modiloader | cefe00dd1f648de9ed1c88919d02744aa26b59da22d30a56b83759b41845464e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Size

498KB
MD5

ee80cde5b59767db05fd851fd34cb1c3
SHA1

f98b2562736d841a783fefaa64b70e6e1d20fdb8
SHA256

cefe00dd1f648de9ed1c88919d02744aa26b59da22d30a56b83759b41845464e
SHA512

cd8550bfd5f1c64802091bb470461b8ccf307791ff84d0d388858b76ade346f8d8d01d711d0df457906f3f1a69965b5caa7d5ca7207e65c43cd9605b0ac26142
SSDEEP

12288:kHLUMuiv9RgfSjAzRtyaNn2OpFphSxGI/Sdz:+tAR4WFYvI

Score

10^/10

modiloader discovery evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	procexp.exe

ModiLoader Second Stage 16 IoCs

resource	yara_rule
behavioral2/memory/2772-53-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-71-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-74-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-75-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-78-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-81-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-84-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-87-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-90-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-93-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-96-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-99-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-102-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-105-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-108-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2
behavioral2/memory/2884-111-0x0000000000400000-0x0000000000450000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sawsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sawsn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	procexp.exe

Executes dropped EXE 5 IoCs

pid	Process
3488	server.exe
3316	sawsn.exe
2772	sawsn.exe
1332	procexp.exe
2884	procexp.exe

Loads dropped DLL 6 IoCs

pid	Process
2884	procexp.exe
2884	procexp.exe
2884	procexp.exe
2884	procexp.exe
3488	server.exe
3488	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\procexp = "C:\\Windows\\procexp.exe"	procexp.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sawsn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	procexp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	procexp.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3156-32-0x0000000000400000-0x00000000004C7000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3316 set thread context of 2772	3316	sawsn.exe	84
PID 1332 set thread context of 2884	1332	procexp.exe	88

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3156-0-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/3156-9-0x0000000003660000-0x000000000468A000-memory.dmp	upx
behavioral2/memory/3156-12-0x0000000003660000-0x000000000468A000-memory.dmp	upx
behavioral2/memory/3156-1-0x0000000003660000-0x000000000468A000-memory.dmp	upx
behavioral2/memory/3156-3-0x0000000003660000-0x000000000468A000-memory.dmp	upx
behavioral2/memory/3156-32-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/2772-42-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2772-53-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-71-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-74-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-75-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-78-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-81-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-84-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-87-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-90-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-93-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-96-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-99-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-102-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-105-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-108-0x0000000000400000-0x0000000000450000-memory.dmp	upx
behavioral2/memory/2884-111-0x0000000000400000-0x0000000000450000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
File created	C:\Windows\procexp.exe	sawsn.exe
File opened for modification	C:\Windows\procexp.exe	sawsn.exe
File created	C:\Windows\ntdtcstp.dll	procexp.exe
File created	C:\Windows\cmsetac.dll	procexp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	procexp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	procexp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sawsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sawsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 33 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1608	cmd.exe
2372	PING.EXE
636	PING.EXE
1460	PING.EXE
3512	PING.EXE
744	PING.EXE
3768	PING.EXE
2880	PING.EXE
3564	PING.EXE
4036	PING.EXE
4388	PING.EXE
4764	PING.EXE
4860	PING.EXE
4004	cmd.exe
2052	PING.EXE
3932	PING.EXE
2888	PING.EXE
3724	PING.EXE
2284	PING.EXE
1684	PING.EXE
3124	PING.EXE
3536	PING.EXE
4668	PING.EXE
4768	PING.EXE
3136	cmd.exe
3356	PING.EXE
4236	PING.EXE
3968	PING.EXE
3080	PING.EXE
3588	PING.EXE
3224	PING.EXE
4100	PING.EXE
4080	PING.EXE

