latentbot | ee268b91629f196135bc24c194a32afceddaf6b7db0b9d27bdd68818ad887016

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
Size

868KB
MD5

a8871e8d7fe2e9c0476b1b9c191ab16d
SHA1

73f3bd2dde3a7c006276c8f3732cadf8ab0a01f2
SHA256

ee268b91629f196135bc24c194a32afceddaf6b7db0b9d27bdd68818ad887016
SHA512

d22d1e23bce03d604c4160f9a4eca30687fbc06d158b1d6111708977ae3c0b1fb0cd0ff4e4966d13fd88e7fcc54bbcd9e6964fb06ae39e1235016692273d30aa
SSDEEP

12288:qo2VOCmcf8ySc8+i0jJdbBmvS2mIAwOh+2b9M204PnY8MQz5tCcAPzc5yuLofrgq:5a/pB2bmIkA2b9Z04PBMQb7i45ypzga

Score

10^/10

latentbot bootkit discovery evasion persistence trojan upx

Malware Config

Extracted

Family

latentbot

1juliagaetz.zapto.org

2juliagaetz.zapto.org

3juliagaetz.zapto.org

4juliagaetz.zapto.org

5juliagaetz.zapto.org

6juliagaetz.zapto.org

7juliagaetz.zapto.org

8juliagaetz.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 16 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RT3A2QOp8.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

YPD1T0MXKQ.exeRT3A2QOp8.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	RT3A2QOp8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

YPD1T0MXKQ.exeRT3A2QOp8.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Active Setup\Installed Components\{7E97FCF9-DFFF-A410-94DC-FC6FD4ADEC2D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}	RT3A2QOp8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}	RT3A2QOp8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Active Setup\Installed Components\{DBBAEB0F-AF95-F4EE-2EDA-7CF5FAFADFFB}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe

Executes dropped EXE 4 IoCs

Processes:

YPD1T0MXKQ.exeRT3A2QOp8.exeRT3A2QOp8.exeRT3A2QOp8.exe

pid	Process
2664	YPD1T0MXKQ.exe
1668	RT3A2QOp8.exe
2476	RT3A2QOp8.exe
1684	RT3A2QOp8.exe

Loads dropped DLL 6 IoCs

Processes:

a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exeRT3A2QOp8.exeRT3A2QOp8.exe

pid	Process
2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
1668	RT3A2QOp8.exe
2476	RT3A2QOp8.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0005000000010300-27.dat	upx
behavioral1/memory/2664-28-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2344-23-0x00000000030B0000-0x0000000003123000-memory.dmp	upx
behavioral1/memory/1684-82-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-77-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-74-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-72-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-84-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-91-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-95-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-96-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-97-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-98-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-100-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-102-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-103-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-104-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-105-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-106-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-107-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-109-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-110-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-111-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/1684-112-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-113-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2664-117-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

YPD1T0MXKQ.exeRT3A2QOp8.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\YPD1T0MXKQ.exe"	YPD1T0MXKQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\MKH3VSB8QJ.exe"	RT3A2QOp8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exeRT3A2QOp8.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	RT3A2QOp8.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exeRT3A2QOp8.exeRT3A2QOp8.exe

description	pid	Process	procid_target
PID 1304 set thread context of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1668 set thread context of 2476	1668	RT3A2QOp8.exe	33
PID 2476 set thread context of 1684	2476	RT3A2QOp8.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RT3A2QOp8.execmd.exereg.exereg.exereg.exea8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exeRT3A2QOp8.exereg.exereg.exea8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.execmd.execmd.exeYPD1T0MXKQ.execmd.execmd.exereg.execmd.exereg.execmd.exereg.exeRT3A2QOp8.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RT3A2QOp8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RT3A2QOp8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YPD1T0MXKQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RT3A2QOp8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	Process
352	reg.exe
356	reg.exe
2004	reg.exe
756	reg.exe
1288	reg.exe
772	reg.exe
1472	reg.exe
2920	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

