cobaltstrike | 6567cbee45103b02d6e572d3d94e724c83dff28605c6733f4960b1494f76266c

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 14:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
Size

5.9MB
MD5

dc6f2698b6580c3554d9bd8fc16ef5e2
SHA1

85cff79c05d7f2ff88947c39a2763a5e59395e5a
SHA256

6567cbee45103b02d6e572d3d94e724c83dff28605c6733f4960b1494f76266c
SHA512

14bb8cc09494c3c374950b6188c1b9cef22d57f641577b6e110c73d99ff964729eea3c4ab48a5415becc451d8dd772d23e44a40385e9832943e954c5d88c0683
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUi:E+b56utgpPF8u/7i

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a0000000122f6-3.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001660d-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c88-22.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001688f-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016caa-38.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000162e3-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c9f-32.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016cef-51.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870a-93.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000187c0-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b7f-127.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000187ac-110.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001871a-99.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001756f-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017226-88.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018708-85.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174f7-78.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001707e-71.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000170da-68.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d21-62.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000187a7-115.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/1088-0-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/files/0x000a0000000122f6-3.dat	xmrig
behavioral1/files/0x000800000001660d-11.dat	xmrig
behavioral1/memory/540-14-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/1732-10-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/files/0x0007000000016c88-22.dat	xmrig
behavioral1/files/0x000800000001688f-24.dat	xmrig
behavioral1/memory/2316-26-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2740-23-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2648-33-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/1088-35-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/files/0x0007000000016caa-38.dat	xmrig
behavioral1/memory/1732-39-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/2800-42-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/540-44-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2160-49-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/files/0x00090000000162e3-47.dat	xmrig
behavioral1/files/0x0007000000016c9f-32.dat	xmrig
behavioral1/files/0x0009000000016cef-51.dat	xmrig
behavioral1/memory/2924-56-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/files/0x000500000001870a-93.dat	xmrig
behavioral1/files/0x00050000000187c0-114.dat	xmrig
behavioral1/memory/2588-117-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/files/0x0006000000018b7f-127.dat	xmrig
behavioral1/files/0x00050000000187ac-110.dat	xmrig
behavioral1/memory/1524-104-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/files/0x000500000001871a-99.dat	xmrig
behavioral1/memory/2800-138-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/files/0x000600000001756f-89.dat	xmrig
behavioral1/files/0x0006000000017226-88.dat	xmrig
behavioral1/files/0x0005000000018708-85.dat	xmrig
behavioral1/files/0x00060000000174f7-78.dat	xmrig
behavioral1/memory/1088-139-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/files/0x000600000001707e-71.dat	xmrig
behavioral1/files/0x00060000000170da-68.dat	xmrig
behavioral1/memory/2592-64-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2316-63-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d21-62.dat	xmrig
behavioral1/memory/1088-59-0x00000000023A0000-0x00000000026F4000-memory.dmp	xmrig
behavioral1/files/0x00050000000187a7-115.dat	xmrig
behavioral1/memory/2160-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2648-84-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2556-77-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2924-141-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2556-144-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2592-143-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2740-58-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/1732-149-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/540-150-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2740-151-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2316-152-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2800-154-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2648-153-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2160-155-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2924-156-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2556-157-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/1524-159-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2592-158-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2588-160-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1732	yHCuTlu.exe
540	duEjqhP.exe
2740	yPIQcVY.exe
2316	PvbrcSX.exe
2648	rVQiLMW.exe
2800	cQLUOvi.exe
2160	pnpYZMu.exe
2924	obzPktY.exe
2592	anCpQGI.exe
2556	BvFUPNf.exe
2588	FCuDQMK.exe
1524	JcBxeuc.exe
2884	vGCYTon.exe
2904	NuTVnpv.exe
2724	yaxnDBS.exe
2612	eTmafOL.exe
3048	RvxMHpG.exe
1256	ugKsGpf.exe
2732	kNDnyiH.exe
1660	WUslXZu.exe
2440	wFLgVCw.exe

