metasploit | 23306f0640e23f2487febf1c35be79487c5453fffe38c30ed40d3ad879b6132f

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
Size

198KB
MD5

dc9eb54ed1c3e7b99c207128a76f8ebc
SHA1

a76f058783b6918e802d492af5adc50d05b251d7
SHA256

23306f0640e23f2487febf1c35be79487c5453fffe38c30ed40d3ad879b6132f
SHA512

66c3b0790823c4614c17cc554287ec0d434338f5156f18f7a2edaee33e43a3b1cf983b8b1dbaccf8dc0a7ed7682e9150722e4e98c0e6127b548619892394b662
SSDEEP

3072:8boQs34PiJiFX/Zb5L1odA77vsDUUbjTcisIJoldaLGdWHPSn98gDDcuO:8S34HedqY1HT/sMopQw8gDDcuO

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
1744	wmpdtc32.exe

Executes dropped EXE 34 IoCs

pid	Process
2516	wmpdtc32.exe
1744	wmpdtc32.exe
2924	wmpdtc32.exe
1740	wmpdtc32.exe
2180	wmpdtc32.exe
1960	wmpdtc32.exe
1540	wmpdtc32.exe
1864	wmpdtc32.exe
2952	wmpdtc32.exe
2852	wmpdtc32.exe
1888	wmpdtc32.exe
2408	wmpdtc32.exe
2460	wmpdtc32.exe
1500	wmpdtc32.exe
1620	wmpdtc32.exe
568	wmpdtc32.exe
1048	wmpdtc32.exe
880	wmpdtc32.exe
2192	wmpdtc32.exe
2344	wmpdtc32.exe
3004	wmpdtc32.exe
2404	wmpdtc32.exe
2896	wmpdtc32.exe
2228	wmpdtc32.exe
2176	wmpdtc32.exe
2248	wmpdtc32.exe
1860	wmpdtc32.exe
1880	wmpdtc32.exe
288	wmpdtc32.exe
2912	wmpdtc32.exe
2084	wmpdtc32.exe
2108	wmpdtc32.exe
1420	wmpdtc32.exe
2720	wmpdtc32.exe

Loads dropped DLL 34 IoCs

pid	Process
2572	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
2516	wmpdtc32.exe
1744	wmpdtc32.exe
2924	wmpdtc32.exe
1740	wmpdtc32.exe
2180	wmpdtc32.exe
1960	wmpdtc32.exe
1540	wmpdtc32.exe
1864	wmpdtc32.exe
2952	wmpdtc32.exe
2852	wmpdtc32.exe
1888	wmpdtc32.exe
2408	wmpdtc32.exe
2460	wmpdtc32.exe
1500	wmpdtc32.exe
1620	wmpdtc32.exe
568	wmpdtc32.exe
1048	wmpdtc32.exe
880	wmpdtc32.exe
2192	wmpdtc32.exe
2344	wmpdtc32.exe
3004	wmpdtc32.exe
2404	wmpdtc32.exe
2896	wmpdtc32.exe
2228	wmpdtc32.exe
2176	wmpdtc32.exe
2248	wmpdtc32.exe
1860	wmpdtc32.exe
1880	wmpdtc32.exe
288	wmpdtc32.exe
2912	wmpdtc32.exe
2084	wmpdtc32.exe
2108	wmpdtc32.exe
1420	wmpdtc32.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2572-4-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-6-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-7-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-3-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-2-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-8-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-9-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1744-30-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-33-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1744-48-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1740-49-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1744-52-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1960-67-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1740-66-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1740-70-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1864-84-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1960-87-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2852-101-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1864-104-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2408-118-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2852-121-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1500-135-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2408-138-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/568-152-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1500-155-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/880-170-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/568-173-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2344-187-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/880-190-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2404-204-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2344-207-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2228-222-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2404-225-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2248-239-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2228-242-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1880-254-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2248-257-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2912-267-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1880-270-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2108-280-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2912-283-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2720-293-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2108-296-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 36 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtc32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtc32.exe
File created	C:\Windows\SysWOW64\wmpdtc32.exe	wmpdtc32.exe

