metasploit | ca0fcea9b0c53ccd48a53f54d28288c1553b837a216be00163a56a348ebd3401

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Size

161KB
MD5

f51be466fe0103c6b29596054bc962ee
SHA1

4a0a3ab920069f05ed889f23dce32cef92bb8b7a
SHA256

ca0fcea9b0c53ccd48a53f54d28288c1553b837a216be00163a56a348ebd3401
SHA512

f2ac31a2ec9fa858b6f43807732c5837997f1a0e0890f4f3dd3ad819c5d2ee5c5c622f9d499ca7ac73a0db4ccf17fef60bac677d94e71a0cd6d91b1416cffa05
SSDEEP

3072:HaQR1ahRGxO7yFDWenXF9fy0Gd7oT6QGlVp1304RnYDAlg/yMYE:HaQREhRGxfFDLFFyBnX3041s/jD

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2640	MsPcClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2764	MsPcClient.exe
2640	MsPcClient.exe
1744	MsPcClient.exe
2172	MsPcClient.exe
2056	MsPcClient.exe
2572	MsPcClient.exe
2952	MsPcClient.exe
1736	MsPcClient.exe
2020	MsPcClient.exe
1652	MsPcClient.exe
1948	MsPcClient.exe
2488	MsPcClient.exe
752	MsPcClient.exe
1132	MsPcClient.exe
292	MsPcClient.exe
1856	MsPcClient.exe
600	MsPcClient.exe
1568	MsPcClient.exe
1036	MsPcClient.exe
284	MsPcClient.exe
1584	MsPcClient.exe
2140	MsPcClient.exe
2768	MsPcClient.exe
2764	MsPcClient.exe
2460	MsPcClient.exe
824	MsPcClient.exe
2064	MsPcClient.exe
2848	MsPcClient.exe
664	MsPcClient.exe
2960	MsPcClient.exe
1096	MsPcClient.exe
2788	MsPcClient.exe
2452	MsPcClient.exe
1804	MsPcClient.exe
1732	MsPcClient.exe
1264	MsPcClient.exe
2376	MsPcClient.exe
2500	MsPcClient.exe
1576	MsPcClient.exe
1344	MsPcClient.exe
1336	MsPcClient.exe
1544	MsPcClient.exe
524	MsPcClient.exe
680	MsPcClient.exe
1836	MsPcClient.exe
1840	MsPcClient.exe
2264	MsPcClient.exe
2348	MsPcClient.exe
2652	MsPcClient.exe
2684	MsPcClient.exe
1144	MsPcClient.exe
1900	MsPcClient.exe
2804	MsPcClient.exe
112	MsPcClient.exe
764	MsPcClient.exe
1312	MsPcClient.exe
1904	MsPcClient.exe
2296	MsPcClient.exe
2108	MsPcClient.exe
2280	MsPcClient.exe
1864	MsPcClient.exe
380	MsPcClient.exe
1876	MsPcClient.exe
1048	MsPcClient.exe

Loads dropped DLL 64 IoCs

pid	Process
2432	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
2432	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
2764	MsPcClient.exe
2640	MsPcClient.exe
2640	MsPcClient.exe
2172	MsPcClient.exe
2172	MsPcClient.exe
2572	MsPcClient.exe
2572	MsPcClient.exe
1736	MsPcClient.exe
1736	MsPcClient.exe
1652	MsPcClient.exe
1652	MsPcClient.exe
2488	MsPcClient.exe
2488	MsPcClient.exe
1132	MsPcClient.exe
1132	MsPcClient.exe
1856	MsPcClient.exe
1856	MsPcClient.exe
1568	MsPcClient.exe
1568	MsPcClient.exe
284	MsPcClient.exe
284	MsPcClient.exe
2140	MsPcClient.exe
2140	MsPcClient.exe
2764	MsPcClient.exe
2764	MsPcClient.exe
824	MsPcClient.exe
824	MsPcClient.exe
2848	MsPcClient.exe
2848	MsPcClient.exe
2960	MsPcClient.exe
2960	MsPcClient.exe
2788	MsPcClient.exe
2788	MsPcClient.exe
1804	MsPcClient.exe
1804	MsPcClient.exe
1264	MsPcClient.exe
1264	MsPcClient.exe
2500	MsPcClient.exe
2500	MsPcClient.exe
1344	MsPcClient.exe
1344	MsPcClient.exe
1544	MsPcClient.exe
1544	MsPcClient.exe
680	MsPcClient.exe
680	MsPcClient.exe
1840	MsPcClient.exe
1840	MsPcClient.exe
2348	MsPcClient.exe
2348	MsPcClient.exe
2684	MsPcClient.exe
2684	MsPcClient.exe
1900	MsPcClient.exe
1900	MsPcClient.exe
112	MsPcClient.exe
112	MsPcClient.exe
1312	MsPcClient.exe
1312	MsPcClient.exe
2296	MsPcClient.exe
2296	MsPcClient.exe
2280	MsPcClient.exe
2280	MsPcClient.exe
380	MsPcClient.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MsPcClient.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File opened for modification	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe
File created	C:\Windows\SysWOW64\MsPcClient.exe	MsPcClient.exe

