latentbot | f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Size

264KB
MD5

764bd0f47d395a4a3e4abdf501d48402
SHA1

ee6e39714fc6df19d0acf9a1a33494c82080580c
SHA256

f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705
SHA512

1edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969
SSDEEP

6144:PIFqVA0HHhehYho+7VjNuBMNm2vOhxXbn4:k8DuBAOhRn4

Score

10^/10

latentbot discovery evasion persistence trojan upx

Malware Config

Extracted

Family

latentbot

rsbotsoultions.zapto.org

1rsbotsoultions.zapto.org

2rsbotsoultions.zapto.org

3rsbotsoultions.zapto.org

4rsbotsoultions.zapto.org

5rsbotsoultions.zapto.org

6rsbotsoultions.zapto.org

7rsbotsoultions.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\local.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\local.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 3 IoCs

Processes:

HdAudio.exewinhv.exeHdAudio.exe

pid process

3024 HdAudio.exe
1984 winhv.exe
2364 HdAudio.exe
Loads dropped DLL 2 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exeHdAudio.exe

pid process

2280 764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
3024 HdAudio.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
3024	HdAudio.exe
1984	winhv.exe
2364	HdAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HdAudio.exeHdAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe

Suspicious use of SetThreadContext 22 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exewinhv.exe

description	pid	process	target process
PID 2280 set thread context of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 1984 set thread context of 840	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1180	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1800	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1716	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1488	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 2356	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1340	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1564	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 2964	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1192	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 2832	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 2740	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 384	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1728	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1520	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1016	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 824	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 2044	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 2452	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 2264	1984	winhv.exe	vbc.exe
PID 1984 set thread context of 1720	1984	winhv.exe	vbc.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2752-15-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-11-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-9-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-20-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-19-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-18-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-17-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-33-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/3024-38-0x00000000020E0000-0x0000000002120000-memory.dmp	upx
behavioral1/memory/2752-39-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/840-54-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-56-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1180-71-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1800-86-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2752-88-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1716-104-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1488-120-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2356-137-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1340-153-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1564-171-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2964-187-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1192-204-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2832-220-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2740-237-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/384-253-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1728-271-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1520-287-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/1016-304-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/824-321-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2044-337-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2452-354-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/2264-371-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeHdAudio.exevbc.exevbc.exevbc.exevbc.exeHdAudio.exevbc.exevbc.exevbc.exevbc.exereg.exevbc.exevbc.exevbc.exevbc.exereg.exereg.exewinhv.execmd.exevbc.exevbc.execmd.execmd.exevbc.exevbc.exevbc.exevbc.exevbc.exe764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.execmd.execmd.exereg.exevbc.exevbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HdAudio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HdAudio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1872 reg.exe
2844 reg.exe
2832 reg.exe
2952 reg.exe

pid	process
1872	reg.exe
2844	reg.exe
2832	reg.exe
2952	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe

pid	process
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exevbc.exeHdAudio.exewinhv.exeHdAudio.exe

description	pid	process
Token: SeDebugPrivilege	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Token: 1	2752	vbc.exe
Token: SeCreateTokenPrivilege	2752	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2752	vbc.exe
Token: SeLockMemoryPrivilege	2752	vbc.exe
Token: SeIncreaseQuotaPrivilege	2752	vbc.exe
Token: SeMachineAccountPrivilege	2752	vbc.exe
Token: SeTcbPrivilege	2752	vbc.exe
Token: SeSecurityPrivilege	2752	vbc.exe
Token: SeTakeOwnershipPrivilege	2752	vbc.exe
Token: SeLoadDriverPrivilege	2752	vbc.exe
Token: SeSystemProfilePrivilege	2752	vbc.exe
Token: SeSystemtimePrivilege	2752	vbc.exe
Token: SeProfSingleProcessPrivilege	2752	vbc.exe
Token: SeIncBasePriorityPrivilege	2752	vbc.exe
Token: SeCreatePagefilePrivilege	2752	vbc.exe
Token: SeCreatePermanentPrivilege	2752	vbc.exe
Token: SeBackupPrivilege	2752	vbc.exe
Token: SeRestorePrivilege	2752	vbc.exe
Token: SeShutdownPrivilege	2752	vbc.exe
Token: SeDebugPrivilege	2752	vbc.exe
Token: SeAuditPrivilege	2752	vbc.exe
Token: SeSystemEnvironmentPrivilege	2752	vbc.exe
Token: SeChangeNotifyPrivilege	2752	vbc.exe
Token: SeRemoteShutdownPrivilege	2752	vbc.exe
Token: SeUndockPrivilege	2752	vbc.exe
Token: SeSyncAgentPrivilege	2752	vbc.exe
Token: SeEnableDelegationPrivilege	2752	vbc.exe
Token: SeManageVolumePrivilege	2752	vbc.exe
Token: SeImpersonatePrivilege	2752	vbc.exe
Token: SeCreateGlobalPrivilege	2752	vbc.exe
Token: 31	2752	vbc.exe
Token: 32	2752	vbc.exe
Token: 33	2752	vbc.exe
Token: 34	2752	vbc.exe
Token: 35	2752	vbc.exe
Token: SeDebugPrivilege	3024	HdAudio.exe
Token: SeDebugPrivilege	1984	winhv.exe
Token: SeDebugPrivilege	2364	HdAudio.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid	process
2752	vbc.exe
2752	vbc.exe
2752	vbc.exe
2752	vbc.exe
840	vbc.exe
840	vbc.exe
2752	vbc.exe
1180	vbc.exe
1180	vbc.exe
1800	vbc.exe
1800	vbc.exe
1716	vbc.exe
1716	vbc.exe
1488	vbc.exe
1488	vbc.exe
2356	vbc.exe
2356	vbc.exe
1340	vbc.exe
1340	vbc.exe
2752	vbc.exe
1564	vbc.exe
1564	vbc.exe
2964	vbc.exe
2964	vbc.exe
1192	vbc.exe
1192	vbc.exe
2832	vbc.exe
2832	vbc.exe
2740	vbc.exe
2740	vbc.exe
384	vbc.exe
384	vbc.exe
2752	vbc.exe
1728	vbc.exe
1728	vbc.exe
1520	vbc.exe
1520	vbc.exe
1016	vbc.exe
1016	vbc.exe
824	vbc.exe
824	vbc.exe
2044	vbc.exe
2044	vbc.exe
2452	vbc.exe
2452	vbc.exe
2752	vbc.exe
2264	vbc.exe
2264	vbc.exe
1720	vbc.exe
1720	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exevbc.execmd.execmd.execmd.execmd.exeHdAudio.exewinhv.exe

