metasploit | 135a032c74799dfc2f5086d47e0a47685be81849d7a7e8886e072e4e180413ce

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Size

197KB
MD5

df3ebbd747838b88de37c7dcf96ca408
SHA1

ee5946bb7b98027b5078e1fee5ac9d8d404f3bb0
SHA256

135a032c74799dfc2f5086d47e0a47685be81849d7a7e8886e072e4e180413ce
SHA512

fcabcbf5eea9c43fcffd80f574d9e84eeb307e2e7f20aff70f02b10ff62f1814ed6f1305233440109bf2e95351fbbfb5794be74dbb311bdddc573cc03bdd5ebe
SSDEEP

3072:8XG+uJi5O4zgRHPLRMFDb8Z4yl+U7CxCYItGKTNyn846yCN54TNPVD9utP6f+3:8W6AqCljYE5yn/6yQOTF7utP6fW

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2812	wmpdlc32.exe

Executes dropped EXE 32 IoCs

pid	Process
2416	wmpdlc32.exe
2812	wmpdlc32.exe
2680	wmpdlc32.exe
2656	wmpdlc32.exe
572	wmpdlc32.exe
1708	wmpdlc32.exe
1240	wmpdlc32.exe
2612	wmpdlc32.exe
2940	wmpdlc32.exe
2932	wmpdlc32.exe
1252	wmpdlc32.exe
448	wmpdlc32.exe
1756	wmpdlc32.exe
2028	wmpdlc32.exe
2432	wmpdlc32.exe
1784	wmpdlc32.exe
1512	wmpdlc32.exe
1828	wmpdlc32.exe
2260	wmpdlc32.exe
2396	wmpdlc32.exe
2780	wmpdlc32.exe
2348	wmpdlc32.exe
2936	wmpdlc32.exe
2572	wmpdlc32.exe
1096	wmpdlc32.exe
2044	wmpdlc32.exe
876	wmpdlc32.exe
1948	wmpdlc32.exe
3032	wmpdlc32.exe
1716	wmpdlc32.exe
2248	wmpdlc32.exe
3040	wmpdlc32.exe

Loads dropped DLL 32 IoCs

pid	Process
2944	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
2416	wmpdlc32.exe
2812	wmpdlc32.exe
2680	wmpdlc32.exe
2656	wmpdlc32.exe
572	wmpdlc32.exe
1708	wmpdlc32.exe
1240	wmpdlc32.exe
2612	wmpdlc32.exe
2940	wmpdlc32.exe
2932	wmpdlc32.exe
1252	wmpdlc32.exe
448	wmpdlc32.exe
1756	wmpdlc32.exe
2028	wmpdlc32.exe
2432	wmpdlc32.exe
1784	wmpdlc32.exe
1512	wmpdlc32.exe
1828	wmpdlc32.exe
2260	wmpdlc32.exe
2396	wmpdlc32.exe
2780	wmpdlc32.exe
2348	wmpdlc32.exe
2936	wmpdlc32.exe
2572	wmpdlc32.exe
1096	wmpdlc32.exe
2044	wmpdlc32.exe
876	wmpdlc32.exe
1948	wmpdlc32.exe
3032	wmpdlc32.exe
1716	wmpdlc32.exe
2248	wmpdlc32.exe

Maps connected drives based on registry 3 TTPs 34 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdlc32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdlc32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdlc32.exe
File created	C:\Windows\SysWOW64\wmpdlc32.exe	wmpdlc32.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 2416 set thread context of 2812	2416	wmpdlc32.exe	33
PID 2680 set thread context of 2656	2680	wmpdlc32.exe	35
PID 572 set thread context of 1708	572	wmpdlc32.exe	37
PID 1240 set thread context of 2612	1240	wmpdlc32.exe	39
PID 2940 set thread context of 2932	2940	wmpdlc32.exe	41
PID 1252 set thread context of 448	1252	wmpdlc32.exe	43
PID 1756 set thread context of 2028	1756	wmpdlc32.exe	45
PID 2432 set thread context of 1784	2432	wmpdlc32.exe	47
PID 1512 set thread context of 1828	1512	wmpdlc32.exe	49
PID 2260 set thread context of 2396	2260	wmpdlc32.exe	51
PID 2780 set thread context of 2348	2780	wmpdlc32.exe	53
PID 2936 set thread context of 2572	2936	wmpdlc32.exe	55
PID 1096 set thread context of 2044	1096	wmpdlc32.exe	57
PID 876 set thread context of 1948	876	wmpdlc32.exe	59
PID 3032 set thread context of 1716	3032	wmpdlc32.exe	61
PID 2248 set thread context of 3040	2248	wmpdlc32.exe	63

