6e9cdaa1c49eb010a43352b74ea03591296a9d30cd46fd87824e227850440aef

Analysis

max time kernel
7s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Size

16KB
MD5

c864c8828e059980f239d8051acaca16
SHA1

0bdfc3112db27e52a02d8c91ac5ec334b6ed7d3b
SHA256

6e9cdaa1c49eb010a43352b74ea03591296a9d30cd46fd87824e227850440aef
SHA512

0fbfc505d8a3140b424f710106a02af8bc77c9bf511f0fb3bfced6f77085aa705451bf07ae13fec886f7dede5fadcb110fa78aab8e2e94abee9380d779cc86e3
SSDEEP

384:Ih0cHnCqLAtt6Xj/kwmF8d/c8T8PCBWwzcvdmkog:SAtt6XLktF8hcXPzwEdt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
5680	zxfhajpg.exe
5792	zxfhajpg.exe
5848	zxfhajpg.exe
5904	zxfhajpg.exe
5960	zxfhajpg.exe
5984	zxfhajpg.exe
6112	zxfhajpg.exe
5824	zxfhajpg.exe
2264	zxfhajpg.exe
1732	zxfhajpg.exe
2128	zxfhajpg.exe
2284	zxfhajpg.exe
380	zxfhajpg.exe

Loads dropped DLL 26 IoCs

pid	Process
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5984	zxfhajpg.exe
5984	zxfhajpg.exe
6112	zxfhajpg.exe
6112	zxfhajpg.exe
5824	zxfhajpg.exe
5824	zxfhajpg.exe
2264	zxfhajpg.exe
2264	zxfhajpg.exe
1732	zxfhajpg.exe
1732	zxfhajpg.exe
2128	zxfhajpg.exe
2128	zxfhajpg.exe
2284	zxfhajpg.exe
2284	zxfhajpg.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File created	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File created	C:\Windows\SysWOW64\zxfhajpg.exe	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File created	C:\Windows\SysWOW64\yxfhdjpg.dll	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\zxfhajpg.exe	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\yxfhdjpg.dll	zxfhajpg.exe
File opened for modification	C:\Windows\SysWOW64\xzfhbjpg.sys	zxfhajpg.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxfhajpg.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ThreadingModel = "Apartment"	zxfhajpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{93BA45AF-FAAA-CDDD-BEEE-BCDE1234AB39}\InprocServer32\ = "C:\\Windows\\SysWow64\\yxfhdjpg.dll"	zxfhajpg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5680	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5792	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5848	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5904	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5960	zxfhajpg.exe
5984	zxfhajpg.exe
5984	zxfhajpg.exe
5984	zxfhajpg.exe
5984	zxfhajpg.exe
5984	zxfhajpg.exe
5984	zxfhajpg.exe
5984	zxfhajpg.exe
6112	zxfhajpg.exe
6112	zxfhajpg.exe
6112	zxfhajpg.exe
6112	zxfhajpg.exe
6112	zxfhajpg.exe
6112	zxfhajpg.exe
5824	zxfhajpg.exe
5824	zxfhajpg.exe
5824	zxfhajpg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1104	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	29
PID 848 wrote to memory of 1104	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	29
PID 848 wrote to memory of 1104	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	29
PID 848 wrote to memory of 1104	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	29
PID 848 wrote to memory of 5680	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	30
PID 848 wrote to memory of 5680	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	30
PID 848 wrote to memory of 5680	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	30
