cobaltstrike | dd917461b1f4b8b25524e9d7b08e5f4a2bff5453187f8aed9c21590ceb72d393

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
Size

5.9MB
MD5

c07d6f853368e800ba9c84a4f70444ea
SHA1

7976d0977574fc76e4ee6974471d9c44751142fd
SHA256

dd917461b1f4b8b25524e9d7b08e5f4a2bff5453187f8aed9c21590ceb72d393
SHA512

31a6962074a931bb266e521a279734186352610de2534500e885369b80b304433c8f7fae8c433e48125fae6c0cb3d8a83b2fa0d0858f6a846edc3e4fe1ffcd55
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUD:E+b56utgpPF8u/7D

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012029-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016148-8.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000162d8-14.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001661e-32.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c03-53.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019256-68.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193a2-122.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019385-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019358-106.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193c3-129.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019309-97.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019394-120.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019368-118.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019346-104.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019272-81.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192fe-90.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925b-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019253-60.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000166c7-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016884-41.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000164cf-39.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 57 IoCs

miner

resource	yara_rule
behavioral1/memory/1368-0-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/files/0x000a000000012029-6.dat	xmrig
behavioral1/files/0x0008000000016148-8.dat	xmrig
behavioral1/files/0x00080000000162d8-14.dat	xmrig
behavioral1/memory/2044-13-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2220-45-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2448-31-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2724-49-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/files/0x000700000001661e-32.dat	xmrig
behavioral1/files/0x0007000000016c03-53.dat	xmrig
behavioral1/memory/1368-65-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/files/0x0005000000019256-68.dat	xmrig
behavioral1/memory/2636-78-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2788-94-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/memory/1228-99-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/files/0x00050000000193a2-122.dat	xmrig
behavioral1/files/0x0005000000019385-113.dat	xmrig
behavioral1/files/0x0005000000019358-106.dat	xmrig
behavioral1/files/0x00050000000193c3-129.dat	xmrig
behavioral1/files/0x0005000000019309-97.dat	xmrig
behavioral1/files/0x0005000000019394-120.dat	xmrig
behavioral1/files/0x0005000000019368-118.dat	xmrig
behavioral1/files/0x0005000000019346-104.dat	xmrig
behavioral1/memory/2636-138-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/1368-137-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2724-87-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/1980-86-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/files/0x0005000000019272-81.dat	xmrig
behavioral1/files/0x00050000000192fe-90.dat	xmrig
behavioral1/memory/1368-77-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2732-72-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/files/0x000500000001925b-75.dat	xmrig
behavioral1/memory/2952-64-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2736-57-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/files/0x0006000000019253-60.dat	xmrig
behavioral1/files/0x00070000000166c7-26.dat	xmrig
behavioral1/memory/2836-47-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2336-46-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/files/0x0007000000016884-41.dat	xmrig
behavioral1/files/0x00080000000164cf-39.dat	xmrig
behavioral1/memory/1368-37-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/1684-17-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/1228-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2044-143-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/1684-144-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2448-145-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2220-146-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2336-148-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/memory/2836-147-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2724-149-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2952-151-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2736-150-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2732-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2636-153-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2788-155-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/memory/1980-154-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/1228-156-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2044	cQTsSPw.exe
1684	jEyhyDz.exe
2448	HauDgFy.exe
2220	aOhUdmf.exe
2336	OgABnFO.exe
2836	tpsAvZS.exe
2724	sEHvsod.exe
2736	vPcQGhK.exe
2952	SrTrWYE.exe
2732	aGBOFEv.exe
2636	CkiZCFO.exe
1980	PEuGOXp.exe
2788	JSvjyio.exe
1228	mGMGGsr.exe
2948	WLBJbnz.exe
2012	GdVsSDL.exe
2860	LWwxiTI.exe
2464	lQeLSSf.exe
2868	rjzgHQz.exe
2084	Ninsmbm.exe
1812	njKbBSi.exe

