cobaltstrike | 7400dd356ccd19d49549502af5e9bdfb216b24978bb97c2c43b47f149829a882

Analysis

max time kernel
139s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
Size

5.9MB
MD5

d71093a9e23c345b19ea0b7ca1811a1b
SHA1

42c29902468012f73c1a03492609ad2a141dc04f
SHA256

7400dd356ccd19d49549502af5e9bdfb216b24978bb97c2c43b47f149829a882
SHA512

8df25a693e5a57c6e2c810760bd80cce35dad86edd47b37c9ee5bbc9909b998fecdc8762842081ece25e03a760108ea77069c6d38f406f1d556a69ac8b35c619
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUH:E+b56utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000700000001211a-6.dat	cobalt_reflective_dll
behavioral1/files/0x0015000000016dd7-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ea4-13.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001706d-23.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173da-24.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173f1-36.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173f4-44.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173fc-49.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191ff-58.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019244-68.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019263-83.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019266-88.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001928c-98.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001936b-111.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019356-106.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019353-103.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019284-93.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-78.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019256-73.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001922c-63.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000191d4-53.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral1/memory/2948-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/files/0x000700000001211a-6.dat	xmrig
behavioral1/files/0x0015000000016dd7-9.dat	xmrig
behavioral1/files/0x0008000000016ea4-13.dat	xmrig
behavioral1/memory/2712-18-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/files/0x000800000001706d-23.dat	xmrig
behavioral1/files/0x00070000000173da-24.dat	xmrig
behavioral1/memory/2948-31-0x00000000022C0000-0x0000000002614000-memory.dmp	xmrig
behavioral1/memory/2776-30-0x000000013F7B0000-0x000000013FB04000-memory.dmp	xmrig
behavioral1/memory/2948-33-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2672-32-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/memory/2828-35-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/files/0x00070000000173f1-36.dat	xmrig
behavioral1/files/0x00070000000173f4-44.dat	xmrig
behavioral1/files/0x00070000000173fc-49.dat	xmrig
behavioral1/files/0x00050000000191ff-58.dat	xmrig
behavioral1/files/0x0005000000019244-68.dat	xmrig
behavioral1/files/0x0005000000019263-83.dat	xmrig
behavioral1/files/0x0005000000019266-88.dat	xmrig
behavioral1/files/0x000500000001928c-98.dat	xmrig
behavioral1/files/0x000500000001936b-111.dat	xmrig
behavioral1/files/0x0005000000019356-106.dat	xmrig
behavioral1/files/0x0005000000019353-103.dat	xmrig
behavioral1/files/0x0005000000019284-93.dat	xmrig
behavioral1/files/0x0005000000019259-78.dat	xmrig
behavioral1/files/0x0005000000019256-73.dat	xmrig
behavioral1/files/0x000500000001922c-63.dat	xmrig
behavioral1/files/0x00070000000191d4-53.dat	xmrig
behavioral1/memory/2964-116-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2820-119-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2948-120-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2728-117-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2580-121-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/796-122-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2208-124-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/1484-126-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2064-127-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2148-128-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/1972-129-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2948-130-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2712-131-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2672-133-0x000000013FB10000-0x000000013FE64000-memory.dmp	xmrig
behavioral1/memory/2776-132-0x000000013F7B0000-0x000000013FB04000-memory.dmp	xmrig
behavioral1/memory/2964-134-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2828-135-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2728-136-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2820-137-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2580-138-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/796-139-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2208-140-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/1484-141-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2064-142-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2148-143-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/1972-144-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2712	yvEALTK.exe
2776	NPkDpUg.exe
2672	DpHcedr.exe
2964	ynyeceB.exe
2828	ZCCQrhs.exe
2728	QdFIiuS.exe
2820	WohLgGX.exe
2580	aiWPcVf.exe
796	BWBAltp.exe
2208	zXYMAsX.exe
1484	gEMBFlz.exe
2064	SgMsCaV.exe
2148	HfKjqUa.exe
1972	gCixJXO.exe
2540	gvbLNtu.exe
2784	cNgWRtU.exe
1708	PiYPYip.exe
1088	jRLShqz.exe
1740	qgjlsJV.exe
1132	RQuctUl.exe
2060	jywPzDx.exe