Loads dropped DLL 21 IoCs

pid	Process
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1088-0-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/files/0x000a0000000122f6-3.dat	upx
behavioral1/files/0x000800000001660d-11.dat	upx
behavioral1/memory/540-14-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/1732-10-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/files/0x0007000000016c88-22.dat	upx
behavioral1/files/0x000800000001688f-24.dat	upx
behavioral1/memory/2316-26-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2740-23-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2648-33-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/1088-35-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/files/0x0007000000016caa-38.dat	upx
behavioral1/memory/1732-39-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/2800-42-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/540-44-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2160-49-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/files/0x00090000000162e3-47.dat	upx
behavioral1/files/0x0007000000016c9f-32.dat	upx
behavioral1/files/0x0009000000016cef-51.dat	upx
behavioral1/memory/2924-56-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/files/0x000500000001870a-93.dat	upx
behavioral1/files/0x00050000000187c0-114.dat	upx
behavioral1/memory/2588-117-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/files/0x0006000000018b7f-127.dat	upx
behavioral1/files/0x00050000000187ac-110.dat	upx
behavioral1/memory/1524-104-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/files/0x000500000001871a-99.dat	upx
behavioral1/memory/2800-138-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/files/0x000600000001756f-89.dat	upx
behavioral1/files/0x0006000000017226-88.dat	upx
behavioral1/files/0x0005000000018708-85.dat	upx
behavioral1/files/0x00060000000174f7-78.dat	upx
behavioral1/files/0x000600000001707e-71.dat	upx
behavioral1/files/0x00060000000170da-68.dat	upx
behavioral1/memory/2592-64-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2316-63-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/files/0x0008000000016d21-62.dat	upx
behavioral1/files/0x00050000000187a7-115.dat	upx
behavioral1/memory/2160-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2648-84-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2556-77-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2924-141-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2556-144-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2592-143-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2740-58-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/1732-149-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/540-150-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2740-151-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2316-152-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2800-154-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2648-153-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2160-155-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2924-156-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2556-157-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/1524-159-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2592-158-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2588-160-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\duEjqhP.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\yPIQcVY.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\FCuDQMK.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\rVQiLMW.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\cQLUOvi.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\BvFUPNf.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\ugKsGpf.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\vGCYTon.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\kNDnyiH.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\yaxnDBS.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\WUslXZu.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\yHCuTlu.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\PvbrcSX.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\pnpYZMu.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\anCpQGI.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\eTmafOL.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\RvxMHpG.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\NuTVnpv.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\obzPktY.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\JcBxeuc.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
File created	C:\Windows\System\wFLgVCw.exe	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1732	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	33
PID 1088 wrote to memory of 1732	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	33
PID 1088 wrote to memory of 1732	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	33
PID 1088 wrote to memory of 540	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	34
PID 1088 wrote to memory of 540	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	34
PID 1088 wrote to memory of 540	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	34
PID 1088 wrote to memory of 2316	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	35
PID 1088 wrote to memory of 2316	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	35
PID 1088 wrote to memory of 2316	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	35
PID 1088 wrote to memory of 2740	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	36
PID 1088 wrote to memory of 2740	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	36
PID 1088 wrote to memory of 2740	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	36
PID 1088 wrote to memory of 2648	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	37
PID 1088 wrote to memory of 2648	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	37
PID 1088 wrote to memory of 2648	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	37
PID 1088 wrote to memory of 2800	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	38
PID 1088 wrote to memory of 2800	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	38
PID 1088 wrote to memory of 2800	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	38
PID 1088 wrote to memory of 2160	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	39
PID 1088 wrote to memory of 2160	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	39
PID 1088 wrote to memory of 2160	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	39
PID 1088 wrote to memory of 2924	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	40
PID 1088 wrote to memory of 2924	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	40
PID 1088 wrote to memory of 2924	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	40
PID 1088 wrote to memory of 2592	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	41
PID 1088 wrote to memory of 2592	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	41
PID 1088 wrote to memory of 2592	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	41
PID 1088 wrote to memory of 2556	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	42
PID 1088 wrote to memory of 2556	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	42
PID 1088 wrote to memory of 2556	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	42
PID 1088 wrote to memory of 2612	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	43
PID 1088 wrote to memory of 2612	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	43
PID 1088 wrote to memory of 2612	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	43
PID 1088 wrote to memory of 2588	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	44
PID 1088 wrote to memory of 2588	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	44
PID 1088 wrote to memory of 2588	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	44
PID 1088 wrote to memory of 3048	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	45
PID 1088 wrote to memory of 3048	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	45
PID 1088 wrote to memory of 3048	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	45
PID 1088 wrote to memory of 1524	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	46
PID 1088 wrote to memory of 1524	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	46
PID 1088 wrote to memory of 1524	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	46
PID 1088 wrote to memory of 1256	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	47
PID 1088 wrote to memory of 1256	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	47
PID 1088 wrote to memory of 1256	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	47
PID 1088 wrote to memory of 2884	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	48
PID 1088 wrote to memory of 2884	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	48
PID 1088 wrote to memory of 2884	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	48
PID 1088 wrote to memory of 2732	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	49
PID 1088 wrote to memory of 2732	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	49
PID 1088 wrote to memory of 2732	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	49
PID 1088 wrote to memory of 2904	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	50
PID 1088 wrote to memory of 2904	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	50
PID 1088 wrote to memory of 2904	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	50
PID 1088 wrote to memory of 1660	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	51
PID 1088 wrote to memory of 1660	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	51
PID 1088 wrote to memory of 1660	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	51
PID 1088 wrote to memory of 2724	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	52
PID 1088 wrote to memory of 2724	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	52
PID 1088 wrote to memory of 2724	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	52
PID 1088 wrote to memory of 2440	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	53
PID 1088 wrote to memory of 2440	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	53
PID 1088 wrote to memory of 2440	1088	dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe	53