Loads dropped DLL 21 IoCs

pid	Process
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1368-0-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/files/0x000a000000012029-6.dat	upx
behavioral1/files/0x0008000000016148-8.dat	upx
behavioral1/files/0x00080000000162d8-14.dat	upx
behavioral1/memory/2044-13-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2220-45-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2448-31-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2724-49-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/files/0x000700000001661e-32.dat	upx
behavioral1/files/0x0007000000016c03-53.dat	upx
behavioral1/memory/1368-65-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/files/0x0005000000019256-68.dat	upx
behavioral1/memory/2636-78-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2788-94-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/memory/1228-99-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/files/0x00050000000193a2-122.dat	upx
behavioral1/files/0x0005000000019385-113.dat	upx
behavioral1/files/0x0005000000019358-106.dat	upx
behavioral1/files/0x00050000000193c3-129.dat	upx
behavioral1/files/0x0005000000019309-97.dat	upx
behavioral1/files/0x0005000000019394-120.dat	upx
behavioral1/files/0x0005000000019368-118.dat	upx
behavioral1/files/0x0005000000019346-104.dat	upx
behavioral1/memory/2636-138-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2724-87-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/1980-86-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/files/0x0005000000019272-81.dat	upx
behavioral1/files/0x00050000000192fe-90.dat	upx
behavioral1/memory/2732-72-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/files/0x000500000001925b-75.dat	upx
behavioral1/memory/2952-64-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2736-57-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/files/0x0006000000019253-60.dat	upx
behavioral1/files/0x00070000000166c7-26.dat	upx
behavioral1/memory/2836-47-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2336-46-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
behavioral1/files/0x0007000000016884-41.dat	upx
behavioral1/files/0x00080000000164cf-39.dat	upx
behavioral1/memory/1684-17-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/1228-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2044-143-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/1684-144-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2448-145-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2220-146-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2336-148-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
behavioral1/memory/2836-147-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2724-149-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2952-151-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2736-150-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2732-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2636-153-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2788-155-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/memory/1980-154-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/1228-156-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sEHvsod.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\CkiZCFO.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\Ninsmbm.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\LWwxiTI.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\cQTsSPw.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\jEyhyDz.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\tpsAvZS.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\vPcQGhK.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\SrTrWYE.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\WLBJbnz.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\lQeLSSf.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\HauDgFy.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\aOhUdmf.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\PEuGOXp.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\JSvjyio.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\mGMGGsr.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\OgABnFO.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\aGBOFEv.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\rjzgHQz.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\GdVsSDL.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
File created	C:\Windows\System\njKbBSi.exe	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2044	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	31
PID 1368 wrote to memory of 2044	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	31
PID 1368 wrote to memory of 2044	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	31
PID 1368 wrote to memory of 1684	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	32
PID 1368 wrote to memory of 1684	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	32
PID 1368 wrote to memory of 1684	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	32
PID 1368 wrote to memory of 2448	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	33
PID 1368 wrote to memory of 2448	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	33
PID 1368 wrote to memory of 2448	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	33
PID 1368 wrote to memory of 2336	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	34
PID 1368 wrote to memory of 2336	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	34
PID 1368 wrote to memory of 2336	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	34
PID 1368 wrote to memory of 2220	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	35
PID 1368 wrote to memory of 2220	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	35
PID 1368 wrote to memory of 2220	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	35
PID 1368 wrote to memory of 2724	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	36
PID 1368 wrote to memory of 2724	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	36
PID 1368 wrote to memory of 2724	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	36
