metasploit | 389ef436a20233d214ae7429a3a6917e4925dd40a01a23a26dfa33cc0bdbba95

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Size

169KB
MD5

e82734e688f7acf18b0fcbd21ebae5f0
SHA1

2574b4d35f9cd038f19c1f82272d24f011436681
SHA256

389ef436a20233d214ae7429a3a6917e4925dd40a01a23a26dfa33cc0bdbba95
SHA512

06392761978bbb0bb84d47f38368a53490d2c1ee4a293a85c77c4101f3346e9d6d9b74285dd3b1c5cffe6c6d60b56badb7faa5028c9bc87db3d4c473dfe9b9e5
SSDEEP

3072:gGEEhq67tQXpmp6EEhX114wcNQivA0eGEsHJP91VCACFk+hV59U3ZcyiqMh8:gGAktQ5VX1CNqiVeGEy9nCfFk+hV+cyx

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2672	wmptfx.exe

Executes dropped EXE 36 IoCs

pid	Process
2640	wmptfx.exe
2672	wmptfx.exe
1164	wmptfx.exe
2588	wmptfx.exe
752	wmptfx.exe
1028	wmptfx.exe
980	wmptfx.exe
1652	wmptfx.exe
2800	wmptfx.exe
2408	wmptfx.exe
1040	wmptfx.exe
1376	wmptfx.exe
292	wmptfx.exe
1820	wmptfx.exe
2452	wmptfx.exe
1564	wmptfx.exe
1724	wmptfx.exe
3004	wmptfx.exe
2756	wmptfx.exe
2768	wmptfx.exe
2324	wmptfx.exe
2328	wmptfx.exe
264	wmptfx.exe
784	wmptfx.exe
1968	wmptfx.exe
2040	wmptfx.exe
2800	wmptfx.exe
3052	wmptfx.exe
664	wmptfx.exe
2000	wmptfx.exe
2912	wmptfx.exe
2236	wmptfx.exe
936	wmptfx.exe
552	wmptfx.exe
2088	wmptfx.exe
3036	wmptfx.exe

Loads dropped DLL 36 IoCs

pid	Process
2940	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
2940	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
2672	wmptfx.exe
2672	wmptfx.exe
2588	wmptfx.exe
2588	wmptfx.exe
1028	wmptfx.exe
1028	wmptfx.exe
1652	wmptfx.exe
1652	wmptfx.exe
2408	wmptfx.exe
2408	wmptfx.exe
1376	wmptfx.exe
1376	wmptfx.exe
1820	wmptfx.exe
1820	wmptfx.exe
1564	wmptfx.exe
1564	wmptfx.exe
3004	wmptfx.exe
3004	wmptfx.exe
2768	wmptfx.exe
2768	wmptfx.exe
2328	wmptfx.exe
2328	wmptfx.exe
784	wmptfx.exe
784	wmptfx.exe
2040	wmptfx.exe
2040	wmptfx.exe
3052	wmptfx.exe
3052	wmptfx.exe
2000	wmptfx.exe
2000	wmptfx.exe
2236	wmptfx.exe
2236	wmptfx.exe
552	wmptfx.exe
552	wmptfx.exe

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2940-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2940-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2940-16-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2940-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2940-7-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2940-4-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2940-29-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2672-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2672-42-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2672-41-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2672-40-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2672-49-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2588-60-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2588-59-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2588-61-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2588-62-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2588-68-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1028-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1028-80-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1028-79-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1028-78-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1028-87-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1652-98-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1652-106-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2408-119-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2408-126-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1376-139-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1376-145-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1820-156-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1820-164-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1564-177-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1564-184-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3004-197-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3004-204-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2768-214-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2768-223-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2328-241-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/784-259-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2040-277-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3052-291-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2000-305-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2236-319-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/552-333-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 38 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptfx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptfx.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File created	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe
File opened for modification	C:\Windows\SysWOW64\wmptfx.exe	wmptfx.exe