PID 848 wrote to memory of 5680	848	c864c8828e059980f239d8051acaca16_JaffaCakes118.exe	30
PID 5680 wrote to memory of 5764	5680	zxfhajpg.exe	32
PID 5680 wrote to memory of 5764	5680	zxfhajpg.exe	32
PID 5680 wrote to memory of 5764	5680	zxfhajpg.exe	32
PID 5680 wrote to memory of 5764	5680	zxfhajpg.exe	32
PID 5680 wrote to memory of 5792	5680	zxfhajpg.exe	34
PID 5680 wrote to memory of 5792	5680	zxfhajpg.exe	34
PID 5680 wrote to memory of 5792	5680	zxfhajpg.exe	34
PID 5680 wrote to memory of 5792	5680	zxfhajpg.exe	34
PID 5792 wrote to memory of 5840	5792	zxfhajpg.exe	35
PID 5792 wrote to memory of 5840	5792	zxfhajpg.exe	35
PID 5792 wrote to memory of 5840	5792	zxfhajpg.exe	35
PID 5792 wrote to memory of 5840	5792	zxfhajpg.exe	35
PID 5792 wrote to memory of 5848	5792	zxfhajpg.exe	36
PID 5792 wrote to memory of 5848	5792	zxfhajpg.exe	36
PID 5792 wrote to memory of 5848	5792	zxfhajpg.exe	36
PID 5792 wrote to memory of 5848	5792	zxfhajpg.exe	36
PID 5848 wrote to memory of 5896	5848	zxfhajpg.exe	37
PID 5848 wrote to memory of 5896	5848	zxfhajpg.exe	37
PID 5848 wrote to memory of 5896	5848	zxfhajpg.exe	37
PID 5848 wrote to memory of 5896	5848	zxfhajpg.exe	37
PID 5848 wrote to memory of 5904	5848	zxfhajpg.exe	38
PID 5848 wrote to memory of 5904	5848	zxfhajpg.exe	38
PID 5848 wrote to memory of 5904	5848	zxfhajpg.exe	38
PID 5848 wrote to memory of 5904	5848	zxfhajpg.exe	38
PID 5904 wrote to memory of 5952	5904	zxfhajpg.exe	39
PID 5904 wrote to memory of 5952	5904	zxfhajpg.exe	39
PID 5904 wrote to memory of 5952	5904	zxfhajpg.exe	39
PID 5904 wrote to memory of 5952	5904	zxfhajpg.exe	39
PID 5904 wrote to memory of 5960	5904	zxfhajpg.exe	40
PID 5904 wrote to memory of 5960	5904	zxfhajpg.exe	40
PID 5904 wrote to memory of 5960	5904	zxfhajpg.exe	40
PID 5904 wrote to memory of 5960	5904	zxfhajpg.exe	40
PID 5960 wrote to memory of 5984	5960	zxfhajpg.exe	41
PID 5960 wrote to memory of 5984	5960	zxfhajpg.exe	41
PID 5960 wrote to memory of 5984	5960	zxfhajpg.exe	41
PID 5960 wrote to memory of 5984	5960	zxfhajpg.exe	41
PID 5984 wrote to memory of 6104	5984	zxfhajpg.exe	45
PID 5984 wrote to memory of 6104	5984	zxfhajpg.exe	45
PID 5984 wrote to memory of 6104	5984	zxfhajpg.exe	45
PID 5984 wrote to memory of 6104	5984	zxfhajpg.exe	45
PID 5984 wrote to memory of 6112	5984	zxfhajpg.exe	46
PID 5984 wrote to memory of 6112	5984	zxfhajpg.exe	46
PID 5984 wrote to memory of 6112	5984	zxfhajpg.exe	46
PID 5984 wrote to memory of 6112	5984	zxfhajpg.exe	46
PID 6112 wrote to memory of 5816	6112	zxfhajpg.exe	47
PID 6112 wrote to memory of 5816	6112	zxfhajpg.exe	47
PID 6112 wrote to memory of 5816	6112	zxfhajpg.exe	47
PID 6112 wrote to memory of 5816	6112	zxfhajpg.exe	47
PID 6112 wrote to memory of 5824	6112	zxfhajpg.exe	48
PID 6112 wrote to memory of 5824	6112	zxfhajpg.exe	48
PID 6112 wrote to memory of 5824	6112	zxfhajpg.exe	48
PID 6112 wrote to memory of 5824	6112	zxfhajpg.exe	48
PID 5824 wrote to memory of 2632	5824	zxfhajpg.exe	49
PID 5824 wrote to memory of 2632	5824	zxfhajpg.exe	49
PID 5824 wrote to memory of 2632	5824	zxfhajpg.exe	49
PID 5824 wrote to memory of 2632	5824	zxfhajpg.exe	49