C:\Users\Admin\AppData\Local\Temp\dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc6f2698b6580c3554d9bd8fc16ef5e2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System\yHCuTlu.exe
  C:\Windows\System\yHCuTlu.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\duEjqhP.exe
  C:\Windows\System\duEjqhP.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\PvbrcSX.exe
  C:\Windows\System\PvbrcSX.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\yPIQcVY.exe
  C:\Windows\System\yPIQcVY.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\rVQiLMW.exe
  C:\Windows\System\rVQiLMW.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\cQLUOvi.exe
  C:\Windows\System\cQLUOvi.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\pnpYZMu.exe
  C:\Windows\System\pnpYZMu.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\obzPktY.exe
  C:\Windows\System\obzPktY.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\anCpQGI.exe
  C:\Windows\System\anCpQGI.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\BvFUPNf.exe
  C:\Windows\System\BvFUPNf.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\eTmafOL.exe
  C:\Windows\System\eTmafOL.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\FCuDQMK.exe
  C:\Windows\System\FCuDQMK.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\RvxMHpG.exe
  C:\Windows\System\RvxMHpG.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\JcBxeuc.exe
  C:\Windows\System\JcBxeuc.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\ugKsGpf.exe
  C:\Windows\System\ugKsGpf.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\vGCYTon.exe
  C:\Windows\System\vGCYTon.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\kNDnyiH.exe
  C:\Windows\System\kNDnyiH.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\NuTVnpv.exe
  C:\Windows\System\NuTVnpv.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\WUslXZu.exe
  C:\Windows\System\WUslXZu.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\yaxnDBS.exe
  C:\Windows\System\yaxnDBS.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\wFLgVCw.exe
  C:\Windows\System\wFLgVCw.exe
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BvFUPNf.exe

Filesize
5.9MB

MD5
d254e9abee1069e5a3531f37c0e82e02

SHA1
4b186a993efb86177d346e7aea5cf25616d0f815

SHA256
5b44d8b6e8ad3149922d4765e78119c9b91cb2b72ba7e605072900c279a7c912

SHA512
ee6c21642a2095acb085b6605efcb69583f8634fe948ec23ff72f209cbd2677fe6ae8236c06b740461ebda0efa8d11da553c305de4746e9d98c6c6c2cd699a57