Loads dropped DLL 21 IoCs

pid	Process
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2948-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/files/0x000700000001211a-6.dat	upx
behavioral1/files/0x0015000000016dd7-9.dat	upx
behavioral1/files/0x0008000000016ea4-13.dat	upx
behavioral1/memory/2712-18-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/files/0x000800000001706d-23.dat	upx
behavioral1/files/0x00070000000173da-24.dat	upx
behavioral1/memory/2776-30-0x000000013F7B0000-0x000000013FB04000-memory.dmp	upx
behavioral1/memory/2672-32-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
behavioral1/memory/2828-35-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/files/0x00070000000173f1-36.dat	upx
behavioral1/files/0x00070000000173f4-44.dat	upx
behavioral1/files/0x00070000000173fc-49.dat	upx
behavioral1/files/0x00050000000191ff-58.dat	upx
behavioral1/files/0x0005000000019244-68.dat	upx
behavioral1/files/0x0005000000019263-83.dat	upx
behavioral1/files/0x0005000000019266-88.dat	upx
behavioral1/files/0x000500000001928c-98.dat	upx
behavioral1/files/0x000500000001936b-111.dat	upx
behavioral1/files/0x0005000000019356-106.dat	upx
behavioral1/files/0x0005000000019353-103.dat	upx
behavioral1/files/0x0005000000019284-93.dat	upx
behavioral1/files/0x0005000000019259-78.dat	upx
behavioral1/files/0x0005000000019256-73.dat	upx
behavioral1/files/0x000500000001922c-63.dat	upx
behavioral1/files/0x00070000000191d4-53.dat	upx
behavioral1/memory/2964-116-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2820-119-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2728-117-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2580-121-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/796-122-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2208-124-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/1484-126-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2064-127-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2148-128-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/1972-129-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2948-130-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2712-131-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2672-133-0x000000013FB10000-0x000000013FE64000-memory.dmp	upx
behavioral1/memory/2776-132-0x000000013F7B0000-0x000000013FB04000-memory.dmp	upx
behavioral1/memory/2964-134-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2828-135-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2728-136-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2820-137-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2580-138-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/796-139-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2208-140-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/1484-141-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2064-142-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2148-143-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/1972-144-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qgjlsJV.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\jywPzDx.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\DpHcedr.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\BWBAltp.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\HfKjqUa.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\gCixJXO.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\gvbLNtu.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\PiYPYip.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\ynyeceB.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\ZCCQrhs.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\gEMBFlz.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\jRLShqz.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\yvEALTK.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\NPkDpUg.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\QdFIiuS.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\WohLgGX.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\aiWPcVf.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\SgMsCaV.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\zXYMAsX.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\cNgWRtU.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
File created	C:\Windows\System\RQuctUl.exe	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2712	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2712	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2712	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2776	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	32
PID 2948 wrote to memory of 2776	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	32
PID 2948 wrote to memory of 2776	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	32
PID 2948 wrote to memory of 2672	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	33
PID 2948 wrote to memory of 2672	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	33
PID 2948 wrote to memory of 2672	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	33
PID 2948 wrote to memory of 2964	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	34
PID 2948 wrote to memory of 2964	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	34
PID 2948 wrote to memory of 2964	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	34
PID 2948 wrote to memory of 2828	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	35
PID 2948 wrote to memory of 2828	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	35
PID 2948 wrote to memory of 2828	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	35
PID 2948 wrote to memory of 2728	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	36
PID 2948 wrote to memory of 2728	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	36
PID 2948 wrote to memory of 2728	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	36
PID 2948 wrote to memory of 2820	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	37
PID 2948 wrote to memory of 2820	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	37