C:\Users\Admin\AppData\Local\Temp\c864c8828e059980f239d8051acaca16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c864c8828e059980f239d8051acaca16_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259571966.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1104
- C:\Windows\SysWOW64\zxfhajpg.exe
  C:\Windows\system32\zxfhajpg.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572138.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5764
- - C:\Windows\SysWOW64\zxfhajpg.exe
    C:\Windows\system32\zxfhajpg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5792
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572153.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5840
  - - C:\Windows\SysWOW64\zxfhajpg.exe
      C:\Windows\system32\zxfhajpg.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5848
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572169.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
    - - C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5904
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572185.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
      - C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5960
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572247.bat
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572263.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572278.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572325.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572356.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572387.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572419.bat
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572465.bat
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        15⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259642682.bat
        16⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        16⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259643243.bat
        17⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        17⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259653165.bat
        18⤵
        
        PID:560
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        18⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259653227.bat
        19⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        19⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259654834.bat
        20⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        20⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259655474.bat
        21⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        21⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259655536.bat
        22⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        22⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259655552.bat
        23⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        23⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259656722.bat
        24⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        24⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259656878.bat
        25⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        25⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259657330.bat
        26⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        26⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259657673.bat
        27⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        27⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259658984.bat
        28⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        28⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259659732.bat
        29⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        29⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259660278.bat
        30⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        30⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259660310.bat
        31⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        31⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259660466.bat
        32⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        32⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259661417.bat
        33⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        33⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259665598.bat
        34⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        34⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259667205.bat
        35⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        35⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259668219.bat
        36⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        36⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259669171.bat
        37⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        37⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259671370.bat
        38⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        38⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259673461.bat
        39⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        39⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259675317.bat
        40⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        40⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259675894.bat
        41⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        41⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259676924.bat
        42⤵
        
        PID:636
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        42⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259677142.bat
        43⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        43⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259677407.bat
        44⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        44⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259679420.bat
        45⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        45⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259679935.bat
        46⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        46⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259680980.bat
        47⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        47⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259682275.bat
        48⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        48⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259683881.bat
        49⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\zxfhajpg.exe
        
        C:\Windows\system32\zxfhajpg.exe
        49⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259691447.bat
        50⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259711322.bat
        46⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259710698.bat
        44⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259707765.bat
        43⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259707672.bat
        42⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259708998.bat
        41⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259706174.bat
        40⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259707375.bat
        39⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259703959.bat
        38⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259702430.bat
        37⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259699653.bat
        36⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259700496.bat
        35⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259697719.bat
        34⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259698795.bat
        33⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259691681.bat
        32⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259690870.bat
        31⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259690823.bat
        30⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259690449.bat
        29⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259690106.bat
        28⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259689482.bat
        27⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259688171.bat
        26⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259687766.bat
        25⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259687298.bat
        24⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259687235.bat
        23⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259686081.bat
        22⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259686065.bat
        21⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259685972.bat
        20⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259685332.bat
        19⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259683803.bat
        18⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259683819.bat
        17⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259673414.bat
        16⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259673149.bat
        15⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259603088.bat
        12⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259603073.bat
        11⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259602870.bat
        10⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259602808.bat
        9⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259603276.bat
        8⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259602745.bat
        7⤵
        
        PID:5836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259602698.bat
        5⤵
        
        PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259602683.bat
      4⤵
      PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259571966.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259602698.bat

Filesize
121B

MD5
0d5305be611a1c60a0dd8ca486823283

SHA1
334e534ac18e3b510a3e52b721c83ba3a88385bd

SHA256
8323f82d9bedd0feef83182d2c61baa6e6b197464fc1ed9a8415070924736512

SHA512
3961a5f1cd78a9143a4a414db98cb19d3b3bf2828bc3defe01657c986df7705d6275d6b16b24b333222370661006c8cab17c9d30c4f8264036dbe86909099310

