expiro | dcd7158bc52b2399c898f50d0f261d8001e2ab9035a233d607dd8cffae1aed13

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
Size

816KB
MD5

1be76c727a7fac2ed2e53f788a78e20d
SHA1

43b3bc6dddc029b5050f376fe43c745afd45cf08
SHA256

dcd7158bc52b2399c898f50d0f261d8001e2ab9035a233d607dd8cffae1aed13
SHA512

3ead315d752ad9360878ae65d2c7e4f1aee9b0cc4d0e936a5b1386b9cfacb2b76e155efa4f7f1678cb6dab70478d97dbf6122519c092802b11286ab3241ec6b5
SSDEEP

24576:7JW2KjJ4Td3kJnbsPhnzqQp0SQMmogiVm+:7InJ4Td3mbsPhne3S02m+

Score

10^/10

expiro backdoor discovery evasion trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 10 IoCs

backdoor

resource	yara_rule
behavioral1/memory/4188-0-0x00000000004CF000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-1-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-2-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-3-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-25-0x00000000004CF000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-26-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-27-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-28-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-30-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1
behavioral1/memory/4188-39-0x0000000000400000-0x0000000000562000-memory.dmp	family_expiro1

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
4836	alg.exe
4900	DiagnosticsHub.StandardCollector.Service.exe
1144	fxssvc.exe
4880	elevation_service.exe
3496	elevation_service.exe
64	maintenanceservice.exe
1388	msdtc.exe
1440	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3442511616-637977696-3186306149-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\H:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\I:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\S:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\W:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\J:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\N:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\P:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\V:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\G:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\O:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\R:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\M:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\X:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\Y:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\E:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\K:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\L:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\Q:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\U:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened (read-only)	\??\Z:	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\diagsvcs\igmcogqe.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\perceptionsimulation\illainna.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\ekkgjbgj.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\eelgmfha.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\vds.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\bpicbldc.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\system32\kodacncl.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\klfeocfn.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe
File created	\??\c:\windows\system32\ogkqjgme.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\niiabgdg.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File created	\??\c:\windows\system32\ibbknfmk.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\SysWOW64\gheppnca.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File created	\??\c:\windows\system32\olabhkne.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\oidigajl.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\openssh\ekonpfoe.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\glbkkfjh.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\SysWOW64\dobfmphp.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\system32\alg.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\windows\system32\jmdomfcp.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\nccafaqk.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\fcqojjjm.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Internet Explorer\hfoijjjp.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\gahajkdm.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\7-Zip\lncjookl.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	\??\c:\program files\windows media player\beapdgej.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\7-Zip\gkooamha.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\bqnfkhfd.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\cndpfbli.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4188	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
4188	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe
4836	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
Token: SeTakeOwnershipPrivilege	4188	JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
Token: SeAuditPrivilege	1144	fxssvc.exe
Token: SeTakeOwnershipPrivilege	4836	alg.exe
Token: SeSecurityPrivilege	1440	msiexec.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1be76c727a7fac2ed2e53f788a78e20d.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4836

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:64

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
c6a755a59090a5d51a03af6d72c1737c

SHA1
8fcf8e172cf25013dde4d437bd29197e5af18347

SHA256
3204da479c15f03d937fe42989bd7b178718897a4b98080b41f8a62ba684c3b0

SHA512
c89ad4135b2c022ef5d87cfb9bd6fb0be853e3489ffaf6620f70c760af0cf4e50e54904cbd04a30eab8a1901020acd4d813dce160051c004bd2d295a0b6f590a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
8ac28237fad31931ff0e0b21a9db21e2

SHA1
b84e03ed008fa32e620c42816c9ad2a65434955b

SHA256
7e6f10141cc9907601366dd99341d71609d15e8c47c2e33063d7f9b82ccbd9db

SHA512
577b7952ef76b0bf92f276cd9aebf954f25ad5d8923e9910c1119164379994d75ee2999bde613cb63dbf48976e899d152421d32dc823521a65ee331f1e4ac760

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
e28f2293d467bf89939263a1b15d5972

SHA1
91673bc3882f5db6fa8056e8cbfe3b7990728707

SHA256
6123d4e2d89be828dbb83386541a35208253095206451cf8ab82741f07e351c6

SHA512
e7f42da4486667390ee863ca228968d2bd9b7235dcea79a3e56ba2949ecb69d31bf283d0a5e05373b596b997caf0a85c33a7fe11c4d0d4107d535a51ca693f82

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
4d83d7d9664e4b2d34eb33d6f5b9abde

SHA1
60a228798a233bb32d8f0c38aaba7597d943af8f

SHA256
8ee6a49c02b8a2836c94a9d7bb22c7aa1fb6b24a22564f0c08c2b14f39f02d9d

SHA512
6561832d38feea792d536983d5f172e362b84e23a2fd744ddc9bbb41e47d7b1775decd72c77a25ab29687582c54c2d034511f9c48398a7b9b035982ee15731d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
b2c0806842053fe4f030620efd346a84