PID 2948 wrote to memory of 2820	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	37
PID 2948 wrote to memory of 2580	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	38
PID 2948 wrote to memory of 2580	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	38
PID 2948 wrote to memory of 2580	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	38
PID 2948 wrote to memory of 796	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	39
PID 2948 wrote to memory of 796	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	39
PID 2948 wrote to memory of 796	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	39
PID 2948 wrote to memory of 2208	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	40
PID 2948 wrote to memory of 2208	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	40
PID 2948 wrote to memory of 2208	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	40
PID 2948 wrote to memory of 1484	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	41
PID 2948 wrote to memory of 1484	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	41
PID 2948 wrote to memory of 1484	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	41
PID 2948 wrote to memory of 2064	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	42
PID 2948 wrote to memory of 2064	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	42
PID 2948 wrote to memory of 2064	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	42
PID 2948 wrote to memory of 2148	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	43
PID 2948 wrote to memory of 2148	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	43
PID 2948 wrote to memory of 2148	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	43
PID 2948 wrote to memory of 1972	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	44
PID 2948 wrote to memory of 1972	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	44
PID 2948 wrote to memory of 1972	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	44
PID 2948 wrote to memory of 2540	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	45
PID 2948 wrote to memory of 2540	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	45
PID 2948 wrote to memory of 2540	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	45
PID 2948 wrote to memory of 2784	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	46
PID 2948 wrote to memory of 2784	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	46
PID 2948 wrote to memory of 2784	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	46
PID 2948 wrote to memory of 1708	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	47
PID 2948 wrote to memory of 1708	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	47
PID 2948 wrote to memory of 1708	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	47
PID 2948 wrote to memory of 1088	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	48
PID 2948 wrote to memory of 1088	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	48
PID 2948 wrote to memory of 1088	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	48
PID 2948 wrote to memory of 1740	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	49
PID 2948 wrote to memory of 1740	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	49
PID 2948 wrote to memory of 1740	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	49
PID 2948 wrote to memory of 2060	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	50
PID 2948 wrote to memory of 2060	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	50
PID 2948 wrote to memory of 2060	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	50
PID 2948 wrote to memory of 1132	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	51
PID 2948 wrote to memory of 1132	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	51
PID 2948 wrote to memory of 1132	2948	d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d71093a9e23c345b19ea0b7ca1811a1b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\System\yvEALTK.exe
  C:\Windows\System\yvEALTK.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\NPkDpUg.exe
  C:\Windows\System\NPkDpUg.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\DpHcedr.exe
  C:\Windows\System\DpHcedr.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\ynyeceB.exe
  C:\Windows\System\ynyeceB.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\ZCCQrhs.exe
  C:\Windows\System\ZCCQrhs.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\QdFIiuS.exe
  C:\Windows\System\QdFIiuS.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\WohLgGX.exe
  C:\Windows\System\WohLgGX.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\aiWPcVf.exe
  C:\Windows\System\aiWPcVf.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\BWBAltp.exe
  C:\Windows\System\BWBAltp.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\zXYMAsX.exe
  C:\Windows\System\zXYMAsX.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\gEMBFlz.exe
  C:\Windows\System\gEMBFlz.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\SgMsCaV.exe
  C:\Windows\System\SgMsCaV.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\HfKjqUa.exe
  C:\Windows\System\HfKjqUa.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\gCixJXO.exe
  C:\Windows\System\gCixJXO.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\gvbLNtu.exe
  C:\Windows\System\gvbLNtu.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\cNgWRtU.exe
  C:\Windows\System\cNgWRtU.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\PiYPYip.exe
  C:\Windows\System\PiYPYip.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\jRLShqz.exe
  C:\Windows\System\jRLShqz.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\qgjlsJV.exe
  C:\Windows\System\qgjlsJV.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\jywPzDx.exe
  C:\Windows\System\jywPzDx.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\RQuctUl.exe
  C:\Windows\System\RQuctUl.exe
  2⤵
  - Executes dropped EXE
  PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BWBAltp.exe

