metasploit | d0215d9f04581b0d6329d70ee1d501d2fa2360a9f274da0a22eca611fb882ad1

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/12/2024, 16:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
Size

142KB
MD5

e7549ec8fa1ba0ba769e8cfe14d34790
SHA1

8e1130a36a9f26256fd2e0e6be67d5bc980aee66
SHA256

d0215d9f04581b0d6329d70ee1d501d2fa2360a9f274da0a22eca611fb882ad1
SHA512

31021a284312716323579b4de6dc27c76c9c55bdb620b490c1a1defe5360684b864ee5a65f1d299df6af2ba45005072e695b745a7896625738743a92caa7cd28
SSDEEP

3072:NT0/l0C5cSH6fMUAxeIE3EyMd8Z6OpA/RCpMxil+xI:NBCuRfMQFMd7gAgp0iMxI

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2716	wmpdtn32.exe

Executes dropped EXE 32 IoCs

pid	Process
2384	wmpdtn32.exe
2716	wmpdtn32.exe
2732	wmpdtn32.exe
2600	wmpdtn32.exe
2656	wmpdtn32.exe
2668	wmpdtn32.exe
1920	wmpdtn32.exe
1372	wmpdtn32.exe
2872	wmpdtn32.exe
268	wmpdtn32.exe
2468	wmpdtn32.exe
2460	wmpdtn32.exe
888	wmpdtn32.exe
2240	wmpdtn32.exe
568	wmpdtn32.exe
2060	wmpdtn32.exe
2252	wmpdtn32.exe
2256	wmpdtn32.exe
2840	wmpdtn32.exe
2808	wmpdtn32.exe
2904	wmpdtn32.exe
1908	wmpdtn32.exe
288	wmpdtn32.exe
2952	wmpdtn32.exe
2464	wmpdtn32.exe
2880	wmpdtn32.exe
1996	wmpdtn32.exe
2972	wmpdtn32.exe
2268	wmpdtn32.exe
872	wmpdtn32.exe
1932	wmpdtn32.exe
1508	wmpdtn32.exe

Loads dropped DLL 64 IoCs

pid	Process
2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
2384	wmpdtn32.exe
2384	wmpdtn32.exe
2716	wmpdtn32.exe
2716	wmpdtn32.exe
2732	wmpdtn32.exe
2732	wmpdtn32.exe
2600	wmpdtn32.exe
2600	wmpdtn32.exe
2656	wmpdtn32.exe
2656	wmpdtn32.exe
2668	wmpdtn32.exe
2668	wmpdtn32.exe
1920	wmpdtn32.exe
1920	wmpdtn32.exe
1372	wmpdtn32.exe
1372	wmpdtn32.exe
2872	wmpdtn32.exe
2872	wmpdtn32.exe
268	wmpdtn32.exe
268	wmpdtn32.exe
2468	wmpdtn32.exe
2468	wmpdtn32.exe
2460	wmpdtn32.exe
2460	wmpdtn32.exe
888	wmpdtn32.exe
888	wmpdtn32.exe
2240	wmpdtn32.exe
2240	wmpdtn32.exe
568	wmpdtn32.exe
568	wmpdtn32.exe
2060	wmpdtn32.exe
2060	wmpdtn32.exe
2252	wmpdtn32.exe
2252	wmpdtn32.exe
2256	wmpdtn32.exe
2256	wmpdtn32.exe
2840	wmpdtn32.exe
2840	wmpdtn32.exe
2808	wmpdtn32.exe
2808	wmpdtn32.exe
2904	wmpdtn32.exe
2904	wmpdtn32.exe
1908	wmpdtn32.exe
1908	wmpdtn32.exe
288	wmpdtn32.exe
288	wmpdtn32.exe
2952	wmpdtn32.exe
2952	wmpdtn32.exe
2464	wmpdtn32.exe
2464	wmpdtn32.exe
2880	wmpdtn32.exe
2880	wmpdtn32.exe
1996	wmpdtn32.exe
1996	wmpdtn32.exe
2972	wmpdtn32.exe
2972	wmpdtn32.exe
2268	wmpdtn32.exe
2268	wmpdtn32.exe
872	wmpdtn32.exe
872	wmpdtn32.exe
1932	wmpdtn32.exe
1932	wmpdtn32.exe

Maps connected drives based on registry 3 TTPs 34 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmpdtn32.exe