Download Submit
C:\Windows\system\FCuDQMK.exe

Filesize
5.9MB

MD5
16b991e5becabbcf6e36e11e2e72cc96

SHA1
5aefcee1c3cb9b6d04a5c050ed458d3b566e0828

SHA256
677b59899c13fc24cb80ce5199f4681f303ef0f5bddbfb4af441e707f7f534ef

SHA512
74350c88ba5354677250b2f3d1668ee49d8d1b0e80f158c500c9f29912aa78b2f51fe0b602484bfdf43695d11ac9f3a0d946cb82184d5c901397cfd9852acdfd

Download Submit
C:\Windows\system\JcBxeuc.exe

Filesize
5.9MB

MD5
a5c3875ca0eb2a80225fa1a79f244dd6

SHA1
c4fde0a7a6f6bce3b361a38731af9f9e68cce115

SHA256
d6c52715f1fe304bddcb2f38683f0ae6498fa52159073479b235beec9810a7de

SHA512
074c613476d0d94e9664e3195d63aa2ce1ba13e5aa077f155e7986f1fa9be00e07eadb32703a6cda7668895bfff0f1d665e1cab4a0a89a202ce0ee25ae8417a3

Download Submit
C:\Windows\system\NuTVnpv.exe

Filesize
5.9MB

MD5
b272de5f676f6aaf612882610cbf59c8

SHA1
12fe836c188afd44a7d1a91b8050220436859d76

SHA256
ed5f521536ea6b9257f831321456f51462cc7da2f7891c97501c07cb97f74007

SHA512
2ce5721bf2457e45230f00561e119005b716ad255a51e479ac951364de5df0f6d80a6cc79cb9d3efe0a59f509fcf8b049ded118c2c82a75d3c20d154100403c1

Download Submit
C:\Windows\system\PvbrcSX.exe

Filesize
5.9MB

MD5
2ed68baa1c5afe772278bb55f99fe347

SHA1
af5bbe642f5ca002148bf72b373bfd1c29182cd8

SHA256
b1b15b868d7cdadf0e672628747f71ee64317713f812d407922e1740943a083d

SHA512
a4577de16af5ac75f2e5c2d6d811c716ba42677cdd7ea9e695c3b47e945d4103cba34e892e104eb820e55f1a724f72f645716a495c4d0fc6531d6d5b7e5f28c7

Download Submit
C:\Windows\system\anCpQGI.exe

Filesize
5.9MB

MD5
318879380850466a57c40d4e3270ecf6

SHA1
fe1771c6685a576f752f15770c41fb33daa4d30f

SHA256
9fcf65b92bb743ca1415db9fa5d314ee826b7c76779e07666db60615004cec71

SHA512
eedf5e7df2458710054379898c5bbaf563c945afc9af1b80b9f136565de6a92ebd026fbb917072987e640a9f42a704942a682bd039041de3a2d68be641220245

Download Submit
C:\Windows\system\cQLUOvi.exe

Filesize
5.9MB

MD5
38df85ccca4f43c764259bf4c73a10d5

SHA1
c0590d7a1a6ed9a2ea67638513d1eaf3a28b1227

SHA256
ca36979b0627bc8c55a324f84166c02eeab6192775e3dac8686abfa2d15c62fc

SHA512
9bb37fef930acc0e161d68fc7922d5cafa1dc98700626f8dae73fc2669bc6ebed539852b18641f38353576773313599e4b88555e77cef6f45dd7081c50a574ff

Download Submit
C:\Windows\system\duEjqhP.exe

Filesize
5.9MB

MD5
d623dad02ca786da7db12173083f6716

SHA1
34a9dc9a462e6a83e38dbe83a0945d0125b473a2

SHA256
a5a8b0424654c4b6b88ff2406821bad6b0905b6222c6b07bd5a00e0ca801e835

SHA512
4dece08ccf4666759cb6a397b933f221c499202dd80f8a7c29034bbb6235b32d2dabb6aff15c7f3b8f0fda4b1a4e547ca2ae3d49472d1c9e47c21caf8d93b1c3

