Analysis Overview
SHA256
b57fd996f2bcb3d3c09ead04b388a9fc619018985e26be74a65efbb4487462e2
Threat Level: Likely malicious
The file 4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 21:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 21:50
Reported
2024-10-15 21:52
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
124s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\aaad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
Loads dropped DLL
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\aaad.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\aaad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\aaad.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
C:\Windows\SysWOW64\aaad.exe
C:\Windows\system32\aaad.exe -i
C:\Windows\SysWOW64\aaad.exe
C:\Windows\system32\aaad.exe -s
C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
| MD5 | 6604017b97723459582278f29adf20d5 |
| SHA1 | 6eec88c892a29bf10d20692b08561d74406e2e50 |
| SHA256 | d887f632b8652be987072fc87a418edf75b9bfaf7482976815b10b0cef7f3754 |
| SHA512 | 4f6f9f02be6c6e244965238e0fdf191eeaafd1690b5e669b22f0064d67cb1128150b49ec691f58896d91439f81570f2467e4148147a3fbfc727148193eb526aa |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
| MD5 | 8b648c94ec827c3424a2521364186891 |
| SHA1 | 550bfd17903727aa4add841f27d4d9bf54377897 |
| SHA256 | c86d1230cd214571b3350c6db2a5f57083b23119feadaad9db388e666bfb00cc |
| SHA512 | 0564dd66eb92259f0594b83e2aa5f555751a1ee20ed39d12662c0ce13f95bc5860efa6807ac2035232a4bb46781e14c36d7acc5ea4db9fa1b893b4cec803b857 |
memory/2724-47-0x0000000010000000-0x0000000010026000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
| MD5 | 828ccba7ef24786cd58e94d15846a0c7 |
| SHA1 | 1c0029ca95356f7cbc77e2a8c2954777dc22b48a |
| SHA256 | 12fb77c027354c279cad3dc9ba03bfbe75c2c2756c9d45be6a57e0e2378f48dd |
| SHA512 | 3adc2abddb2e1bbc7776a8abf9772cf100800d4c48bc193d5d7ceb2b8141ef0203a8868248995ee311ad0cc8c3561aa21fc98fe66ee8ddc50c5d4281299ed5cc |
memory/3132-57-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3132-60-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1540-64-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-71-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2260-73-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/2908-75-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/4032-79-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-80-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2908-81-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/4032-83-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-85-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-86-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2908-88-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/4032-89-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-91-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-92-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2908-93-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/4032-96-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-100-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-104-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-105-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-109-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-110-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-114-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-117-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-119-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-120-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-124-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-128-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-132-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-136-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-137-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4032-140-0x0000000010000000-0x0000000010026000-memory.dmp
memory/4032-142-0x0000000000400000-0x000000000041E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 21:50
Reported
2024-10-15 21:52
Platform
win7-20240903-en
Max time kernel
147s
Max time network
121s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\aaad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
Loads dropped DLL
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\aaad.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\aaad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8ado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8ado.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\aaad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a2be3af52f74b5f5120b8431e5610b8_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\70l8.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\03ca.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da3r.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8ado.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8ado.dll"
C:\Windows\SysWOW64\aaad.exe
C:\Windows\system32\aaad.exe -i
C:\Windows\SysWOW64\aaad.exe
C:\Windows\system32\aaad.exe -s
C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\aaad.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll, Always
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32 C:\Windows\system32\830e.dll,Always
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
| US | 8.8.8.8:53 | 122.770304123.cn | udp |
| US | 8.8.8.8:53 | yahoo.com.cn | udp |
Files
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll
| MD5 | 03e9030cbaf4175994fe67f84b1f155d |
| SHA1 | 767c1368adae868841650ecf87951d2251bc3c96 |
| SHA256 | 7d274b8adfa036a114a2d34e747b42316c04c388b1f7d83d3c4de50f8b2a8ad1 |
| SHA512 | 94210245c58b71b8237ebc17aa95b7b61bf41cd9ed3aab5cf9b4cfdf88332ee4c0cdc218af354ea6e9392034b9c3c862ca16cb6bacd144f107358bdd2f4a3ea5 |
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll
| MD5 | 19b3792652d33d6719232035fca1d111 |
| SHA1 | 14b676a104d9e8bf889978d599e0a786e2486035 |
| SHA256 | fb01aeaab52e658cdf929c14f73dec26285b1a2258e852787e712628d12dccac |
| SHA512 | 18ecbb45591f129351eca106e847f7e5a1ad803b48b069b97b1b09108d4c1de8c16785255ec65a3b974f217c5a3d5307852042d51ed3a10fc7d78fbef75cb835 |
memory/2816-45-0x0000000010000000-0x0000000010026000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\s.exe
| MD5 | 1df34f9eff7aef89bec15427fb63f232 |
| SHA1 | 6e243da7d8f72ca670f36d337fb5a510074d1c13 |
| SHA256 | f401573e17067a7036e352fd4d6c6bec831f31c4c4d5cc0313f9ec9406136c59 |
| SHA512 | daedbf20868a531062418d30a865e82e63b7ddb1b87a27c89143e954f01659856d83101bd3fae43f1059c8e436e051b81c125249d4ad1a85c4b0d62c5530899b |
memory/2328-54-0x0000000002200000-0x000000000221E000-memory.dmp
memory/2328-59-0x0000000002200000-0x000000000221E000-memory.dmp
memory/2920-61-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2584-73-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-71-0x0000000010000000-0x0000000010026000-memory.dmp
memory/1064-90-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/2764-89-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/2764-88-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/2652-94-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-95-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-98-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2764-97-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/2652-100-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-101-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-103-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/2652-104-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-106-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-107-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2764-109-0x0000000010000000-0x00000000100B2000-memory.dmp
memory/2652-110-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-112-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-113-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-117-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-118-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-121-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-123-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-124-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-128-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-131-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-133-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-134-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-137-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-139-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-140-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-144-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-145-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-148-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-151-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-150-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-152-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-155-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-157-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-160-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-162-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-163-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-167-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-166-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-170-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-169-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2652-171-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2652-175-0x0000000010000000-0x0000000010026000-memory.dmp