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2764 set thread context of 2640	2764	MsPcClient.exe	32
PID 1744 set thread context of 2172	1744	MsPcClient.exe	34
PID 2056 set thread context of 2572	2056	MsPcClient.exe	36
PID 2952 set thread context of 1736	2952	MsPcClient.exe	38
PID 2020 set thread context of 1652	2020	MsPcClient.exe	40
PID 1948 set thread context of 2488	1948	MsPcClient.exe	43
PID 752 set thread context of 1132	752	MsPcClient.exe	45
PID 292 set thread context of 1856	292	MsPcClient.exe	47
PID 600 set thread context of 1568	600	MsPcClient.exe	49
PID 1036 set thread context of 284	1036	MsPcClient.exe	51
PID 1584 set thread context of 2140	1584	MsPcClient.exe	53
PID 2768 set thread context of 2764	2768	MsPcClient.exe	55
PID 2460 set thread context of 824	2460	MsPcClient.exe	57
PID 2064 set thread context of 2848	2064	MsPcClient.exe	59
PID 664 set thread context of 2960	664	MsPcClient.exe	61
PID 1096 set thread context of 2788	1096	MsPcClient.exe	63
PID 2452 set thread context of 1804	2452	MsPcClient.exe	65
PID 1732 set thread context of 1264	1732	MsPcClient.exe	67
PID 2376 set thread context of 2500	2376	MsPcClient.exe	69
PID 1576 set thread context of 1344	1576	MsPcClient.exe	71
PID 1336 set thread context of 1544	1336	MsPcClient.exe	73
PID 524 set thread context of 680	524	MsPcClient.exe	75
PID 1836 set thread context of 1840	1836	MsPcClient.exe	77
PID 2264 set thread context of 2348	2264	MsPcClient.exe	79
PID 2652 set thread context of 2684	2652	MsPcClient.exe	81
PID 1144 set thread context of 1900	1144	MsPcClient.exe	83
PID 2804 set thread context of 112	2804	MsPcClient.exe	85
PID 764 set thread context of 1312	764	MsPcClient.exe	87
PID 1904 set thread context of 2296	1904	MsPcClient.exe	89
PID 2108 set thread context of 2280	2108	MsPcClient.exe	91
PID 1864 set thread context of 380	1864	MsPcClient.exe	93
PID 1876 set thread context of 1048	1876	MsPcClient.exe	95
PID 1764 set thread context of 2588	1764	MsPcClient.exe	97
PID 600 set thread context of 2688	600	MsPcClient.exe	99
PID 2176 set thread context of 876	2176	MsPcClient.exe	101
PID 2700 set thread context of 864	2700	MsPcClient.exe	103
PID 2468 set thread context of 2876	2468	MsPcClient.exe	105
PID 2184 set thread context of 2652	2184	MsPcClient.exe	107