PID 1368 wrote to memory of 2836	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	37
PID 1368 wrote to memory of 2836	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	37
PID 1368 wrote to memory of 2836	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	37
PID 1368 wrote to memory of 2736	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	38
PID 1368 wrote to memory of 2736	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	38
PID 1368 wrote to memory of 2736	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	38
PID 1368 wrote to memory of 2952	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	39
PID 1368 wrote to memory of 2952	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	39
PID 1368 wrote to memory of 2952	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	39
PID 1368 wrote to memory of 2732	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	40
PID 1368 wrote to memory of 2732	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	40
PID 1368 wrote to memory of 2732	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	40
PID 1368 wrote to memory of 2636	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	41
PID 1368 wrote to memory of 2636	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	41
PID 1368 wrote to memory of 2636	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	41
PID 1368 wrote to memory of 1980	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	42
PID 1368 wrote to memory of 1980	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	42
PID 1368 wrote to memory of 1980	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	42
PID 1368 wrote to memory of 2788	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	43
PID 1368 wrote to memory of 2788	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	43
PID 1368 wrote to memory of 2788	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	43
PID 1368 wrote to memory of 1228	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	44
PID 1368 wrote to memory of 1228	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	44
PID 1368 wrote to memory of 1228	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	44
PID 1368 wrote to memory of 2948	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	45
PID 1368 wrote to memory of 2948	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	45
PID 1368 wrote to memory of 2948	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	45
PID 1368 wrote to memory of 2868	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	46
PID 1368 wrote to memory of 2868	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	46
PID 1368 wrote to memory of 2868	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	46
PID 1368 wrote to memory of 2012	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	47
PID 1368 wrote to memory of 2012	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	47
PID 1368 wrote to memory of 2012	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	47
PID 1368 wrote to memory of 2084	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	48
PID 1368 wrote to memory of 2084	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	48
PID 1368 wrote to memory of 2084	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	48
PID 1368 wrote to memory of 2860	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	49
PID 1368 wrote to memory of 2860	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	49
PID 1368 wrote to memory of 2860	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	49
PID 1368 wrote to memory of 1812	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	50
PID 1368 wrote to memory of 1812	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	50
PID 1368 wrote to memory of 1812	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	50
PID 1368 wrote to memory of 2464	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	51
PID 1368 wrote to memory of 2464	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	51
PID 1368 wrote to memory of 2464	1368	c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c07d6f853368e800ba9c84a4f70444ea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\System\cQTsSPw.exe
  C:\Windows\System\cQTsSPw.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\jEyhyDz.exe
  C:\Windows\System\jEyhyDz.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\HauDgFy.exe
  C:\Windows\System\HauDgFy.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\OgABnFO.exe
  C:\Windows\System\OgABnFO.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\aOhUdmf.exe
  C:\Windows\System\aOhUdmf.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\sEHvsod.exe
  C:\Windows\System\sEHvsod.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\tpsAvZS.exe
  C:\Windows\System\tpsAvZS.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\vPcQGhK.exe
  C:\Windows\System\vPcQGhK.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\SrTrWYE.exe
  C:\Windows\System\SrTrWYE.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\aGBOFEv.exe
  C:\Windows\System\aGBOFEv.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\CkiZCFO.exe
  C:\Windows\System\CkiZCFO.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\PEuGOXp.exe
  C:\Windows\System\PEuGOXp.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\JSvjyio.exe
  C:\Windows\System\JSvjyio.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\mGMGGsr.exe
  C:\Windows\System\mGMGGsr.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\WLBJbnz.exe
  C:\Windows\System\WLBJbnz.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\rjzgHQz.exe
  C:\Windows\System\rjzgHQz.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\GdVsSDL.exe
  C:\Windows\System\GdVsSDL.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\Ninsmbm.exe
  C:\Windows\System\Ninsmbm.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\LWwxiTI.exe
  C:\Windows\System\LWwxiTI.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\njKbBSi.exe
  C:\Windows\System\njKbBSi.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\lQeLSSf.exe
  C:\Windows\System\lQeLSSf.exe
  2⤵
  - Executes dropped EXE
  PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CkiZCFO.exe