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
4388	PING.EXE
4764	PING.EXE
4236	PING.EXE
744	PING.EXE
3768	PING.EXE
4668	PING.EXE
4768	PING.EXE
3724	PING.EXE
2284	PING.EXE
2880	PING.EXE
2372	PING.EXE
4080	PING.EXE
3356	PING.EXE
3080	PING.EXE
3512	PING.EXE
2888	PING.EXE
3124	PING.EXE
4100	PING.EXE
3588	PING.EXE
3224	PING.EXE
3564	PING.EXE
3932	PING.EXE
3536	PING.EXE
636	PING.EXE
4036	PING.EXE
2052	PING.EXE
1460	PING.EXE
3968	PING.EXE
1684	PING.EXE
4860	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Token: SeDebugPrivilege	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2884	procexp.exe
2884	procexp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 776	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	8
PID 3156 wrote to memory of 784	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	9
PID 3156 wrote to memory of 316	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	13
PID 3156 wrote to memory of 2988	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	50
PID 3156 wrote to memory of 3036	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	51
PID 3156 wrote to memory of 1068	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	52
PID 3156 wrote to memory of 3492	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	56
PID 3156 wrote to memory of 3616	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	57
PID 3156 wrote to memory of 3816	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	58
PID 3156 wrote to memory of 3912	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	59
PID 3156 wrote to memory of 3976	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	60
PID 3156 wrote to memory of 4056	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	61
PID 3156 wrote to memory of 4156	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	62
PID 3156 wrote to memory of 1568	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	75
PID 3156 wrote to memory of 5044	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	76
PID 3156 wrote to memory of 3488	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	82
PID 3156 wrote to memory of 3488	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	82
PID 3156 wrote to memory of 3488	3156	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe	82
PID 3488 wrote to memory of 3316	3488	server.exe	83
PID 3488 wrote to memory of 3316	3488	server.exe	83
PID 3488 wrote to memory of 3316	3488	server.exe	83
PID 3316 wrote to memory of 2772	3316	sawsn.exe	84
PID 3316 wrote to memory of 2772	3316	sawsn.exe	84
PID 3316 wrote to memory of 2772	3316	sawsn.exe	84
PID 3316 wrote to memory of 2772	3316	sawsn.exe	84
PID 3316 wrote to memory of 2772	3316	sawsn.exe	84
PID 3316 wrote to memory of 3136	3316	sawsn.exe	85
PID 3316 wrote to memory of 3136	3316	sawsn.exe	85
PID 3316 wrote to memory of 3136	3316	sawsn.exe	85
PID 2772 wrote to memory of 1332	2772	sawsn.exe	87
PID 2772 wrote to memory of 1332	2772	sawsn.exe	87
PID 2772 wrote to memory of 1332	2772	sawsn.exe	87
PID 1332 wrote to memory of 2884	1332	procexp.exe	88
PID 1332 wrote to memory of 2884	1332	procexp.exe	88
PID 1332 wrote to memory of 2884	1332	procexp.exe	88
PID 1332 wrote to memory of 2884	1332	procexp.exe	88
PID 1332 wrote to memory of 2884	1332	procexp.exe	88
PID 1332 wrote to memory of 4004	1332	procexp.exe	89
PID 1332 wrote to memory of 4004	1332	procexp.exe	89
PID 1332 wrote to memory of 4004	1332	procexp.exe	89
PID 4004 wrote to memory of 3356	4004	cmd.exe	91
PID 4004 wrote to memory of 3356	4004	cmd.exe	91
PID 4004 wrote to memory of 3356	4004	cmd.exe	91
PID 3488 wrote to memory of 1608	3488	server.exe	92
PID 3488 wrote to memory of 1608	3488	server.exe	92
PID 3488 wrote to memory of 1608	3488	server.exe	92
PID 4004 wrote to memory of 2052	4004	cmd.exe	94
PID 4004 wrote to memory of 2052	4004	cmd.exe	94
PID 4004 wrote to memory of 2052	4004	cmd.exe	94
PID 4004 wrote to memory of 4236	4004	cmd.exe	95
PID 4004 wrote to memory of 4236	4004	cmd.exe	95
PID 4004 wrote to memory of 4236	4004	cmd.exe	95
PID 4004 wrote to memory of 1460	4004	cmd.exe	96
PID 4004 wrote to memory of 1460	4004	cmd.exe	96
PID 4004 wrote to memory of 1460	4004	cmd.exe	96
PID 4004 wrote to memory of 2284	4004	cmd.exe	99
PID 4004 wrote to memory of 2284	4004	cmd.exe	99
PID 4004 wrote to memory of 2284	4004	cmd.exe	99
PID 4004 wrote to memory of 3968	4004	cmd.exe	102
PID 4004 wrote to memory of 3968	4004	cmd.exe	102
PID 4004 wrote to memory of 3968	4004	cmd.exe	102
PID 4004 wrote to memory of 3080	4004	cmd.exe	103
PID 4004 wrote to memory of 3080	4004	cmd.exe	103
PID 4004 wrote to memory of 3080	4004	cmd.exe	103