YPD1T0MXKQ.exeRT3A2QOp8.exe

description	pid	Process
Token: 1	2664	YPD1T0MXKQ.exe
Token: SeCreateTokenPrivilege	2664	YPD1T0MXKQ.exe
Token: SeAssignPrimaryTokenPrivilege	2664	YPD1T0MXKQ.exe
Token: SeLockMemoryPrivilege	2664	YPD1T0MXKQ.exe
Token: SeIncreaseQuotaPrivilege	2664	YPD1T0MXKQ.exe
Token: SeMachineAccountPrivilege	2664	YPD1T0MXKQ.exe
Token: SeTcbPrivilege	2664	YPD1T0MXKQ.exe
Token: SeSecurityPrivilege	2664	YPD1T0MXKQ.exe
Token: SeTakeOwnershipPrivilege	2664	YPD1T0MXKQ.exe
Token: SeLoadDriverPrivilege	2664	YPD1T0MXKQ.exe
Token: SeSystemProfilePrivilege	2664	YPD1T0MXKQ.exe
Token: SeSystemtimePrivilege	2664	YPD1T0MXKQ.exe
Token: SeProfSingleProcessPrivilege	2664	YPD1T0MXKQ.exe
Token: SeIncBasePriorityPrivilege	2664	YPD1T0MXKQ.exe
Token: SeCreatePagefilePrivilege	2664	YPD1T0MXKQ.exe
Token: SeCreatePermanentPrivilege	2664	YPD1T0MXKQ.exe
Token: SeBackupPrivilege	2664	YPD1T0MXKQ.exe
Token: SeRestorePrivilege	2664	YPD1T0MXKQ.exe
Token: SeShutdownPrivilege	2664	YPD1T0MXKQ.exe
Token: SeDebugPrivilege	2664	YPD1T0MXKQ.exe
Token: SeAuditPrivilege	2664	YPD1T0MXKQ.exe
Token: SeSystemEnvironmentPrivilege	2664	YPD1T0MXKQ.exe
Token: SeChangeNotifyPrivilege	2664	YPD1T0MXKQ.exe
Token: SeRemoteShutdownPrivilege	2664	YPD1T0MXKQ.exe
Token: SeUndockPrivilege	2664	YPD1T0MXKQ.exe
Token: SeSyncAgentPrivilege	2664	YPD1T0MXKQ.exe
Token: SeEnableDelegationPrivilege	2664	YPD1T0MXKQ.exe
Token: SeManageVolumePrivilege	2664	YPD1T0MXKQ.exe
Token: SeImpersonatePrivilege	2664	YPD1T0MXKQ.exe
Token: SeCreateGlobalPrivilege	2664	YPD1T0MXKQ.exe
Token: 31	2664	YPD1T0MXKQ.exe
Token: 32	2664	YPD1T0MXKQ.exe
Token: 33	2664	YPD1T0MXKQ.exe
Token: 34	2664	YPD1T0MXKQ.exe
Token: 35	2664	YPD1T0MXKQ.exe
Token: 1	1684	RT3A2QOp8.exe
Token: SeCreateTokenPrivilege	1684	RT3A2QOp8.exe
Token: SeAssignPrimaryTokenPrivilege	1684	RT3A2QOp8.exe
Token: SeLockMemoryPrivilege	1684	RT3A2QOp8.exe
Token: SeIncreaseQuotaPrivilege	1684	RT3A2QOp8.exe
Token: SeMachineAccountPrivilege	1684	RT3A2QOp8.exe
Token: SeTcbPrivilege	1684	RT3A2QOp8.exe
Token: SeSecurityPrivilege	1684	RT3A2QOp8.exe
Token: SeTakeOwnershipPrivilege	1684	RT3A2QOp8.exe
Token: SeLoadDriverPrivilege	1684	RT3A2QOp8.exe
Token: SeSystemProfilePrivilege	1684	RT3A2QOp8.exe
Token: SeSystemtimePrivilege	1684	RT3A2QOp8.exe
Token: SeProfSingleProcessPrivilege	1684	RT3A2QOp8.exe
Token: SeIncBasePriorityPrivilege	1684	RT3A2QOp8.exe
Token: SeCreatePagefilePrivilege	1684	RT3A2QOp8.exe
Token: SeCreatePermanentPrivilege	1684	RT3A2QOp8.exe
Token: SeBackupPrivilege	1684	RT3A2QOp8.exe
Token: SeRestorePrivilege	1684	RT3A2QOp8.exe
Token: SeShutdownPrivilege	1684	RT3A2QOp8.exe
Token: SeDebugPrivilege	1684	RT3A2QOp8.exe
Token: SeAuditPrivilege	1684	RT3A2QOp8.exe
Token: SeSystemEnvironmentPrivilege	1684	RT3A2QOp8.exe
Token: SeChangeNotifyPrivilege	1684	RT3A2QOp8.exe
Token: SeRemoteShutdownPrivilege	1684	RT3A2QOp8.exe
Token: SeUndockPrivilege	1684	RT3A2QOp8.exe
Token: SeSyncAgentPrivilege	1684	RT3A2QOp8.exe
Token: SeEnableDelegationPrivilege	1684	RT3A2QOp8.exe
Token: SeManageVolumePrivilege	1684	RT3A2QOp8.exe
Token: SeImpersonatePrivilege	1684	RT3A2QOp8.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exea8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exeYPD1T0MXKQ.exeRT3A2QOp8.exeRT3A2QOp8.exeRT3A2QOp8.exe

