metasploit | 1252ab0cd33bd0b06f3c60a794909d1c50189a6aa42d0a3dcf01a40f80c2b6f5

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Size

173KB
MD5

ec18ef42443b23fc4aff8737eee15d8f
SHA1

7423ae71bdfa78734db1b21bf11fec178807a530
SHA256

1252ab0cd33bd0b06f3c60a794909d1c50189a6aa42d0a3dcf01a40f80c2b6f5
SHA512

c7efa24d047174a611aa1cf7876d2c5eaca0314d133f4f67125f4671a692cbbf15685f44e8c7d79169175773f3fd80c28d1b92e2d81645d895fec278d1a1817d
SSDEEP

3072:WsGEEhlRNs4Z8Gzr27BT+gzDRDxckVC/L2x7WYGP/cliC5uZOT7:dGXHkGzuq8RhC/JlPklBw6

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2560	wmptv2.exe

Executes dropped EXE 30 IoCs

pid	Process
2760	wmptv2.exe
2560	wmptv2.exe
3016	wmptv2.exe
904	wmptv2.exe
1676	wmptv2.exe
1944	wmptv2.exe
2852	wmptv2.exe
1760	wmptv2.exe
2244	wmptv2.exe
912	wmptv2.exe
704	wmptv2.exe
1720	wmptv2.exe
2304	wmptv2.exe
2068	wmptv2.exe
1796	wmptv2.exe
1964	wmptv2.exe
2188	wmptv2.exe
2688	wmptv2.exe
2816	wmptv2.exe
2616	wmptv2.exe
2064	wmptv2.exe
1784	wmptv2.exe
1360	wmptv2.exe
1680	wmptv2.exe
556	wmptv2.exe
2196	wmptv2.exe
1708	wmptv2.exe
2264	wmptv2.exe
900	wmptv2.exe
1936	wmptv2.exe

Loads dropped DLL 30 IoCs

pid	Process
860	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
860	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
2560	wmptv2.exe
2560	wmptv2.exe
904	wmptv2.exe
904	wmptv2.exe
1944	wmptv2.exe
1944	wmptv2.exe
1760	wmptv2.exe
1760	wmptv2.exe
912	wmptv2.exe
912	wmptv2.exe
1720	wmptv2.exe
1720	wmptv2.exe
2068	wmptv2.exe
2068	wmptv2.exe
1964	wmptv2.exe
1964	wmptv2.exe
2688	wmptv2.exe
2688	wmptv2.exe
2616	wmptv2.exe
2616	wmptv2.exe
1784	wmptv2.exe
1784	wmptv2.exe
1680	wmptv2.exe
1680	wmptv2.exe
2196	wmptv2.exe
2196	wmptv2.exe
2264	wmptv2.exe
2264	wmptv2.exe

Maps connected drives based on registry 3 TTPs 32 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmptv2.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File opened for modification	C:\Windows\SysWOW64\wmptv2.exe	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe
File created	C:\Windows\SysWOW64\wmptv2.exe	wmptv2.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 2328 set thread context of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2760 set thread context of 2560	2760	wmptv2.exe	33
PID 3016 set thread context of 904	3016	wmptv2.exe	35
PID 1676 set thread context of 1944	1676	wmptv2.exe	37
PID 2852 set thread context of 1760	2852	wmptv2.exe	39
PID 2244 set thread context of 912	2244	wmptv2.exe	41
PID 704 set thread context of 1720	704	wmptv2.exe	43
PID 2304 set thread context of 2068	2304	wmptv2.exe	45
PID 1796 set thread context of 1964	1796	wmptv2.exe	47
PID 2188 set thread context of 2688	2188	wmptv2.exe	50
PID 2816 set thread context of 2616	2816	wmptv2.exe	52
PID 2064 set thread context of 1784	2064	wmptv2.exe	54
PID 1360 set thread context of 1680	1360	wmptv2.exe	56
PID 556 set thread context of 2196	556	wmptv2.exe	58
PID 1708 set thread context of 2264	1708	wmptv2.exe	60
PID 900 set thread context of 1936	900	wmptv2.exe	62