Download Submit
C:\Windows\system\pnpYZMu.exe

Filesize
5.9MB

MD5
d2c410d84c8f89cc374a78250f40b663

SHA1
af6e23fd9bf979731396b7a113e5a31bc58d974b

SHA256
4f2042fb053184ad030833468bb2a9a6b071503458fafb45dc1a89ce60bb709c

SHA512
e8b792500790ae5f564b3c7b8f55d2492a9a5f3d88f40603fafb53a57f3f577004559c76e89e7a748cc13f068cf0c6d27609758794fa9476c079dece4c7c905b

Download Submit
C:\Windows\system\rVQiLMW.exe

Filesize
5.9MB

MD5
66b9c77320d87a652ad3774e1610ed13

SHA1
0c39edb7885cea1c79c05014bf8e65f841323c76

SHA256
08e69916b09e72f5ac1e6b4f4231405a28b446fb2719d25d4faf60ff19a4e4ab

SHA512
89b687b77f2d31372fbfec7ffbbb0616feed707dcd0b4e5fbe90553c422dfa9cc6216ba5e0fa789c1e68e992bddaac3d1ca30e39e08f3a956cd86f4b21826681

Download Submit
C:\Windows\system\yPIQcVY.exe

Filesize
5.9MB

MD5
1c5d2c793f33c9556e5b11f2e5042ff5

SHA1
39f7e3eb882c3db12144717a569c38e4a565322e

SHA256
13be1e46daaf60b6d516c648c5bfa4a189b65940c36354d962cc9b2779084a3f

SHA512
3b22a02e2f430a29d80d64902234647898234e637b16c76bb4ca10a895099effa140fa8ebd92cbae20df156cb08147b22cc483f8af4bba44b51e9d9c19d01dbc

Download Submit
\Windows\system\RvxMHpG.exe

Filesize
5.9MB

MD5
eafc362b3894b2b30ad830b62795c893

SHA1
286d547f9dfc3d878a25278bba55d95d1f69e9c1

SHA256
20b8219e0f5ceced25a01262947ec17bc742fbec9b170926b464032635d48827

SHA512
15833482ae5c065639ef82402982945c91279338a27cf9bd84a2c723cc03522cdbad798a1603607dbea41656193d8537987362ffd8247a652792f4b8a77392a7

Download Submit
\Windows\system\WUslXZu.exe

Filesize
5.9MB

MD5
8f95e7e145dbb41da5860cb53e357e60

SHA1
8712d8ef2a421f7bcb75928f7a11e3d66580f41d

SHA256
7650fbb8f5a014194eb375059414bd5019bf7b9845ee29cb7658aa44d43892f9

SHA512
b6e2d30ef540dc08e738c171ab5c8a72ed9fb5831818c604ad4ed0ba6deb80f7a9868d5c40475fcf5ceb716530251b3234bde0e0e267c725ba112081099159f9

Download Submit
\Windows\system\eTmafOL.exe

Filesize
5.9MB

MD5
9ec03c1156819fc24c013f4c34fd4ebb

SHA1
34c7f24f83f9572826696ae5c11df5101e43e5da

SHA256
80ca65e9d13e3d60c104b15348a549bb12b772e68350575e189e37184b65a93c

SHA512
91e88c06fd62b1baf989b75a5dd0aeeec9dccb045c689807a4051188dc92fda8f3ca6d28641f53c05aaf9446b127b792de46e887f5d3cbada6e981fa1219ddaf

Download Submit
\Windows\system\kNDnyiH.exe

Filesize
5.9MB

MD5
7104483bea5f7763a4891e88e5f5a5bc

SHA1
eb686e1609f21fb4942dfb3c44ba7da77ba9197e

SHA256
024eefacb5566b0f2d84406e41be27888e33138ef153cb382512de6c57c2218b

SHA512
fa3bc10520a9cd6bcc415962fc93635c703f755096a7aa14bb56112c05c466573926f2f00333269f888f7c4319aada4ee2ceadc21cccd40431144bf6a0e01a41