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2432-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2432-6-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2432-9-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2432-8-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2432-7-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2432-4-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2432-3-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2432-22-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2640-34-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2640-35-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2640-32-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2640-33-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2640-41-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2172-50-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2172-51-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2172-52-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2172-58-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2572-68-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2572-75-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1736-86-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1736-92-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1652-103-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1652-109-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2488-126-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1132-135-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1132-142-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1856-160-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1568-176-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/284-192-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2140-209-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2764-225-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/824-241-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2848-249-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2848-254-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2960-266-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2788-278-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1804-290-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1264-302-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2500-314-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1344-326-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1544-334-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1544-339-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/680-351-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1840-363-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2348-375-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2684-387-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1900-396-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1900-400-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/112-412-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1312-424-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2296-436-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2280-448-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/380-460-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1048-472-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2588-484-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2688-496-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/876-505-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/876-509-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/864-521-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2876-533-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2652-545-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsPcClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2432	2980	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2764	2432	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2764	2432	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2764	2432	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2764	2432	f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe	31
PID 2764 wrote to memory of 2640	2764	MsPcClient.exe	32
PID 2764 wrote to memory of 2640	2764	MsPcClient.exe	32
PID 2764 wrote to memory of 2640	2764	MsPcClient.exe	32
PID 2764 wrote to memory of 2640	2764	MsPcClient.exe	32
PID 2764 wrote to memory of 2640	2764	MsPcClient.exe	32
PID 2764 wrote to memory of 2640	2764	MsPcClient.exe	32
PID 2764 wrote to memory of 2640	2764	MsPcClient.exe	32
PID 2640 wrote to memory of 1744	2640	MsPcClient.exe	33
PID 2640 wrote to memory of 1744	2640	MsPcClient.exe	33
PID 2640 wrote to memory of 1744	2640	MsPcClient.exe	33
PID 2640 wrote to memory of 1744	2640	MsPcClient.exe	33
PID 1744 wrote to memory of 2172	1744	MsPcClient.exe	34
PID 1744 wrote to memory of 2172	1744	MsPcClient.exe	34
PID 1744 wrote to memory of 2172	1744	MsPcClient.exe	34
PID 1744 wrote to memory of 2172	1744	MsPcClient.exe	34
PID 1744 wrote to memory of 2172	1744	MsPcClient.exe	34
PID 1744 wrote to memory of 2172	1744	MsPcClient.exe	34
PID 1744 wrote to memory of 2172	1744	MsPcClient.exe	34
PID 2172 wrote to memory of 2056	2172	MsPcClient.exe	35
PID 2172 wrote to memory of 2056	2172	MsPcClient.exe	35
PID 2172 wrote to memory of 2056	2172	MsPcClient.exe	35
PID 2172 wrote to memory of 2056	2172	MsPcClient.exe	35
PID 2056 wrote to memory of 2572	2056	MsPcClient.exe	36
PID 2056 wrote to memory of 2572	2056	MsPcClient.exe	36
PID 2056 wrote to memory of 2572	2056	MsPcClient.exe	36
PID 2056 wrote to memory of 2572	2056	MsPcClient.exe	36
PID 2056 wrote to memory of 2572	2056	MsPcClient.exe	36
PID 2056 wrote to memory of 2572	2056	MsPcClient.exe	36
PID 2056 wrote to memory of 2572	2056	MsPcClient.exe	36
PID 2572 wrote to memory of 2952	2572	MsPcClient.exe	37
PID 2572 wrote to memory of 2952	2572	MsPcClient.exe	37
PID 2572 wrote to memory of 2952	2572	MsPcClient.exe	37
PID 2572 wrote to memory of 2952	2572	MsPcClient.exe	37
PID 2952 wrote to memory of 1736	2952	MsPcClient.exe	38
PID 2952 wrote to memory of 1736	2952	MsPcClient.exe	38
PID 2952 wrote to memory of 1736	2952	MsPcClient.exe	38
PID 2952 wrote to memory of 1736	2952	MsPcClient.exe	38
PID 2952 wrote to memory of 1736	2952	MsPcClient.exe	38
PID 2952 wrote to memory of 1736	2952	MsPcClient.exe	38
PID 2952 wrote to memory of 1736	2952	MsPcClient.exe	38
PID 1736 wrote to memory of 2020	1736	MsPcClient.exe	39
PID 1736 wrote to memory of 2020	1736	MsPcClient.exe	39
PID 1736 wrote to memory of 2020	1736	MsPcClient.exe	39
PID 1736 wrote to memory of 2020	1736	MsPcClient.exe	39
PID 2020 wrote to memory of 1652	2020	MsPcClient.exe	40
PID 2020 wrote to memory of 1652	2020	MsPcClient.exe	40
PID 2020 wrote to memory of 1652	2020	MsPcClient.exe	40
PID 2020 wrote to memory of 1652	2020	MsPcClient.exe	40
PID 2020 wrote to memory of 1652	2020	MsPcClient.exe	40
PID 2020 wrote to memory of 1652	2020	MsPcClient.exe	40
PID 2020 wrote to memory of 1652	2020	MsPcClient.exe	40
PID 1652 wrote to memory of 1948	1652	MsPcClient.exe	42
PID 1652 wrote to memory of 1948	1652	MsPcClient.exe	42

C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f51be466fe0103c6b29596054bc962ee_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\MsPcClient.exe
    "C:\Windows\system32\MsPcClient.exe" C:\Users\Admin\AppData\Local\Temp\F51BE4~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\MsPcClient.exe
      "C:\Windows\SysWOW64\MsPcClient.exe" C:\Users\Admin\AppData\Local\Temp\F51BE4~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1948
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2064
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:664
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2376
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1576
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2264
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1904
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        66⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        68⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        70⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        72⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        74⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        76⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\SysWOW64\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        78⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\MsPcClient.exe
        
        "C:\Windows\system32\MsPcClient.exe" C:\Windows\SysWOW64\MSPCCL~1.EXE
        79⤵
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\MsPcClient.exe

Filesize
161KB

MD5
f51be466fe0103c6b29596054bc962ee

SHA1
4a0a3ab920069f05ed889f23dce32cef92bb8b7a

SHA256
ca0fcea9b0c53ccd48a53f54d28288c1553b837a216be00163a56a348ebd3401

SHA512
f2ac31a2ec9fa858b6f43807732c5837997f1a0e0890f4f3dd3ad819c5d2ee5c5c622f9d499ca7ac73a0db4ccf17fef60bac677d94e71a0cd6d91b1416cffa05

Download Submit
memory/112-412-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/284-192-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/380-460-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/680-351-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/824-241-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/864-521-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/876-505-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/876-509-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1048-472-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1132-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1132-135-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1264-302-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1312-424-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1344-326-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1544-334-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1544-339-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1568-176-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1652-103-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1652-109-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1736-86-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1736-92-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1804-290-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1840-363-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-160-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1900-396-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1900-400-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2140-209-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2172-51-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2172-52-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2172-58-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2172-50-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2280-448-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2296-436-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2348-375-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-6-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-8-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-3-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-22-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2432-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-126-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2500-314-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2572-68-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2572-75-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2588-484-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2640-35-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2640-34-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2640-32-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2640-33-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2640-41-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2652-545-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2684-387-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-496-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2764-225-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2788-278-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2848-249-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2848-254-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2876-533-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2960-266-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download