cobaltstrike | 4996160b6e4270f2be77ea6bd5fa81165659fd54976f5fbf719dcb6350530fac

Analysis

max time kernel
138s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
Size

5.9MB
MD5

6cbc57633a2fd7f059ba02b715ec2147
SHA1

39f4d196d68e41ca126db3d6bdbd6206ed747082
SHA256

4996160b6e4270f2be77ea6bd5fa81165659fd54976f5fbf719dcb6350530fac
SHA512

7bb17980d56b414a9268bea645f36bf3d2c738d0cab8d2b1fdf4804856563f72f4249f8daaaf6c162ba59927b15e12c081142bbffe0edeada973f81e63c48679
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUp:E+b56utgpPF8u/7p

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\yaUHmdl.exe	cobalt_reflective_dll
\Windows\system\DQCdGhK.exe	cobalt_reflective_dll
\Windows\system\TSRrDNu.exe	cobalt_reflective_dll
C:\Windows\system\RhNNaLC.exe	cobalt_reflective_dll
C:\Windows\system\vJPXqhD.exe	cobalt_reflective_dll
C:\Windows\system\yCaAycj.exe	cobalt_reflective_dll
C:\Windows\system\ozFnNiY.exe	cobalt_reflective_dll
C:\Windows\system\bdzAkWS.exe	cobalt_reflective_dll
\Windows\system\dowAmVQ.exe	cobalt_reflective_dll
\Windows\system\iXYiiay.exe	cobalt_reflective_dll
\Windows\system\ckUKpOh.exe	cobalt_reflective_dll
C:\Windows\system\ldsBuDC.exe	cobalt_reflective_dll
\Windows\system\wUYXfRR.exe	cobalt_reflective_dll
C:\Windows\system\tIbEZbb.exe	cobalt_reflective_dll
C:\Windows\system\bMKeTJF.exe	cobalt_reflective_dll
\Windows\system\PQVDvpE.exe	cobalt_reflective_dll
\Windows\system\jhlEoOD.exe	cobalt_reflective_dll
C:\Windows\system\VQDkrpG.exe	cobalt_reflective_dll
C:\Windows\system\SMzyLOQ.exe	cobalt_reflective_dll
C:\Windows\system\nHBXcWZ.exe	cobalt_reflective_dll
C:\Windows\system\pFkrhhn.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2696-0-0x000000013F4C0000-0x000000013F814000-memory.dmp	xmrig
\Windows\system\yaUHmdl.exe	xmrig
\Windows\system\DQCdGhK.exe	xmrig
behavioral1/memory/1740-15-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2252-13-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
\Windows\system\TSRrDNu.exe	xmrig
behavioral1/memory/2924-27-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/2648-28-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
C:\Windows\system\RhNNaLC.exe	xmrig
C:\Windows\system\vJPXqhD.exe	xmrig
C:\Windows\system\yCaAycj.exe	xmrig
behavioral1/memory/2680-120-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
C:\Windows\system\ozFnNiY.exe	xmrig
behavioral1/memory/2028-123-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2384-122-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2528-121-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
C:\Windows\system\bdzAkWS.exe	xmrig
\Windows\system\dowAmVQ.exe	xmrig
\Windows\system\iXYiiay.exe	xmrig
\Windows\system\ckUKpOh.exe	xmrig
C:\Windows\system\ldsBuDC.exe	xmrig
\Windows\system\wUYXfRR.exe	xmrig
C:\Windows\system\tIbEZbb.exe	xmrig
C:\Windows\system\bMKeTJF.exe	xmrig
\Windows\system\PQVDvpE.exe	xmrig
\Windows\system\jhlEoOD.exe	xmrig
behavioral1/memory/2696-118-0x0000000002210000-0x0000000002564000-memory.dmp	xmrig
behavioral1/memory/2388-117-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2696-111-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2992-110-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
C:\Windows\system\VQDkrpG.exe	xmrig
C:\Windows\system\SMzyLOQ.exe	xmrig
behavioral1/memory/2616-42-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
C:\Windows\system\nHBXcWZ.exe	xmrig
C:\Windows\system\pFkrhhn.exe	xmrig
behavioral1/memory/2696-134-0x000000013F4C0000-0x000000013F814000-memory.dmp	xmrig
behavioral1/memory/2252-135-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/1740-136-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2252-137-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/2924-138-0x000000013FAF0000-0x000000013FE44000-memory.dmp	xmrig
behavioral1/memory/2648-139-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2616-140-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2388-141-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2680-142-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2992-144-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2528-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2384-145-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2028-146-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

