Malware Analysis Report

2024-07-11 07:36

Sample ID 240618-tymeas1dpb
Target bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118
SHA256 6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b
Tags
latentbot plugx trojan
score
10/10


Analysis Overview

score
10/10

SHA256

6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b

Threat Level: Known bad

The file bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

latentbot plugx trojan

Detects PlugX payload

PlugX

LatentBot

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 16:28

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 16:28

Reported

2024-06-18 16:30

Platform

win7-20240508-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"

Signatures

Detects PlugX payload


LatentBot

trojan latentbot

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\ca-a5-a2-dd-a4-f4 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0022000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB} C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionTime = f04e92809cc1da01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionTime = f04e92809cc1da01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003700460037003200420042004200350034004500350045004400310045000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2448 wrote to memory of 2552 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2552 wrote to memory of 2344 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 100 2920

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2552

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 jinyuan2012.zapto.org udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

MD5 09b8b54f78a10c435cd319070aa13c28
SHA1 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512 c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

MD5 d659d95d46f71f172cd4f2aca9532949
SHA1 13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d
SHA256 9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837
SHA512 ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5


C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL

MD5 c889dc4f6294e882c8ce08f1f9a0aa12
SHA1 2522d785f2f78d0bb2841723695e1ab55afa1313
SHA256 d6ad656de945a3e4a8179bae85173bcdf986c85d8328d5e788a8a695faf1576b
SHA512 44d16808678fcbd5936e1a22f715865c948026fdf283b121f3ae17e8f40809f4d75e055b84daf60808a5a9f59f585402b4ce73d9dac0d86524baf207226c6662


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 16:28

Reported

2024-06-18 16:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"

Signatures

Detects PlugX payload


LatentBot

trojan latentbot

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003400340042004500330034003500320030003900390034004300310042000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2308 wrote to memory of 2844 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2844 wrote to memory of 4024 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 100 1368

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2844

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 jinyuan2012.zapto.org udp
N/A 127.0.0.1:12345 tcp
N/A 127.0.0.1:12345 udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

MD5 09b8b54f78a10c435cd319070aa13c28
SHA1 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512 c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

MD5 d659d95d46f71f172cd4f2aca9532949
SHA1 13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d
SHA256 9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837
SHA512 ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL

MD5 c889dc4f6294e882c8ce08f1f9a0aa12
SHA1 2522d785f2f78d0bb2841723695e1ab55afa1313
SHA256 d6ad656de945a3e4a8179bae85173bcdf986c85d8328d5e788a8a695faf1576b
SHA512 44d16808678fcbd5936e1a22f715865c948026fdf283b121f3ae17e8f40809f4d75e055b84daf60808a5a9f59f585402b4ce73d9dac0d86524baf207226c6662
