latentbot | 07f7d5301f0e28754cc7ad1884a6f2210dee5da60dcb7dc3b05602f1197b9d77

Analysis

max time kernel
148s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Size

972KB
MD5

abcad621757e5245711c18b4c3a1c289
SHA1

ecb70053895dd4e0a5936c7545a665b1bb742187
SHA256

07f7d5301f0e28754cc7ad1884a6f2210dee5da60dcb7dc3b05602f1197b9d77
SHA512

48770f5df2dd2b57cec2681716faf8991ac82608f3b9eefec02f4b142df14d7176b8890ce6d3119b46f9bb0a76b339d5d5dfc4a72dfe65329af90c0efc65394c
SSDEEP

24576:KnPV2xWAm5O465P/QqUogjSegBFU68JgtD:mP4QwQt/uuyD

Score

10^/10

latentbot discovery evasion persistence trojan

Malware Config

Extracted

Family

latentbot

hiendsystems.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Temp\svhost.exe = "C:\\Windows\\Temp\\svhost.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe = "C:\\Users\\Admin\\AppData\\Roaming\\PdPADSLdnsConfNet.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdPADSLdnsConNetSer .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdPADSLdnsConNetSer .exe	cmd.exe

Executes dropped EXE 15 IoCs

pid	Process
3432	svhost.exe
1948	PdPADSLdnsConNetSer .exe
892	svhost.exe
5116	PdPADSLdnsConNetSer .exe
4596	svhost.exe
4468	PdPADSLdnsConNetSer .exe
2312	svhost.exe
2904	PdPADSLdnsConNetSer .exe
1328	svhost.exe
4220	PdPADSLdnsConNetSer .exe
3140	svhost.exe
208	PdPADSLdnsConNetSer .exe
3516	svhost.exe
4516	PdPADSLdnsConNetSer .exe
3064	svhost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PdPADSLdnsConNetSer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PdPADSLdnsConNetSer .exe"	PdPADSLdnsConNetSer .exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3404 set thread context of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 1948 set thread context of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 5116 set thread context of 4596	5116	PdPADSLdnsConNetSer .exe	125
PID 4468 set thread context of 2312	4468	PdPADSLdnsConNetSer .exe	129
PID 2904 set thread context of 1328	2904	PdPADSLdnsConNetSer .exe	134
PID 4220 set thread context of 3140	4220	PdPADSLdnsConNetSer .exe	146
PID 208 set thread context of 3516	208	PdPADSLdnsConNetSer .exe	150
PID 4516 set thread context of 3064	4516	PdPADSLdnsConNetSer .exe	157

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdPADSLdnsConNetSer .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2040	PING.EXE
100	PING.EXE
2692	PING.EXE
4700	PING.EXE
1392	PING.EXE
3036	PING.EXE
4388	PING.EXE