pid	Process
1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
2664	YPD1T0MXKQ.exe
2664	YPD1T0MXKQ.exe
1668	RT3A2QOp8.exe
2476	RT3A2QOp8.exe
1684	RT3A2QOp8.exe
1684	RT3A2QOp8.exe
1684	RT3A2QOp8.exe
2664	YPD1T0MXKQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exea8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exeRT3A2QOp8.exeRT3A2QOp8.exeRT3A2QOp8.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2344	1304	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	30
PID 2344 wrote to memory of 2664	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2664	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2664	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	31
PID 2344 wrote to memory of 2664	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	31
PID 2344 wrote to memory of 1668	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	32
PID 2344 wrote to memory of 1668	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	32
PID 2344 wrote to memory of 1668	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	32
PID 2344 wrote to memory of 1668	2344	a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe	32
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 1668 wrote to memory of 2476	1668	RT3A2QOp8.exe	33
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 2476 wrote to memory of 1684	2476	RT3A2QOp8.exe	34
PID 1684 wrote to memory of 2852	1684	RT3A2QOp8.exe	35
PID 1684 wrote to memory of 2852	1684	RT3A2QOp8.exe	35
PID 1684 wrote to memory of 2852	1684	RT3A2QOp8.exe	35
PID 1684 wrote to memory of 2852	1684	RT3A2QOp8.exe	35
PID 1684 wrote to memory of 2812	1684	RT3A2QOp8.exe	36
PID 1684 wrote to memory of 2812	1684	RT3A2QOp8.exe	36
PID 1684 wrote to memory of 2812	1684	RT3A2QOp8.exe	36
PID 1684 wrote to memory of 2812	1684	RT3A2QOp8.exe	36
PID 1684 wrote to memory of 1092	1684	RT3A2QOp8.exe	38
PID 1684 wrote to memory of 1092	1684	RT3A2QOp8.exe	38
PID 1684 wrote to memory of 1092	1684	RT3A2QOp8.exe	38
PID 1684 wrote to memory of 1092	1684	RT3A2QOp8.exe	38
PID 1684 wrote to memory of 2440	1684	RT3A2QOp8.exe	39
PID 1684 wrote to memory of 2440	1684	RT3A2QOp8.exe	39
PID 1684 wrote to memory of 2440	1684	RT3A2QOp8.exe	39
PID 1684 wrote to memory of 2440	1684	RT3A2QOp8.exe	39
PID 2852 wrote to memory of 1288	2852	cmd.exe	43
PID 2852 wrote to memory of 1288	2852	cmd.exe	43
PID 2852 wrote to memory of 1288	2852	cmd.exe	43
PID 2852 wrote to memory of 1288	2852	cmd.exe	43
PID 2440 wrote to memory of 772	2440	cmd.exe	44
PID 2440 wrote to memory of 772	2440	cmd.exe	44
PID 2440 wrote to memory of 772	2440	cmd.exe	44
PID 2440 wrote to memory of 772	2440	cmd.exe	44
PID 2812 wrote to memory of 1472	2812	cmd.exe	45
PID 2812 wrote to memory of 1472	2812	cmd.exe	45
PID 2812 wrote to memory of 1472	2812	cmd.exe	45
PID 2812 wrote to memory of 1472	2812	cmd.exe	45
PID 1092 wrote to memory of 2920	1092	cmd.exe	46
PID 1092 wrote to memory of 2920	1092	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a8871e8d7fe2e9c0476b1b9c191ab16d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe
    "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:436
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1148
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YPD1T0MXKQ.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:756
- - C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe
    "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe
      "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1472
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2920
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe:*:Enabled:Windows Messanger" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MKH3VSB8QJ.exe:*:Enabled:Windows Messanger" /f
        7⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RT3A2QOp8.exe

