modiloader | 014ad1e790ce3f6bdcf39afbeec9731bcd48d39e470c80f9270336d9288a2b37

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
Size

667KB
MD5

186cfcb4cda2c80706fb9d1e0c9a7ae2
SHA1

306d417d4d57b3b8d2ba379250264456d152e3dc
SHA256

014ad1e790ce3f6bdcf39afbeec9731bcd48d39e470c80f9270336d9288a2b37
SHA512

2b57017135cd0b4db89a0b2a8e823d654cfe11fd322c32ca47403b224c2b8ee4e14784dfa60a040c66b4b36055549e5e7b96843cf66ea88f2c3f2880e749e3a5
SSDEEP

12288:WbMqmsEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WIOEEb4Ev/ATEXKGVnGTzpA1Ec1A

Score

10^/10

modiloader evasion persistence spyware stealer trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

bohost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" bohost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	bohost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

DV245F.exeboofek.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	DV245F.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	boofek.exe

ModiLoader Second Stage 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2368-11-0x0000000000400000-0x000000000041F000-memory.dmp	modiloader_stage2
behavioral1/memory/2792-13-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2792-15-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
\Users\Admin\aohost.exe	modiloader_stage2
behavioral1/memory/2876-63-0x0000000000400000-0x000000000041E000-memory.dmp	modiloader_stage2
behavioral1/memory/2792-89-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2
behavioral1/memory/2792-271-0x0000000000400000-0x00000000004CF000-memory.dmp	modiloader_stage2

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
persistence

Active Setup
T1547.014

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Disables taskbar notifications via registry modification
evasion
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1452 cmd.exe
Executes dropped EXE 8 IoCs

Processes:

DV245F.exeboofek.exeaohost.exeaohost.exebohost.exedohost.exebohost.exebohost.exe

pid process

2556 DV245F.exe
2804 boofek.exe
2876 aohost.exe
240 aohost.exe
2656 bohost.exe
2040 dohost.exe
2136 bohost.exe
2336 bohost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

pid	process
1452	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exeDV245F.exe

pid	process
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2556	DV245F.exe
2556	DV245F.exe
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2792-6-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2792-13-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2792-15-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2792-12-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2792-4-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2792-2-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/240-68-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/240-67-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/240-66-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/240-61-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/240-57-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/240-55-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2792-89-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2136-101-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2656-103-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2336-167-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2656-169-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2656-269-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2792-271-0x0000000000400000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/2656-275-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DV245F.exeboofek.exebohost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /P"	DV245F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /H"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /U"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /l"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /E"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /O"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /W"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /d"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /J"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /Q"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /f"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /x"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /o"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /y"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /X"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /Z"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /F"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /h"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /C"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /s"	boofek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\E85.exe = "C:\\Program Files (x86)\\LP\\310D\\E85.exe"	bohost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /r"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /n"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /q"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /L"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /B"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /S"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /N"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /P"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /I"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /m"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /z"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /a"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /t"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /k"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /b"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /K"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /V"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /M"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /i"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /c"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /w"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /R"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /T"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /v"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /g"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /Y"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /e"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /G"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /p"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /j"	boofek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /A"	boofek.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

aohost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum aohost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 aohost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	aohost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	aohost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exeaohost.exe

description	pid	process	target process
PID 2368 set thread context of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2876 set thread context of 240	2876	aohost.exe	aohost.exe

Drops file in Program Files directory 3 IoCs

Processes:

bohost.exe

description	ioc	process
File created	C:\Program Files (x86)\LP\310D\E85.exe	bohost.exe
File opened for modification	C:\Program Files (x86)\LP\310D\C552.tmp	bohost.exe
File opened for modification	C:\Program Files (x86)\LP\310D\E85.exe	bohost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2596 tasklist.exe
1596 tasklist.exe

pid	process
2596	tasklist.exe
1596	tasklist.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DV245F.exeboofek.exeaohost.exebohost.exe

pid	process
2556	DV245F.exe
2556	DV245F.exe
2804	boofek.exe
2804	boofek.exe
240	aohost.exe
2804	boofek.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2804	boofek.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe
2656	bohost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2456 explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

tasklist.exemsiexec.exeexplorer.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2596	tasklist.exe
Token: SeRestorePrivilege	1432	msiexec.exe
Token: SeTakeOwnershipPrivilege	1432	msiexec.exe
Token: SeSecurityPrivilege	1432	msiexec.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeShutdownPrivilege	2456	explorer.exe
Token: SeShutdownPrivilege	2456	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exeDV245F.exeboofek.exedohost.exe