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-3-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2944-4-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2944-7-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2944-9-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2944-8-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2944-2-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2812-29-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2944-32-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2812-36-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2656-48-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2812-49-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1708-64-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2656-67-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2612-81-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1708-82-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2932-98-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2612-99-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/448-114-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2932-117-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2028-131-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/448-134-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1784-148-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2028-151-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1828-166-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1784-169-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2396-183-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1828-186-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2348-201-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2396-204-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-218-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2348-221-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2044-236-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2572-239-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1948-252-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2044-255-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1716-265-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1948-268-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3040-278-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1716-281-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1756-291-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3040-294-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdlc32.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2944	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
2944	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
2812	wmpdlc32.exe
2812	wmpdlc32.exe
2656	wmpdlc32.exe
2656	wmpdlc32.exe
1708	wmpdlc32.exe
1708	wmpdlc32.exe
2612	wmpdlc32.exe
2612	wmpdlc32.exe
2932	wmpdlc32.exe
2932	wmpdlc32.exe
448	wmpdlc32.exe
448	wmpdlc32.exe
2028	wmpdlc32.exe
2028	wmpdlc32.exe
1784	wmpdlc32.exe
1784	wmpdlc32.exe
1828	wmpdlc32.exe
1828	wmpdlc32.exe
2396	wmpdlc32.exe
2396	wmpdlc32.exe
2348	wmpdlc32.exe
2348	wmpdlc32.exe
2572	wmpdlc32.exe
2572	wmpdlc32.exe
2044	wmpdlc32.exe
2044	wmpdlc32.exe
1948	wmpdlc32.exe
1948	wmpdlc32.exe
1716	wmpdlc32.exe
1716	wmpdlc32.exe
3040	wmpdlc32.exe
3040	wmpdlc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 784 wrote to memory of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 784 wrote to memory of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 784 wrote to memory of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 784 wrote to memory of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 784 wrote to memory of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 784 wrote to memory of 2944	784	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2416	2944	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2416	2944	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2416	2944	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2416	2944	df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2812	2416	wmpdlc32.exe	33
PID 2416 wrote to memory of 2812	2416	wmpdlc32.exe	33
PID 2416 wrote to memory of 2812	2416	wmpdlc32.exe	33
PID 2416 wrote to memory of 2812	2416	wmpdlc32.exe	33
PID 2416 wrote to memory of 2812	2416	wmpdlc32.exe	33
PID 2416 wrote to memory of 2812	2416	wmpdlc32.exe	33
PID 2416 wrote to memory of 2812	2416	wmpdlc32.exe	33
PID 2812 wrote to memory of 2680	2812	wmpdlc32.exe	34
PID 2812 wrote to memory of 2680	2812	wmpdlc32.exe	34
PID 2812 wrote to memory of 2680	2812	wmpdlc32.exe	34
PID 2812 wrote to memory of 2680	2812	wmpdlc32.exe	34
PID 2680 wrote to memory of 2656	2680	wmpdlc32.exe	35
PID 2680 wrote to memory of 2656	2680	wmpdlc32.exe	35
PID 2680 wrote to memory of 2656	2680	wmpdlc32.exe	35
PID 2680 wrote to memory of 2656	2680	wmpdlc32.exe	35
PID 2680 wrote to memory of 2656	2680	wmpdlc32.exe	35
PID 2680 wrote to memory of 2656	2680	wmpdlc32.exe	35
PID 2680 wrote to memory of 2656	2680	wmpdlc32.exe	35
PID 2656 wrote to memory of 572	2656	wmpdlc32.exe	36
PID 2656 wrote to memory of 572	2656	wmpdlc32.exe	36
PID 2656 wrote to memory of 572	2656	wmpdlc32.exe	36
PID 2656 wrote to memory of 572	2656	wmpdlc32.exe	36
PID 572 wrote to memory of 1708	572	wmpdlc32.exe	37
PID 572 wrote to memory of 1708	572	wmpdlc32.exe	37
PID 572 wrote to memory of 1708	572	wmpdlc32.exe	37
PID 572 wrote to memory of 1708	572	wmpdlc32.exe	37
PID 572 wrote to memory of 1708	572	wmpdlc32.exe	37
PID 572 wrote to memory of 1708	572	wmpdlc32.exe	37
PID 572 wrote to memory of 1708	572	wmpdlc32.exe	37
PID 1708 wrote to memory of 1240	1708	wmpdlc32.exe	38
PID 1708 wrote to memory of 1240	1708	wmpdlc32.exe	38
PID 1708 wrote to memory of 1240	1708	wmpdlc32.exe	38
PID 1708 wrote to memory of 1240	1708	wmpdlc32.exe	38
PID 1240 wrote to memory of 2612	1240	wmpdlc32.exe	39
PID 1240 wrote to memory of 2612	1240	wmpdlc32.exe	39
PID 1240 wrote to memory of 2612	1240	wmpdlc32.exe	39
PID 1240 wrote to memory of 2612	1240	wmpdlc32.exe	39
PID 1240 wrote to memory of 2612	1240	wmpdlc32.exe	39
PID 1240 wrote to memory of 2612	1240	wmpdlc32.exe	39
PID 1240 wrote to memory of 2612	1240	wmpdlc32.exe	39
PID 2612 wrote to memory of 2940	2612	wmpdlc32.exe	40
PID 2612 wrote to memory of 2940	2612	wmpdlc32.exe	40
PID 2612 wrote to memory of 2940	2612	wmpdlc32.exe	40
PID 2612 wrote to memory of 2940	2612	wmpdlc32.exe	40
PID 2940 wrote to memory of 2932	2940	wmpdlc32.exe	41
PID 2940 wrote to memory of 2932	2940	wmpdlc32.exe	41
PID 2940 wrote to memory of 2932	2940	wmpdlc32.exe	41
PID 2940 wrote to memory of 2932	2940	wmpdlc32.exe	41
PID 2940 wrote to memory of 2932	2940	wmpdlc32.exe	41
PID 2940 wrote to memory of 2932	2940	wmpdlc32.exe	41
PID 2940 wrote to memory of 2932	2940	wmpdlc32.exe	41
PID 2932 wrote to memory of 1252	2932	wmpdlc32.exe	42
PID 2932 wrote to memory of 1252	2932	wmpdlc32.exe	42

