Analysis
max time kernel: 156s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-04-2024 15:16
Behavioral task: behavioral1
Sample: fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Size: 49KB
MD5: fd0e477f26eccd783d2819b1c35e4d40
SHA1: ace074e56e7f8875405cba17cdf48d4c053b37e5
SHA256: af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605
SHA512: 5d804fe7c5b500f58c4bf37e93b4f62766da5fc058d0f0cad02fd6903491ff45c91e1c1fba119c89290fc3a4f16626a78d100c635728ae6e5fdb27ac55d80ae9
SSDEEP: 1536:Rffj6lx9QTW/dfhoBbWnkYswggDwx8ltmHUr9:RffMxv/dfwbj0RDo8l7
Malware Config
Signatures
-
Executes dropped EXE 60 IoCs
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe" | fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe" | fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe" | wuaucldt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe" | wuaucldt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe" | wuaucldt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe" | wuaucldt.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | svchost.exe
Drops file in System32 directory 13 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File created | \??\c:\windows\SysWOW64\wuaucldt.exe | fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File created | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
File opened for modification | \??\c:\windows\SysWOW64\wuaucldt.exe | wuaucldt.exe
Suspicious use of SetThreadContext 64 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
- Writes to the Master Boot Record (MBR)
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\system32\wuaucldt.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\SysWOW64\wuaucldt.exec:\windows\SysWOW64\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\wuaucldt.exec:\users\admin\wuaucldt.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3640 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8 1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\wuaucldt.exe
Filesize
49KB
MD5
fd0e477f26eccd783d2819b1c35e4d40
SHA1
ace074e56e7f8875405cba17cdf48d4c053b37e5
SHA256
af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605
SHA512
5d804fe7c5b500f58c4bf37e93b4f62766da5fc058d0f0cad02fd6903491ff45c91e1c1fba119c89290fc3a4f16626a78d100c635728ae6e5fdb27ac55d80ae9