9g6BED

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 33 IoCs

resource	yara_rule
behavioral2/memory/4540-24-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/4540-25-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/4540-43-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/4204-52-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/4204-51-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/4204-61-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/384-68-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/384-69-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/384-78-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/1176-85-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/1176-94-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/2144-101-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/2144-102-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/2144-112-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/1480-118-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/1480-119-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/1480-129-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-136-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-137-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-147-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3740-154-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3740-166-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/2656-173-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/2656-186-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/740-194-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/740-207-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/2980-214-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/2980-226-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3900-244-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3688-250-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/3688-261-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/436-269-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2
behavioral2/memory/436-280-0x0000000000400000-0x00000000004E9000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe

Executes dropped EXE 27 IoCs

pid	Process
2052	kern.exe
4204	kern.exe
2880	kern.exe
384	kern.exe
1436	kern.exe
1176	kern.exe
2336	kern.exe
2144	kern.exe
764	kern.exe
1480	kern.exe
4944	kern.exe
3156	kern.exe
1656	kern.exe
3740	kern.exe
212	kern.exe
2656	kern.exe
1088	kern.exe
740	kern.exe
2692	kern.exe
2980	kern.exe
1632	kern.exe
3900	kern.exe
4756	kern.exe
3688	kern.exe
1628	kern.exe
436	kern.exe
2480	kern.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\u0pw2riKy = "C:\\Windows\\system32\\IkVPt.exe"	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MFLmP536BUr5sl = "C:\\Windows\\system32\\IkVPt.exe"	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InternalSystray = "c:\\windows\\system32\\kern.exe"	kern.exe

Maps connected drives based on registry 3 TTPs 30 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	kern.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IkVPt.exe	cmd.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File opened for modification	\??\c:\windows\SysWOW64\kern.exe	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IkVPt.exe	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IkVPt.exe	cmd.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe
File created	\??\c:\windows\SysWOW64\kern.exe	kern.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 2052 set thread context of 4204	2052	kern.exe	97
PID 2880 set thread context of 384	2880	kern.exe	100
PID 1436 set thread context of 1176	1436	kern.exe	102
PID 2336 set thread context of 2144	2336	kern.exe	104
PID 764 set thread context of 1480	764	kern.exe	106
PID 4944 set thread context of 3156	4944	kern.exe	108
PID 1656 set thread context of 3740	1656	kern.exe	110
PID 212 set thread context of 2656	212	kern.exe	112
PID 1088 set thread context of 740	1088	kern.exe	114
PID 2692 set thread context of 2980	2692	kern.exe	116
PID 1632 set thread context of 3900	1632	kern.exe	118
PID 4756 set thread context of 3688	4756	kern.exe	120
PID 1628 set thread context of 436	1628	kern.exe	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kern.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4540	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
4540	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
4204	kern.exe
4204	kern.exe
384	kern.exe
384	kern.exe
1176	kern.exe
1176	kern.exe
2144	kern.exe
2144	kern.exe
1480	kern.exe
1480	kern.exe
3156	kern.exe
3156	kern.exe
3740	kern.exe
3740	kern.exe
2656	kern.exe
2656	kern.exe
740	kern.exe
740	kern.exe
2980	kern.exe
2980	kern.exe
3900	kern.exe
3900	kern.exe
3688	kern.exe
3688	kern.exe
436	kern.exe
436	kern.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Token: SeDebugPrivilege	4540	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
Token: SeDebugPrivilege	4204	kern.exe
Token: SeDebugPrivilege	4204	kern.exe
Token: SeDebugPrivilege	384	kern.exe
Token: SeDebugPrivilege	384	kern.exe
Token: SeDebugPrivilege	1176	kern.exe
Token: SeDebugPrivilege	1176	kern.exe
Token: SeDebugPrivilege	2144	kern.exe
Token: SeDebugPrivilege	2144	kern.exe
Token: SeDebugPrivilege	1480	kern.exe
Token: SeDebugPrivilege	1480	kern.exe
Token: SeDebugPrivilege	3156	kern.exe
Token: SeDebugPrivilege	3156	kern.exe
Token: SeDebugPrivilege	3740	kern.exe
Token: SeDebugPrivilege	3740	kern.exe
Token: SeDebugPrivilege	2656	kern.exe
Token: SeDebugPrivilege	2656	kern.exe
Token: SeDebugPrivilege	740	kern.exe
Token: SeDebugPrivilege	740	kern.exe
Token: SeDebugPrivilege	2980	kern.exe
Token: SeDebugPrivilege	2980	kern.exe
Token: SeDebugPrivilege	3900	kern.exe
Token: SeDebugPrivilege	3900	kern.exe
Token: SeDebugPrivilege	3688	kern.exe
Token: SeDebugPrivilege	3688	kern.exe
Token: SeDebugPrivilege	436	kern.exe
Token: SeDebugPrivilege	436	kern.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
2052	kern.exe
2880	kern.exe
1436	kern.exe
2336	kern.exe
764	kern.exe
4944	kern.exe
1656	kern.exe
212	kern.exe
1088	kern.exe
2692	kern.exe
1632	kern.exe
4756	kern.exe
1628	kern.exe
2480	kern.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 1352 wrote to memory of 4540	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	93
PID 4540 wrote to memory of 2052	4540	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	94
PID 4540 wrote to memory of 2052	4540	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	94
PID 4540 wrote to memory of 2052	4540	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	94
PID 1352 wrote to memory of 532	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	95
PID 1352 wrote to memory of 532	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	95
PID 1352 wrote to memory of 532	1352	d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe	95
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 2052 wrote to memory of 4204	2052	kern.exe	97
PID 4204 wrote to memory of 2880	4204	kern.exe	98
PID 4204 wrote to memory of 2880	4204	kern.exe	98
PID 4204 wrote to memory of 2880	4204	kern.exe	98
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 2880 wrote to memory of 384	2880	kern.exe	100
PID 384 wrote to memory of 1436	384	kern.exe	101
PID 384 wrote to memory of 1436	384	kern.exe	101
PID 384 wrote to memory of 1436	384	kern.exe	101
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1436 wrote to memory of 1176	1436	kern.exe	102
PID 1176 wrote to memory of 2336	1176	kern.exe	103
PID 1176 wrote to memory of 2336	1176	kern.exe	103
PID 1176 wrote to memory of 2336	1176	kern.exe	103
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2336 wrote to memory of 2144	2336	kern.exe	104
PID 2144 wrote to memory of 764	2144	kern.exe	105
PID 2144 wrote to memory of 764	2144	kern.exe	105
PID 2144 wrote to memory of 764	2144	kern.exe	105
PID 764 wrote to memory of 1480	764	kern.exe	106
PID 764 wrote to memory of 1480	764	kern.exe	106
PID 764 wrote to memory of 1480	764	kern.exe	106
PID 764 wrote to memory of 1480	764	kern.exe	106
PID 764 wrote to memory of 1480	764	kern.exe	106
PID 764 wrote to memory of 1480	764	kern.exe	106

