Malware Analysis Report

2025-04-03 10:25

Sample ID 250311-kqhxgayxcv
Target JaffaCakes118_6453b926503f0a47ace96ee12c18bc33
SHA256 a4e4ac00d4ba53d06796e517e5153981ceb64f6c6cec9ea2498866d31967298f
Tags
blackshades latentbot credential_access defense_evasion discovery persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a4e4ac00d4ba53d06796e517e5153981ceb64f6c6cec9ea2498866d31967298f

Threat Level: Known bad

The file JaffaCakes118_6453b926503f0a47ace96ee12c18bc33 was found to be: Known bad.

Malicious Activity Summary

blackshades latentbot credential_access defense_evasion discovery persistence rat spyware stealer trojan

Latentbot family

Blackshades family

Blackshades payload

LatentBot

Modifies firewall policy service

Blackshades

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Reads local data of messenger clients

Drops startup file

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-11 08:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-11 08:48

Reported

2025-03-11 08:50

Platform

win7-20240903-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchoster.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2788 set thread context of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2908 set thread context of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1820 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1820 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1820 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1820 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1820 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1820 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1820 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1820 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1820 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1820 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1820 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1820 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1820 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2788 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 2576 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"

C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe

"C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe"

C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

"C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe"

C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

"C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 softwaredev.zapto.org udp

Files

\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

MD5 02172c9f873de4309101c7b0aa635bb7
SHA1 fc33532d22494d1c5e841961e21dd3fcac6154cf
SHA256 cfba657e65e098fc8c5c23a260b3d1f9d0769c255b03531b7aa34a2845153a13
SHA512 bfa7fb080abb825d2cdbff2d7a7ba30f21ff20c81f30e902f826b00a63f2fe1b02f6eb77c6db8487dd31140540fcdae46ce32d6314586d68c58df787f5d6e754

memory/2576-64-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2576-61-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-59-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-57-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\license.dll

MD5 b5afa963a369efefb8f905594bafa2df
SHA1 18a2375501100007a067944f6c2f494fd085528e
SHA256 58fb10a17191f36961266e5a0153e81219f6c99b464b3998e8e75d636151ae95
SHA512 7ac1c5c9c9a66dff9a43aa055288a7ec8deec1c7e2b74a18a7e2509409df4094b0bf6d789bca59fd2ef3045cb768d1d9979779dcf68a91332ec1cf9c6bf118de

memory/2288-39-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2288-36-0x0000000000400000-0x0000000000458000-memory.dmp

\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

MD5 cc3f40aaa43594aa6bdeb476e1e734c6
SHA1 e2268857d09aa6179f6bc50579c616f34d912545
SHA256 622997cc3aa13d63bb0a01a50082f36753d86e96b0af2b3ad78de9d46f33ffdd
SHA512 0fc5a0c3288086ffecc8149eb3bfcd585fc3cb43814df9379e738cf1d0d1ff660dfc8b1db32c7a8c62e38f5b59d4d9ed7c22e9473b19919c5c26b6c696264b77

memory/2288-31-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2288-29-0x0000000000400000-0x0000000000458000-memory.dmp

\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe

MD5 a1fbc2ee381a4981c973ad8efd275e92
SHA1 ddc036889893267d8917facc48b1e3eea380f6f0
SHA256 2b361e099e0af9eed2f67973873a189c290b1f32984dc2f560d277b8e1c87a72
SHA512 b4482c7984c5676618db162accfcd507752c1463fdb40259056e14a17bb8b05cc99763b37004f6dd12d1c5e3deb00c323e6f76703d6fe47655636979e809c277

memory/2576-76-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-77-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-79-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-80-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-81-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-83-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-85-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-89-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-92-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2576-93-0x0000000000400000-0x0000000000459000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-11 08:48

Reported

2025-03-11 08:50

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchoster.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC} C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
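
The three persistence signatures above (Policies\Explorer\Run, Active Setup StubPath, and the HKLM/HKU Run keys) all point the same value name, svchost, at C:\Users\Admin\AppData\Roaming\svchoster.exe. The script below is an added triage example, not the sandbox's or the sample author's code: it parses rows in the "Set value" format this report prints, normalises the hive and WOW6432Node prefixes, and flags autostart values whose image lives in a user-writable directory or borrows a Windows binary name without living under %SystemRoot%. The three malicious rows are copied from this report; the benign SecurityHealth row and the firewall row used as a control are constructed, and the SYSTEM_NAMES list and path heuristics are assumptions.

```python
"""Triage autostart entries from this report's 'Set value' registry rows.

Added example, not the sandbox's code. The three malicious rows are copied from
this report; the benign Run entry and the firewall row used as a control are
constructed. Assumed: the SYSTEM_NAMES list and the user-writable path heuristics.
"""
import ntpath
import re

# Row layout as printed in the report: Set value (<type>) <key>\<value> = "<data>" <process> N/A
ROW_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>.+?) N/A$')

# Autostart locations this sample touches (Policies\Explorer\Run is tested before Run)
AUTOSTART_LOCATIONS = (
    (r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", "Policies\\Explorer\\Run"),
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", "Run"),
    (r"\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]+\}\\StubPath$", "Active Setup StubPath"),
)

# Names malware borrows for value names and file names; assumed list, extend for your estate
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer", "services", "smss", "conhost")
USER_WRITABLE_RE = re.compile(r"\\users\\|\\appdata\\|\\programdata\\|\\temp\\|%(?:appdata|temp|userprofile)%", re.I)
SYSTEMROOT_RE = re.compile(r"^(?:[a-z]:\\windows\\|%(?:systemroot|windir)%\\)", re.I)

SAMPLE_ROWS = [
    # copied from this report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe" C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A',
    # constructed controls: a normal HKLM Run entry and a non-autostart value
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" C:\Windows\System32\svchost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A',
]


def normalise_key(key):
    """Map \\REGISTRY\\MACHINE and \\REGISTRY\\USER\\<SID> to HKLM/HKU and drop the WOW6432Node redirect."""
    k = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    k = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[0-9-]+\\", r"HKU\\", k, flags=re.I)
    k = re.sub(r"\\WOW6432Node\\", r"\\", k, flags=re.I)  # 32-bit view of the same autostart keys
    return k.split("\\", 1)[0], k


def classify_location(key):
    for pattern, label in AUTOSTART_LOCATIONS:
        if re.search(pattern, key, flags=re.I):
            return label
    return None


def image_path(data):
    """Heuristic: quoted path, else the whole string if it ends in .exe, else the first token."""
    data = data.replace("\\\\", "\\").strip()  # the report escapes backslashes inside the quoted data
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data if data.lower().endswith(".exe") else data.split(" ", 1)[0]


def looks_like_system_name(name):
    """Fold digit look-alikes (SVCH0ST -> svchost) and compare against well-known binary names."""
    stem = ntpath.splitext(ntpath.basename(name))[0].lower().replace("0", "o").replace("1", "l")
    return any(stem == s or stem.startswith(s) for s in SYSTEM_NAMES)


def triage_autostarts(rows):
    """One finding per autostart value; 'reasons' is empty for entries that look normal."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        hive, key = normalise_key(m["key"])
        location = classify_location(key)
        if location is None:
            continue  # not an autostart location (e.g. the firewall-policy values)
        value_name = key.rsplit("\\", 1)[1]
        image = image_path(m["data"])
        reasons = []
        if USER_WRITABLE_RE.search(image):
            reasons.append("image lives in a user-writable directory")
        if (looks_like_system_name(value_name) or looks_like_system_name(image)) and not SYSTEMROOT_RE.match(image):
            reasons.append("borrows a Windows binary name but is outside %SystemRoot%")
        findings.append({"hive": hive, "location": location, "value": value_name,
                         "image": image, "writer": m["proc"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autostarts(SAMPLE_ROWS):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['hive']} {f['location']}\\{f['value']} -> {f['image']}  [{'; '.join(f['reasons'])}]")
```

The same name folding that turns svchoster into a hit also catches the dropped SVCH0ST.exe (zero for the letter O) listed under Processes, so the check is worth running over file names as well as registry values.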

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3988 set thread context of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 4012 set thread context of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1948 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1948 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
PID 1948 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1948 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 1948 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 3988 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 4012 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
PID 1544 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1944 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1944 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4412 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4412 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4412 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4752 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4752 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4752 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
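
Read together, the SetThreadContext and WriteProcessMemory tables describe two process-hollowing steps (PID 3988 writes nine times into a second SVCH0ST.exe, PID 4016, then sets its thread context; PID 4012 does the same to the Roaming copy of Firefox Speed Booster V 4.exe, PID 1544) followed by ordinary cmd.exe and reg.exe spawns. The script below is an added example, not the sandbox's code: it aggregates rows in the format printed above into per-(source, target) pairs, applies the stated heuristic that writes followed by SetThreadContext mark an injection candidate while three writes with no context change and a different image look like a plain CreateProcess parent/child pair, and renders the chain as a tree. The rows are copied from this report, with the repeated rows reproduced by list multiplication; the heuristic thresholds are assumptions.

```python
"""Reconstruct the injection chain from this report's WriteProcessMemory / SetThreadContext rows.

Added example, not the sandbox's code. Rows are copied from this report (repeated rows
reproduced with list multiplication). Heuristic, stated as an assumption: a parent that
writes into a child and then sets its thread context is an injection/hollowing candidate;
a few writes with no SetThreadContext into a different image is what a plain CreateProcess
parent/child pair looks like in this row format.
"""
import ntpath
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$"  # two paths, each starting with a drive letter
)

T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming"
SAMPLE_ROWS = (
    [f"PID 1948 wrote to memory of 4012 N/A {T}\\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe {T}\\Firefox Speed Booster V 4.exe"] * 3
    + [f"PID 1948 wrote to memory of 3988 N/A {T}\\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe {T}\\SVCH0ST.exe"] * 3
    + [f"PID 3988 wrote to memory of 4016 N/A {T}\\SVCH0ST.exe {T}\\SVCH0ST.exe"] * 9
    + [f"PID 3988 set thread context of 4016 N/A {T}\\SVCH0ST.exe {T}\\SVCH0ST.exe"]
    + [f"PID 4012 wrote to memory of 1544 N/A {T}\\Firefox Speed Booster V 4.exe {R}\\Firefox Speed Booster V 4.exe"] * 8
    + [f"PID 4012 set thread context of 1544 N/A {T}\\Firefox Speed Booster V 4.exe {R}\\Firefox Speed Booster V 4.exe"]
    + [f"PID 1544 wrote to memory of 3512 N/A {R}\\Firefox Speed Booster V 4.exe C:\\Windows\\SysWOW64\\cmd.exe"] * 3
    + [f"PID 1544 wrote to memory of 1944 N/A {R}\\Firefox Speed Booster V 4.exe C:\\Windows\\SysWOW64\\cmd.exe"] * 3
    + [f"PID 1944 wrote to memory of 760 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\reg.exe"] * 3
    + [f"PID 3512 wrote to memory of 232 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\reg.exe"] * 3
)


def pair_stats(rows):
    """Aggregate rows into per-(source PID, target PID) write counts and a SetThreadContext flag."""
    stats = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        s = stats.setdefault((int(m["src"]), int(m["dst"])),
                             {"writes": 0, "set_context": False, "src_img": m["src_img"], "dst_img": m["dst_img"]})
        if m["op"].startswith("wrote"):
            s["writes"] += 1
        else:
            s["set_context"] = True
    return stats


def verdict(s):
    same_name = ntpath.basename(s["src_img"]).lower() == ntpath.basename(s["dst_img"]).lower()
    if s["set_context"]:
        return "hollowing candidate (same image name)" if same_name else "injection candidate (different image)"
    if s["writes"] <= 3:
        return "consistent with ordinary process creation"
    return "bulk writes without context change: inspect"


def injection_candidates(stats):
    return sorted(pair for pair, s in stats.items() if s["set_context"])


def render_tree(stats, root):
    """Render the parent->child edges as an indented tree from root, annotating each edge with its verdict."""
    images, children = {}, defaultdict(list)
    for (src, dst), s in stats.items():
        images[src], images[dst] = s["src_img"], s["dst_img"]
        children[src].append(dst)
    lines = []

    def walk(pid, parent, depth):
        line = f"{'  ' * depth}{pid} {ntpath.basename(images[pid])}"
        if parent is not None:
            s = stats[(parent, pid)]
            ctx = ", SetThreadContext" if s["set_context"] else ""
            line += f"  [{s['writes']} writes{ctx}] {verdict(s)}"
        lines.append(line)
        for child in sorted(children[pid]):
            walk(child, pid, depth + 1)

    walk(root, None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(pair_stats(SAMPLE_ROWS), root=1948)))
```

The tree makes the two layers visible: the dropper (1948) starts both payload copies, each payload hollows a second instance of its own image, and only the hollowed Roaming copy (1544) goes on to spawn the cmd.exe / reg.exe firewall changes, so that PID is the one whose memory region (memory/1544-*.dmp under Files) is worth carving first.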

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"

C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe

"C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe"

C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

"C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe"

C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

"C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
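
The four reg.exe command lines above are the whole of the "Modifies firewall policy service" behaviour: two set DoNotAllowExceptions back to 0 under the StandardProfile key, and two add AuthorizedApplications\List entries in the legacy `<path>:<scope>:<Enabled|Disabled>:<display name>` format that whitelist the two AppData\Roaming executables under the display name "Windows Messanger". Because each runs via cmd /c from an AppData executable, the command line is what an EDR or Sysmon event 1 / 4688 record sees. The script below is an added detection example, not the sandbox's code: it tokenises a command line with cmd-style quoting, locates a `reg add` wherever it appears, normalises HKLM/ControlSetNNN spellings, and raises a hit when the key is under FirewallPolicy and the value re-enables exceptions, disables the profile, or whitelists an executable in a user-writable path. The first three command lines are copied from this report; the benign entry, the EnableFirewall=0 entry and the non-reg command are constructed controls, and the EnableFirewall rule goes beyond what this sample does (it is included because that value lives in the same key).

```python
"""Flag firewall-policy tampering in reg.exe command lines (Sysmon event 1 / 4688 CommandLine).

Added example, not the sandbox's code. The first three command lines are copied from this
report; the remaining three are constructed controls. The EnableFirewall rule goes beyond
what this sample does and is included because it is set in the same key; the user-writable
path heuristic is an assumption.
"""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # cmd-style quoting: a double-quoted span stays one token
FIREWALL_KEY_FRAGMENT = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
USER_WRITABLE_RE = re.compile(r"\\users\\|\\appdata\\|\\programdata\\|\\temp\\|%(?:appdata|temp|userprofile)%", re.I)

SAMPLE_COMMAND_LINES = [
    # copied from this report
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f',
    # constructed controls: benign reg add, a different tamper value in the same key, a non-reg command
    r'reg add HKCU\Software\Contoso\Agent /v LastRun /t REG_SZ /d "2025-03-11" /f',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f',
    r'cmd /c echo done',
]


def tokenize(cmd):
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in TOKEN_RE.findall(cmd)]


def parse_reg_add(cmd):
    """Return {'key','value','type','data','force'} for a 'reg add' found anywhere in cmd, else None."""
    toks = tokenize(cmd)
    for i in range(len(toks) - 2):
        if toks[i].lower().rsplit("\\", 1)[-1] in ("reg", "reg.exe") and toks[i + 1].lower() == "add":
            break
    else:
        return None
    parsed = {"key": toks[i + 2], "value": None, "type": None, "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    j = i + 3
    while j < len(toks):
        flag = toks[j].lower()
        if flag == "/f":
            parsed["force"] = True
        elif flag in names and j + 1 < len(toks):
            parsed[names[flag]] = toks[j + 1]
            j += 1
        j += 1
    return parsed


def normalise_key(key):
    """HKEY_LOCAL_MACHINE -> HKLM and ControlSetNNN -> CurrentControlSet so one rule covers both spellings."""
    k = re.sub(r"^hkey_local_machine\\", r"HKLM\\", key.strip("\\"), flags=re.I)
    return re.sub(r"^hklm\\system\\(?:currentcontrolset|controlset\d+)\\", r"HKLM\\SYSTEM\\CurrentControlSet\\", k, flags=re.I)


def detect_firewall_tamper(cmd):
    """Return the list of rule hits for one command line (empty when nothing matched)."""
    p = parse_reg_add(cmd)
    if p is None:
        return []
    key = normalise_key(p["key"]).lower()
    if FIREWALL_KEY_FRAGMENT not in key + "\\":
        return []
    hits, value, data = [], (p["value"] or "").lower(), (p["data"] or "").strip()
    if value == "donotallowexceptions" and data == "0":
        hits.append("firewall exceptions re-enabled (DoNotAllowExceptions=0)")
    if value == "enablefirewall" and data == "0":
        hits.append("firewall profile disabled (EnableFirewall=0)")
    if key.endswith("\\authorizedapplications\\list"):
        parts = data.rsplit(":", 3)  # legacy format: <path>:<scope>:<Enabled|Disabled>:<display name>; rsplit keeps the drive colon
        if len(parts) == 4 and parts[2].lower() == "enabled" and USER_WRITABLE_RE.search(parts[0]):
            hits.append(f"firewall exception for user-writable executable {parts[0]} as {parts[3]!r}")
    return hits


def scan(cmds):
    """Return (command line, hits) for every command line that triggered at least one rule."""
    out = []
    for c in cmds:
        hits = detect_firewall_tamper(c)
        if hits:
            out.append((c, hits))
    return out


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMAND_LINES):
        print(f"{'; '.join(hits)}\n    {cmd}")
```

Note that the report records the writes under ControlSet001 while the command lines say CurrentControlSet; the normalisation step exists so a rule written against either spelling matches both. Pairing the hit with the parent chain (reg.exe under cmd.exe under an AppData executable, as in the Processes list) turns it from a noisy policy-change alert into a high-confidence one.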

Network

Country Destination Domain Proto
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 95.100.153.184:443 www.bing.com tcp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 softwaredev.zapto.org udp
US 8.8.8.8:53 softwaredev.zapto.org udp
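
Two things stand out in the network table: every row for softwaredev.zapto.org is a UDP query to the sandbox resolver (8.8.8.8:53) with no TCP session following it, while the bing.com / bing.net rows do resolve and connect. zapto.org is a No-IP dynamic-DNS suffix, which fits a Blackshades-era C2 hostname; ten lookups with no connection suggest the name no longer resolved at detonation time. The script below is an added example, not the sandbox's code: it parses rows in the format printed above, counts DNS queries and TCP connections per domain, and separates C2 candidates (repeated lookups, no connection) from allowlisted OS/browser background traffic. The rows are copied from this report; the dynamic-DNS suffix list, the bing.* allowlist and the three-query threshold are assumptions to tune for your sandbox image.

```python
"""Separate the C2 domain from sandbox background traffic in this report's Network table.

Added example, not the sandbox's code. The rows below are copied from this report (the
repeated rows reproduced with list multiplication). Assumed: the dynamic-DNS suffix list,
the bing.* allowlist for OS/browser background traffic, and the heuristic that repeated
DNS queries with no follow-up connection mean the name did not resolve (or was sinkholed)
during detonation.
"""
import re

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")
DDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".sytes.net", ".ddns.net", ".myftp.org")
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")  # assumed allowlist; tune per sandbox image

SAMPLE_ROWS = [
    "US 8.8.8.8:53 softwaredev.zapto.org udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 150.171.27.10:443 g.bing.com tcp",
    "GB 95.100.153.184:443 www.bing.com tcp",
    "US 8.8.8.8:53 softwaredev.zapto.org udp",
    "US 8.8.8.8:53 softwaredev.zapto.org udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
] + ["US 150.171.28.10:443 tse1.mm.bing.net tcp"] * 5 + ["US 8.8.8.8:53 softwaredev.zapto.org udp"] * 7


def summarize(rows):
    """Per domain: DNS query count, TCP connection count and the TCP peers seen."""
    stats = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        s = stats.setdefault(m["domain"], {"dns": 0, "tcp": 0, "peers": set()})
        if m["proto"] == "udp" and m["port"] == "53":
            s["dns"] += 1
        elif m["proto"] == "tcp":
            s["tcp"] += 1
            s["peers"].add(f"{m['ip']}:{m['port']}")
    return stats


def classify(domain, s, min_queries=3):
    d = domain.lower()
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background traffic (allowlisted suffix)"
    ddns = " on a dynamic-DNS host" if d.endswith(DDNS_SUFFIXES) else ""
    if s["dns"] >= min_queries and s["tcp"] == 0:
        return "repeated lookups, no connection: C2 candidate, name unresolved during detonation" + ddns
    if ddns:
        return "resolved and contacted" + ddns
    return "unclassified"


def triage(rows):
    return {d: {**s, "peers": sorted(s["peers"]), "verdict": classify(d, s)} for d, s in summarize(rows).items()}


def c2_candidates(rows):
    """Domains to block and hunt for, in a stable order."""
    return sorted(d for d, r in triage(rows).items() if r["verdict"].startswith("repeated lookups"))


if __name__ == "__main__":
    for domain, r in triage(SAMPLE_ROWS).items():
        print(f"{domain:28} dns={r['dns']:2} tcp={r['tcp']:2} {r['verdict']}")
```

Because the name never resolved here, the report carries no C2 IP or port; the hostname is the only network indicator, and a dynamic-DNS name can be repointed at any time, so the hostname rather than an address is what belongs on the blocklist.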

Files

C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe

MD5 a1fbc2ee381a4981c973ad8efd275e92
SHA1 ddc036889893267d8917facc48b1e3eea380f6f0
SHA256 2b361e099e0af9eed2f67973873a189c290b1f32984dc2f560d277b8e1c87a72
SHA512 b4482c7984c5676618db162accfcd507752c1463fdb40259056e14a17bb8b05cc99763b37004f6dd12d1c5e3deb00c323e6f76703d6fe47655636979e809c277

C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

MD5 cc3f40aaa43594aa6bdeb476e1e734c6
SHA1 e2268857d09aa6179f6bc50579c616f34d912545
SHA256 622997cc3aa13d63bb0a01a50082f36753d86e96b0af2b3ad78de9d46f33ffdd
SHA512 0fc5a0c3288086ffecc8149eb3bfcd585fc3cb43814df9379e738cf1d0d1ff660dfc8b1db32c7a8c62e38f5b59d4d9ed7c22e9473b19919c5c26b6c696264b77

memory/4012-19-0x0000000073A72000-0x0000000073A73000-memory.dmp

memory/4012-23-0x0000000073A70000-0x0000000074021000-memory.dmp

memory/4012-24-0x0000000073A70000-0x0000000074021000-memory.dmp

memory/4016-27-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4016-30-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4016-31-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4016-34-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\license.dll

MD5 b5afa963a369efefb8f905594bafa2df
SHA1 18a2375501100007a067944f6c2f494fd085528e
SHA256 58fb10a17191f36961266e5a0153e81219f6c99b464b3998e8e75d636151ae95
SHA512 7ac1c5c9c9a66dff9a43aa055288a7ec8deec1c7e2b74a18a7e2509409df4094b0bf6d789bca59fd2ef3045cb768d1d9979779dcf68a91332ec1cf9c6bf118de

memory/1544-49-0x0000000000400000-0x0000000000459000-memory.dmp

C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

MD5 02172c9f873de4309101c7b0aa635bb7
SHA1 fc33532d22494d1c5e841961e21dd3fcac6154cf
SHA256 cfba657e65e098fc8c5c23a260b3d1f9d0769c255b03531b7aa34a2845153a13
SHA512 bfa7fb080abb825d2cdbff2d7a7ba30f21ff20c81f30e902f826b00a63f2fe1b02f6eb77c6db8487dd31140540fcdae46ce32d6314586d68c58df787f5d6e754

memory/1544-53-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4012-59-0x0000000073A72000-0x0000000073A73000-memory.dmp

memory/4012-60-0x0000000073A70000-0x0000000074021000-memory.dmp

memory/4012-61-0x0000000073A70000-0x0000000074021000-memory.dmp

memory/1544-62-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-63-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-65-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-66-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-69-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-70-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-71-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-73-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-74-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-76-0x0000000000400000-0x0000000000459000-memory.dmp

memory/1544-78-0x0000000000400000-0x0000000000459000-memory.dmp