metasploit | 0230a60bbe2eba375c47faa589247283baaded8bc36d7e8e8ca8928e8af7473a

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Size

664KB
MD5

bd6343ee092d1db1e805257467c5ede6
SHA1

221c8c0b806e2e04ddbcbe2d32442ab037f8dc36
SHA256

0230a60bbe2eba375c47faa589247283baaded8bc36d7e8e8ca8928e8af7473a
SHA512

95766903945a8643a209c03491ff8c3d7ca6125f9fd860bd23e665eda98253d1c888b5a2f1b9a6a90a9fcc5ecdeb9a8c60f08a8dd140278f832f691f4c545b8a
SSDEEP

6144:rIN4KH8q7lVdspX4ruPQp7gEByECUgiVAXAADnCRc/smfGSs8pccagsHZv5w9Syl:kTT7vda4ruPo7/EvxX5GR6G98CCCifl

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uptmgr.exe

Executes dropped EXE 10 IoCs

pid	Process
2920	uptmgr.exe
2208	uptmgr.exe
4672	uptmgr.exe
536	uptmgr.exe
1644	uptmgr.exe
4880	uptmgr.exe
2456	uptmgr.exe
2736	uptmgr.exe
1124	uptmgr.exe
3656	uptmgr.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uptmgr.exe	uptmgr.exe
File opened for modification	C:\Windows\SysWOW64\uptmgr.exe	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uptmgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_cWNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "x^i]xuQqC\|I"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\bssccrBukp = "pXMblZ~^aTCqd{XBjyQLx"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\MmxmOrt = "Djy^MFU_FMlfgXi@iTM"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "H^i]xwUTHPd"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_bgNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\MmxmOrt = "Djy^MFU_FMlfgXi@iTM"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "H^i]xtF\x7fU^@"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fn@v{STJPAZ\\IBvCnnt~mwUti[WYpxA"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fnCV{STJPAC\|IBvCnnt~mwUti[WYpx@"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\MmxmOrt = "Djy^MFU_FMlfgXi@iTM"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_`WNVK"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\MmxmOrt = "Djy^MFU_FMlfgXi@iTM"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\xrbvfgjpn = "oYhQA^PLGbfQbBMf"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fn@f{STJPAFLIBvCnnt~mwUti[WYpx@"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fnCV{STJPAFLIBvCnnt~mwUti[WYpx@"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\MmxmOrt = "Djy^MFU_FMlfgXi@iTM"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_cWNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\bssccrBukp = "pXMblZ~^aTCqd{XBjyQLx"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "H^i]xtl]fIx"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_`WNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\xrbvfgjpn = "oYhQA^PLGbfQbBMf"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "H^i]xvF`LwY"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_cwNVK"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "h^i]xwGhyK_"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fn@V{STJPAV\|IBvCnnt~mwUti[WYpxD"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fn@V{STJPAR\|IBvCnnt~mwUti[WYpxD"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "x^i]xuWBgBb"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dYJqDBRgGDwZz = "WmH[bKBQeZZ_UIEVh{nBGJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "X^i]xtvjZwd"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\bssccrBukp = "pXMblZ~^aTCqd{XBjyQLx"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_cGNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "x^i]xugvbd\\"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "h^i]xus[`@x"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\bssccrBukp = "pXMblZ~^aTCqd{XBjyQLx"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fnAf{STJPAV\|IBvCnnt~mwUti[WYpxE"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "X^i]xv\\WpIE"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "h^i]xvL`rKw"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dYJqDBRgGDwZz = "WmH[bKBQeZZ_UIEVh{nBGJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\Class = "mshtml.OldHTMLFormElementClass"	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_bwNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "x^i]xt@ggwk"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "X^i]xvvuC^}"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dYJqDBRgGDwZz = "WmH[bKBQeZZ_UIEVh{nBGJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\bssccrBukp = "pXMblZ~^aTCqd{XBjyQLx"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fnCF{STJPAOlIBvCnnt~mwUti[WYpxN"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "H^i]xwPyMvl"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\dYJqDBRgGDwZz = "WmH[bKBQeZZ_UIEVh{nBGJ"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fn@V{STJPAR\|IBvCnnt~mwUti[WYpxD"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\MmxmOrt = "Djy^MFU_FMlfgXi@iTM"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_bgNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\MmxmOrt = "Djy^MFU_FMlfgXi@iTM"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_`GNVK"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\kmmfPXJ = "l{Kn`btUoWntG_bGNVK"	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\nsrscKmosqcm = "r\x7fnAv{STJPAULIBvCnnt~mwUti[WYpxF"	uptmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	uptmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\yCvJovsl = "x^i]xvDhb`~"	uptmgr.exe