Filesize
5.9MB

MD5
12fb2dfdc2f6f19da7532393f3f052b0

SHA1
aaf789aadd529702993c5ad1715637de5d8801b9

SHA256
1a3fb42c946bb7dc72c1b8348ad64614fa7c01ac889d7d40be6e3f126b62afbe

SHA512
e8c9ae791275fc881c6076a3b11d04cdd9002f0ed5b7474dc92f0764b88888c8aff002312e079e2c84b4a699e8fb0041eea78cc3258fe3cc67ff337192384437

Download Submit
C:\Windows\system\HfKjqUa.exe

Filesize
5.9MB

MD5
d8fd47db70b9e5222392d1cab567afc3

SHA1
aefd76216aaed21b3080baba43f72e897ff5859c

SHA256
f559e17db6c522deb90258e66195781a3b4aa4866fb5ed6f04d5b789c0b7a141

SHA512
ad32261547913af14bbae8d7a53df56c25e29b18201f5f693710a4bf4fb193ccb55351a142af106483baa7c88c64fee561b5cdca2f396bf7bb78e03e0d479531

Download Submit
C:\Windows\system\PiYPYip.exe

Filesize
5.9MB

MD5
f355e3fa76f65fbb154a61d38911c644

SHA1
d36642723ef3dc53b85cc9c87e2f101e9574620c

SHA256
009b9a94c9a9fff67f07a2121ff9b162b493f099cf5aa006779b23643f903da9

SHA512
abcf2f322f7e826b177c1b6bf13c49750a28fc45643fdabed22f3359f05440374a1315b2b0058c24dea0cb19ffe38d3ea7dc53e426972d6deb56299adf8e8854

Download Submit
C:\Windows\system\RQuctUl.exe

Filesize
5.9MB

MD5
87b2d08c847b9bf674ab7b70ce5ea1b6

SHA1
1a2d374a7398eb4bde98ee344b91ac5ecd9a54e9

SHA256
de0a6115959c8b06cfe2d43413f76cec7d02b6b32c5b31a36df1f8b79b6a1e30

SHA512
6f47f9a371581ffe2b152acc661dec2fff2de5c56da5ab74518ab53191fef0f1f7bc2a3172bbadb5478874ba9e5cd98b541aab9c2896148f3c3c27b6b7713fc0

Download Submit
C:\Windows\system\SgMsCaV.exe

Filesize
5.9MB

MD5
2a697849b4957c0e85801f7fc088ae2b

SHA1
f7cf996f5c8f80d6649b4551473c4e5d21fbdd43

SHA256
2a019931eb48ceb4bb6f95a41aec935cee21ca984a059bb37c260a8a65eee2f1

SHA512
711c45b52feb6ac6bb5d017e66d11eed7d35dac5485cbb8180fe389452c164e1d89fe0017a0aba9a0ac0730fb4f9f4fe41f670cce38312bda073a2824e195314

Download Submit
C:\Windows\system\WohLgGX.exe

Filesize
5.9MB

MD5
f4e2cfa9ba43e3373ec196cb99583121

SHA1
b305769f1213f83fddfbf3e29d6e97da15c9a8d3

SHA256
14414290987a7affbf03f4afdbd762aa3d97d654b19da6b7ffacd4b70ba5cbaa

SHA512
fee19f87a8a5cf0627b71d020080cf80a7ed26ecb1da107fd0a51c1dff93ac6afa573c4186cbaab4046dec84d558123d2e7b52f5175a76bfdbec0984887d9b82

Download Submit
C:\Windows\system\aiWPcVf.exe

Filesize
5.9MB

MD5
aa3e16ab6a1660792ad365f9e938b122

SHA1
10729a6683c93b7062fc5793eb7e06af357d857e

SHA256
67da0324e9a99ad99dcb49be34c0869575dbc39881c373ba838b47af5cb05acd

SHA512
39530687e9792d1ff9303870ac954d5a02ac4149b0eee946092b7b5a25c49efa313b8419d7dce18fba3eb2cd486fb1dea4370fac34d7f6d7b72e6e3277c1284f

Download Submit
C:\Windows\system\cNgWRtU.exe

Filesize
5.9MB

MD5
58b6d5065da71bddfb2644099cf7b504

SHA1
f1b115b12d9910f741875ee675d585689d822ff9

SHA256
625422c422551fb8d1e2b7617f19e8377173e73675d1032ae501019fcb78ee0d

SHA512
160d24b9e45b9c3eedbbb2f4326b873ce45f0d5eb4b0a9e98ff3054857ea56ec8cafc281be7f4a1b0efef4bee92267bab36a55bc95cbe9f6ae5f3deb58b5e015

Download Submit
C:\Windows\system\gCixJXO.exe

Filesize
5.9MB

MD5
fc88f1683fde027e71c15d2b527e7a55

SHA1
61426cd969ca19b2ca4af4f39e36359f830089e4

SHA256
9bd95342f7c14a764d86680d2974863a2a5cbecc054eabcbbb669e668927f62c

SHA512
e4ff948ec3b45eee33afe618fc485d9e0f575d55f609d7f9a6759cb67871170af9129257163acab8fd4888011e664ffb306aec9c7076c470cdffca8205a7c6bd