Drops file in System32 directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File opened for modification	C:\Windows\SysWOW64\	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe
File created	C:\Windows\SysWOW64\wmpdtn32.exe	wmpdtn32.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2384 set thread context of 2716	2384	wmpdtn32.exe	33
PID 2732 set thread context of 2600	2732	wmpdtn32.exe	35
PID 2656 set thread context of 2668	2656	wmpdtn32.exe	37
PID 1920 set thread context of 1372	1920	wmpdtn32.exe	39
PID 2872 set thread context of 268	2872	wmpdtn32.exe	41
PID 2468 set thread context of 2460	2468	wmpdtn32.exe	43
PID 888 set thread context of 2240	888	wmpdtn32.exe	45
PID 568 set thread context of 2060	568	wmpdtn32.exe	47
PID 2252 set thread context of 2256	2252	wmpdtn32.exe	49
PID 2840 set thread context of 2808	2840	wmpdtn32.exe	51
PID 2904 set thread context of 1908	2904	wmpdtn32.exe	53
PID 288 set thread context of 2952	288	wmpdtn32.exe	56
PID 2464 set thread context of 2880	2464	wmpdtn32.exe	58
PID 1996 set thread context of 2972	1996	wmpdtn32.exe	60
PID 2268 set thread context of 872	2268	wmpdtn32.exe	62
PID 1932 set thread context of 1508	1932	wmpdtn32.exe	64

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-6-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2152-9-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2152-7-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2152-4-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2152-3-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2152-2-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2152-8-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2152-22-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2716-36-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2716-35-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2716-34-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2716-33-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2716-41-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2716-44-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2600-57-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2600-63-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2668-76-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2668-74-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2668-75-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2668-82-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1372-94-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1372-95-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1372-93-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1372-101-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/268-114-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/268-112-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/268-121-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2460-134-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2460-140-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2240-153-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2240-159-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2060-172-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2060-179-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2256-192-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2256-198-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2808-208-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2808-211-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1908-221-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1908-224-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2952-232-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2952-237-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2880-245-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2880-250-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2972-262-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/872-274-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpdtn32.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
2716	wmpdtn32.exe
2716	wmpdtn32.exe
2600	wmpdtn32.exe
2600	wmpdtn32.exe
2668	wmpdtn32.exe
2668	wmpdtn32.exe
1372	wmpdtn32.exe
1372	wmpdtn32.exe
268	wmpdtn32.exe
268	wmpdtn32.exe
2460	wmpdtn32.exe
2460	wmpdtn32.exe
2240	wmpdtn32.exe
2240	wmpdtn32.exe
2060	wmpdtn32.exe
2060	wmpdtn32.exe
2256	wmpdtn32.exe
2256	wmpdtn32.exe
2808	wmpdtn32.exe
2808	wmpdtn32.exe
1908	wmpdtn32.exe
1908	wmpdtn32.exe
2952	wmpdtn32.exe
2952	wmpdtn32.exe
2880	wmpdtn32.exe
2880	wmpdtn32.exe
2972	wmpdtn32.exe
2972	wmpdtn32.exe
872	wmpdtn32.exe
872	wmpdtn32.exe
1508	wmpdtn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2152	2228	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2384	2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	32
PID 2152 wrote to memory of 2384	2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	32
PID 2152 wrote to memory of 2384	2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	32
PID 2152 wrote to memory of 2384	2152	e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2716	2384	wmpdtn32.exe	33
PID 2384 wrote to memory of 2716	2384	wmpdtn32.exe	33
PID 2384 wrote to memory of 2716	2384	wmpdtn32.exe	33
PID 2384 wrote to memory of 2716	2384	wmpdtn32.exe	33
PID 2384 wrote to memory of 2716	2384	wmpdtn32.exe	33
PID 2384 wrote to memory of 2716	2384	wmpdtn32.exe	33
PID 2384 wrote to memory of 2716	2384	wmpdtn32.exe	33
PID 2716 wrote to memory of 2732	2716	wmpdtn32.exe	34
PID 2716 wrote to memory of 2732	2716	wmpdtn32.exe	34
PID 2716 wrote to memory of 2732	2716	wmpdtn32.exe	34
PID 2716 wrote to memory of 2732	2716	wmpdtn32.exe	34
PID 2732 wrote to memory of 2600	2732	wmpdtn32.exe	35
PID 2732 wrote to memory of 2600	2732	wmpdtn32.exe	35
PID 2732 wrote to memory of 2600	2732	wmpdtn32.exe	35
PID 2732 wrote to memory of 2600	2732	wmpdtn32.exe	35
PID 2732 wrote to memory of 2600	2732	wmpdtn32.exe	35
PID 2732 wrote to memory of 2600	2732	wmpdtn32.exe	35
PID 2732 wrote to memory of 2600	2732	wmpdtn32.exe	35
PID 2600 wrote to memory of 2656	2600	wmpdtn32.exe	36
PID 2600 wrote to memory of 2656	2600	wmpdtn32.exe	36
PID 2600 wrote to memory of 2656	2600	wmpdtn32.exe	36
PID 2600 wrote to memory of 2656	2600	wmpdtn32.exe	36
PID 2656 wrote to memory of 2668	2656	wmpdtn32.exe	37
PID 2656 wrote to memory of 2668	2656	wmpdtn32.exe	37
PID 2656 wrote to memory of 2668	2656	wmpdtn32.exe	37
PID 2656 wrote to memory of 2668	2656	wmpdtn32.exe	37
PID 2656 wrote to memory of 2668	2656	wmpdtn32.exe	37
PID 2656 wrote to memory of 2668	2656	wmpdtn32.exe	37
PID 2656 wrote to memory of 2668	2656	wmpdtn32.exe	37
PID 2668 wrote to memory of 1920	2668	wmpdtn32.exe	38
PID 2668 wrote to memory of 1920	2668	wmpdtn32.exe	38
PID 2668 wrote to memory of 1920	2668	wmpdtn32.exe	38
PID 2668 wrote to memory of 1920	2668	wmpdtn32.exe	38
PID 1920 wrote to memory of 1372	1920	wmpdtn32.exe	39
PID 1920 wrote to memory of 1372	1920	wmpdtn32.exe	39
PID 1920 wrote to memory of 1372	1920	wmpdtn32.exe	39
PID 1920 wrote to memory of 1372	1920	wmpdtn32.exe	39
PID 1920 wrote to memory of 1372	1920	wmpdtn32.exe	39
PID 1920 wrote to memory of 1372	1920	wmpdtn32.exe	39
PID 1920 wrote to memory of 1372	1920	wmpdtn32.exe	39
PID 1372 wrote to memory of 2872	1372	wmpdtn32.exe	40
PID 1372 wrote to memory of 2872	1372	wmpdtn32.exe	40
PID 1372 wrote to memory of 2872	1372	wmpdtn32.exe	40
PID 1372 wrote to memory of 2872	1372	wmpdtn32.exe	40
PID 2872 wrote to memory of 268	2872	wmpdtn32.exe	41
PID 2872 wrote to memory of 268	2872	wmpdtn32.exe	41
PID 2872 wrote to memory of 268	2872	wmpdtn32.exe	41
PID 2872 wrote to memory of 268	2872	wmpdtn32.exe	41
PID 2872 wrote to memory of 268	2872	wmpdtn32.exe	41
PID 2872 wrote to memory of 268	2872	wmpdtn32.exe	41
PID 2872 wrote to memory of 268	2872	wmpdtn32.exe	41
PID 268 wrote to memory of 2468	268	wmpdtn32.exe	42
PID 268 wrote to memory of 2468	268	wmpdtn32.exe	42

