latentbot | 6b10733733dc5ece7a19af5a04064be7e8e79ed26099f5a62ffb9542e88c1ff5

Analysis

max time kernel
147s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe
Size

764KB
MD5

689c2d3c50d6b1077bcc6bbf5b7b41d0
SHA1

eb65e48e4e0bb0f3320e3caa3dfe4bf41128f328
SHA256

6b10733733dc5ece7a19af5a04064be7e8e79ed26099f5a62ffb9542e88c1ff5
SHA512

384a552834935a2ae0087804dafeb02e2d91c8fdfe70f34fa00975585ec8a380e9278c943a01b9da12ed2d54cf33701646aa82a80109c136f5a20ef777de5414
SSDEEP

12288:A6U2k7rdxYpsuudHHjpagRRy829hdmvT0a8FGMU3ymAOoJ7QwAO3P1o4tUp3Uro1:jU2MPYq1HHggRRy8wiAa7Mfmw5LbtUpv

Score

10^/10

latentbot discovery evasion persistence trojan

Malware Config

Extracted

Family

latentbot

gfaghrtehxvdfsqaj.zapto.org

1gfaghrtehxvdfsqaj.zapto.org

2gfaghrtehxvdfsqaj.zapto.org

3gfaghrtehxvdfsqaj.zapto.org

4gfaghrtehxvdfsqaj.zapto.org

5gfaghrtehxvdfsqaj.zapto.org

6gfaghrtehxvdfsqaj.zapto.org

7gfaghrtehxvdfsqaj.zapto.org

8gfaghrtehxvdfsqaj.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\X68DO8IHKA.exe = "C:\\Users\\Admin\\AppData\\Roaming\\X68DO8IHKA.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	mnIndex.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MpMsEngX64 = "C:\\Users\\Admin\\AppData\\Roaming\\MpMsEngX64\\MpMsEngX64.exe"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MpMsEngX64 = "C:\\Users\\Admin\\AppData\\Roaming\\MpMsEngX64\\MpMsEngX64.exe"	mnIndex.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4636 set thread context of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnIndex.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1636	reg.exe
1488	reg.exe
4924	reg.exe
4188	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe
4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe
Token: 1	5068	cvtres.exe
Token: SeCreateTokenPrivilege	5068	cvtres.exe
Token: SeAssignPrimaryTokenPrivilege	5068	cvtres.exe
Token: SeLockMemoryPrivilege	5068	cvtres.exe
Token: SeIncreaseQuotaPrivilege	5068	cvtres.exe
Token: SeMachineAccountPrivilege	5068	cvtres.exe
Token: SeTcbPrivilege	5068	cvtres.exe
Token: SeSecurityPrivilege	5068	cvtres.exe
Token: SeTakeOwnershipPrivilege	5068	cvtres.exe
Token: SeLoadDriverPrivilege	5068	cvtres.exe
Token: SeSystemProfilePrivilege	5068	cvtres.exe
Token: SeSystemtimePrivilege	5068	cvtres.exe
Token: SeProfSingleProcessPrivilege	5068	cvtres.exe
Token: SeIncBasePriorityPrivilege	5068	cvtres.exe
Token: SeCreatePagefilePrivilege	5068	cvtres.exe
Token: SeCreatePermanentPrivilege	5068	cvtres.exe
Token: SeBackupPrivilege	5068	cvtres.exe
Token: SeRestorePrivilege	5068	cvtres.exe
Token: SeShutdownPrivilege	5068	cvtres.exe
Token: SeDebugPrivilege	5068	cvtres.exe
Token: SeAuditPrivilege	5068	cvtres.exe
Token: SeSystemEnvironmentPrivilege	5068	cvtres.exe
Token: SeChangeNotifyPrivilege	5068	cvtres.exe
Token: SeRemoteShutdownPrivilege	5068	cvtres.exe
Token: SeUndockPrivilege	5068	cvtres.exe
Token: SeSyncAgentPrivilege	5068	cvtres.exe
Token: SeEnableDelegationPrivilege	5068	cvtres.exe
Token: SeManageVolumePrivilege	5068	cvtres.exe
Token: SeImpersonatePrivilege	5068	cvtres.exe
Token: SeCreateGlobalPrivilege	5068	cvtres.exe
Token: 31	5068	cvtres.exe
Token: 32	5068	cvtres.exe
Token: 33	5068	cvtres.exe
Token: 34	5068	cvtres.exe
Token: 35	5068	cvtres.exe
Token: SeDebugPrivilege	2796	mnIndex.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5068	cvtres.exe
5068	cvtres.exe
5068	cvtres.exe
5068	cvtres.exe
5068	cvtres.exe
5068	cvtres.exe
5068	cvtres.exe
5068	cvtres.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 4636 wrote to memory of 5068	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	82
PID 5068 wrote to memory of 3648	5068	cvtres.exe	84
PID 5068 wrote to memory of 3648	5068	cvtres.exe	84
PID 5068 wrote to memory of 3648	5068	cvtres.exe	84
PID 5068 wrote to memory of 4860	5068	cvtres.exe	85
PID 5068 wrote to memory of 4860	5068	cvtres.exe	85
PID 5068 wrote to memory of 4860	5068	cvtres.exe	85
PID 5068 wrote to memory of 4060	5068	cvtres.exe	86
PID 5068 wrote to memory of 4060	5068	cvtres.exe	86
PID 5068 wrote to memory of 4060	5068	cvtres.exe	86
PID 5068 wrote to memory of 4864	5068	cvtres.exe	87
PID 5068 wrote to memory of 4864	5068	cvtres.exe	87
PID 5068 wrote to memory of 4864	5068	cvtres.exe	87
PID 3648 wrote to memory of 4924	3648	cmd.exe	92
PID 3648 wrote to memory of 4924	3648	cmd.exe	92
PID 3648 wrote to memory of 4924	3648	cmd.exe	92
PID 4860 wrote to memory of 4188	4860	cmd.exe	93
PID 4860 wrote to memory of 4188	4860	cmd.exe	93
PID 4860 wrote to memory of 4188	4860	cmd.exe	93
PID 4060 wrote to memory of 1636	4060	cmd.exe	94
PID 4060 wrote to memory of 1636	4060	cmd.exe	94
PID 4060 wrote to memory of 1636	4060	cmd.exe	94
PID 4864 wrote to memory of 1488	4864	cmd.exe	95
PID 4864 wrote to memory of 1488	4864	cmd.exe	95
PID 4864 wrote to memory of 1488	4864	cmd.exe	95
PID 4636 wrote to memory of 3400	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	96
PID 4636 wrote to memory of 3400	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	96
PID 4636 wrote to memory of 3400	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	96
PID 4636 wrote to memory of 2796	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	97
PID 4636 wrote to memory of 2796	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	97
PID 4636 wrote to memory of 2796	4636	JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689c2d3c50d6b1077bcc6bbf5b7b41d0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\X68DO8IHKA.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\X68DO8IHKA.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\X68DO8IHKA.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\X68DO8IHKA.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1488
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" //E:vbscript "C:\Users\Admin\AppData\Roaming\MpMsEngX64\3184.txt"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3400
- C:\Users\Admin\AppData\Roaming\MpMsEngX64\mnIndex.exe
  C:\Users\Admin\AppData\Roaming\MpMsEngX64\mnIndex.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MpMsEngX64\3184.txt