yaUHmdl.exeDQCdGhK.exeRhNNaLC.exeTSRrDNu.exepFkrhhn.exenHBXcWZ.exebMKeTJF.exetIbEZbb.exeldsBuDC.exeyCaAycj.exevJPXqhD.exebdzAkWS.exeSMzyLOQ.exeVQDkrpG.exejhlEoOD.exePQVDvpE.exewUYXfRR.execkUKpOh.exeiXYiiay.exedowAmVQ.exeozFnNiY.exe

pid	process
1740	yaUHmdl.exe
2252	DQCdGhK.exe
2924	RhNNaLC.exe
2648	TSRrDNu.exe
2616	pFkrhhn.exe
2388	nHBXcWZ.exe
2680	bMKeTJF.exe
2528	tIbEZbb.exe
2384	ldsBuDC.exe
2992	yCaAycj.exe
2028	vJPXqhD.exe
1372	bdzAkWS.exe
2400	SMzyLOQ.exe
2564	VQDkrpG.exe
2376	jhlEoOD.exe
2244	PQVDvpE.exe
2208	wUYXfRR.exe
1672	ckUKpOh.exe
1480	iXYiiay.exe
556	dowAmVQ.exe
2584	ozFnNiY.exe

Loads dropped DLL 21 IoCs

Processes:

6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe

pid	process
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2696-0-0x000000013F4C0000-0x000000013F814000-memory.dmp	upx
\Windows\system\yaUHmdl.exe	upx
\Windows\system\DQCdGhK.exe	upx
behavioral1/memory/1740-15-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2252-13-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
\Windows\system\TSRrDNu.exe	upx
behavioral1/memory/2924-27-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/2648-28-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
C:\Windows\system\RhNNaLC.exe	upx
C:\Windows\system\vJPXqhD.exe	upx
C:\Windows\system\yCaAycj.exe	upx
behavioral1/memory/2680-120-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
C:\Windows\system\ozFnNiY.exe	upx
behavioral1/memory/2028-123-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2384-122-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2528-121-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
C:\Windows\system\bdzAkWS.exe	upx
\Windows\system\dowAmVQ.exe	upx
\Windows\system\iXYiiay.exe	upx
\Windows\system\ckUKpOh.exe	upx
C:\Windows\system\ldsBuDC.exe	upx
\Windows\system\wUYXfRR.exe	upx
C:\Windows\system\tIbEZbb.exe	upx
C:\Windows\system\bMKeTJF.exe	upx
\Windows\system\PQVDvpE.exe	upx
\Windows\system\jhlEoOD.exe	upx
behavioral1/memory/2388-117-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2992-110-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
C:\Windows\system\VQDkrpG.exe	upx
C:\Windows\system\SMzyLOQ.exe	upx
behavioral1/memory/2616-42-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
C:\Windows\system\nHBXcWZ.exe	upx
C:\Windows\system\pFkrhhn.exe	upx
behavioral1/memory/2696-134-0x000000013F4C0000-0x000000013F814000-memory.dmp	upx
behavioral1/memory/2252-135-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/1740-136-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2252-137-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/2924-138-0x000000013FAF0000-0x000000013FE44000-memory.dmp	upx
behavioral1/memory/2648-139-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2616-140-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2388-141-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2680-142-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2992-144-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2528-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2384-145-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2028-146-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System\iXYiiay.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\ozFnNiY.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\VQDkrpG.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\pFkrhhn.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\bMKeTJF.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\vJPXqhD.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\jhlEoOD.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\PQVDvpE.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\wUYXfRR.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\SMzyLOQ.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\yaUHmdl.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\RhNNaLC.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\nHBXcWZ.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\TSRrDNu.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\ldsBuDC.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\ckUKpOh.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\bdzAkWS.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\dowAmVQ.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\DQCdGhK.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\tIbEZbb.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
File created	C:\Windows\System\yCaAycj.exe	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe

description	pid	process
Token: SeLockMemoryPrivilege	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe

description	pid	process	target process
PID 2696 wrote to memory of 1740	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	yaUHmdl.exe
PID 2696 wrote to memory of 1740	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	yaUHmdl.exe
PID 2696 wrote to memory of 1740	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	yaUHmdl.exe
PID 2696 wrote to memory of 2252	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	DQCdGhK.exe
PID 2696 wrote to memory of 2252	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	DQCdGhK.exe
PID 2696 wrote to memory of 2252	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	DQCdGhK.exe
PID 2696 wrote to memory of 2924	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	RhNNaLC.exe
PID 2696 wrote to memory of 2924	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	RhNNaLC.exe
PID 2696 wrote to memory of 2924	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	RhNNaLC.exe
PID 2696 wrote to memory of 2648	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	TSRrDNu.exe
PID 2696 wrote to memory of 2648	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	TSRrDNu.exe
PID 2696 wrote to memory of 2648	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	TSRrDNu.exe
PID 2696 wrote to memory of 2616	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	pFkrhhn.exe
PID 2696 wrote to memory of 2616	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	pFkrhhn.exe
PID 2696 wrote to memory of 2616	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	pFkrhhn.exe
PID 2696 wrote to memory of 2680	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	bMKeTJF.exe
PID 2696 wrote to memory of 2680	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	bMKeTJF.exe
PID 2696 wrote to memory of 2680	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	bMKeTJF.exe
PID 2696 wrote to memory of 2388	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	nHBXcWZ.exe
PID 2696 wrote to memory of 2388	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	nHBXcWZ.exe
PID 2696 wrote to memory of 2388	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	nHBXcWZ.exe
PID 2696 wrote to memory of 2376	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	jhlEoOD.exe
PID 2696 wrote to memory of 2376	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	jhlEoOD.exe
PID 2696 wrote to memory of 2376	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	jhlEoOD.exe
PID 2696 wrote to memory of 2528	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	tIbEZbb.exe
PID 2696 wrote to memory of 2528	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	tIbEZbb.exe
PID 2696 wrote to memory of 2528	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	tIbEZbb.exe
PID 2696 wrote to memory of 2244	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	PQVDvpE.exe
PID 2696 wrote to memory of 2244	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	PQVDvpE.exe
PID 2696 wrote to memory of 2244	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	PQVDvpE.exe
PID 2696 wrote to memory of 2384	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ldsBuDC.exe
PID 2696 wrote to memory of 2384	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ldsBuDC.exe
PID 2696 wrote to memory of 2384	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ldsBuDC.exe
PID 2696 wrote to memory of 2208	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	wUYXfRR.exe
PID 2696 wrote to memory of 2208	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	wUYXfRR.exe
PID 2696 wrote to memory of 2208	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	wUYXfRR.exe
PID 2696 wrote to memory of 2992	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	yCaAycj.exe
PID 2696 wrote to memory of 2992	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	yCaAycj.exe
PID 2696 wrote to memory of 2992	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	yCaAycj.exe
PID 2696 wrote to memory of 1672	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ckUKpOh.exe
PID 2696 wrote to memory of 1672	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ckUKpOh.exe
PID 2696 wrote to memory of 1672	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ckUKpOh.exe
PID 2696 wrote to memory of 2028	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	vJPXqhD.exe
PID 2696 wrote to memory of 2028	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	vJPXqhD.exe
PID 2696 wrote to memory of 2028	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	vJPXqhD.exe
PID 2696 wrote to memory of 1480	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	iXYiiay.exe
PID 2696 wrote to memory of 1480	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	iXYiiay.exe
PID 2696 wrote to memory of 1480	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	iXYiiay.exe
PID 2696 wrote to memory of 1372	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	bdzAkWS.exe
PID 2696 wrote to memory of 1372	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	bdzAkWS.exe
PID 2696 wrote to memory of 1372	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	bdzAkWS.exe
PID 2696 wrote to memory of 556	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	dowAmVQ.exe
PID 2696 wrote to memory of 556	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	dowAmVQ.exe
PID 2696 wrote to memory of 556	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	dowAmVQ.exe
PID 2696 wrote to memory of 2400	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	SMzyLOQ.exe
PID 2696 wrote to memory of 2400	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	SMzyLOQ.exe
PID 2696 wrote to memory of 2400	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	SMzyLOQ.exe
PID 2696 wrote to memory of 2584	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ozFnNiY.exe
PID 2696 wrote to memory of 2584	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ozFnNiY.exe
PID 2696 wrote to memory of 2584	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	ozFnNiY.exe
PID 2696 wrote to memory of 2564	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	VQDkrpG.exe
PID 2696 wrote to memory of 2564	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	VQDkrpG.exe
PID 2696 wrote to memory of 2564	2696	6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe	VQDkrpG.exe