Download Submit
C:\Windows\system\gEMBFlz.exe

Filesize
5.9MB

MD5
5a47817a3e5b1fcf1979beb1164772d7

SHA1
f88ca650b7c9a07b5d3df4fca09fbb03279c3c58

SHA256
6b247d55041badb0d71a1506bdfb5f3bdb78d5010327e9ab5e1a499ac44e09e3

SHA512
bbc25243cf5eb42c52aef99511fa2a08171c2d87bc38e6b11cc7c4085f735975ee4a463c9858ddd13a834d4fb28aa5584b0e83084bd0bb9c03b80fc5d17a7470

Download Submit
C:\Windows\system\gvbLNtu.exe

Filesize
5.9MB

MD5
8bc9921eb4c87d3f214318ac3a5e5deb

SHA1
11d3a61cadc85336d6218af2621a5a03229cbf3f

SHA256
dac46479fa20044056c24090960b3eff682994b72c1193ebf39f60d9a73c5310

SHA512
a73b43fba2a3c83af191205346665c2d0740d1eda07d62ca481bf7f438fc7e6f6ab2d94b4d6323ac55b8ec7c1126d81b23b6ee3052c5741fb4e3ad5e98edd5be

Download Submit
C:\Windows\system\jRLShqz.exe

Filesize
5.9MB

MD5
f1f896fd7ffa2d18a4a24fd52e80aa1b

SHA1
a3cfbdcf5d2abcd1917e7cb47f679f184f0d8c5e

SHA256
4cdfb484c20b11de2dc23893c18c22ae09b7b925835f8ff77299a20eed5f4c45

SHA512
423b6468d13d841020072c7f6531cbcd55664838bb2447ebc765e1f91c2c8bb05df76abeb88517cc581847eb50cc1e0171de8b96543b2aa1a7012c6373101859

Download Submit
C:\Windows\system\qgjlsJV.exe

Filesize
5.9MB

MD5
7d3a62409b8a34b9d8d255f8b866aead

SHA1
f6642fa41d8e05a89f8b0136b6e3d8036d20bde8

SHA256
c86ca131a976f296d3377cbfc059ea5e4321787c767c3789dd875f6492cf32ad

SHA512
a649f2c5f49405553f4557e2b24df057000caedd43cb251d950533e193a20272e38395ccfd3a931b264d90ee74c7aa1d7607895d4c4f0b6f49c0f8bd608c6b08

Download Submit
C:\Windows\system\ynyeceB.exe

Filesize
5.9MB

MD5
3c0189b4b5a76f59ab1a0cd15675dab4

SHA1
7da09fb2b9bdacb76e74b3dc415425537b982364

SHA256
2a75d6e5bc3d023c0f63aacde10966fd3f1e7a5a23a0f30b2256a09be30a5006

SHA512
9616e4a467ce82755410a05155899ee58fb8f3facb432623de68e04194ae4b5b152138626c646e75db90843ce598dde806e48d17f326f24cfcd9f36ef831e280

Download Submit
C:\Windows\system\yvEALTK.exe

Filesize
5.9MB

MD5
0157c557311fc6326cfec660873f4581

SHA1
7a089dbb08c8867f30a3609e97eba9a9b0cf6097

SHA256
e907bbf339095e7e47c6951f95776ccc31e2cbb1329e00368d92bf86d562baa5

SHA512
5343ff373fbc3af52fcb93f6812fb56ab9ae6488b795f1111186014acd3405e1393d331fadebbf8525415287b7486f4da5fa6de294365ce1febe25dae4c945bb

Download Submit
C:\Windows\system\zXYMAsX.exe

Filesize
5.9MB

MD5
dfc30be3bcb5db642f94c034ce5767a4

SHA1
0a7b8c2ce76a18736db2908b7c5521451052c530

SHA256
f83038d889c1be5d99e245de40b87e1df0d8ef6df7c678485ce4b35379c09fe8

SHA512
285c32cd405d469f7fb7f2a3b0f2c840fee136a175706393da6f46ec41af977c3159e1a3ebe8e2d9e4178c5c69619fee396cd11318243263123cfb1a1d985ea9

