latentbot | f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Size

264KB
MD5

764bd0f47d395a4a3e4abdf501d48402
SHA1

ee6e39714fc6df19d0acf9a1a33494c82080580c
SHA256

f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705
SHA512

1edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969
SSDEEP

6144:PIFqVA0HHhehYho+7VjNuBMNm2vOhxXbn4:k8DuBAOhRn4

Score

10^/10

latentbot discovery evasion persistence trojan upx

Malware Config

Extracted

Family

latentbot

rsbotsoultions.zapto.org

1rsbotsoultions.zapto.org

2rsbotsoultions.zapto.org

3rsbotsoultions.zapto.org

4rsbotsoultions.zapto.org

5rsbotsoultions.zapto.org

6rsbotsoultions.zapto.org

7rsbotsoultions.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\local.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\local.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winhv.exe764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exeHdAudio.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winhv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	HdAudio.exe

Executes dropped EXE 3 IoCs

Processes:

HdAudio.exewinhv.exeHdAudio.exe

pid process

4292 HdAudio.exe
456 winhv.exe
3568 HdAudio.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
4292	HdAudio.exe
456	winhv.exe
3568	HdAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HdAudio.exeHdAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\High Definition Audio Function Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\HdAudio.exe"	HdAudio.exe

Suspicious use of SetThreadContext 22 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exewinhv.exe

description	pid	process	target process
PID 2304 set thread context of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 456 set thread context of 1000	456	winhv.exe	vbc.exe
PID 456 set thread context of 1040	456	winhv.exe	vbc.exe
PID 456 set thread context of 2784	456	winhv.exe	vbc.exe
PID 456 set thread context of 3108	456	winhv.exe	vbc.exe
PID 456 set thread context of 1724	456	winhv.exe	vbc.exe
PID 456 set thread context of 2904	456	winhv.exe	vbc.exe
PID 456 set thread context of 1984	456	winhv.exe	vbc.exe
PID 456 set thread context of 2864	456	winhv.exe	vbc.exe
PID 456 set thread context of 3612	456	winhv.exe	vbc.exe
PID 456 set thread context of 4832	456	winhv.exe	vbc.exe
PID 456 set thread context of 1372	456	winhv.exe	vbc.exe
PID 456 set thread context of 436	456	winhv.exe	vbc.exe
PID 456 set thread context of 5028	456	winhv.exe	vbc.exe
PID 456 set thread context of 2332	456	winhv.exe	vbc.exe
PID 456 set thread context of 1080	456	winhv.exe	vbc.exe
PID 456 set thread context of 3408	456	winhv.exe	vbc.exe
PID 456 set thread context of 228	456	winhv.exe	vbc.exe
PID 456 set thread context of 768	456	winhv.exe	vbc.exe
PID 456 set thread context of 1220	456	winhv.exe	vbc.exe
PID 456 set thread context of 4064	456	winhv.exe	vbc.exe
PID 456 set thread context of 1096	456	winhv.exe	vbc.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1772-8-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-10-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-12-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-31-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-32-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-38-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1000-61-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-64-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1040-71-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/2784-79-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-81-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/3108-88-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1724-96-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-98-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/2904-105-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1984-113-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-116-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/2864-123-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/3612-131-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1772-133-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/4832-140-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1372-150-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/436-160-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/5028-169-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/2332-180-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1080-189-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/3408-199-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/228-208-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/768-218-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1220-227-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/4064-238-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/1096-247-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.exevbc.exevbc.exevbc.exeHdAudio.exevbc.execmd.exereg.exereg.exewinhv.exeHdAudio.exevbc.exevbc.execmd.exevbc.exevbc.exevbc.exevbc.exevbc.exe764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exereg.execmd.exevbc.exevbc.exevbc.exevbc.execmd.execmd.exevbc.exevbc.exereg.exevbc.execmd.exevbc.exevbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HdAudio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HdAudio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3656 reg.exe
4852 reg.exe
2524 reg.exe
4036 reg.exe

pid	process
3656	reg.exe
4852	reg.exe
2524	reg.exe
4036	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe

pid	process
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exevbc.exeHdAudio.exewinhv.exeHdAudio.exe