Filesize
436KB

MD5
8c3aa7ee66dd0e83ab8d546212dccae6

SHA1
03c373c4924259807b6a74d6d4b8f9305fa1fd39

SHA256
b06b54515a86705c2d7e54bea6d92df09a313aee119e1f3974fb910c5f60968d

SHA512
8b625c08ef22cfabe58a966b90def1309d04ce030669e55d70ee1c6615b27e22b72f3f02316cfa7f9f5e788bcbfa375f00b02b4e6e0a37294eead14fe3d8a153

Download Submit
C:\Users\Admin\AppData\Local\Temp\YPD1T0MXKQ.exe

Filesize
162KB

MD5
cab361c6b9025935a054c8b42135a850

SHA1
5aef399df5e884a7ba0031adb7666cbb829a716c

SHA256
320dbe17b2b61797119975af9ac0a868499da1b27f9ea4abfd62f7224dc1f540

SHA512
293bdafd7c39e4666e3241f9e102c6bd7391faa1adc22245d6caa04473e20eef63fb14dbfe1924548d16e3f800b3bd28828d40995900fa862c15f05e74648fb6

Download Submit
C:\Users\Admin\AppData\Roaming\yup

Filesize
34B

MD5
c92d94754b303a234a4be3c92208a5d4

SHA1
be2fad79f6768e177be454e815903ce01b56c045

SHA256
0855acef7b3f5246f704fda0c69ec675fe4153275044da2997939e46d7cbe5ea

SHA512
0198267b8dd6a2e6d883c3cee8e0175c992076413caa726431ccd013d7ceea9b08a245a106ecd73fa3f1b374e18d3023775355798bca8a46942d0d7fa55e2da9

Download Submit
memory/1304-0-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1668-43-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1684-74-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-102-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-112-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-110-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-106-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-104-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-98-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-96-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-84-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-70-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-72-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-77-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1684-82-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2344-15-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2344-7-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2344-29-0x00000000030B0000-0x0000000003123000-memory.dmp

Filesize
460KB

Download
memory/2344-23-0x00000000030B0000-0x0000000003123000-memory.dmp

Filesize
460KB

Download
memory/2344-13-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2344-5-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2344-3-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2344-48-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2344-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-100-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-103-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-91-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-105-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-107-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-109-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-95-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-111-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-97-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-113-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2664-117-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download