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/860-2-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/860-4-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/860-12-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/860-13-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/860-11-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/860-10-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/860-6-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/860-27-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2560-40-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2560-39-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2560-38-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2560-37-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2560-48-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/904-60-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/904-67-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1944-79-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1944-86-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1760-99-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1760-106-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/912-116-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/912-125-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1720-138-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1720-145-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2068-157-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2068-163-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1964-176-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1964-184-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2688-202-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2616-220-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1784-229-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1784-240-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/1680-258-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2196-276-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral1/memory/2264-290-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmptv2.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
860	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
2560	wmptv2.exe
904	wmptv2.exe
1944	wmptv2.exe
1760	wmptv2.exe
912	wmptv2.exe
1720	wmptv2.exe
2068	wmptv2.exe
1964	wmptv2.exe
2688	wmptv2.exe
2616	wmptv2.exe
1784	wmptv2.exe
1680	wmptv2.exe
2196	wmptv2.exe
2264	wmptv2.exe
1936	wmptv2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 2328 wrote to memory of 860	2328	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	31
PID 860 wrote to memory of 2760	860	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	32
PID 860 wrote to memory of 2760	860	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	32
PID 860 wrote to memory of 2760	860	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	32
PID 860 wrote to memory of 2760	860	ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2760 wrote to memory of 2560	2760	wmptv2.exe	33
PID 2560 wrote to memory of 3016	2560	wmptv2.exe	34
PID 2560 wrote to memory of 3016	2560	wmptv2.exe	34
PID 2560 wrote to memory of 3016	2560	wmptv2.exe	34
PID 2560 wrote to memory of 3016	2560	wmptv2.exe	34
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 3016 wrote to memory of 904	3016	wmptv2.exe	35
PID 904 wrote to memory of 1676	904	wmptv2.exe	36
PID 904 wrote to memory of 1676	904	wmptv2.exe	36
PID 904 wrote to memory of 1676	904	wmptv2.exe	36
PID 904 wrote to memory of 1676	904	wmptv2.exe	36
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1676 wrote to memory of 1944	1676	wmptv2.exe	37
PID 1944 wrote to memory of 2852	1944	wmptv2.exe	38
PID 1944 wrote to memory of 2852	1944	wmptv2.exe	38
PID 1944 wrote to memory of 2852	1944	wmptv2.exe	38
PID 1944 wrote to memory of 2852	1944	wmptv2.exe	38
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 2852 wrote to memory of 1760	2852	wmptv2.exe	39
PID 1760 wrote to memory of 2244	1760	wmptv2.exe	40
PID 1760 wrote to memory of 2244	1760	wmptv2.exe	40
PID 1760 wrote to memory of 2244	1760	wmptv2.exe	40
PID 1760 wrote to memory of 2244	1760	wmptv2.exe	40
PID 2244 wrote to memory of 912	2244	wmptv2.exe	41
PID 2244 wrote to memory of 912	2244	wmptv2.exe	41
PID 2244 wrote to memory of 912	2244	wmptv2.exe	41
PID 2244 wrote to memory of 912	2244	wmptv2.exe	41

C:\Users\Admin\AppData\Local\Temp\ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ec18ef42443b23fc4aff8737eee15d8f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\wmptv2.exe
    "C:\Windows\system32\wmptv2.exe" C:\Users\Admin\AppData\Local\Temp\EC18EF~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\wmptv2.exe
      "C:\Windows\system32\wmptv2.exe" C:\Users\Admin\AppData\Local\Temp\EC18EF~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1720
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\wmptv2.exe
        
        "C:\Windows\system32\wmptv2.exe" C:\Windows\SysWOW64\wmptv2.exe
        32⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wmptv2.exe

Filesize
173KB

MD5
ec18ef42443b23fc4aff8737eee15d8f

SHA1
7423ae71bdfa78734db1b21bf11fec178807a530

SHA256
1252ab0cd33bd0b06f3c60a794909d1c50189a6aa42d0a3dcf01a40f80c2b6f5

SHA512
c7efa24d047174a611aa1cf7876d2c5eaca0314d133f4f67125f4671a692cbbf15685f44e8c7d79169175773f3fd80c28d1b92e2d81645d895fec278d1a1817d

Download Submit
memory/860-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-13-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-11-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-10-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/860-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-4-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/860-27-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/904-67-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/904-60-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/912-125-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/912-116-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1676-80-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1680-258-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1720-145-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1720-138-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1760-99-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1760-106-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1784-240-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1784-229-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1944-86-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1944-79-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1964-176-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1964-184-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2068-163-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2068-157-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2196-276-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2264-290-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2328-14-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2560-39-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2560-38-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2560-48-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2560-40-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2560-37-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2616-220-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2688-202-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2760-41-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3016-61-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download