troldesh | 52870f2e75fa9c8073182e6779708adea25e096036561e4099e81cf5975a33ec

Resubmissions

Analysis

max time kernel
1042s
max time network
1049s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
Size

1.1MB
MD5

97aa992d7a114b8bf08c4a03e3d13f13
SHA1

f457a5c6f3fbb3e9cccde160e82ed6520cafc2a7
SHA256

52870f2e75fa9c8073182e6779708adea25e096036561e4099e81cf5975a33ec
SHA512

252c5b2e1a8862a8936c51ea2927ee8888a9d006b6cb96fd2833bea7942402e12f7d0a7f419e318bb88e43f3b55a909d0fb19b415186d9e0d74df0246730ae2d
SSDEEP

24576:eHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0m+W:eHtV7GwBSTc8An/4YuW

Score

10^/10

troldesh defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies Installed Components in the registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1684-1-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-2-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-5-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-4-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-8-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-7-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-3-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-11-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-12-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-14-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-15-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-16-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-17-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-18-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-19-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-22-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-23-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-24-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-25-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-26-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-27-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-41-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-43-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-44-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-45-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-46-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-47-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-49-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-50-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-51-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-52-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-53-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-54-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-55-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-56-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-57-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-58-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-59-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-60-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-61-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-62-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-63-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-64-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-65-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-66-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-67-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-68-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-69-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-70-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-71-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-72-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-73-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-74-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-75-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-76-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1684-77-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

description ioc process

File opened (read-only) \??\F: 97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\F:	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\C5B8B9BEC5B8B9BE.bmp"	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-white.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-lightunplated.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-100.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-400.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\VMRConfig.json	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-100.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-150.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-400.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-16_altform-lightunplated.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-100_contrast-white.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\dark.gif	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-200.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-40.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-400.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-96_altform-unplated.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-logo-40.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Sunset.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-200_contrast-black.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-200.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-150_contrast-white.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-100.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\LargeTile.scale-200.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-100.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_fr-CA.json	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-150.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-colorize.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-100.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-black.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-lightunplated.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\16.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinOnboardingCommands.xml	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-150.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-200.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookPromoTile.scale-200.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircleHover.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-black_scale-100.png	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

5100 vssadmin.exe
1484 vssadmin.exe
3836 vssadmin.exe

pid	process
5100	vssadmin.exe
1484	vssadmin.exe
3836	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{A4B04FEF-CCF3-4DB1-B92B-798D7E46D63E}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exetaskmgr.exe

pid	process
1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1624 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskmgr.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1624	taskmgr.exe
Token: SeSystemProfilePrivilege	1624	taskmgr.exe
Token: SeCreateGlobalPrivilege	1624	taskmgr.exe
Token: SeBackupPrivilege	4468	vssvc.exe
Token: SeRestorePrivilege	4468	vssvc.exe
Token: SeAuditPrivilege	4468	vssvc.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe
Token: SeShutdownPrivilege	1912	explorer.exe
Token: SeCreatePagefilePrivilege	1912	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe
1624	taskmgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe

description	pid	process	target process
PID 1684 wrote to memory of 5100	1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe	vssadmin.exe
PID 1684 wrote to memory of 5100	1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe	vssadmin.exe
PID 1684 wrote to memory of 1484	1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe	vssadmin.exe
PID 1684 wrote to memory of 1484	1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe	vssadmin.exe
PID 1684 wrote to memory of 3836	1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe	vssadmin.exe
PID 1684 wrote to memory of 3836	1684	97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97aa992d7a114b8bf08c4a03e3d13f13_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:5100

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1484

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:3836

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System32\xfs
Filesize
153KB

MD5
f26f6e82ce5b8379498645fdb70d056b

SHA1
219e016a09aa134d0aa8f14e17db7982efc9167f

SHA256
32838c7855658d1b00de4117e7ffeada1192ac8f72fcfab191957cb685f1e82a

SHA512
e965581edc321947fe534185588f4f66779587b79bc4cdca30f67350e08ac89b800c488ceb2fc92f195113e4027b96f7eb20d550755db7c6a53009a969b070e1

Download Submit
C:\ProgramData\Windows\csrss.exe
Filesize
1.1MB

MD5
97aa992d7a114b8bf08c4a03e3d13f13

SHA1
f457a5c6f3fbb3e9cccde160e82ed6520cafc2a7

SHA256
52870f2e75fa9c8073182e6779708adea25e096036561e4099e81cf5975a33ec

SHA512
252c5b2e1a8862a8936c51ea2927ee8888a9d006b6cb96fd2833bea7942402e12f7d0a7f419e318bb88e43f3b55a909d0fb19b415186d9e0d74df0246730ae2d

Download Submit
memory/1624-30-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-34-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-35-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-36-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-37-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-38-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-39-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-40-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-28-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1624-29-0x0000011C7BA90000-0x0000011C7BA91000-memory.dmp

Filesize
4KB

Download
memory/1684-41-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-50-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-17-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-18-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-19-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-22-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-23-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-24-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-25-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-26-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-27-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-15-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-14-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-13-0x0000000002260000-0x0000000002335000-memory.dmp

Filesize
852KB

Download
memory/1684-12-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-11-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-3-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-7-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-8-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-4-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-5-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-0-0x0000000002260000-0x0000000002335000-memory.dmp

Filesize
852KB

Download
memory/1684-2-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-43-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-44-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-45-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-46-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-47-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-49-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-16-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-51-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-52-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-53-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-54-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-55-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-56-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-57-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-58-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-59-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-60-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-61-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-62-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-63-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-64-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-65-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-66-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-67-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-68-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-69-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-70-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-71-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-72-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-73-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-74-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-75-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-76-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-77-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1684-1-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download