Download Submit
C:\Windows\SysWOW64\xzfhbjpg.sys

Filesize
520B

MD5
f0562eca8b51a090127b1d2ac146f5a7

SHA1
1ea61285236435374a3350d436cc53ec75d66ff7

SHA256
5d8e07875f501f119e306964851266ff969f1565ee6db7ce918851e2d5279402

SHA512
4d69efccd28eaebc5979da990eb63d4c88bac8b583c7ae7aae9163b9baddf82c5b1c5fbf53218a04006202bce026503f451c9427b731e9efbde328bb7b99ff7a

Download Submit
C:\Windows\SysWOW64\yxfhdjpg.dll

Filesize
521KB

MD5
8ddb6d4364d9e46f941d3d32acae8a18

SHA1
f5f9f4e26af330c69e36faaff107a0b58e182e25

SHA256
3d292ce3e0fd94c4aceed08f7594aceb1c6c6a9425870cfd59d0f8b02df19905

SHA512
e506d1e7f6716af2bf99bc4492d85ef553f022eaff7c70315e0056e2924dfb2f0e0af435b8222feba4a8c9102113c09dcff5e48dadae8a2b7af79bd9f9b6c347

Download Submit
C:\Windows\SysWOW64\zxfhajpg.exe

Filesize
16KB

MD5
c864c8828e059980f239d8051acaca16

SHA1
0bdfc3112db27e52a02d8c91ac5ec334b6ed7d3b

SHA256
6e9cdaa1c49eb010a43352b74ea03591296a9d30cd46fd87824e227850440aef

SHA512
0fbfc505d8a3140b424f710106a02af8bc77c9bf511f0fb3bfced6f77085aa705451bf07ae13fec886f7dede5fadcb110fa78aab8e2e94abee9380d779cc86e3

Download Submit
memory/380-3299-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/380-3779-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/380-1172-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-1651-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-1031-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1392-9442-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1392-7387-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1392-7388-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1392-9443-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1392-5349-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1404-9440-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1404-4331-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1404-5348-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1404-9439-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1404-5347-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1732-1606-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1732-1161-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1732-1138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1732-1605-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1732-1707-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1924-7402-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1924-7401-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1924-4327-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1924-4328-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1924-3303-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2128-1706-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2128-1162-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2128-1607-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2264-1136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2264-1696-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2284-1164-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2284-1163-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2284-1608-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2284-1697-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2292-9441-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2292-12500-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2292-8423-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2524-33209-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2820-3302-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2820-3301-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2820-3300-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3900-9444-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/3900-9445-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/3900-7389-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3900-7390-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/3900-7391-0x00000000003A0000-0x00000000003BC000-memory.dmp

Filesize
112KB

Download
memory/3984-4329-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3984-4330-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/3984-7421-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/4460-12498-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/4460-11482-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4460-12499-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5680-1079-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5680-1595-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5680-1032-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5680-1650-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5792-1081-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/5792-1598-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/5792-1648-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5792-1080-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5792-1597-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/5824-1130-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5824-1686-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5848-1659-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5848-1082-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5848-1599-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/5904-1083-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5904-1600-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5904-1669-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5916-12501-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5916-10462-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5960-1601-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5960-1084-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5960-1667-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5960-1602-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5960-1085-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/5984-1723-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5984-1127-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6112-1677-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6112-1128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6112-1603-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/6284-33191-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6724-33192-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/6992-11481-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/7252-13533-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/7252-13534-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/8268-13531-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/8268-13532-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/8560-33188-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/8960-9446-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/8960-7392-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/9004-10732-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/9004-7410-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/9004-7400-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/9116-7411-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/9116-8422-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/9116-8421-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/9116-11479-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/9116-11480-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download