C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e7549ec8fa1ba0ba769e8cfe14d34790_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\wmpdtn32.exe
    "C:\Windows\system32\wmpdtn32.exe" C:\Users\Admin\AppData\Local\Temp\E7549E~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\wmpdtn32.exe
      "C:\Windows\system32\wmpdtn32.exe" C:\Users\Admin\AppData\Local\Temp\E7549E~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:872
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\wmpdtn32.exe
        
        "C:\Windows\system32\wmpdtn32.exe" C:\Windows\SysWOW64\wmpdtn32.exe
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmpdtn32.exe

Filesize
142KB

MD5
e7549ec8fa1ba0ba769e8cfe14d34790

SHA1
8e1130a36a9f26256fd2e0e6be67d5bc980aee66

SHA256
d0215d9f04581b0d6329d70ee1d501d2fa2360a9f274da0a22eca611fb882ad1

SHA512
31021a284312716323579b4de6dc27c76c9c55bdb620b490c1a1defe5360684b864ee5a65f1d299df6af2ba45005072e695b745a7896625738743a92caa7cd28

Download Submit
memory/268-114-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/268-112-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/268-121-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/872-274-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1372-93-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1372-95-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1372-94-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1372-101-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1908-221-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1908-224-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2060-179-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2060-172-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-2-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-22-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-7-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2152-6-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2240-159-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2240-153-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2256-192-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2256-198-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2460-134-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2460-140-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2600-63-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2600-57-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-82-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-75-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-74-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2668-76-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2716-33-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2716-41-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2716-44-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2716-34-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2716-35-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2716-36-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2808-208-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2808-211-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2880-245-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2880-250-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2952-232-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2952-237-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2972-262-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download