C:\Users\Admin\AppData\Local\Temp\d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d7dce1e32b4245e0d242de38c5bf9995_JaffaCakes118.exe
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - \??\c:\windows\SysWOW64\kern.exe
    c:\windows\system32\kern.exe
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - \??\c:\windows\SysWOW64\kern.exe
      c:\windows\SysWOW64\kern.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4204
    - - \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        7⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        9⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        11⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        13⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        15⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        17⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        19⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        21⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        23⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        25⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        27⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\SysWOW64\kern.exe
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        \??\c:\windows\SysWOW64\kern.exe
        
        c:\windows\system32\kern.exe
        29⤵
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
172B

MD5
c5a0ea98f800c9c689c83762b1cc7611

SHA1
14609136f098e9871589d34e49ba6bae5e7afb54

SHA256
c82e760e914f135619aed332141f07f80dd97800c20e4f927a99780efba698c6

SHA512
5c2c3051e2ebb0ecc25e0cab4f039f43e2570648d3a884882a44d74d7ecfb3e51802e65eee69d273ee2ff2eae6fa814367951929ad094685c53216f95ec8fee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
116B

MD5
c924b9502d26d4de32b120f86afde78b

SHA1
9b20acb58aef17b0f2ffadf9866dd030d14e7a21

SHA256
dd935d54722f99664bf52b752a4873e3340013c101cc4e523ed476e42cadd016

SHA512
4e3b8cd10127e816a5776272b705c7a63be18f74c17a41e8d8d027ba5ba0f610a6631b7bed42d3553774ca4abe56bacde5d260cadd88518afe8cc0046679b889

Download Submit
\??\c:\windows\SysWOW64\kern.exe

Filesize
637KB

MD5
d7dce1e32b4245e0d242de38c5bf9995

SHA1
4c5cae60d9d16d50afdc36ff4ece59ae2d36f948

SHA256
4b425e4d2556ca6f5ef8177b6c60d227a6c83ffde6d976c402844e8d00b8a5f6

SHA512
86b5b5f6bee354cdb2f724eca53d10b07e44919450def1b2e30580e8d197915b3c23124219da0a98c0f80b0636e6ee78e89c3a2a2b1e95301f97e590cf4a0b9c

Download Submit
memory/212-182-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/212-163-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/212-172-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/384-69-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/384-78-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/384-68-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/436-269-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/436-280-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/740-207-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/740-194-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/764-124-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/764-109-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/764-117-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1088-183-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1088-202-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1088-193-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1176-85-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1176-94-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1352-16-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/1352-8-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/1352-1-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1352-10-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/1352-0-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1352-20-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1352-41-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1352-42-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1352-9-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1352-7-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/1352-19-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1352-18-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1352-14-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1352-15-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/1352-6-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1352-17-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1352-13-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1352-2-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/1352-3-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/1352-4-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/1352-5-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/1436-90-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1436-82-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1480-118-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1480-129-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1480-119-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1628-268-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1628-258-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1628-276-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1632-229-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1632-239-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1656-144-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1656-153-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1656-161-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2052-30-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2052-46-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2052-45-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2052-56-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2144-102-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2144-101-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2144-112-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2336-100-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2336-108-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2480-277-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2656-186-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2656-173-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2692-213-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2692-204-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2692-222-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2880-67-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2880-75-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2980-226-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2980-214-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3156-137-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3156-147-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3156-136-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3688-250-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3688-261-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3740-166-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3740-154-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3900-244-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4204-51-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4204-61-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4204-52-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4540-24-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4540-43-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4540-21-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4540-22-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4540-23-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4540-25-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4756-249-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4756-256-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4756-241-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4944-143-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4944-135-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4944-126-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download