Filesize
5.9MB

MD5
f1b9d2a4e7ea4f81b1f4354cd31000bb

SHA1
55daeaf49c0860a9e47e362e5a7229ebbd5965b1

SHA256
d283369d850e506a8ff79655bacbaf68f9d546f039606dc8c848d04c4f5b4491

SHA512
52eb8db38ffc6e18658447f65094825ab12a215a714f0dda997a8f207c28dfbbd6ccfc2436f1f53193f2937130dbbfde4abbc10c68e1ef45fa17ad88b6a23f0d

Download Submit
C:\Windows\system\GdVsSDL.exe

Filesize
5.9MB

MD5
5c8526841d8863a36626c94dadf07e75

SHA1
0c70d764e58aa970159597ca4d26ba427f938148

SHA256
2fea0c82108a0782f3d032cda413e5109ad5845f69973fb715d677c657771700

SHA512
6342ca8c3f72692c1f1305eed32958961d7c093b3e77001b37c2f4e8dfab9cad84700671198dc1ed91676fe1f1b015077155276961a613038dc99e42ddc9d092

Download Submit
C:\Windows\system\JSvjyio.exe

Filesize
5.9MB

MD5
0a599237852f0232b50fc60da5922458

SHA1
8158c945bd31c86defc62036373d4b630b2f7bfd

SHA256
d74708fd93038e9a4ff10d5b437b08b124ba74749e80f51ac0b8330af5bf76d4

SHA512
ef6f4bd56045ea80c6da24f6771d5c3ba01b3f58a11bc93bfb986fb992d87de93e182adfc8168dffeb6d2e7d8fd643a2eae7259b911d4d431e9378d193ce78fa

Download Submit
C:\Windows\system\LWwxiTI.exe

Filesize
5.9MB

MD5
528e1fcf4bae43de4948384c36e2b5c6

SHA1
337705ae0f9e0e5e61d35baa8ea7af2a321f9427

SHA256
3aa5ef4c133e1cdb9f78f3b96957f67ad42cee1d2e4e55d7e934c16ed92d6552

SHA512
83af62cbe24a1b9025a6930d392142350a5caeca74bc03e2f0e5f56bafe0fbeb0672f53cef195b48064e3f25172fbc94fa0131140e040f67ab93bf943d69cddc

Download Submit
C:\Windows\system\OgABnFO.exe

Filesize
5.9MB

MD5
8543a4ac071f89ad2835c23e0a588581

SHA1
a954a8a7f45e6bc4fdb589b2cd545c7aef0046ac

SHA256
f37713a9900d8d0ad180b2c82c82726dfbae87ec6f310fbb0860861af0ab3c38

SHA512
c00e6afeda5d7ee710a9bcfec68d61dfd49dfa410814022d3d7681eaf38e3f6d50a6cd717f7713c30fc211cfcc0f8ecc5caae5821cc43399accf6565b1f23d5b

Download Submit
C:\Windows\system\PEuGOXp.exe

Filesize
5.9MB

MD5
2f6ec47030a66c80295960bdbd0ebba0

SHA1
05386558c1a532f97e830a40524f414ae79b388a

SHA256
47347c793b7744f11a52fd0c0c7212e38640073b19a31cca4fd06790eabc4353

SHA512
d59c8bd90cc1602a505586f9d663f6774ed2d3e34c74178ca863468942aefab9569c9266a249223885a84ed87f461a53f42802ab8c365d7376a33947c7b4106e

Download Submit
C:\Windows\system\SrTrWYE.exe

Filesize
5.9MB

MD5
ba50b1154263d15250c23f20c2fffb9e

SHA1
9fce59cfd4a3d818ffe06f1cbfb9740a2440e3b6

SHA256
622d42b41d441e03d1d7cd91cf4e10073d563257569259587afb26d5135c6112

SHA512
aa7712f0d5512fcc8ecdb92e991612b09c768ab3b7ea9eb47b63b3c0afefb381cd02d36bbc530e75e39d76021e284dc2bc50275a36c2fe83335576e79b4dbb87

Download Submit
C:\Windows\system\WLBJbnz.exe

Filesize
5.9MB

MD5
e6129af82964b95a27263d8a772c16c1

SHA1
1b85f6ad502b64a0c0ad955a935db9221dd8e466

SHA256
f9c5231689ec78bf1eed4a7e74d9321eee228f2732b702ae63054958560d5e23

SHA512
b0c565d48758800c5c4aa1cfdc1e9a3b740f5755844d0ed80e9c0cc0b88c608348beae5d520129b3471cddcb963e7d1eba34ec6a27832af1a53f977183f42948

