metasploit | 0230a60bbe2eba375c47faa589247283baaded8bc36d7e8e8ca8928e8af7473a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Size

664KB
MD5

bd6343ee092d1db1e805257467c5ede6
SHA1

221c8c0b806e2e04ddbcbe2d32442ab037f8dc36
SHA256

0230a60bbe2eba375c47faa589247283baaded8bc36d7e8e8ca8928e8af7473a
SHA512

95766903945a8643a209c03491ff8c3d7ca6125f9fd860bd23e665eda98253d1c888b5a2f1b9a6a90a9fcc5ecdeb9a8c60f08a8dd140278f832f691f4c545b8a
SSDEEP

6144:rIN4KH8q7lVdspX4ruPQp7gEByECUgiVAXAADnCRc/smfGSs8pccagsHZv5w9Syl:kTT7vda4ruPo7/EvxX5GR6G98CCCifl

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe

Executes dropped EXE 10 IoCs

pid	Process
2540	uptmgr.exe
1320	uptmgr.exe
2940	uptmgr.exe
1608	uptmgr.exe
3052	uptmgr.exe
896	uptmgr.exe
888	uptmgr.exe
2736	uptmgr.exe
2772	uptmgr.exe
1976	uptmgr.exe

Loads dropped DLL 20 IoCs

pid	Process
1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
2540	uptmgr.exe
2540	uptmgr.exe
1320	uptmgr.exe
1320	uptmgr.exe
2940	uptmgr.exe
2940	uptmgr.exe
1608	uptmgr.exe
1608	uptmgr.exe
3052	uptmgr.exe
3052	uptmgr.exe
896	uptmgr.exe
896	uptmgr.exe
888	uptmgr.exe
888	uptmgr.exe
2736	uptmgr.exe
2736	uptmgr.exe
2772	uptmgr.exe
2772	uptmgr.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xtoL`rX"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\AppID = "{36938566-B1AA-4E77-9B3F-730CF4E996AB}"	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xu\\daMf"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_cWNVKr\x7fn@V{STJ"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dltfoahNie = "pXMblZ~^aTCqd{XBjyQLxDj"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAC\\IBvCnnt~mwUti[WYpxAx^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAL\|IBvCnnt~mwUti[WYpx@H^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PA}lIBvCnnt~mwUti[WYpxMH^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PA}lIBvCnnt~mwUti[WYpxMX^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAULIBvCnnt~mwUti[WYpxFH^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAVlIBvCnnt~mwUti[WYpxFX^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_cwNVKr\x7fn@v{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAt\\IBvCnnt~mwUti[WYpxNh^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAyLIBvCnnt~mwUti[WYpxLh^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAy\\IBvCnnt~mwUti[WYpxKh^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_`WNVKr\x7fnCV{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\PreviewDetails = "prop:System.Link.TargetParsingPath"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\shell\find\command\DelegateExecute = "{a015411a-f97d-4ef3-8425-8a38d022aebc}"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAV\|IBvCnnt~mwUti[WYpxEH^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Pcfm = "y^MFU_FMlfgXi@iTMWmH[bKBQeZZ_"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PA^LIBvCnnt~mwUti[WYpxDX^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAGlIBvCnnt~mwUti[WYpxBH^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_cgNVKr\x7fn@f{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xwrPtWE"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAR\\IBvCnnt~mwUti[WYpxDH^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PA^LIBvCnnt~mwUti[WYpxCh^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAGlIBvCnnt~mwUti[WYpxBx^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Pcfm = "y^MFU_FMlfgXi@iTMWmH[bKBQeZZ_"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xuNtXvd"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_`wNVKr\x7fnCv{STJ"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\shell\find\command	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\shellex\{00021500-0000-0000-C000-000000000046}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dltfoahNie = "pXMblZ~^aTCqd{XBjyQLxDj"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_cWNVKr\x7fn@V{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAL\|IBvCnnt~mwUti[WYpx@X^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xwnILtk"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAZLIBvCnnt~mwUti[WYpxBh^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\tocxk = "UIEVh{nBGJoYhQA^PLGbfQbB"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_`wNVKr\x7fnCv{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAL\|IBvCnnt~mwUti[WYpxOh^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xtC\x7fZiz"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAq\|IBvCnnt~mwUti[WYpxNX^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dltfoahNie = "pXMblZ~^aTCqd{XBjyQLxDj"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xuBZbWx"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\shellex\IconHandler	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xv[ofUv"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_cGNVKr\x7fn@F{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dltfoahNie = "pXMblZ~^aTCqd{XBjyQLxDj"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAC\\IBvCnnt~mwUti[WYpxAH^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xwTJ~KZ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_cWNVKr\x7fn@V{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xuK\x7fRg_"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_`WNVKr\x7fnCV{STJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xtbN^VB"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dltfoahNie = "pXMblZ~^aTCqd{XBjyQLxDj"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "Folder Shortcut"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\shell\find\command\ = "%SystemRoot%\\Explorer.exe"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Pcfm = "y^MFU_FMlfgXi@iTMWmH[bKBQeZZ_"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xwsQ}PG"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\exxldjUyK = "PAOLIBvCnnt~mwUti[WYpx@h^i"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ynosnLcz = "]xtvjZwd"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\iawukAsCn = "Mfl{Kn`btUoWntG_cwNVKr\x7fn@v{STJ"	uptmgr.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File created	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: 33	1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Token: 33	2540	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2540	uptmgr.exe
Token: 33	1320	uptmgr.exe
Token: SeIncBasePriorityPrivilege	1320	uptmgr.exe
Token: 33	2940	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2940	uptmgr.exe
Token: 33	1608	uptmgr.exe
Token: SeIncBasePriorityPrivilege	1608	uptmgr.exe
Token: 33	3052	uptmgr.exe
Token: SeIncBasePriorityPrivilege	3052	uptmgr.exe
Token: 33	896	uptmgr.exe
Token: SeIncBasePriorityPrivilege	896	uptmgr.exe
Token: 33	2736	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2736	uptmgr.exe
Token: 33	2772	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2772	uptmgr.exe
Token: 33	1976	uptmgr.exe
Token: SeIncBasePriorityPrivilege	1976	uptmgr.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2540	1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2540	1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2540	1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe	30
PID 1804 wrote to memory of 2540	1804	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe	30
PID 2540 wrote to memory of 1320	2540	uptmgr.exe	32
PID 2540 wrote to memory of 1320	2540	uptmgr.exe	32
PID 2540 wrote to memory of 1320	2540	uptmgr.exe	32
PID 2540 wrote to memory of 1320	2540	uptmgr.exe	32
PID 1320 wrote to memory of 2940	1320	uptmgr.exe	33
PID 1320 wrote to memory of 2940	1320	uptmgr.exe	33
PID 1320 wrote to memory of 2940	1320	uptmgr.exe	33
PID 1320 wrote to memory of 2940	1320	uptmgr.exe	33
PID 2940 wrote to memory of 1608	2940	uptmgr.exe	34
PID 2940 wrote to memory of 1608	2940	uptmgr.exe	34
PID 2940 wrote to memory of 1608	2940	uptmgr.exe	34
PID 2940 wrote to memory of 1608	2940	uptmgr.exe	34
PID 1608 wrote to memory of 3052	1608	uptmgr.exe	35
PID 1608 wrote to memory of 3052	1608	uptmgr.exe	35
PID 1608 wrote to memory of 3052	1608	uptmgr.exe	35
PID 1608 wrote to memory of 3052	1608	uptmgr.exe	35
PID 3052 wrote to memory of 896	3052	uptmgr.exe	36
PID 3052 wrote to memory of 896	3052	uptmgr.exe	36
PID 3052 wrote to memory of 896	3052	uptmgr.exe	36
PID 3052 wrote to memory of 896	3052	uptmgr.exe	36
PID 896 wrote to memory of 888	896	uptmgr.exe	37
PID 896 wrote to memory of 888	896	uptmgr.exe	37
PID 896 wrote to memory of 888	896	uptmgr.exe	37
PID 896 wrote to memory of 888	896	uptmgr.exe	37
PID 2736 wrote to memory of 2772	2736	uptmgr.exe	39
PID 2736 wrote to memory of 2772	2736	uptmgr.exe	39
PID 2736 wrote to memory of 2772	2736	uptmgr.exe	39
PID 2736 wrote to memory of 2772	2736	uptmgr.exe	39
PID 2772 wrote to memory of 1976	2772	uptmgr.exe	40
PID 2772 wrote to memory of 1976	2772	uptmgr.exe	40
PID 2772 wrote to memory of 1976	2772	uptmgr.exe	40
PID 2772 wrote to memory of 1976	2772	uptmgr.exe	40