description	pid	process	target process
PID 2280 wrote to memory of 2940	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	cmd.exe
PID 2280 wrote to memory of 2940	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	cmd.exe
PID 2280 wrote to memory of 2940	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	cmd.exe
PID 2280 wrote to memory of 2940	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	cmd.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 2752	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2280 wrote to memory of 3024	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2280 wrote to memory of 3024	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2280 wrote to memory of 3024	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2280 wrote to memory of 3024	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2752 wrote to memory of 2692	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 2740	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 2740	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 2740	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 2740	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 772	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 772	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 772	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 772	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 1104	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 1104	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 1104	2752	vbc.exe	cmd.exe
PID 2752 wrote to memory of 1104	2752	vbc.exe	cmd.exe
PID 2692 wrote to memory of 2844	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 2844	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 2844	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 2844	2692	cmd.exe	reg.exe
PID 1104 wrote to memory of 1872	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 1872	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 1872	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 1872	1104	cmd.exe	reg.exe
PID 772 wrote to memory of 2832	772	cmd.exe	reg.exe
PID 772 wrote to memory of 2832	772	cmd.exe	reg.exe
PID 772 wrote to memory of 2832	772	cmd.exe	reg.exe
PID 772 wrote to memory of 2832	772	cmd.exe	reg.exe
PID 2740 wrote to memory of 2952	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2952	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2952	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2952	2740	cmd.exe	reg.exe
PID 3024 wrote to memory of 1984	3024	HdAudio.exe	winhv.exe
PID 3024 wrote to memory of 1984	3024	HdAudio.exe	winhv.exe
PID 3024 wrote to memory of 1984	3024	HdAudio.exe	winhv.exe
PID 3024 wrote to memory of 1984	3024	HdAudio.exe	winhv.exe
PID 2280 wrote to memory of 2364	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2280 wrote to memory of 2364	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2280 wrote to memory of 2364	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2280 wrote to memory of 2364	2280	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 1984 wrote to memory of 2404	1984	winhv.exe	cmd.exe
PID 1984 wrote to memory of 2404	1984	winhv.exe	cmd.exe
PID 1984 wrote to memory of 2404	1984	winhv.exe	cmd.exe
PID 1984 wrote to memory of 2404	1984	winhv.exe	cmd.exe
PID 1984 wrote to memory of 840	1984	winhv.exe	vbc.exe
PID 1984 wrote to memory of 840	1984	winhv.exe	vbc.exe
PID 1984 wrote to memory of 840	1984	winhv.exe	vbc.exe
PID 1984 wrote to memory of 840	1984	winhv.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1872
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2404
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1800
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1192
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2832
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2740
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2044
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1720
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
264KB

MD5
764bd0f47d395a4a3e4abdf501d48402

SHA1
ee6e39714fc6df19d0acf9a1a33494c82080580c

SHA256
f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705

SHA512
1edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
13KB

MD5
3b7a912b974389998f9963e03fc20c32

SHA1
209d5061ac43d8aed3adac94686372f2b9817d28

SHA256
e90ae5939f92e8c0df41dc4e6b101912cb947d2d2339f07e8a1fa680feb34d42

SHA512
ea5ea60a35571e9a4dd0151af4238df3e6c7996f918cffbfbb1262f90609be36d6ea122123409c7ea3920f4ce9d1f4c17b2b41f3d7503d1fb039009f2d0ec51b

Download Submit
memory/384-253-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/824-321-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/840-54-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1016-304-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1180-71-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1192-204-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1340-153-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1488-120-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1520-287-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1564-171-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1716-104-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1728-271-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1800-86-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2044-337-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2264-371-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2280-0-0x00000000741C1000-0x00000000741C2000-memory.dmp

Filesize
4KB

Download
memory/2280-3-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2280-2-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2280-1-0x00000000741C0000-0x000000007476B000-memory.dmp

Filesize
5.7MB

Download
memory/2356-137-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2452-354-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2740-237-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-20-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-7-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-56-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-39-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-15-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-33-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-11-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-88-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-17-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-18-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-19-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-9-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2832-220-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2964-187-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3024-30-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download
memory/3024-38-0x00000000020E0000-0x0000000002120000-memory.dmp

Filesize
256KB

Download