pid process

2792 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2556 DV245F.exe
2804 boofek.exe
2040 dohost.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exeDV245F.execmd.exeaohost.exebohost.execmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2368 wrote to memory of 2792	2368	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
PID 2792 wrote to memory of 2556	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	DV245F.exe
PID 2792 wrote to memory of 2556	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	DV245F.exe
PID 2792 wrote to memory of 2556	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	DV245F.exe
PID 2792 wrote to memory of 2556	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	DV245F.exe
PID 2556 wrote to memory of 2804	2556	DV245F.exe	boofek.exe
PID 2556 wrote to memory of 2804	2556	DV245F.exe	boofek.exe
PID 2556 wrote to memory of 2804	2556	DV245F.exe	boofek.exe
PID 2556 wrote to memory of 2804	2556	DV245F.exe	boofek.exe
PID 2556 wrote to memory of 2564	2556	DV245F.exe	cmd.exe
PID 2556 wrote to memory of 2564	2556	DV245F.exe	cmd.exe
PID 2556 wrote to memory of 2564	2556	DV245F.exe	cmd.exe
PID 2556 wrote to memory of 2564	2556	DV245F.exe	cmd.exe
PID 2564 wrote to memory of 2596	2564	cmd.exe	tasklist.exe
PID 2564 wrote to memory of 2596	2564	cmd.exe	tasklist.exe
PID 2564 wrote to memory of 2596	2564	cmd.exe	tasklist.exe
PID 2564 wrote to memory of 2596	2564	cmd.exe	tasklist.exe
PID 2792 wrote to memory of 2876	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	aohost.exe
PID 2792 wrote to memory of 2876	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	aohost.exe
PID 2792 wrote to memory of 2876	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	aohost.exe
PID 2792 wrote to memory of 2876	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2876 wrote to memory of 240	2876	aohost.exe	aohost.exe
PID 2792 wrote to memory of 2656	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	bohost.exe
PID 2792 wrote to memory of 2656	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	bohost.exe
PID 2792 wrote to memory of 2656	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	bohost.exe
PID 2792 wrote to memory of 2656	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	bohost.exe
PID 2792 wrote to memory of 2040	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	dohost.exe
PID 2792 wrote to memory of 2040	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	dohost.exe
PID 2792 wrote to memory of 2040	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	dohost.exe
PID 2792 wrote to memory of 2040	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	dohost.exe
PID 2656 wrote to memory of 2136	2656	bohost.exe	bohost.exe
PID 2656 wrote to memory of 2136	2656	bohost.exe	bohost.exe
PID 2656 wrote to memory of 2136	2656	bohost.exe	bohost.exe
PID 2656 wrote to memory of 2136	2656	bohost.exe	bohost.exe
PID 2656 wrote to memory of 2336	2656	bohost.exe	bohost.exe
PID 2656 wrote to memory of 2336	2656	bohost.exe	bohost.exe
PID 2656 wrote to memory of 2336	2656	bohost.exe	bohost.exe
PID 2656 wrote to memory of 2336	2656	bohost.exe	bohost.exe
PID 2792 wrote to memory of 1452	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	cmd.exe
PID 2792 wrote to memory of 1452	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	cmd.exe
PID 2792 wrote to memory of 1452	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	cmd.exe
PID 2792 wrote to memory of 1452	2792	186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe	cmd.exe
PID 1452 wrote to memory of 1596	1452	cmd.exe	tasklist.exe
PID 1452 wrote to memory of 1596	1452	cmd.exe	tasklist.exe
PID 1452 wrote to memory of 1596	1452	cmd.exe	tasklist.exe
PID 1452 wrote to memory of 1596	1452	cmd.exe	tasklist.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

bohost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bohost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	bohost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\DV245F.exe
C:\Users\Admin\DV245F.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\boofek.exe
"C:\Users\Admin\boofek.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\aohost.exe
C:\Users\Admin\aohost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\aohost.exe
aohost.exe
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Users\Admin\bohost.exe
C:\Users\Admin\bohost.exe
3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2656

C:\Users\Admin\bohost.exe
C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\DB8BF\53731.exe%C:\Users\Admin\AppData\Roaming\DB8BF
4⤵
- Executes dropped EXE
PID:2136