C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\df3ebbd747838b88de37c7dcf96ca408_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\wmpdlc32.exe
    "C:\Windows\system32\wmpdlc32.exe" C:\Users\Admin\AppData\Local\Temp\DF3EBB~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\wmpdlc32.exe
      "C:\Windows\system32\wmpdlc32.exe" C:\Users\Admin\AppData\Local\Temp\DF3EBB~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        35⤵
        
        PID:936
        
        C:\Windows\SysWOW64\wmpdlc32.exe
        
        "C:\Windows\system32\wmpdlc32.exe" C:\Windows\SysWOW64\wmpdlc32.exe
        36⤵
        
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmpdlc32.exe

Filesize
197KB

MD5
df3ebbd747838b88de37c7dcf96ca408

SHA1
ee5946bb7b98027b5078e1fee5ac9d8d404f3bb0

SHA256
135a032c74799dfc2f5086d47e0a47685be81849d7a7e8886e072e4e180413ce

SHA512
fcabcbf5eea9c43fcffd80f574d9e84eeb307e2e7f20aff70f02b10ff62f1814ed6f1305233440109bf2e95351fbbfb5794be74dbb311bdddc573cc03bdd5ebe

Download Submit
memory/448-114-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/448-134-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1708-64-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1708-82-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1716-281-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1716-265-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1756-291-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1784-148-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1784-169-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1828-166-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1828-186-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1948-268-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1948-252-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-151-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-131-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2044-236-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2044-255-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2348-221-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2348-201-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2396-183-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2396-204-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-239-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2572-218-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-81-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2612-99-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2656-48-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2656-67-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-29-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-49-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2932-98-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2932-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-32-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-8-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-4-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2944-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3040-278-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3040-294-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download