Filesize
973B

MD5
fa277271f0b544c7757462f094732c9e

SHA1
eb23b0b8e0afce40024146b9f925e90a3070a928

SHA256
bab17b2b77526c49b11f4c3edf143c06484c7bdb0292cc0e6a09dacc82d9a081

SHA512
133e1f5a69e4eaebdb25b03739dcced730e7b8c6c44072acc92c443ab78edbb039250678527a370226761980b93d6234e2bbed3bf4719fd5f05b662dd5f22956

Download Submit
C:\Users\Admin\AppData\Roaming\MpMsEngX64\mnIndex.exe

Filesize
764KB

MD5
689c2d3c50d6b1077bcc6bbf5b7b41d0

SHA1
eb65e48e4e0bb0f3320e3caa3dfe4bf41128f328

SHA256
6b10733733dc5ece7a19af5a04064be7e8e79ed26099f5a62ffb9542e88c1ff5

SHA512
384a552834935a2ae0087804dafeb02e2d91c8fdfe70f34fa00975585ec8a380e9278c943a01b9da12ed2d54cf33701646aa82a80109c136f5a20ef777de5414

Download Submit
memory/4636-19-0x0000000074C32000-0x0000000074C33000-memory.dmp

Filesize
4KB

Download
memory/4636-1-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4636-2-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4636-0-0x0000000074C32000-0x0000000074C33000-memory.dmp

Filesize
4KB

Download
memory/4636-24-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4636-20-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-25-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-30-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-5-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-4-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-28-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-29-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-9-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-33-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-34-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-37-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-38-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-41-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-42-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download