SHA1
a29be868568bb985ea14f9d0fb61b5bcdc8d1cb1

SHA256
5e9ceaca2070b818942d5ac4a6c4b6a48a3e6cc8f39e58cd984f315f491aa6d1

SHA512
9f8c0b49e361e05d207275f215ac1be36feb3d5bb96d9381768f595cf9a0f0e875484c67156af43ae4a3ef3b584829c8b336b34f9efdeaca3c2f57e2cd8ee0f1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
0471ea3a1527ed010f4b10526947eecf

SHA1
823f4d35db3f2a0d7e9f720c76adc1f522ef51dd

SHA256
3950d0a412b44340d060dcd5314355091cbb40647f77e5f75701c1b7b620e442

SHA512
11f84bafdd30f58d155f12465ba85e967a89366c9fb379a0fc81d8925a06c9c5decd239b64c55f390246c8a5e2df7e79efea2c46df42f6211a4338605d5ce209

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
5bedca68ebfa4d3f6ca3f02e488a4e30

SHA1
46a5a30298409f65dac2e74da299e50b9396a63f

SHA256
20e43f0614b9d3e260f906439cd064254bc6d4350a4f495f56bc9bac25b58e83

SHA512
088ce5f8425ae3abd4b0dfd7afdb99f4fcd4fa755c847a178389664fd28ecce2de6d1561e650cb9e4f26da78abc86d993bba1c58688f0d7865abb414bb61bc2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
67be5fac97e25b2752bd86437c230ed0

SHA1
60aec595db98520eb6c76f01a2f1334700835f1f

SHA256
2cd9fc900c4ff88d84bc6bdf5e42c293ce34b8d86f14f060dd06e3f3f25b56ed

SHA512
f4e2ce967d9f65e344b1f7b9cafa0f66eeca24571c843819b4b2be786c5e9a23eed1f345270c839fd94435272e126bb5b3bfdae8e58e00bd8e04e7effd8cd35e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
738KB

MD5
dac6307c9c23f1161423f212b7bcff44

SHA1
a88523036764a786a4e100c71435bbaf304b8ce3

SHA256
61ec01ff747decf4fd89d33ecfb0bbb1ee9ee2a04d92de04f85a257ee5ac9337

SHA512
f2d6f2f8de9163d8d3aa5a9be91f50fe174ea91c372f77aeb7d54b5ff353b403cdea8076085956922a3bc4a163f4ab30be97450c67463d2893c069353f3e2d1a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
af2c86c5ea8c528af3440c47f61bf958

SHA1
f759432dd11ea993e92d2f047c0f18a2adb52177

SHA256
03f188170d78744a040514e926728afb4af505b55bf5a8b278cf1e8f3f6d632f

SHA512
95304343c986a31aa5ab526f9f5bb37e0b7389b17ea61ea1fe41fad948876d40434497d388579943cc8e93c4da2aa8918a9168307a098e2139f25064d2ccb9ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
e551c06d446fc13049325ad9a841642e

SHA1
18b73b63193f71eabd24f4f747a625e6a15bf488

SHA256
dce7f1a655cde4d1f0dd42d8e7cf71c034f78dabc5f7cfcd3917cdb1d2ab861d

SHA512
7552703bc1afabc75587acaff6c06bcd16c7e9fe50fdf9ca5576cad201052ebf2b77e81b770956245c075069ae4eaf54c8f035be5c1210cc517ddb5f77216524

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\gahajkdm.tmp

Filesize
637KB

MD5
26a674438b8d87049998f0ca0e22e3d7

SHA1
65272a45ca8d6e288beef75a43af02a077edc2e1

SHA256
0f81857f1f542ca5ae94b749bee932bc765f7d119c2d78f56d7c9fc899280a16

SHA512
08636996cf9405bc577b84f5d5f259e7b08da03d9e51661be286f0106d64c321b51ffba83c54ab4c88666c89f7621f89de9bc4471270413c187c86a94b1157ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
de841716e45bfe4ef5fbc523fddbd69b

SHA1
46decc13310d214ca44d2456b67e21409d65b6dd

SHA256
4b81884f4772935537bcc2a763e3834e1f6e914cfaf3aecc3362b0f2dfe5250b

SHA512
eb697bba3b82e6ad6b08ba541366c68cdb8416ec878abe481d2d54bc0b868bbdaf58f023f91121d6e14cf20997f333dcdfdb09643abd163bdc678d3adb2b58c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5x4jluc.cns.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\qrmklidm\jhghfpic.tmp

Filesize
625KB

MD5
75db72ed8d7eabbf9d8c9634753c3a7f

SHA1
dc92327b7e675c0f5e867b142a7b9eb4ab9882dc

SHA256
4ddd7417cd2426d6c8429629693642f2cd23972ca653d2c607fb217f968bc5cd

SHA512
7f7159e22c9f08682f763f6eeb06fea0e9d9cf8994ea505a712c82f445672c204b2cd197ffed66b4716c14812ecdaa260069b33278c9b12afdc977c5ee230474