C:\Users\Admin\AppData\Local\Temp\bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\uptmgr.exe
  C:\Windows\system32\uptmgr.exe 676 "C:\Users\Admin\AppData\Local\Temp\bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\uptmgr.exe
    C:\Windows\system32\uptmgr.exe 760 "C:\Windows\SysWOW64\uptmgr.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\uptmgr.exe
      C:\Windows\system32\uptmgr.exe 764 "C:\Windows\SysWOW64\uptmgr.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 756 "C:\Windows\SysWOW64\uptmgr.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 768 "C:\Windows\SysWOW64\uptmgr.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 752 "C:\Windows\SysWOW64\uptmgr.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 780 "C:\Windows\SysWOW64\uptmgr.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 772 "C:\Windows\SysWOW64\uptmgr.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 792 "C:\Windows\SysWOW64\uptmgr.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 788 "C:\Windows\SysWOW64\uptmgr.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
73dcd73d8c4c41e0e1af5e3b01d0281c

SHA1
e906e809c0927145b21cc2c82dc09d048c29857b

SHA256
2dcb5e482972399bc83135e6ba5934279b18414f91cab11d2d0a066600527c74

SHA512
2b6c4cf843bb05c096c27eeb88e77a5b3ef2f90678ffaf31dc66cd3888747427627a1f4875429e2a06b0250d698086f81c3faff360a455ad870c41b89a96b226

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
894ffc2a658b76e541dab1d61abc969b

SHA1
a45d815b13e9700420ddb86f081700e26f69128a

SHA256
265987cd00de9c107e0f6ac711d5e71cfe10c4416092b2f72d2543cbc76c03d1

SHA512
890061b82044de64d30ae2afb432f8080250bc6ed28e8eb8f05d40ea40138b27eecac9c319fc081e763280a8abb203f35a95753b0cdc743692db91806a274154

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
f29ef7e1143181cfc4a890d015e32d27

SHA1
076847555df092c71ff569c3a6985bd5a90f27b2

SHA256
18a37b4ec5763404130bbedbd7d71a5f4cdb97a14be236402af7a26d582b6d05

SHA512
e60c32a84d0e6382ff07f0577a48913656359fd5c1486689a7ed22dcf36c1eb4acac738ea99b5ac0503bd234ea08191fa46f2fab500cde4bff5a03da03f1e06f

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
14656496939686cf5ef2c915aaa751c2

SHA1
d78f34685b0a1e37d33da006c789a944af474d9b

SHA256
9270d233712660d306490d571614c8e14fac6c7ba99ec384a4010389a88f5c0e

SHA512
0b0d2e4002beacd92e15a88425a0dd31bef3710f625631268dd1f3f1dbc40bdab7873f6f3b7da71f95ecf3d9a8b6b536fc1a4f6b3ad2816bcd473702195cec2c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
40014664b16f26e82bdee3449dfca0fc

SHA1
a3146d7bee329de4dd9641bc9ffbc9d7c816aac3

SHA256
62d2a534db090bf49dc84164be8e1d041a2d018b4cad82b4402a52d8a4e3dcb0

SHA512
491b88f31049a66edd17f110005de0d2826362533092ca2a6ca4abe70b0e41ed8eb708d2fee0a37181a034700c6ba34cee1c145bd7db5b2408af41971c80f436

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
9699fea577fe65567151d78d357411e8

SHA1
c278481bb29245bcb3fe9bbdd519ed20e750e735

SHA256
dd96ef4b1087318fc5d50027a2e10ce1a34f99df2684030951cf1506e5798c3f

SHA512
a15f59cc28cd47e169a7f94ca73e9bbac8a365fa09450ca5a0286697a94be073eeca5978448dd570ad237fcf511aa5b3a4cd2f49def46b68fa72a1ca3725614a

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
848ea49fb06257578004cde05b403683

SHA1
41a3bc395c3a6c176a8c14bd41ca68ac2acd5ee7

SHA256
717aaed871d7dd5aafa57397c1810b9ab426252f5682799d06395b56686cf9aa

SHA512
61a66208c4f02d520396ad46187f8e860013d0731f86a124bf796fac62e957b2ae194f8cdef664bb58334d7a59cb023bb3dcd0c91904e70f95ae16a49820da6c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
46c1412e1aa4fe49bc19e01d485f5d85

SHA1
61927e5532bdf0ffc561f08cacdff7429c13fbaa

SHA256
26d1da1153344d533601c63938104ed91d13c432333f077a6b85525e9c10ae21

SHA512
59f327eb694571bae389d94b4cd35f60710376edc083b50e7742489fced58047cc94fe008e759a6268e889fb5508ee4bd5361a6862343764fa7eed9df17f3cc4