description	pid	process
Token: SeDebugPrivilege	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
Token: 1	1772	vbc.exe
Token: SeCreateTokenPrivilege	1772	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1772	vbc.exe
Token: SeLockMemoryPrivilege	1772	vbc.exe
Token: SeIncreaseQuotaPrivilege	1772	vbc.exe
Token: SeMachineAccountPrivilege	1772	vbc.exe
Token: SeTcbPrivilege	1772	vbc.exe
Token: SeSecurityPrivilege	1772	vbc.exe
Token: SeTakeOwnershipPrivilege	1772	vbc.exe
Token: SeLoadDriverPrivilege	1772	vbc.exe
Token: SeSystemProfilePrivilege	1772	vbc.exe
Token: SeSystemtimePrivilege	1772	vbc.exe
Token: SeProfSingleProcessPrivilege	1772	vbc.exe
Token: SeIncBasePriorityPrivilege	1772	vbc.exe
Token: SeCreatePagefilePrivilege	1772	vbc.exe
Token: SeCreatePermanentPrivilege	1772	vbc.exe
Token: SeBackupPrivilege	1772	vbc.exe
Token: SeRestorePrivilege	1772	vbc.exe
Token: SeShutdownPrivilege	1772	vbc.exe
Token: SeDebugPrivilege	1772	vbc.exe
Token: SeAuditPrivilege	1772	vbc.exe
Token: SeSystemEnvironmentPrivilege	1772	vbc.exe
Token: SeChangeNotifyPrivilege	1772	vbc.exe
Token: SeRemoteShutdownPrivilege	1772	vbc.exe
Token: SeUndockPrivilege	1772	vbc.exe
Token: SeSyncAgentPrivilege	1772	vbc.exe
Token: SeEnableDelegationPrivilege	1772	vbc.exe
Token: SeManageVolumePrivilege	1772	vbc.exe
Token: SeImpersonatePrivilege	1772	vbc.exe
Token: SeCreateGlobalPrivilege	1772	vbc.exe
Token: 31	1772	vbc.exe
Token: 32	1772	vbc.exe
Token: 33	1772	vbc.exe
Token: 34	1772	vbc.exe
Token: 35	1772	vbc.exe
Token: SeDebugPrivilege	4292	HdAudio.exe
Token: SeDebugPrivilege	456	winhv.exe
Token: SeDebugPrivilege	3568	HdAudio.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid	process
1772	vbc.exe
1772	vbc.exe
1772	vbc.exe
1772	vbc.exe
1000	vbc.exe
1000	vbc.exe
1772	vbc.exe
1040	vbc.exe
1040	vbc.exe
2784	vbc.exe
2784	vbc.exe
3108	vbc.exe
3108	vbc.exe
1724	vbc.exe
1724	vbc.exe
2904	vbc.exe
2904	vbc.exe
1984	vbc.exe
1984	vbc.exe
1772	vbc.exe
2864	vbc.exe
2864	vbc.exe
3612	vbc.exe
3612	vbc.exe
4832	vbc.exe
4832	vbc.exe
1372	vbc.exe
1372	vbc.exe
436	vbc.exe
436	vbc.exe
5028	vbc.exe
5028	vbc.exe
1772	vbc.exe
2332	vbc.exe
2332	vbc.exe
1080	vbc.exe
1080	vbc.exe
3408	vbc.exe
3408	vbc.exe
228	vbc.exe
228	vbc.exe
768	vbc.exe
768	vbc.exe
1220	vbc.exe
1220	vbc.exe
1772	vbc.exe
4064	vbc.exe
4064	vbc.exe
1096	vbc.exe
1096	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exevbc.execmd.execmd.execmd.execmd.exeHdAudio.exewinhv.exe