Download Submit
C:\Windows\system\aGBOFEv.exe

Filesize
5.9MB

MD5
cb0f92dfa590abe8af0236787bea9ef7

SHA1
d074aeb84fb1d098877cafcf8b6083d94bf71fd7

SHA256
3f36aaec9e69514a09705ac0e8e2960d922f8000bcdfd941e2018d3f2c51aa12

SHA512
55bd199f353ad13296c33b827ec21f447a9687db6a6f95d1b8d862f128c44b6bcaa0e5cbc4ee27c951648eed857e404554a233c521693bc263a31676edc694c6

Download Submit
C:\Windows\system\aOhUdmf.exe

Filesize
5.9MB

MD5
df4c6838be135350af76a97e51429d55

SHA1
a77233137ac3d7cc0b477f85fc6866ceccf25103

SHA256
072d08723692b9987ea0fdd9e589a46b5f423af454dc8b2b9061b2824d7ce99c

SHA512
b627d42cb0fa10c1682eed4f5dca9d067d09735b728b0ffd7c90f9af2e092f44b8d68800dc7746268f6408feb5ca8cf8d3e50057ed8df2011e133b84e51af7c2

Download Submit
C:\Windows\system\cQTsSPw.exe

Filesize
5.9MB

MD5
20eb7e67ca8c985dfdc8288e24c42265

SHA1
4f3ca566af53b59bd448257b57373abb1f81e728

SHA256
b2ab76f795f85247b2eac93520e3706422573c1a9b519d068ac7e814af35c588

SHA512
a2e9c4303db2c1164ae56bbb16c126a49b77e55b7b748327599cf3f5b3afc7b335d895b5c2097ccfe2dc27562881ad76f87e1cf36facc43ad3c17668361c8b45

Download Submit
C:\Windows\system\lQeLSSf.exe

Filesize
5.9MB

MD5
850549f53fe7213a8846fac000d70d8e

SHA1
b3345b23dfa9a96c8d3f582e1de98a2881ab7a74

SHA256
24a783920ca762c2159654fd68046158b0b02a0cc13bc65c70c69e762cc5921b

SHA512
b038dcb1ea8a7d304e7f276aa358aa1a3aa2061a22621e30f1fca43a36d43c27171e793826efd5bdb1d18d166f5140f566a11a59a814e34a9653f1ca7a354e62

Download Submit
C:\Windows\system\mGMGGsr.exe

Filesize
5.9MB

MD5
3c3ac5e72269829e31ba38b81e7f5c65

SHA1
c572f0141afeff746076500ae014cc29809e296c

SHA256
8a19cda6a699fc0559a08e58dc5fdea54e9219119a7f23eb4de696269bea0d65

SHA512
ad674b10fb09b63e32481562d76c2f4f3956798d505fc665f47a530780a614d2178f333fa4b93d5a42a4b17385e232c270029d6f6d17398dd24de39809d401dc

Download Submit
C:\Windows\system\tpsAvZS.exe

Filesize
5.9MB

MD5
7aff4557403f37d81c27820951680188

SHA1
5d113be166813a5af9171c61ee7962dbad5eab82

SHA256
60193b951a91c32c8ffe0083448798e7d846966346162e0962932f0fba6c7c31

SHA512
d8eff4b7ea82b5b83dc6d33177c57bda4546d74ccf839b2ce3a9019666654c098ff4c8d256ff3206f156d2d6c86806b11b6e602ca20f3b7c290604ca1e8884bf

Download Submit
C:\Windows\system\vPcQGhK.exe

Filesize
5.9MB

MD5
b25e76fc4eb60b887e21ea21c2f3997f

SHA1
25a05bd84226d685630509b92e05ac85f5d9d853

SHA256
6306e94a64767e028291c5ced1e431e63a8d1b5314a67c6a2eb6fbf094744d56

SHA512
452ccd95f69d5e4e70c774ab2f7997930b0bb74aa4bb8e41c0ca50bffe7d9e5e9174db0e0a517a0061d339c267f25392fc337ca1de00b9454659eb64bf7bf7b4