C:\Users\Admin\AppData\Local\Temp\6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6cbc57633a2fd7f059ba02b715ec2147_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System\yaUHmdl.exe
  C:\Windows\System\yaUHmdl.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\DQCdGhK.exe
  C:\Windows\System\DQCdGhK.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\RhNNaLC.exe
  C:\Windows\System\RhNNaLC.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\TSRrDNu.exe
  C:\Windows\System\TSRrDNu.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\pFkrhhn.exe
  C:\Windows\System\pFkrhhn.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\bMKeTJF.exe
  C:\Windows\System\bMKeTJF.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\nHBXcWZ.exe
  C:\Windows\System\nHBXcWZ.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\jhlEoOD.exe
  C:\Windows\System\jhlEoOD.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\tIbEZbb.exe
  C:\Windows\System\tIbEZbb.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\PQVDvpE.exe
  C:\Windows\System\PQVDvpE.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\ldsBuDC.exe
  C:\Windows\System\ldsBuDC.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\wUYXfRR.exe
  C:\Windows\System\wUYXfRR.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\yCaAycj.exe
  C:\Windows\System\yCaAycj.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\ckUKpOh.exe
  C:\Windows\System\ckUKpOh.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\vJPXqhD.exe
  C:\Windows\System\vJPXqhD.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\iXYiiay.exe
  C:\Windows\System\iXYiiay.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\bdzAkWS.exe
  C:\Windows\System\bdzAkWS.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\dowAmVQ.exe
  C:\Windows\System\dowAmVQ.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\SMzyLOQ.exe
  C:\Windows\System\SMzyLOQ.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\ozFnNiY.exe
  C:\Windows\System\ozFnNiY.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\VQDkrpG.exe
  C:\Windows\System\VQDkrpG.exe
  2⤵
  - Executes dropped EXE
  PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\RhNNaLC.exe

Filesize
5.9MB

MD5
b76acdee8048ed28b3651ba2796e67bd

SHA1
e54ee146b22304f51643069dafe9ef9ca6e52ee7

SHA256
31d5d1077a771a4dbce79da8a5db01fe322d2aa54f8166343c1c98b71d34d8f5

SHA512
02bbef3e4f0eb95127364e7b4c7259b5ed3a6e17c827a7ded73a7e0cc3de1f16ee8b50b1965283ed67523bd54e1d9458980402d0a853065885bbc82a3bda0560

Download Submit
C:\Windows\system\SMzyLOQ.exe

Filesize
5.9MB

MD5
922dd13dcba45f3e093ef2d8f91d63f8

SHA1
07437ef0da2a20ada3214006837b5799db309c3f

SHA256
055d25784eaaecc0bdabdd7d480f83ff07d745faa984996ce82cf6131b024c2e

SHA512
10620a72a48a172f4bf2e5e02cee3bcf69ae46208fa5902d33af2a81885f6e2660e698bde0fc13de2df8741d7f1b09b17383f885000168bb6230df568ff0f3c2