description	pid	process	target process
PID 2304 wrote to memory of 2852	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	cmd.exe
PID 2304 wrote to memory of 2852	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	cmd.exe
PID 2304 wrote to memory of 2852	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	cmd.exe
PID 2304 wrote to memory of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2304 wrote to memory of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2304 wrote to memory of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2304 wrote to memory of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2304 wrote to memory of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2304 wrote to memory of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2304 wrote to memory of 1772	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	vbc.exe
PID 2304 wrote to memory of 4292	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2304 wrote to memory of 4292	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 2304 wrote to memory of 4292	2304	764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe	HdAudio.exe
PID 1772 wrote to memory of 1272	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 1272	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 1272	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 3528	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 3528	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 3528	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 4976	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 4976	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 4976	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 2272	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 2272	1772	vbc.exe	cmd.exe
PID 1772 wrote to memory of 2272	1772	vbc.exe	cmd.exe
PID 2272 wrote to memory of 2524	2272	cmd.exe	reg.exe
PID 3528 wrote to memory of 3656	3528	cmd.exe	reg.exe
PID 2272 wrote to memory of 2524	2272	cmd.exe	reg.exe
PID 2272 wrote to memory of 2524	2272	cmd.exe	reg.exe
PID 3528 wrote to memory of 3656	3528	cmd.exe	reg.exe
PID 3528 wrote to memory of 3656	3528	cmd.exe	reg.exe
PID 1272 wrote to memory of 4852	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 4852	1272	cmd.exe	reg.exe
PID 1272 wrote to memory of 4852	1272	cmd.exe	reg.exe
PID 4976 wrote to memory of 4036	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4036	4976	cmd.exe	reg.exe
PID 4976 wrote to memory of 4036	4976	cmd.exe	reg.exe
PID 4292 wrote to memory of 456	4292	HdAudio.exe	winhv.exe
PID 4292 wrote to memory of 456	4292	HdAudio.exe	winhv.exe
PID 4292 wrote to memory of 456	4292	HdAudio.exe	winhv.exe
PID 456 wrote to memory of 2640	456	winhv.exe	cmd.exe
PID 456 wrote to memory of 2640	456	winhv.exe	cmd.exe
PID 456 wrote to memory of 2640	456	winhv.exe	cmd.exe
PID 456 wrote to memory of 1000	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1000	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1000	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1000	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1000	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1000	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1000	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 3568	456	winhv.exe	HdAudio.exe
PID 456 wrote to memory of 3568	456	winhv.exe	HdAudio.exe
PID 456 wrote to memory of 3568	456	winhv.exe	HdAudio.exe
PID 456 wrote to memory of 1040	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1040	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1040	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1040	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1040	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1040	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 1040	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 2784	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 2784	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 2784	456	winhv.exe	vbc.exe
PID 456 wrote to memory of 2784	456	winhv.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\764bd0f47d395a4a3e4abdf501d48402_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\local.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1984
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4832
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:436
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5028
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2332
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HdAudio.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\HdAudio.exe

Filesize
13KB

MD5
3b7a912b974389998f9963e03fc20c32

SHA1
209d5061ac43d8aed3adac94686372f2b9817d28

SHA256
e90ae5939f92e8c0df41dc4e6b101912cb947d2d2339f07e8a1fa680feb34d42

SHA512
ea5ea60a35571e9a4dd0151af4238df3e6c7996f918cffbfbb1262f90609be36d6ea122123409c7ea3920f4ce9d1f4c17b2b41f3d7503d1fb039009f2d0ec51b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winhv.exe

Filesize
264KB

MD5
764bd0f47d395a4a3e4abdf501d48402

SHA1
ee6e39714fc6df19d0acf9a1a33494c82080580c

SHA256
f6df2a467533efa9839443780f837572e796f599c8c1549cd8241cacbd531705

SHA512
1edcdc167ca6d35fdfd4a32ad1535649dd49a0389461c498bffed11dfc43ab33d7c3c20dc85759cc87c594c228725f36c578d4e8b37cc11e1c20afcfb35f9969

Download Submit
memory/228-208-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/436-160-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/768-218-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1000-61-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1040-71-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1080-189-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1096-247-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1220-227-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1372-150-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1724-96-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-81-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-133-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-12-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-116-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-38-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-98-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-10-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-8-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-32-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-64-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1772-31-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1984-113-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2304-2-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2304-3-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/2304-4-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2304-41-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2304-1-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2304-0-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/2332-180-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2784-79-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2864-123-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2904-105-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3108-88-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3408-199-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3612-131-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4064-238-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4292-42-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4292-36-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4292-34-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/4292-30-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4292-29-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4292-28-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/4832-140-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5028-169-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download