Suspicious use of SetThreadContext 18 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2516 set thread context of 1744	2516	wmpdtc32.exe	33
PID 2924 set thread context of 1740	2924	wmpdtc32.exe	35
PID 2180 set thread context of 1960	2180	wmpdtc32.exe	37
PID 1540 set thread context of 1864	1540	wmpdtc32.exe	39
PID 2952 set thread context of 2852	2952	wmpdtc32.exe	41
PID 1888 set thread context of 2408	1888	wmpdtc32.exe	43
PID 2460 set thread context of 1500	2460	wmpdtc32.exe	45
PID 1620 set thread context of 568	1620	wmpdtc32.exe	47
PID 1048 set thread context of 880	1048	wmpdtc32.exe	49
PID 2192 set thread context of 2344	2192	wmpdtc32.exe	51
PID 3004 set thread context of 2404	3004	wmpdtc32.exe	53
PID 2896 set thread context of 2228	2896	wmpdtc32.exe	55
PID 2176 set thread context of 2248	2176	wmpdtc32.exe	57
PID 1860 set thread context of 1880	1860	wmpdtc32.exe	59
PID 288 set thread context of 2912	288	wmpdtc32.exe	61
PID 2084 set thread context of 2108	2084	wmpdtc32.exe	63
PID 1420 set thread context of 2720	1420	wmpdtc32.exe	65

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtc32.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2572	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
2572	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
1744	wmpdtc32.exe
1744	wmpdtc32.exe
1740	wmpdtc32.exe
1740	wmpdtc32.exe
1960	wmpdtc32.exe
1960	wmpdtc32.exe
1864	wmpdtc32.exe
1864	wmpdtc32.exe
2852	wmpdtc32.exe
2852	wmpdtc32.exe
2408	wmpdtc32.exe
2408	wmpdtc32.exe
1500	wmpdtc32.exe
1500	wmpdtc32.exe
568	wmpdtc32.exe
568	wmpdtc32.exe
880	wmpdtc32.exe
880	wmpdtc32.exe
2344	wmpdtc32.exe
2344	wmpdtc32.exe
2404	wmpdtc32.exe
2404	wmpdtc32.exe
2228	wmpdtc32.exe
2228	wmpdtc32.exe
2248	wmpdtc32.exe
2248	wmpdtc32.exe
1880	wmpdtc32.exe
1880	wmpdtc32.exe
2912	wmpdtc32.exe
2912	wmpdtc32.exe
2108	wmpdtc32.exe
2108	wmpdtc32.exe
2720	wmpdtc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	30
PID 2572 wrote to memory of 2516	2572	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	32
PID 2572 wrote to memory of 2516	2572	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	32
PID 2572 wrote to memory of 2516	2572	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	32
PID 2572 wrote to memory of 2516	2572	dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe	32
PID 2516 wrote to memory of 1744	2516	wmpdtc32.exe	33
PID 2516 wrote to memory of 1744	2516	wmpdtc32.exe	33
PID 2516 wrote to memory of 1744	2516	wmpdtc32.exe	33
PID 2516 wrote to memory of 1744	2516	wmpdtc32.exe	33
PID 2516 wrote to memory of 1744	2516	wmpdtc32.exe	33
PID 2516 wrote to memory of 1744	2516	wmpdtc32.exe	33
PID 2516 wrote to memory of 1744	2516	wmpdtc32.exe	33
PID 1744 wrote to memory of 2924	1744	wmpdtc32.exe	34
PID 1744 wrote to memory of 2924	1744	wmpdtc32.exe	34
PID 1744 wrote to memory of 2924	1744	wmpdtc32.exe	34
PID 1744 wrote to memory of 2924	1744	wmpdtc32.exe	34
PID 2924 wrote to memory of 1740	2924	wmpdtc32.exe	35
PID 2924 wrote to memory of 1740	2924	wmpdtc32.exe	35
PID 2924 wrote to memory of 1740	2924	wmpdtc32.exe	35
PID 2924 wrote to memory of 1740	2924	wmpdtc32.exe	35
PID 2924 wrote to memory of 1740	2924	wmpdtc32.exe	35
PID 2924 wrote to memory of 1740	2924	wmpdtc32.exe	35
PID 2924 wrote to memory of 1740	2924	wmpdtc32.exe	35
PID 1740 wrote to memory of 2180	1740	wmpdtc32.exe	36
PID 1740 wrote to memory of 2180	1740	wmpdtc32.exe	36
PID 1740 wrote to memory of 2180	1740	wmpdtc32.exe	36
PID 1740 wrote to memory of 2180	1740	wmpdtc32.exe	36
PID 2180 wrote to memory of 1960	2180	wmpdtc32.exe	37
PID 2180 wrote to memory of 1960	2180	wmpdtc32.exe	37
PID 2180 wrote to memory of 1960	2180	wmpdtc32.exe	37
PID 2180 wrote to memory of 1960	2180	wmpdtc32.exe	37
PID 2180 wrote to memory of 1960	2180	wmpdtc32.exe	37
PID 2180 wrote to memory of 1960	2180	wmpdtc32.exe	37
PID 2180 wrote to memory of 1960	2180	wmpdtc32.exe	37
PID 1960 wrote to memory of 1540	1960	wmpdtc32.exe	38
PID 1960 wrote to memory of 1540	1960	wmpdtc32.exe	38
PID 1960 wrote to memory of 1540	1960	wmpdtc32.exe	38
PID 1960 wrote to memory of 1540	1960	wmpdtc32.exe	38
PID 1540 wrote to memory of 1864	1540	wmpdtc32.exe	39
PID 1540 wrote to memory of 1864	1540	wmpdtc32.exe	39
PID 1540 wrote to memory of 1864	1540	wmpdtc32.exe	39
PID 1540 wrote to memory of 1864	1540	wmpdtc32.exe	39
PID 1540 wrote to memory of 1864	1540	wmpdtc32.exe	39
PID 1540 wrote to memory of 1864	1540	wmpdtc32.exe	39
PID 1540 wrote to memory of 1864	1540	wmpdtc32.exe	39
PID 1864 wrote to memory of 2952	1864	wmpdtc32.exe	40
PID 1864 wrote to memory of 2952	1864	wmpdtc32.exe	40
PID 1864 wrote to memory of 2952	1864	wmpdtc32.exe	40
PID 1864 wrote to memory of 2952	1864	wmpdtc32.exe	40
PID 2952 wrote to memory of 2852	2952	wmpdtc32.exe	41
PID 2952 wrote to memory of 2852	2952	wmpdtc32.exe	41
PID 2952 wrote to memory of 2852	2952	wmpdtc32.exe	41
PID 2952 wrote to memory of 2852	2952	wmpdtc32.exe	41
PID 2952 wrote to memory of 2852	2952	wmpdtc32.exe	41
PID 2952 wrote to memory of 2852	2952	wmpdtc32.exe	41
PID 2952 wrote to memory of 2852	2952	wmpdtc32.exe	41
PID 2852 wrote to memory of 1888	2852	wmpdtc32.exe	42
PID 2852 wrote to memory of 1888	2852	wmpdtc32.exe	42