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
65f9d1d945066a7f8d68a5164f060000

SHA1
82e7207be4f93c4555cb22ba6724ffded6baef58

SHA256
3266cbd532ec5d8e625e93dcbdf9337016a17a33de05d72c9ed0699024586107

SHA512
111c23be3697b06c3560780c3f40a20c4ed02619e2242f3d9d6701cf068630641e8ca91b2211aab00294b2442c1f3a696cce9cffbfa62b92c4e139709e3c2fe8

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
42b79a13d751eb8a8a11df7882805535

SHA1
c0752e53e299d101de06480bf5bd3f6b17e8b36b

SHA256
c594b63dfd6a7b08d8d9fbe03cbce87cfde222e714aa4fe47ee927af518130cd

SHA512
827a3fa4375a7184defb0ae0d3efc240c26748d98da33449c600a5b2e5b4ae78ffe3ebe4f7e0a5ed39790bb299546c530ccc83b703fb41d9ad41bb4620af7b11

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
351f07784ea6ae0ff2e0181b0c255cfb

SHA1
bc5ae3f23c36afd44898e335209efd1009454973

SHA256
8a96e6063b545f7dc54b14647d69d65974920ed10e7f6fd238e51944b5bda173

SHA512
6c9459bdbf0baa1309b40592ef0e62ab5f09102bd51d5fdcdc04658e5441c23d019e9459b6c82847c9cc9d30e5842bfb47a2f69289a7cd36fe72066c1e91993b

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
1f61542fb214582d2997efac730152cb

SHA1
1d48127007a71d25814dba186e7611ed742fd6fe

SHA256
f490ccfdcde8e06d624e11a0884cf32155fe15ccd6d21d1828ac56ebe4461084

SHA512
4f93a00e8609e5ca335eaee5c3832aaa1d1b9b61e2862937977bd4a03fd1df98c5e0df4d32d106a714a3cbec83e0e684eaec7e61ef949c6acea3a755465bfa03

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
378eafecdb28bf9510a4e023e01d3774

SHA1
b160635932f12f3983240ee57931bc7b06a16d48

SHA256
a3d18339b6a6743d98d3e8effdcafc53b1a1ee280e4090061ecaa8d9df89a534

SHA512
21a908dba347555f32f876396bb50e2266c412f7c1251193584bd25285763ffe8f0e408413814fa17c8cb20b1c0e5f858cd1e1bd3e7325e446f0d6afefedfc87

Download Submit
\Windows\SysWOW64\uptmgr.exe

Filesize
664KB

MD5
bd6343ee092d1db1e805257467c5ede6

SHA1
221c8c0b806e2e04ddbcbe2d32442ab037f8dc36

SHA256
0230a60bbe2eba375c47faa589247283baaded8bc36d7e8e8ca8928e8af7473a

SHA512
95766903945a8643a209c03491ff8c3d7ca6125f9fd860bd23e665eda98253d1c888b5a2f1b9a6a90a9fcc5ecdeb9a8c60f08a8dd140278f832f691f4c545b8a

Download Submit
memory/888-210-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/888-242-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/888-224-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/896-182-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/896-218-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/896-203-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-75-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1320-105-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-53-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-102-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1320-79-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1320-77-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-68-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-72-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-74-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1320-73-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-71-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1320-69-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1608-168-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1608-119-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1608-139-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1804-9-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1804-7-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1804-30-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1804-6-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1804-10-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1804-12-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1804-5-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1804-11-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1804-0-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1804-41-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1976-318-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-44-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-51-0x0000000003150000-0x000000000331A000-memory.dmp

Filesize
1.8MB

Download
memory/2540-29-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-39-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/2540-38-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-37-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-36-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-34-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-33-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-42-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/2540-47-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/2540-61-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/2540-64-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2540-50-0x0000000003150000-0x000000000331A000-memory.dmp

Filesize
1.8MB

Download
memory/2736-253-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2736-259-0x0000000002F80000-0x000000000314A000-memory.dmp

Filesize
1.8MB

Download
memory/2736-282-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2736-234-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2772-286-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2772-304-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2772-292-0x0000000002F90000-0x000000000315A000-memory.dmp

Filesize
1.8MB

Download
memory/2940-96-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2940-109-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2940-136-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2940-95-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2940-98-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/2940-97-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2940-88-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2940-93-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2940-92-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/3052-200-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/3052-172-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download