Suspicious use of SetThreadContext 19 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2640 set thread context of 2672	2640	wmptfx.exe	33
PID 1164 set thread context of 2588	1164	wmptfx.exe	35
PID 752 set thread context of 1028	752	wmptfx.exe	37
PID 980 set thread context of 1652	980	wmptfx.exe	39
PID 2800 set thread context of 2408	2800	wmptfx.exe	41
PID 1040 set thread context of 1376	1040	wmptfx.exe	43
PID 292 set thread context of 1820	292	wmptfx.exe	45
PID 2452 set thread context of 1564	2452	wmptfx.exe	47
PID 1724 set thread context of 3004	1724	wmptfx.exe	49
PID 2756 set thread context of 2768	2756	wmptfx.exe	52
PID 2324 set thread context of 2328	2324	wmptfx.exe	54
PID 264 set thread context of 784	264	wmptfx.exe	56
PID 1968 set thread context of 2040	1968	wmptfx.exe	58
PID 2800 set thread context of 3052	2800	wmptfx.exe	60
PID 664 set thread context of 2000	664	wmptfx.exe	62
PID 2912 set thread context of 2236	2912	wmptfx.exe	64
PID 936 set thread context of 552	936	wmptfx.exe	66
PID 2088 set thread context of 3036	2088	wmptfx.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptfx.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2940	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
2672	wmptfx.exe
2588	wmptfx.exe
1028	wmptfx.exe
1652	wmptfx.exe
2408	wmptfx.exe
1376	wmptfx.exe
1820	wmptfx.exe
1564	wmptfx.exe
3004	wmptfx.exe
2768	wmptfx.exe
2328	wmptfx.exe
784	wmptfx.exe
2040	wmptfx.exe
3052	wmptfx.exe
2000	wmptfx.exe
2236	wmptfx.exe
552	wmptfx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2832 wrote to memory of 2940	2832	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2640	2940	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	32
PID 2940 wrote to memory of 2640	2940	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	32
PID 2940 wrote to memory of 2640	2940	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	32
PID 2940 wrote to memory of 2640	2940	e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2640 wrote to memory of 2672	2640	wmptfx.exe	33
PID 2672 wrote to memory of 1164	2672	wmptfx.exe	34
PID 2672 wrote to memory of 1164	2672	wmptfx.exe	34
PID 2672 wrote to memory of 1164	2672	wmptfx.exe	34
PID 2672 wrote to memory of 1164	2672	wmptfx.exe	34
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 1164 wrote to memory of 2588	1164	wmptfx.exe	35
PID 2588 wrote to memory of 752	2588	wmptfx.exe	36
PID 2588 wrote to memory of 752	2588	wmptfx.exe	36
PID 2588 wrote to memory of 752	2588	wmptfx.exe	36
PID 2588 wrote to memory of 752	2588	wmptfx.exe	36
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 752 wrote to memory of 1028	752	wmptfx.exe	37
PID 1028 wrote to memory of 980	1028	wmptfx.exe	38
PID 1028 wrote to memory of 980	1028	wmptfx.exe	38
PID 1028 wrote to memory of 980	1028	wmptfx.exe	38
PID 1028 wrote to memory of 980	1028	wmptfx.exe	38
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 980 wrote to memory of 1652	980	wmptfx.exe	39
PID 1652 wrote to memory of 2800	1652	wmptfx.exe	40
PID 1652 wrote to memory of 2800	1652	wmptfx.exe	40
PID 1652 wrote to memory of 2800	1652	wmptfx.exe	40
PID 1652 wrote to memory of 2800	1652	wmptfx.exe	40
PID 2800 wrote to memory of 2408	2800	wmptfx.exe	41
PID 2800 wrote to memory of 2408	2800	wmptfx.exe	41
PID 2800 wrote to memory of 2408	2800	wmptfx.exe	41
PID 2800 wrote to memory of 2408	2800	wmptfx.exe	41

C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e82734e688f7acf18b0fcbd21ebae5f0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\wmptfx.exe
    "C:\Windows\system32\wmptfx.exe" C:\Users\Admin\AppData\Local\Temp\E82734~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\wmptfx.exe
      "C:\Windows\system32\wmptfx.exe" C:\Users\Admin\AppData\Local\Temp\E82734~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:552
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\wmptfx.exe
        
        "C:\Windows\system32\wmptfx.exe" C:\Windows\SysWOW64\wmptfx.exe
        38⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmptfx.exe

Filesize
169KB

MD5
e82734e688f7acf18b0fcbd21ebae5f0

SHA1
2574b4d35f9cd038f19c1f82272d24f011436681

SHA256
389ef436a20233d214ae7429a3a6917e4925dd40a01a23a26dfa33cc0bdbba95

SHA512
06392761978bbb0bb84d47f38368a53490d2c1ee4a293a85c77c4101f3346e9d6d9b74285dd3b1c5cffe6c6d60b56badb7faa5028c9bc87db3d4c473dfe9b9e5

Download Submit
memory/552-333-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/752-77-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/784-259-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1028-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1028-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1028-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1028-79-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1028-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1164-58-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1376-139-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1376-145-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1564-184-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1564-177-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1652-98-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1652-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1820-164-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1820-156-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2000-305-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2040-277-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2236-319-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2328-241-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2408-126-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2408-119-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2588-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2588-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2588-59-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2588-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2588-62-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2640-39-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2672-43-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2672-41-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2672-40-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2672-49-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2672-42-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2768-214-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2768-223-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2832-13-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2940-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-4-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-29-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2940-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3004-197-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3004-204-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3052-291-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download