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	procexp.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3036

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:1068

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ee80cde5b59767db05fd851fd34cb1c3_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp/server.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\sawsn.exe
      "C:\Users\Admin\AppData\Local\Temp\sawsn.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Users\Admin\AppData\Local\Temp\sawsn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sawsn.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\procexp.exe
        
        "C:\Windows\procexp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\procexp.exe
        
        "C:\Windows\procexp.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "for /L %a in (1,1,30) do del "C:\Windows\procexp.exe" && if exist "C:\Windows\procexp.exe" ping -n 2 0.0.0.0"
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3356
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3588
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3512
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3224
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3124
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4036
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2372
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3724
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 0.0.0.0
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "for /L %a in (1,1,30) do del "C:\Users\Admin\AppData\Local\Temp\sawsn.exe" && if exist "C:\Users\Admin\AppData\Local\Temp\sawsn.exe" ping -n 2 0.0.0.0"
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "for /L %a in (1,1,30) do del "C:\Users\Admin\AppData\Local\Temp\server.exe" && if exist "C:\Users\Admin\AppData\Local\Temp\server.exe" ping -n 2 0.0.0.0"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3912

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4156

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1568

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sawsn.exe

Filesize
142KB

MD5
e32e61de6d9eb9ca872551dbbfe1b29d

SHA1
41b0d626b8bbbf8f397bf69aff63b412665152bf

SHA256
4d35a09692fcfdb5c62a463d8b91c2fb331b0515383a471a1888c5aee93c49dc

SHA512
7810af1d7c77e6697d95f10d6684437471880fce0a4cf2be3c24f91b917421964bb0b118b0aef3e19c8494a5670ade59fb2a5ea9b6715be5ff8f88dcb240b7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
177KB

MD5
5d7e02cf9ba6b601e2a9fde603999fbc

SHA1
9d708551412ceffa7dbd5f61ce6550c4cf659be3

SHA256
51df0099baae5473f2a9f240bbe256a2f8ffa1a699676e4fe516eeeb5b516322

SHA512
8235b403ea05b907d11e3581ba0bc22d4363afee3c340a1ac7922ff3d8da585e7d6dde07601dac34d405fb6157fccd4f733262166dc29e3e32787dcbbbd89e26

Download Submit
C:\Windows\cmsetac.dll

Filesize
33KB

MD5
15333b164c15d24fa3957e2f2da3e085

SHA1
fb19be6413343a78a304e78c038c587799a8d79b

SHA256
6cc2b816f9923c4106c39d12494018fb8078f7c789bab4974d6eae92cab4a486

SHA512
1ce2d82de9cd48fefc65b0126b1503ab738a53f9b35748f10bbbb9d96da321f35964106fbb1c579b160d4f571ce5281e6af9331927ca01c39256a2b5af932f2d

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/2772-53-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2772-42-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-87-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-90-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-111-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-108-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-105-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-102-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-99-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-96-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-93-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-84-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-64-0x0000000002A80000-0x0000000002A8E000-memory.dmp

Filesize
56KB

Download
memory/2884-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-78-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-71-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-73-0x0000000002A80000-0x0000000002A8E000-memory.dmp

Filesize
56KB

Download
memory/2884-72-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2884-75-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3156-7-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/3156-0-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3156-3-0x0000000003660000-0x000000000468A000-memory.dmp

Filesize
16.2MB

Download
memory/3156-9-0x0000000003660000-0x000000000468A000-memory.dmp

Filesize
16.2MB

Download
memory/3156-11-0x0000000001980000-0x0000000001982000-memory.dmp

Filesize
8KB

Download
memory/3156-13-0x0000000001980000-0x0000000001982000-memory.dmp

Filesize
8KB

Download
memory/3156-12-0x0000000003660000-0x000000000468A000-memory.dmp

Filesize
16.2MB

Download
memory/3156-32-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3156-1-0x0000000003660000-0x000000000468A000-memory.dmp

Filesize
16.2MB

Download
memory/3156-6-0x0000000001980000-0x0000000001982000-memory.dmp

Filesize
8KB

Download
memory/3488-70-0x00000000036B0000-0x00000000036BE000-memory.dmp

Filesize
56KB

Download
memory/3488-69-0x00000000036B0000-0x00000000036BE000-memory.dmp

Filesize
56KB

Download