Download Submit
\Windows\system\obzPktY.exe

Filesize
5.9MB

MD5
5e007c4e182d6ef724d34b40337e7dff

SHA1
ab959b59aa7b225db09f60af55eee651c71a4e04

SHA256
ce89726bc3889e850f2295133c5a2b6c41ab8a87b33fb721972bd27990da030c

SHA512
cb1a8c4185e7c89ed1976a7a7793b0ad991f0272f44d0ec97acc26ab81db24bfadf348caaca865486125d195a835e227cb1777800ef4cbe481be2f712e2b51c7

Download Submit
\Windows\system\ugKsGpf.exe

Filesize
5.9MB

MD5
a4ed38fc14d9a967fdd30ca736aa7161

SHA1
085f1aea274f7fca1949172a36d17e8348f9c950

SHA256
79bc1df3b76cd08b1b8485832f2191f1bb781a2e67c4b52bcf5ad87a14413ef9

SHA512
c2d96ad0318d5df5ecaf729960bf3433db2b164dbce3bf143be8b432ac406681b19be88f9cd6a8a6aadbd306f85ca45990d69797b10edaba3223bd48240fce70

Download Submit
\Windows\system\vGCYTon.exe

Filesize
5.9MB

MD5
7475b139452cd077d9010c6bdd82c502

SHA1
ab96cf6ae45545837a8f292adb042e70b5297252

SHA256
204b8902d3ee6d97e7a65abeef919f3137eaf0012f25c95e3d9cab428e980d99

SHA512
6d2a60810ed3455c432bce66a061d96dcf043f30646329b0b2bf7f54406af4a29dde7b08421acea060e36d8a00190d24610d408a1bed5810f8cbb8bc62303338

Download Submit
\Windows\system\wFLgVCw.exe

Filesize
5.9MB

MD5
d1b80fc5df3a939eaeb6832f120eea84

SHA1
dd0609e8cf039edbec64a992cc4c0b1f49392f08

SHA256
cdf3c029966b349bb780adbf0a0e681706d69b02c8daf80d63a8a1a405ac2b96

SHA512
e6113b43a8b67291ba7fa1a929087e0dd032e82737a1e2445aa7af56209d1502c831242456b97645dc0d0da987fe5c8c91e51c888ff6ae5d767b618bba5a477d

Download Submit
\Windows\system\yHCuTlu.exe

Filesize
5.9MB

MD5
6e6a5bbc94b35296eaad42ede13772d8

SHA1
1966bfe63aa80dda7cdb84eaa7a10e39e28e1739

SHA256
71b42179d75f2872349d4a051fff47a4a07a6fc30d227288c881b4e9e4f85afb

SHA512
5bcd240af450dc3da8aea3de527790f8bead5382c1214ba86976bfb1188b1809e9fdc964ca67a6de38ff85c529bfb76e922f75df7a262f7a4b737c5ae81b90a0

Download Submit
\Windows\system\yaxnDBS.exe

Filesize
5.9MB

MD5
8919fe0d11f46e1b6ad57f00a15b5ce3

SHA1
834f7414cabc12e14619083562d6107b1da834ac

SHA256
255cab6dad9a7e1533f5cd01f663c0cace5f61b6b999f66c61ddf7fcdddd5ea9

SHA512
a4193d6eab22409159f29de05774553dd272982300a02453449a2b6f2af0854ebf0d13fb9996f789781033139087027a3102a2f7829026736143733fb89862ae

Download Submit
memory/540-44-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/540-14-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/540-150-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/1088-139-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/1088-148-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/1088-147-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-118-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/1088-116-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/1088-31-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-113-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1088-0-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1088-146-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-102-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-48-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-145-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-91-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/1088-90-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-142-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-52-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/1088-109-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1088-59-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-72-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-15-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-35-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1524-104-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1524-159-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1732-10-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/1732-149-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/1732-39-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2160-140-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2160-49-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2160-155-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2316-152-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-26-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-63-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-157-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-144-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-77-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-160-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2588-117-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2592-143-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-64-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-158-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-84-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2648-33-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2648-153-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2740-58-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2740-151-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2740-23-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2800-154-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2800-138-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2800-42-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2924-56-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2924-156-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2924-141-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download