Download Submit
C:\Windows\system\VQDkrpG.exe

Filesize
5.9MB

MD5
fe437222622908034dde9ad1eb454eb5

SHA1
f3fd90605376e8a769a432b85aeb44868a4bdeac

SHA256
a583d4d9aa80777d033a49a53cc06f6f2f880949d96b9de3c61e73bdf7c94bca

SHA512
59e82dd02758be4ad0a8aad7671d576d9a57b8ab632c3e625e488d3a79e74df8792f8bb21e8ed1d86fdc887b4c478ecbe69c3c556e3e412389ad8a09cbc734e6

Download Submit
C:\Windows\system\bMKeTJF.exe

Filesize
5.9MB

MD5
b073203fed2985cbf7055fc49bf85a41

SHA1
f37d70fa7ee2e1ab8a1861b54319cb86f017c79d

SHA256
61e357bf3573ca1fe4adabef3e267bd3a4c6f9a64122eb935731f0681f45b6dd

SHA512
bd0bea54d56459448906c3ade4443c4487a1e347a26e0b36fc1a95ad174044053f51812aa02aa6e57968aed5d8efc82fae188866c617d4da6317c04c1a512bb2

Download Submit
C:\Windows\system\bdzAkWS.exe

Filesize
5.9MB

MD5
5d1e55e2e75332f5885a96a00a7939e4

SHA1
0ea87a4ca8b0ac9a51db1954b0fc4d1f59920bc5

SHA256
0c9d6fa03172aaa1f25eea0afab91352556f786568fe77bfd8302a9857011584

SHA512
1a1cf97724a00b2afbf1053056d9c5d471223b4eefde4b651a14714d327a8eb0edc381f1703bfd8ba629d0b2accf45807c0fe10a0bc387f7d30aac6ac20d8a07

Download Submit
C:\Windows\system\ldsBuDC.exe

Filesize
5.9MB

MD5
2b692a594c011ce6ae13c30fbb8895ad

SHA1
bd92104f75f50328f9e1a9fcaf559a507a11a964

SHA256
b1dabc31f25553bc8b1f5602e791507029dab518a6fb546a04821099cecec244

SHA512
6062ce9ca032ea48b455b7496649ae4aa7d38a71f9eb867bf38f2222a7130aba12773295202c0c426992f7b3d46b886753543cfabca85caf06be54baf7efa5e5

Download Submit
C:\Windows\system\nHBXcWZ.exe

Filesize
5.9MB

MD5
6ab2edeea24ef5f2eddbe11d26669151

SHA1
17d304e84a5b42476e4fd7351fa0e19396768b26

SHA256
f20f8b5d16b0f59262262ccdcb9800cac411dd923455b6fbac26c1b59a9c12a8

SHA512
66be70dc18d5bf2859938bb5a512cc1d1b113a10988efbcfd4517f2508bae91e8a3d59661aaf9d91a5be83d7c3ac9cd4993c5180b29730878886a24f480dc9f6

Download Submit
C:\Windows\system\ozFnNiY.exe

Filesize
5.9MB

MD5
4644f9bea31de61e126d7c9fe3927362

SHA1
c92f9345a3794025d4dba014853101f18b497a05

SHA256
3f8268c9f0088051738922dbd88a401764aee4375f80b7d0b6f39e4fa4c6c0f6

SHA512
976ee2b85b14a8e54675493894f0c314cb26cfd4e124b0d58f787516c1b284b561802a78811f4d16c2f86f818bda2dd8e52036299b278459860473dc763bd3a9

Download Submit
C:\Windows\system\pFkrhhn.exe

Filesize
5.9MB

MD5
11e6cb52d7b762ff4c12b107536ff8b1

SHA1
530363794ee392f6a37ad4f0880dd34e9d0b5ce5

SHA256
a22b98381a2ec7e76bc344ccdb052ce82a9d1be70b141834f4ce413f956c3873

SHA512
1bb481c9e2638379124c1351dc99ea12bd7fdbb80d3cda9f8fe6395e52c684ee914247ca697bbc2fbc950e41af72146be7bfd6566a80694c0f386926aac44a8c