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4416	reg.exe
3800	reg.exe
4176	reg.exe
1172	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2692	PING.EXE
4700	PING.EXE
1392	PING.EXE
3036	PING.EXE
4388	PING.EXE
2040	PING.EXE
100	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
1948	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
5116	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe
4468	PdPADSLdnsConNetSer .exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
Token: 1	3432	svhost.exe
Token: SeCreateTokenPrivilege	3432	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3432	svhost.exe
Token: SeLockMemoryPrivilege	3432	svhost.exe
Token: SeIncreaseQuotaPrivilege	3432	svhost.exe
Token: SeMachineAccountPrivilege	3432	svhost.exe
Token: SeTcbPrivilege	3432	svhost.exe
Token: SeSecurityPrivilege	3432	svhost.exe
Token: SeTakeOwnershipPrivilege	3432	svhost.exe
Token: SeLoadDriverPrivilege	3432	svhost.exe
Token: SeSystemProfilePrivilege	3432	svhost.exe
Token: SeSystemtimePrivilege	3432	svhost.exe
Token: SeProfSingleProcessPrivilege	3432	svhost.exe
Token: SeIncBasePriorityPrivilege	3432	svhost.exe
Token: SeCreatePagefilePrivilege	3432	svhost.exe
Token: SeCreatePermanentPrivilege	3432	svhost.exe
Token: SeBackupPrivilege	3432	svhost.exe
Token: SeRestorePrivilege	3432	svhost.exe
Token: SeShutdownPrivilege	3432	svhost.exe
Token: SeDebugPrivilege	3432	svhost.exe
Token: SeAuditPrivilege	3432	svhost.exe
Token: SeSystemEnvironmentPrivilege	3432	svhost.exe
Token: SeChangeNotifyPrivilege	3432	svhost.exe
Token: SeRemoteShutdownPrivilege	3432	svhost.exe
Token: SeUndockPrivilege	3432	svhost.exe
Token: SeSyncAgentPrivilege	3432	svhost.exe
Token: SeEnableDelegationPrivilege	3432	svhost.exe
Token: SeManageVolumePrivilege	3432	svhost.exe
Token: SeImpersonatePrivilege	3432	svhost.exe
Token: SeCreateGlobalPrivilege	3432	svhost.exe
Token: 31	3432	svhost.exe
Token: 32	3432	svhost.exe
Token: 33	3432	svhost.exe
Token: 34	3432	svhost.exe
Token: 35	3432	svhost.exe
Token: SeDebugPrivilege	1948	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	5116	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	4468	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	2904	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	4220	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	208	PdPADSLdnsConNetSer .exe
Token: SeDebugPrivilege	4516	PdPADSLdnsConNetSer .exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3432	svhost.exe
3432	svhost.exe
3432	svhost.exe
3432	svhost.exe
892	svhost.exe
892	svhost.exe
4596	svhost.exe
4596	svhost.exe
2312	svhost.exe
2312	svhost.exe
1328	svhost.exe
1328	svhost.exe
3140	svhost.exe
3140	svhost.exe
3516	svhost.exe
3516	svhost.exe
3064	svhost.exe
3064	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4840	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	86
PID 3404 wrote to memory of 4840	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	86
PID 3404 wrote to memory of 4840	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	86
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 3432	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	89
PID 3404 wrote to memory of 4704	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	90
PID 3404 wrote to memory of 4704	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	90
PID 3404 wrote to memory of 4704	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	90
PID 4840 wrote to memory of 4396	4840	cmd.exe	91
PID 4840 wrote to memory of 4396	4840	cmd.exe	91
PID 4840 wrote to memory of 4396	4840	cmd.exe	91
PID 3432 wrote to memory of 4940	3432	svhost.exe	92
PID 3432 wrote to memory of 4940	3432	svhost.exe	92
PID 3432 wrote to memory of 4940	3432	svhost.exe	92
PID 3432 wrote to memory of 4920	3432	svhost.exe	93
PID 3432 wrote to memory of 4920	3432	svhost.exe	93
PID 3432 wrote to memory of 4920	3432	svhost.exe	93
PID 3432 wrote to memory of 5020	3432	svhost.exe	94
PID 3432 wrote to memory of 5020	3432	svhost.exe	94
PID 3432 wrote to memory of 5020	3432	svhost.exe	94
PID 3432 wrote to memory of 1352	3432	svhost.exe	95
PID 3432 wrote to memory of 1352	3432	svhost.exe	95
PID 3432 wrote to memory of 1352	3432	svhost.exe	95
PID 4920 wrote to memory of 4416	4920	cmd.exe	100
PID 4920 wrote to memory of 4416	4920	cmd.exe	100
PID 4920 wrote to memory of 4416	4920	cmd.exe	100
PID 4940 wrote to memory of 3800	4940	cmd.exe	101
PID 4940 wrote to memory of 3800	4940	cmd.exe	101
PID 4940 wrote to memory of 3800	4940	cmd.exe	101
PID 1352 wrote to memory of 4176	1352	cmd.exe	102
PID 1352 wrote to memory of 4176	1352	cmd.exe	102
PID 1352 wrote to memory of 4176	1352	cmd.exe	102
PID 4396 wrote to memory of 4992	4396	wscript.exe	103
PID 4396 wrote to memory of 4992	4396	wscript.exe	103
PID 4396 wrote to memory of 4992	4396	wscript.exe	103
PID 5020 wrote to memory of 1172	5020	cmd.exe	104
PID 5020 wrote to memory of 1172	5020	cmd.exe	104
PID 5020 wrote to memory of 1172	5020	cmd.exe	104
PID 3404 wrote to memory of 4484	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	114
PID 3404 wrote to memory of 4484	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	114
PID 3404 wrote to memory of 4484	3404	abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe	114
PID 4484 wrote to memory of 4388	4484	cmd.exe	116
PID 4484 wrote to memory of 4388	4484	cmd.exe	116
PID 4484 wrote to memory of 4388	4484	cmd.exe	116
PID 4484 wrote to memory of 1948	4484	cmd.exe	117
PID 4484 wrote to memory of 1948	4484	cmd.exe	117
PID 4484 wrote to memory of 1948	4484	cmd.exe	117
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 892	1948	PdPADSLdnsConNetSer .exe	118
PID 1948 wrote to memory of 2844	1948	PdPADSLdnsConNetSer .exe	119
PID 1948 wrote to memory of 2844	1948	PdPADSLdnsConNetSer .exe	119
PID 1948 wrote to memory of 2844	1948	PdPADSLdnsConNetSer .exe	119