Download Submit
\Windows\system\DpHcedr.exe

Filesize
5.9MB

MD5
a99db546655684211eb19cad27a7b4d2

SHA1
f0108c33506b0fc64a4b66978d866b9375ba7d42

SHA256
118746f1124e41839486b50a497947d30ea4dd270e36175e57f22f40e2a71a6c

SHA512
f2ac2799b75b9b62271e502d536f8e75519eda924dfc01d90869eef04287d012b6e0ba865dd025787b658b3a1a5cb49472caab698746858b5b2cee8278a0c367

Download Submit
\Windows\system\NPkDpUg.exe

Filesize
5.9MB

MD5
44f089de7344426a965bc8251bdb2075

SHA1
7d69ff027f2fb80791ec0adb4139577f27868134

SHA256
9adb0571974b6152bd0304faf508b5397835b0871eb20b57c12ad14af1077b51

SHA512
853464ef535f534a9cb5d62c596cb0aa1bfad820c5a885b1bf75f544d8afa427b9c94c5d1fa5bd25ac90766287c33b37098861048b88b160dbaa63184902626e

Download Submit
\Windows\system\QdFIiuS.exe

Filesize
5.9MB

MD5
7f5d78d131db75b8fde20f70c9f0ab2f

SHA1
194c0d5573e660bc883b9712a3924dc823c83549

SHA256
c1d706b545c6066469b4c1baa274b97c56593fc33b8679b87a6042853f90ffff

SHA512
e74f3bd3db72dbd156269e9a41dea64d3a4c112dba925321bc0ae4d990a4a59426e73b9a6ceaf4d56da8fc1599e9c9d8cf5a347b036333f0dac6d281fec6bfd7

Download Submit
\Windows\system\ZCCQrhs.exe

Filesize
5.9MB

MD5
46ecd210a1ccd80c2eb9f64518986117

SHA1
0ecea8da5e899f2db7d5edd6304fb9f311f241fe

SHA256
aa46d1e8c69998483da39ce324955d296ae0b7c69b96f33db774ef6bc5ede7a2

SHA512
f4281c9e9eec847cd13a0a2a7bd87eeec7fdc3e814822cf340920057e6ddc9d538a55692b050a9aa9ebcb9bf3ef5b419c61c0ddbcf2f21bc2d81470484287c7c

Download Submit
\Windows\system\jywPzDx.exe

Filesize
5.9MB

MD5
b99d85655294155e2b7276a70de5d272

SHA1
c861586f7a0b11ca46b19abeecf7653228fb02bd

SHA256
0210852502d89658064de6bcb4db67ae8341c4391e115fd5803167965e2ba07b

SHA512
0574a51c9f3edebfcc7ad46efd6bac87d041afd1280cfe1f6276ee1391976e39e5379c212a279e867790640dbc0d279064e8650ca7aacf9a7b8b42db28134f4d

Download Submit
memory/796-139-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/796-122-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1484-126-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1484-141-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1972-129-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/1972-144-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2064-127-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2064-142-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2148-128-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2148-143-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2208-124-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2208-140-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-138-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2580-121-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2672-133-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2672-32-0x000000013FB10000-0x000000013FE64000-memory.dmp

Filesize
3.3MB

Download
memory/2712-131-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2712-18-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-136-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2728-117-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2776-132-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Filesize
3.3MB

Download
memory/2776-30-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Filesize
3.3MB

Download
memory/2820-119-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2820-137-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2828-135-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-35-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2948-7-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2948-115-0x00000000022C0000-0x0000000002614000-memory.dmp

Filesize
3.3MB

Download
memory/2948-125-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2948-34-0x00000000022C0000-0x0000000002614000-memory.dmp

Filesize
3.3MB

Download
memory/2948-123-0x00000000022C0000-0x0000000002614000-memory.dmp

Filesize
3.3MB

Download
memory/2948-120-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2948-118-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2948-130-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2948-33-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2948-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2948-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2948-31-0x00000000022C0000-0x0000000002614000-memory.dmp

Filesize
3.3MB

Download
memory/2964-116-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-134-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download