C:\Users\Admin\bohost.exe
C:\Users\Admin\bohost.exe startC:\Program Files (x86)\BFFED\lvvm.exe%C:\Program Files (x86)\BFFED
4⤵
- Executes dropped EXE
PID:2336

C:\Users\Admin\dohost.exe
C:\Users\Admin\dohost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
Filesize
600B

MD5
a1121e5ecf6fb3921aa0d8c42c3c1989

SHA1
23273dea591ddbcf9be65ea2f7f043aa54e2eed5

SHA256
04b24d19d13f37f865591b4bf43fd83bc27210e17dd90e6698a11c7d151a2b7a

SHA512
9710477b44f65e21735fb71d1875f1218be9ec18cd6dc3871add1dc286262dbe58c1a19c6929da2683bed753b67c11c5d4a3bb174e954e962cb9160df81743cd

Download Submit
C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
Filesize
996B

MD5
5e4fa84bc317cf15d5f452c36ca4691a

SHA1
1e7a4ccc2fbd81202ead80b823bcc503b8e75015

SHA256
63847c01baf5bf18d0a82a32b832053353ab2edaded1d833e2ed58728fe62f8c

SHA512
a0680a4d6330cab1ff3d7baae3f45d8afe6e980efed549f853420cfcdfd6539f4e7e68bcaa0736b1667ee13fe9452dcaa7d31664a1db9f516868d58039171d3d

Download Submit
C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
Filesize
1KB

MD5
a386659e44c4d9cf7c4a77e37effe1f2

SHA1
41ab82ccaabbb12dbe0a467a76c458b9f45048ff

SHA256
481c09298989a35dcdb9afe952566514e12dd568e0515164cfcaf627cfb08d12

SHA512
0da0d873e39699cade14f5e030e8a41dddb34aaed3bad7f9624ecca75df1d1bcd17f7b784a393c2bfb1e3e4876143f070d34c76623767db0a0200563212aee28

Download Submit
C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
Filesize
1KB

MD5
e0d638ae0e75100c1cb70ef38ee8c92b

SHA1
fdc0ce88721a62c5c6d9130b41d1df565097f64c

SHA256
e0b8f0517b6f1417dd2511ce5aaf3913a1762a6bf735f34e79f717fa292441e6

SHA512
9471a02c8b2448b7e9f047b0edd0d1c8926b27dcee1b190ee926913c93c39aaef4decd64d8d502d21f4d2d526870dc5cf2c176019b571dca7daaf23a8aa2a87b

Download Submit
\Users\Admin\DV245F.exe
Filesize
216KB

MD5
00b1af88e176b5fdb1b82a38cfdce35b

SHA1
c0f77262df92698911e0ac2f7774e93fc6b06280

SHA256
50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59

SHA512
9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

Download Submit
\Users\Admin\aohost.exe
Filesize
152KB

MD5
4401958b004eb197d4f0c0aaccee9a18

SHA1
50e600f7c5c918145c5a270b472b114faa72a971

SHA256
4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b

SHA512
f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

Download Submit
\Users\Admin\bohost.exe
Filesize
173KB

MD5
0578a41258df62b7b4320ceaafedde53

SHA1
50e7c0b00f8f1e5355423893f10ae8ee844d70f4

SHA256
18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf

SHA512
5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

Download Submit
\Users\Admin\boofek.exe
Filesize
216KB

MD5
5624f404c4b9bfb034e7b17b22eb78bd

SHA1
8bec015f927c645ae74e73b9712934eaac045a9a

SHA256
a32f602a3432b38373e9d73da719d99a5b820b6741050b3675208a4d41bfa82e

SHA512
e2808013cd4696d10808334760ef39ad309e4d2e5e8789a9820c5c5c2610b4680938a2b847b5e6a953c47d980ab6eb0434b9973afd3c8aa9dfebd8aa06f53a15

Download Submit
\Users\Admin\dohost.exe
Filesize
24KB

MD5
d7390e209a42ea46d9cbfc5177b8324e

SHA1
eff57330de49be19d2514dd08e614afc97b061d2

SHA256
d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5

SHA512
de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

Download Submit
memory/240-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/240-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/240-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/240-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/240-53-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/240-68-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/240-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2136-101-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2336-167-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2368-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2556-44-0x00000000041B0000-0x0000000004C6A000-memory.dmp

Filesize
10.7MB

Download
memory/2656-103-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2656-275-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2656-269-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2656-169-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2792-4-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-6-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-12-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-89-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-15-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-13-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-2-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-271-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2792-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2876-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download