NTFS ADS 11 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	uptmgr.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: 33	336	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	336	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
Token: 33	2920	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2920	uptmgr.exe
Token: 33	2208	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2208	uptmgr.exe
Token: 33	4672	uptmgr.exe
Token: SeIncBasePriorityPrivilege	4672	uptmgr.exe
Token: 33	536	uptmgr.exe
Token: SeIncBasePriorityPrivilege	536	uptmgr.exe
Token: 33	1644	uptmgr.exe
Token: SeIncBasePriorityPrivilege	1644	uptmgr.exe
Token: 33	4880	uptmgr.exe
Token: SeIncBasePriorityPrivilege	4880	uptmgr.exe
Token: 33	2456	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2456	uptmgr.exe
Token: 33	2736	uptmgr.exe
Token: SeIncBasePriorityPrivilege	2736	uptmgr.exe
Token: 33	1124	uptmgr.exe
Token: SeIncBasePriorityPrivilege	1124	uptmgr.exe
Token: 33	3656	uptmgr.exe
Token: SeIncBasePriorityPrivilege	3656	uptmgr.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 2920	336	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe	84
PID 336 wrote to memory of 2920	336	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe	84
PID 336 wrote to memory of 2920	336	bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe	84
PID 2920 wrote to memory of 2208	2920	uptmgr.exe	92
PID 2920 wrote to memory of 2208	2920	uptmgr.exe	92
PID 2920 wrote to memory of 2208	2920	uptmgr.exe	92
PID 2208 wrote to memory of 4672	2208	uptmgr.exe	95
PID 2208 wrote to memory of 4672	2208	uptmgr.exe	95
PID 2208 wrote to memory of 4672	2208	uptmgr.exe	95
PID 4672 wrote to memory of 536	4672	uptmgr.exe	96
PID 4672 wrote to memory of 536	4672	uptmgr.exe	96
PID 4672 wrote to memory of 536	4672	uptmgr.exe	96
PID 536 wrote to memory of 1644	536	uptmgr.exe	97
PID 536 wrote to memory of 1644	536	uptmgr.exe	97
PID 536 wrote to memory of 1644	536	uptmgr.exe	97
PID 1644 wrote to memory of 4880	1644	uptmgr.exe	98
PID 1644 wrote to memory of 4880	1644	uptmgr.exe	98
PID 1644 wrote to memory of 4880	1644	uptmgr.exe	98
PID 4880 wrote to memory of 2456	4880	uptmgr.exe	99
PID 4880 wrote to memory of 2456	4880	uptmgr.exe	99
PID 4880 wrote to memory of 2456	4880	uptmgr.exe	99
PID 2456 wrote to memory of 2736	2456	uptmgr.exe	100
PID 2456 wrote to memory of 2736	2456	uptmgr.exe	100
PID 2456 wrote to memory of 2736	2456	uptmgr.exe	100
PID 2736 wrote to memory of 1124	2736	uptmgr.exe	101
PID 2736 wrote to memory of 1124	2736	uptmgr.exe	101
PID 2736 wrote to memory of 1124	2736	uptmgr.exe	101
PID 1124 wrote to memory of 3656	1124	uptmgr.exe	102
PID 1124 wrote to memory of 3656	1124	uptmgr.exe	102
PID 1124 wrote to memory of 3656	1124	uptmgr.exe	102

C:\Users\Admin\AppData\Local\Temp\bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\uptmgr.exe
  C:\Windows\system32\uptmgr.exe 1348 "C:\Users\Admin\AppData\Local\Temp\bd6343ee092d1db1e805257467c5ede6_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\uptmgr.exe
    C:\Windows\system32\uptmgr.exe 1464 "C:\Windows\SysWOW64\uptmgr.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\uptmgr.exe
      C:\Windows\system32\uptmgr.exe 1468 "C:\Windows\SysWOW64\uptmgr.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 1472 "C:\Windows\SysWOW64\uptmgr.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 1476 "C:\Windows\SysWOW64\uptmgr.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 1480 "C:\Windows\SysWOW64\uptmgr.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 1484 "C:\Windows\SysWOW64\uptmgr.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 1488 "C:\Windows\SysWOW64\uptmgr.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 1492 "C:\Windows\SysWOW64\uptmgr.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\uptmgr.exe
        
        C:\Windows\system32\uptmgr.exe 1496 "C:\Windows\SysWOW64\uptmgr.exe"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
0f68b92e55bf3b0d87feed0356eaf068

SHA1
29a2cc541e0c8f9ced295df8bc313a583b6273e3

SHA256
8794d2ac85cbcf02575f03af1b9fe91a2bf276417f1b767162babd636a2db818

SHA512
49fe484d6083707e179e7e9eb141c8931dc0b2342f5dd42d96fbbb68bdf3a7756557bf12842159f99e6c38a6ae57dcfbc2b0ed7fea2c824d4d6811729e011ac7