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
818KB

MD5
a49f7ebc5724984ddf2d4e2953c2b1fe

SHA1
14c27c3aaa43503db051f1930a3c1d0b8766fed4

SHA256
e401a14616b677ce547639e2dab49a9ba6d96f32fea0ebc4eff137742297ffad

SHA512
69960f8e2e54f158ca85057312778ba50b6ec46af980e1045db236ff95327255ce5db1463b7ad274bcfa7ef344b16e81ba0e045eae912f4129f252d34841afb3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
487KB

MD5
faadd9e3f5cb58d417c8bf82bc71c7ce

SHA1
ae1dcd06dc7b5580b6133c5effdd0c6efb2a5719

SHA256
26ee7cb2d2fcb4ef0b2fd7cffbcc598759fcf3867b169e0c79ab31a58d1c52ea

SHA512
5147f959e6dfca320614cf4fc04d747929bfd395bdc87c3171187b1b1773f8b44b67854bbd7af26c25b29f7ebd3ed7f49648a3d8dd850426b829da8968c9418b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
39409f0e0b529c99e682fe2a874358d3

SHA1
a001f874a109e826e53d7ef43f14da71ad994984

SHA256
1a0c6ec5f46ac9e439821fbf3b17c78a2026daea4a8bc94f2f9c4a821de94cc9

SHA512
02799aa68f753106a3db45eeff346bb37675784e22e1a3a1373f2d4705ce512c1e0752d76677b4ada4b9b7c1b01a5414a45c442998fdaaa868bb822a9afbe38d

Download Submit
C:\Windows\System32\alg.exe

Filesize
489KB

MD5
85542d028c7ed86ca9ebdce8be6c10a4

SHA1
58d1898280c3fc107492ffb1f513a7ce4d92702c

SHA256
adb6c1e21410893a8f774b2fbdcb24f398d5153f9e6c94f2ad5931067a696632

SHA512
f5a9e556b7c4c81a6d5be791e7e6bc1a167b8fbe615bff761769ec4690da2d464b6175220ef77c7022a56fe339c1eeaf3acacd6cdb69a2b5fc068b1a4f2f52a9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
540KB

MD5
e6eb6cb4d821a027e3528e0b4bbaa8fc

SHA1
578089d2fca704771cad50a852ab3d9825e02aa2

SHA256
0811f113353b5203db8df970bd58517263f5d19bf042247a6e1db67cb2d5a774

SHA512
1459049eccd40c20440d3a78717c904830bd97885fba474f73a3394cfa3153a6f04a0948ead4568dd592bdb542c8c4c262ac3318475c44861b038a367e1b87da

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
463KB

MD5
0b1ebafd98a653e3c6aedc68616e83fc

SHA1
69c88ba6b4f1af6a844993f9fbcd7c0ff9d43a1c

SHA256
268b186d800b19ab3f6820b3019f2d0298e8b5e11d9c47010845ffe58f59b919

SHA512
a78cedef8d31a012dfc0e8274eb5387e64bb53ba511fb6b2c70f9e9c3526c2d20f0edad90ca31b9df1677b4141045cb6de93c736f576365f1462f2a2d17e37d2

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
85c954d9ca66590ac05cf4e94cc392d4

SHA1
2eb152db29387e20be544e3adc1174de5fb1efb2

SHA256
5a9009cbfeb1bef7cad0dfbc409418454dbe888ab5ff7fef9df180d128868eaf

SHA512
7b23ce4c648c871795e03fcf325916aad240d164f1f5625f0051847e2a040d49fb9930e2fc4c8caf1d2fb027d00023605406c722133061b1316aafc8d419ef02

Download Submit
memory/1144-77-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1144-75-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4188-20-0x0000000007180000-0x00000000071CC000-memory.dmp

Filesize
304KB

Download
memory/4188-22-0x0000000007BF0000-0x0000000007C66000-memory.dmp

Filesize
472KB

Download
memory/4188-39-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-1-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-30-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-28-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-27-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-26-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-2-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-25-0x00000000004CF000-0x0000000000562000-memory.dmp

Filesize
588KB

Download
memory/4188-4-0x00000000027B0000-0x00000000027E6000-memory.dmp

Filesize
216KB

Download
memory/4188-24-0x00000000085B0000-0x00000000085CA000-memory.dmp

Filesize
104KB

Download
memory/4188-23-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/4188-3-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4188-5-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4188-21-0x0000000007010000-0x0000000007054000-memory.dmp

Filesize
272KB

Download
memory/4188-0-0x00000000004CF000-0x0000000000562000-memory.dmp

Filesize
588KB

Download
memory/4188-19-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/4188-14-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/4188-7-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/4188-8-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/4188-6-0x0000000005ED0000-0x0000000005EF2000-memory.dmp

Filesize
136KB

Download
memory/4836-51-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4836-91-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4836-84-0x000000014000D000-0x000000014001C000-memory.dmp

Filesize
60KB

Download
memory/4900-107-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4900-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download