Download Submit
C:\Windows\system\tIbEZbb.exe

Filesize
5.9MB

MD5
fbfbd6a9a23bab262b848eff0e6f92d4

SHA1
b596bb21d6302b397bb30071b90d1c5de2b9256d

SHA256
0e90d5d9ae5ab462b1298ddf3d7115d40b7cf631290cc5cefeb24b62f6b99cbf

SHA512
fd5575d0c4ec3b1b953bac531b1fb0894d4f243d4d0a29c2c6141dcd2dfee1c3bea7761a9b92f55a703c8f94078fdf2e7c02681c82c289f22102e048f0d9e6d9

Download Submit
C:\Windows\system\vJPXqhD.exe

Filesize
5.9MB

MD5
895d162afe76618b5e1097a181a4b21a

SHA1
1264357ed69b9ce82aae5eb24484ba45cff8361e

SHA256
6c8042fb0c1b37171630f8b021050defc2ed948196f764f001b13d845de433bc

SHA512
34c9bae3de38239851415296e67d2c8e24fece10cc4017959af203a4754d7ccdf8b499fd3f61190fb5eb958e354597bba54d43f4f266fdadd70548d30b6c5569

Download Submit
C:\Windows\system\yCaAycj.exe

Filesize
5.9MB

MD5
d483849e34faf5c8fbe662b07c927ded

SHA1
999f46cce4c4ecec46c0170aa4188d7c817e5d91

SHA256
53d4d657e8a0ca7c17c79522c9617121d14fe58535a2deba1019d5e5c7c04565

SHA512
857a5c96c513715b110d7330c030f104996aa8e0787e19b4423d95d1154dada76c7a9fcbb44cbd900a5b649e9671d6f695e9450ec73127dea7096f190d687c4e

Download Submit
\Windows\system\DQCdGhK.exe

Filesize
5.9MB

MD5
57762e13d147efae276fb92fb25b78e9

SHA1
542d24a043ae1b58b871dc6d84c433a1dc6ee835

SHA256
b8a6020600f5d40cd5f7cbc08a75a67560ce079d49b23ef7aadf44a37e3f5184

SHA512
2314575ddd18c44bb1f974bc4f708a332c2a01f68fde8e25d24b67fd5fe7b5168702124dfd5273c32b7a928361eaff3cfd1015dd20f5ab83433c3819f71ab05d

Download Submit
\Windows\system\PQVDvpE.exe

Filesize
5.9MB

MD5
b10f1415362add422f45b5f27dc6f131

SHA1
eb03f6ebaf9999c3197caa114a2ddca063009b23

SHA256
66768efb70efde41c465751983090b6c2be42246bc7641c59323bd68c0d8ea0a

SHA512
e7423f98b963810f7e24c107a9b5649fd5d40432d85684ba1c65b71233136669fb8a53d80d8ed937fc40b0e0e45654d9a3073cf3b5b7879c754b24c25cf11cda

Download Submit
\Windows\system\TSRrDNu.exe

Filesize
5.9MB

MD5
90fec9d5aba0939551b0730f0e2e7001

SHA1
6fb50300ed80e4ce260d1e22ce006a34076dad22

SHA256
5808a92b1a36bbba3cb14f511d40e6dc8679724b9f88ce6370beebde4f1b09fc

SHA512
d06c9818573e213e186c0fc64bcf6eee08eba332bf9b5a394209095148c0998a20d6133e5516fc1fcbe2e0c44c5ba2c8373b0e62842591e5dbed5d2ebbfa847b