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
0281a278712b95fbc8dd5f7d0da225e6

SHA1
d47606fbbe0b9847387f2e58958166883fd65170

SHA256
f4b43f1d43ef1cb02ee41432e81121e7c30f5dfd4b6d2ce323564c78de5090e6

SHA512
6d73a1dc6281ef24cf1360c2f797e40b9c2a4b274b352e11ba0c5450f6ab63166a5af6306913dc072a89dc289b1391400421bf4a342429f00689568732f7bd39

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
f752cdc8d58f572fe5c1919dc3e44f92

SHA1
7b10a75a2d9c4406115c86f3c654a08050b64b3c

SHA256
4d1c5680d1d4ce0eadffbdead53ffdd6db33c29fa234253724960f31fa68e2ec

SHA512
b718e01f6661546e5749e5ee4894f7b20a4731f20baddfe81174b2a7930224350c46a0c7288db684c465b86868b6ce16987a64f4dd948c0e56bd83dd44d8f984

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
eddde4b3a82e710aa95f7d1f9483a88f

SHA1
06c7aea3d7240edc7f26d3ac2411eb3b5c213fab

SHA256
baf8afdc43c912f1ed52a555285ab09597dd5c3df3ed6f64f5ed332d92abe145

SHA512
37b669f94b4ffd9f3c10f20709d2f02841b6b49fcf948d8c29021eaa108db7099bd1f43d84671ab4437db05ece48f6d94d5db06e4db02128674abacacf9fe819

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
64d85e3ba9cac062f57ab077a054994b

SHA1
6bcff2412274e246f3d31cac9caecd838d0f7cb5

SHA256
0dcc3bd97fd50547a35ddf6af8cce48c29a758ae1e042a5d17b38e75951c45c4

SHA512
c845d367fb3c39fc8ad3401480d31e79a4ef4b7224a4ee1cc13739d3fc0c24cdfa2408a4ab7b39135eda34ee35832fab8d135759977d2ca1d9be2f39212214fb

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
eeede254f177dc801f90c01371ae744e

SHA1
1e3962883f63e66ab6bf89449baeeb8712f0bb1a

SHA256
888617a85b242f1333e996af86a13f6490d1c5d894f68f2392b763025d8dec58

SHA512
b26847627a681a9e87242c6442c218877d8aa708eb7420e84a1ec3134310903427242bbc62f1df782c37fa27604b24706438ba7643e8ef64882809b619d36d0a

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
c860f97b47007be55dcd313fb3fbb5d3

SHA1
0f0afde92fe5bd808d28c2d0279e31ba7b6dee25

SHA256
d7458ff073828d8403d586eb736c225295b2defe072dcbc141d074a8d3abc2a2

SHA512
c4db6ff67b909d811880585473197efa47810d207a5d07167a66d5d99eae3066c15bab8143618ff9b37a4e762991772cb57b7f37150ecc5415d193ed84e57a83

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
aaa218f83858c6d2a177916b73f2b12c

SHA1
0a94f52558bf09bb3ff41643d2bd124a7648c19a

SHA256
f8ef2c6df00bab88bfbce2a3b44a2bc1a251bad30e14a8fbade97510b6789067

SHA512
d799c1bd63c9f11f3384f4c458e5bf29a878dae40a176c6ff3ad06c98152341b4c3126362741df36053199990083a8643d4ea24d26317abfc70ad9bacdfc1653

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
7372e1fbeb844cbe96a582444f5b5d4d

SHA1
8f17b97a09201b14d3d128728ca4d950ef555f16

SHA256
b1c0138e0cb14e5ad025a0fb3c3fa85ebfd3f1808b7db1f79f46fd8a198a4db7

SHA512
0507c39f51ca76176ddf5a918eda8b07f2f255c0cb3d65fd9fd3a7605e6f78ba53fa7cb6044fbf743cd4564f4bccb46dcd786e292bf56ed6ee1b5c5158b0283a

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
3e8d5e4ad1b201c5a076947aa68d19a9

SHA1
8b57fb872936b6355beaf01cdec4f8ffdb2a77e5

SHA256
d512b988a32855410002e964cf73761343bb42cf7af6188c95628dbf23b05d4c

SHA512
22e126ed0d9c504df6f82c15bc530e3876de8137f74c446e9830f48182b0ee5c3e5714305f240d44043052837af7e70c2faed937e88ac7a49060da8cc4c9a3ff

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
47df6c2b63da2bf7e8b9789b95effb74

SHA1
7e97718d76761ab6837484d65006cb0e1e40af08

SHA256
d31289b7d604b2a159fe68e7a2496da5a06592b8eaa0ab46b63c751ed67549a8

SHA512
b6fb4439ba972c9efabc3e74be7bfbf21c7bd69602e085b0aefab20047bbe0730d74ce811a02e44522f1f547c69f1fc6b17fa71174d002607694877997a4332b