C:\Users\Admin\AppData\Local\Temp\dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc9eb54ed1c3e7b99c207128a76f8ebc_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\wmpdtc32.exe
    "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\DC9EB5~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\wmpdtc32.exe
      "C:\Windows\system32\wmpdtc32.exe" C:\Users\Admin\AppData\Local\Temp\DC9EB5~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\wmpdtc32.exe
        
        "C:\Windows\system32\wmpdtc32.exe" C:\Windows\SysWOW64\wmpdtc32.exe
        36⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmpdtc32.exe

Filesize
198KB

MD5
dc9eb54ed1c3e7b99c207128a76f8ebc

SHA1
a76f058783b6918e802d492af5adc50d05b251d7

SHA256
23306f0640e23f2487febf1c35be79487c5453fffe38c30ed40d3ad879b6132f

SHA512
66c3b0790823c4614c17cc554287ec0d434338f5156f18f7a2edaee33e43a3b1cf983b8b1dbaccf8dc0a7ed7682e9150722e4e98c0e6127b548619892394b662

Download Submit
memory/568-152-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/568-173-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/880-170-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/880-190-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1500-135-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1500-155-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1740-49-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1740-66-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1740-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1744-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1744-48-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1744-52-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1864-104-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1864-84-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1880-254-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1880-270-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1960-87-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1960-67-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2108-280-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2108-296-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2228-222-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2228-242-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2248-239-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2248-257-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2344-207-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2344-187-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2404-204-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2404-225-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2408-138-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2408-118-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-33-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-6-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-1-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2720-293-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2852-121-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2852-101-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2912-267-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2912-283-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download