Download Submit
\Windows\system\HauDgFy.exe

Filesize
5.9MB

MD5
a1f1c94fd50da2e35e0834d7d6a79e15

SHA1
930361e8647891be8bf250557f190e73a6832365

SHA256
be723cce85a1c5007602f316abee3e704149f1474d25763a354e00a91c1e64c6

SHA512
80a409d28573ebea0fb7127712a08bab0f3f7bca507ae12f156a1b4a7ef0cd3e1f2a1a8b14ffda83cd8c2c402a5d297e608fb2e522f018adc2cdb2524a7dc93a

Download Submit
\Windows\system\Ninsmbm.exe

Filesize
5.9MB

MD5
a218e93d979c7f5170229a75f7411394

SHA1
b53bc7ccf41ef18d96defa9479b17fadb7a0648e

SHA256
0759b25b529674aad9e28e841711762106aa56a2d3b01ef40288c3744726a8d8

SHA512
a18efa3faa03ce8e5c63c4d20f5aa828de3cab9f665c4eb6502bb5952b9bc23af75b8a16c75501542f3374e1c890fb09eb7fde4ae4a73bf72292b6e77f2967fc

Download Submit
\Windows\system\jEyhyDz.exe

Filesize
5.9MB

MD5
5a14eb4cf5ac3f2f6addadd23dee706e

SHA1
62a99e5b7a9302c86ae32fb08a6b2d0aed95a1cb

SHA256
513deb0bb9fded14ec234a0b2925051c7d72a146861ccd259fb28b6de0949e08

SHA512
2ef08a7a1c13d3d7de43e98018da4a033c5238b0d84d8647047877b8199b8237d8c12667b6de9850a2fe18434b72401936ceb5f1958d630cbfb4e5e29720b975

Download Submit
\Windows\system\njKbBSi.exe

Filesize
5.9MB

MD5
d030b2f06d4046874ba9b18117078b03

SHA1
13d307822c2c854ed2867f3b1e89da779ac49090

SHA256
5c7d1c2886f397680549255e53f3a1030680ec4141a6bfe058174a3292f7440e

SHA512
e4063eee8085bcc1faedd1a8a9e4b7a78ec8f4feb153ff314b81f7ce252b7faece3725c1941e7b9a260c5d78b948c53c093a16a6cd2cba209e2bab1291dabb92

Download Submit
\Windows\system\rjzgHQz.exe

Filesize
5.9MB

MD5
b24bdad7d4697e46fe11ace65344eadc

SHA1
069846c0fc1f01f36900f22f076fc8aa1c35a3e6

SHA256
9e572330d689fe6ff2aff7ccd7ccdca15185bc425beaf1b9da2caf9a33c8beed

SHA512
48c001445f83ab0b875c0848b509558cb73f13cf8e931b0ff45e0b639b39b3b99a1cb46c37a5d486a70bf8c5f9c004409f7de3dd2d0f35df23978eac29c84b34

Download Submit
\Windows\system\sEHvsod.exe

Filesize
5.9MB

MD5
5250b4ef1a758c267579eb08505ff942

SHA1
283816069fb1f7ea984a4710497ea232e7457f35

SHA256
8d87e636523ba8ff44ca171cbc22e275667092e6f9acce15f98a3097f5bbd0bd

SHA512
3221d96fb9981927e039c6faf2297e53f6d4376cef995ee550df434663a2be9b68626e695924f8f92e6e23ee8a083466d50dd3b7ae6a71bf1fba86df642e8889

Download Submit
memory/1228-99-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1228-142-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1228-156-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1368-71-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-77-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/1368-109-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1368-137-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/1368-93-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-40-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/1368-38-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-42-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/1368-85-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1368-139-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1368-140-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-98-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-0-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/1368-37-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-141-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-63-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-21-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/1368-56-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/1368-65-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/1368-30-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/1684-17-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/1684-144-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/1980-86-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1980-154-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2044-13-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-143-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2220-45-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2220-146-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2336-46-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2336-148-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2448-31-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2448-145-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2636-138-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2636-78-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2636-153-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2724-149-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-49-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-87-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-72-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-150-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2736-57-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2788-94-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-155-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-147-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-47-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2952-64-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2952-151-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download