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
0ae1b07640a4e721a62c640838ed09ef

SHA1
63ca6ac68fe1874053437832d7bf9da1b413b452

SHA256
d81785e86daa9f354f0496471cc8f8f3887a3818db67722bb348de127a771ae5

SHA512
6916143d562149a4db5be2c278d9e02b56c5ab9dc3ea6ddfa970b012faf234507a4e1a6ac53bcb6245606ee5991682d3ec8dee6578958162d42560a7be2509da

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
1da44ac386344a0c615776023c0b4926

SHA1
c6596748822bebb6149eef629b54c443fa46b96a

SHA256
b8c7d644d8f722f314101e8c73dd61bcb7c152bbbf46fc30b5424ead93a83c90

SHA512
ef61aea45b259a58c55a135f38abd69c7d49fd6a9ce35c92e897af851db12e2377d4395c25dfaa8059b22145f3f66d3c922078a3faf3e66a83381b555e84f71c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
06742cfbf0409561f1c5828366f34d87

SHA1
f948bfe071bd7854ab70c0a9741ec630e3f69a53

SHA256
6016bb4409d8de3ffa901b694ddb1c53ba2ecdbbf13d499fbceb9e42364c9efc

SHA512
c0a1c68a494b963ac66ab462f8eb9076cf427c46f3586da04e55d35b9c3ece5a63686b9c28c86e762f6fd070e2823908963ae505031980187260fb578ae0d8c2

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
f0986915ae36fd9d0cb10819c842889b

SHA1
9c559bf885260ee80f36ca4e32aad65164190449

SHA256
0d5c638c6babf4ff5ea99e5b8dae2dea6183d8feb7f628378756343d849d8132

SHA512
5c7544f50423d3c8c29d2ed998b673f5a6e842189ddb5983ebdbd452e2bad3e550140250b0f9ff59a92483b74e9d3fb94ff81bbd4683e562107323ff37331d81

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
41bd0bc5df753c4ba95d7be60085feca

SHA1
3cf303e3326c63c985cf8661c7cee8d0db3e63f5

SHA256
c0b5f807af6abf23f2b5c9be79557aeeb5986dbada46c07ddef958d858afe6a5

SHA512
ed98947ec35dc4f45cd05999f19fd39a60cd924e6d9e4955d50015ced4936636ad8b578bb072eff710e2221ae2d3d55664d250ba448fc3085951a4363a99b1fc

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
104B

MD5
72335ed39ee269447223c315d5244338

SHA1
65f4e014895c9c42a10248d83ef5c49f34c31e9d

SHA256
8d6887eaa221247c71b756b475b097554c32c16583a575fdd1ddb43cf7d03a90

SHA512
cca560d40da1431e84f3a14ee0ca29cea0a323ec9e43091df955edbd68a9ad6e7fca2c5ffc832961b3a8c4462c637195c64e3c8018b128395c0147d140aa1bdd

Download Submit
C:\Windows\SysWOW64\uptmgr.exe

Filesize
664KB

MD5
bd6343ee092d1db1e805257467c5ede6

SHA1
221c8c0b806e2e04ddbcbe2d32442ab037f8dc36

SHA256
0230a60bbe2eba375c47faa589247283baaded8bc36d7e8e8ca8928e8af7473a

SHA512
95766903945a8643a209c03491ff8c3d7ca6125f9fd860bd23e665eda98253d1c888b5a2f1b9a6a90a9fcc5ecdeb9a8c60f08a8dd140278f832f691f4c545b8a

Download Submit
memory/336-8-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/336-0-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/336-38-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/336-2-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/336-10-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/336-13-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/336-11-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/336-12-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/336-36-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/336-7-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/536-152-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/536-127-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1124-272-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1124-297-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1644-156-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1644-181-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-53-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-54-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-70-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/2208-67-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/2208-93-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-58-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-56-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-57-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-59-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/2208-69-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2208-45-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/2208-92-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/2208-90-0x00000000006A0000-0x00000000006ED000-memory.dmp

Filesize
308KB

Download
memory/2456-239-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2456-214-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2736-243-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2736-268-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-39-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/2920-34-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-62-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/2920-26-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-21-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/2920-32-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-35-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/2920-42-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/2920-33-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-30-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-29-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-66-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2920-64-0x00000000005D0000-0x000000000061D000-memory.dmp

Filesize
308KB

Download
memory/2920-41-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/3656-301-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4672-87-0x00000000006E0000-0x000000000072D000-memory.dmp

Filesize
308KB

Download
memory/4672-73-0x00000000006E0000-0x000000000072D000-memory.dmp

Filesize
308KB

Download
memory/4672-82-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4672-123-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4672-86-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4672-85-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4672-84-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4672-81-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4672-97-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4880-210-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/4880-185-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download