Download Submit
\Windows\system\ckUKpOh.exe

Filesize
5.9MB

MD5
e397acd21657b3b8c9e1f911b1c4b83e

SHA1
da4bbd4f15658ec87429e985acd0dd007fb626f4

SHA256
b0d009bd299781ba6185cb9591118bcb1ab656c19ffa1e379adf0549ea8b5a1a

SHA512
c891b5da6712c5437c2dc6ed6f8bab13a17b0ef7c05e2543024dd75b062b16adaac06105a40cca72708491390f392c906e683391764a30bea5b402e0295a12ff

Download Submit
\Windows\system\dowAmVQ.exe

Filesize
5.9MB

MD5
c41d0f7ab7c642fe582f836ebc0478e9

SHA1
072304bf47bad7fbc47d92fbef196583e5d02d7f

SHA256
32e2ca49f97ad763994cbedf4ecd70b819eb7507e1c8fd26c92135cc1d76f868

SHA512
b0f394ffb0f700e4e218a1b50d4d1e3d8b844e6a8851b4caa67afb1b4988be737049683dadd66a7f0d47187c3d8679cbe8e7b694d7d26a8dd80d373dbac8e34c

Download Submit
\Windows\system\iXYiiay.exe

Filesize
5.9MB

MD5
fafc0207ccef4441752287a52fd52ce4

SHA1
9182e6dc554c96e0981552aa9e48c358e2b44f3c

SHA256
770dfc24887ee45b81e2547a4ceec636d7130439a78a4361d0d9152045e2054f

SHA512
0904e069084edbeb362fe7bf9d06ac197e0c5ef316911527ceb63f595dac629d5dc4828997b941d433252d666330aebbe5755959aba46732bdf464cca1a8d812

Download Submit
\Windows\system\jhlEoOD.exe

Filesize
5.9MB

MD5
b651d5db4474f1bed345fe87961afc8e

SHA1
73f4da068ef97605bc84db997bee164ad82533bb

SHA256
dbf15d86c29f7ac6f25da201962e5292807a95f497d8e8228fab9475d22ec885

SHA512
2a7e1a50dadefb5cfe92296254619a1e59488dd3c050e7876d6b961834872e431523c336ce6575828fd539a0c6696f66e9b80f2e2d146c48eb9bf61d9a99b113

Download Submit
\Windows\system\wUYXfRR.exe

Filesize
5.9MB

MD5
631c2e84837963f121a6faf1826231c5

SHA1
b4d2eb1ec349f255685bf0993022ae23f0b80955

SHA256
3ad5dad182f08c9c867da7a9dcf4a2e16abd8ec59ea24607f69a7f5187644076

SHA512
8ef914da094a723b446a5ded19921f15dcbba3faf8f2946063e16d5db1038e8222ff240732de405fc0f5f703c02c89a11dac9c4072a57b30077d959292e898bf

Download Submit
\Windows\system\yaUHmdl.exe

Filesize
5.9MB

MD5
3bc50b259d1ee02762d63af5ea2c3044

SHA1
438a7216791833cc1b093912a2d4c0656d06d5de

SHA256
0d8d6bffa454519e0ee683c348a677a038e80506e80be50d8f12d755add2b642

SHA512
2de4327ab32aa327ddcde856d3bab41541238f6e3faceadc08e5f006758ab39163f4c86baa59e2a548bfc870bbb048acbfd420b1ea16fd502e4c24b653d04c15

Download Submit
memory/1740-15-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-136-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-123-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2028-146-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2252-135-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2252-13-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2252-137-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2384-122-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2384-145-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2388-141-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2388-117-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-121-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-42-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2616-140-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2648-28-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-139-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-120-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2680-142-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2696-108-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/2696-56-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-115-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2696-107-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2696-116-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-118-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/2696-50-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2696-29-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/2696-119-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2696-134-0x000000013F4C0000-0x000000013F814000-memory.dmp

Filesize
3.3MB

Download
memory/2696-109-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-12-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2696-21-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2696-0-0x000000013F4C0000-0x000000013F814000-memory.dmp

Filesize
3.3MB

Download
memory/2696-111-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2696-112-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/2696-114-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/2696-113-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2924-27-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2924-138-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2992-144-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-110-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download