C:\Users\Admin\AppData\Local\Temp\abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abcad621757e5245711c18b4c3a1c289_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:4992
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\svhost.exe" /t REG_SZ /d "C:\Windows\Temp\svhost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\PdPADSLdnsConfNet.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4176
- C:\Windows\Temp\svhost.exe
  C:\Windows\Temp\svhost.exe
  2⤵
  PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:892
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4596
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      PID:3200
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:100
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2312
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      PID:3440
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1328
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      PID:4388
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3140
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      PID:3652
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:208
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3516
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      PID:4496
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe
    "C:\Users\Admin\AppData\Local\Temp\PdPADSLdnsConNetSer .exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3064
  - - C:\Windows\Temp\svhost.exe
      C:\Windows\Temp\svhost.exe
      4⤵
      PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PdPADSLdnsConNetSer .exe.log

Filesize
588B

MD5
bbc3cfe1a58732a0477f72ea3d36c7bf

SHA1
fb801263330aa243f63270138ab467a627dffc2e

SHA256
9269d4383b8effa928b7b4a7b38ffa07587b23851f9430fbfe8e7284f845e722

SHA512
5bfdc6520a7a0884e3ccdf26ab0fe536327c9f3330f7f78bed2ed4c89fc31b04ad0c4b4bd6f8f1bca08ef04e46b833b798726dca7f40ccc27c871847ec041be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca.bat

Filesize
47B

MD5
58ccb87aa1da4939df403810f1e68b6b

SHA1
dc8551f41682e5cb1dd25af3f11a789b1d37b295

SHA256
eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

SHA512
17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\caca2.bat

Filesize
173B

MD5
236c25bb7937d845004e48da5c0c691f

SHA1
a324af5b92c7399c6f24314ec155364ff045b785

SHA256
ef042cdd5d0c6e0490969e76d8587a8559ac1d4165535582cac2731e4f5c4852

SHA512
32f6c877953ab2d9a889b97f524803cdd737c3a0f976d6e52049d087368cd5b522ebaa39c99c3f771d717325012e28bffe12403f916fd721f34cce775caf5c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\per.bat

Filesize
122B

MD5
79de65b41aa667fffeed2da4bc54653e

SHA1
76153364791bceff63281427abc916d7a850b6cf

SHA256
dd54cf19657eb7fb1bf3b9e85914701a4a9fb70582778217774cc24f4547b2af

SHA512
d434a011856174095b5a6f5527c0cc360404c1100799ea63fa1d0b04b90ab00b9246e7ed396136d0978f16dee8b5d5e885b16cb53f558dc1a57f9581802080ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

Filesize
972KB

MD5
abcad621757e5245711c18b4c3a1c289

SHA1
ecb70053895dd4e0a5936c7545a665b1bb742187

SHA256
07f7d5301f0e28754cc7ad1884a6f2210dee5da60dcb7dc3b05602f1197b9d77

SHA512
48770f5df2dd2b57cec2681716faf8991ac82608f3b9eefec02f4b142df14d7176b8890ce6d3119b46f9bb0a76b339d5d5dfc4a72dfe65329af90c0efc65394c

Download Submit
C:\Windows\Temp\svhost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/892-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1328-95-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2312-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3064-133-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3140-108-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3404-1-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-10-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-4-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-36-0x0000000074E22000-0x0000000074E23000-memory.dmp

Filesize
4KB

Download
memory/3404-37-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-44-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-2-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/3404-0-0x0000000074E22000-0x0000000074E23000-memory.dmp

Filesize
4KB

Download
memory/3432-98-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-22-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-85-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-38-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-110-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3432-123-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3516-121-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4596-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download