cobaltstrike | 07550514d8fdb63065da5a8f06185dc69193b2188c42b0fa984bea87f10dc22c

Analysis

max time kernel
135s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
Size

5.9MB
MD5

df9990dd4f2c4b0fccbf37f69004f242
SHA1

0d6d5eb4e019fc556f11971b5d11550694907bd0
SHA256

07550514d8fdb63065da5a8f06185dc69193b2188c42b0fa984bea87f10dc22c
SHA512

91b2df2c717de6416be6243922642e67ba52a6fe106b3a0e8a08f26ed1ef0f50e4e8c8a115cb1030f0a7263d11c31dcd87d92dc8d505d143a16d495c6f1d8baf
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUK:E+b56utgpPF8u/7K

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c0000000122ce-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d68-17.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d78-34.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001749c-47.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015da1-63.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174bf-51.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d70-33.dat	cobalt_reflective_dll
behavioral1/files/0x0014000000018657-60.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d19-13.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d48-18.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001867d-87.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019217-116.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878d-128.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019220-121.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191fd-112.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190c6-100.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186c8-99.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000018662-98.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190c9-97.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f3-117.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015cdd-82.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/2524-0-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/files/0x000c0000000122ce-3.dat	xmrig
behavioral1/files/0x0007000000015d68-17.dat	xmrig
behavioral1/memory/2844-28-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/files/0x0009000000015d78-34.dat	xmrig
behavioral1/memory/2524-40-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/files/0x000600000001749c-47.dat	xmrig
behavioral1/memory/2344-61-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015da1-63.dat	xmrig
behavioral1/memory/2804-46-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/836-58-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2712-54-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x00060000000174bf-51.dat	xmrig
behavioral1/memory/3000-68-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d70-33.dat	xmrig
behavioral1/memory/2524-30-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2844-67-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/2736-65-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2524-62-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/files/0x0014000000018657-60.dat	xmrig
behavioral1/memory/836-19-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2524-25-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/2344-23-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/2348-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d19-13.dat	xmrig
behavioral1/memory/2524-9-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d48-18.dat	xmrig
behavioral1/memory/584-71-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x000500000001867d-87.dat	xmrig
behavioral1/files/0x0005000000019217-116.dat	xmrig
behavioral1/files/0x000500000001878d-128.dat	xmrig
behavioral1/files/0x0005000000019220-121.dat	xmrig
behavioral1/memory/2180-114-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/files/0x00050000000191fd-112.dat	xmrig
behavioral1/memory/2912-101-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/files/0x00060000000190c6-100.dat	xmrig
behavioral1/files/0x00050000000186c8-99.dat	xmrig
behavioral1/files/0x000d000000018662-98.dat	xmrig
behavioral1/files/0x00060000000190c9-97.dat	xmrig
behavioral1/memory/2524-140-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2524-132-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/1144-131-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/files/0x00050000000191f3-117.dat	xmrig
behavioral1/memory/2712-141-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x0009000000015cdd-82.dat	xmrig
behavioral1/memory/2736-142-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/3000-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2348-145-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2344-146-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/836-148-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2844-147-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/2804-149-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
behavioral1/memory/2712-150-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/584-151-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/3000-152-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2736-153-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2912-154-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2180-155-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/1144-156-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2348	YiTEZQG.exe
836	wKWmTWi.exe
2344	LbpBmZe.exe
2844	nrbLCxz.exe
584	xHTcZYk.exe
2804	KMdJYgx.exe
2712	yZgjNOw.exe
2736	MmlYyni.exe
3000	HQGnnrE.exe
2912	XTxQkrG.exe
2180	RrkBMVd.exe
1144	XvIkWNw.exe
2420	nuOtTFg.exe
2864	gUxQtTQ.exe
2328	GyNKxbe.exe
2316	NaOkRzh.exe
536	qfkVZyu.exe
2032	ZTYIlIV.exe
1836	IApJVCn.exe
532	yFRzKjJ.exe
1936	jrWhkJd.exe

Loads dropped DLL 21 IoCs

pid	Process
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2524-0-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/files/0x000c0000000122ce-3.dat	upx
behavioral1/files/0x0007000000015d68-17.dat	upx
behavioral1/memory/2844-28-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/files/0x0009000000015d78-34.dat	upx
behavioral1/memory/2524-40-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/files/0x000600000001749c-47.dat	upx
behavioral1/memory/2344-61-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/files/0x0008000000015da1-63.dat	upx
behavioral1/memory/2804-46-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/836-58-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2712-54-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x00060000000174bf-51.dat	upx
behavioral1/memory/3000-68-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/files/0x0007000000015d70-33.dat	upx
behavioral1/memory/2524-30-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2844-67-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/2736-65-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2524-62-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/files/0x0014000000018657-60.dat	upx
behavioral1/memory/836-19-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2344-23-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/memory/2348-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/files/0x0008000000015d19-13.dat	upx
behavioral1/memory/2524-9-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/files/0x0007000000015d48-18.dat	upx
behavioral1/memory/584-71-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x000500000001867d-87.dat	upx
behavioral1/files/0x0005000000019217-116.dat	upx
behavioral1/files/0x000500000001878d-128.dat	upx
behavioral1/files/0x0005000000019220-121.dat	upx
behavioral1/memory/2180-114-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/files/0x00050000000191fd-112.dat	upx
behavioral1/memory/2912-101-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/files/0x00060000000190c6-100.dat	upx
behavioral1/files/0x00050000000186c8-99.dat	upx
behavioral1/files/0x000d000000018662-98.dat	upx
behavioral1/files/0x00060000000190c9-97.dat	upx
behavioral1/memory/1144-131-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/files/0x00050000000191f3-117.dat	upx
behavioral1/memory/2712-141-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x0009000000015cdd-82.dat	upx
behavioral1/memory/2736-142-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/3000-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2348-145-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2344-146-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/memory/836-148-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2844-147-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/2804-149-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
behavioral1/memory/2712-150-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/584-151-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/3000-152-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2736-153-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2912-154-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2180-155-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/1144-156-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XvIkWNw.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\gUxQtTQ.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\GyNKxbe.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\MmlYyni.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\RrkBMVd.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\nuOtTFg.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\qfkVZyu.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\nrbLCxz.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\HQGnnrE.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\IApJVCn.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\yZgjNOw.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\ZTYIlIV.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\xHTcZYk.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\KMdJYgx.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\XTxQkrG.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\NaOkRzh.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\yFRzKjJ.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\YiTEZQG.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\wKWmTWi.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\LbpBmZe.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
File created	C:\Windows\System\jrWhkJd.exe	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2348	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2348	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2348	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	32
PID 2524 wrote to memory of 836	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	33
PID 2524 wrote to memory of 836	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	33
PID 2524 wrote to memory of 836	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2344	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2344	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2344	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2844	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	35
PID 2524 wrote to memory of 2844	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	35
PID 2524 wrote to memory of 2844	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	35
PID 2524 wrote to memory of 584	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	36
PID 2524 wrote to memory of 584	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	36
PID 2524 wrote to memory of 584	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	36
PID 2524 wrote to memory of 2804	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	37
PID 2524 wrote to memory of 2804	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	37
PID 2524 wrote to memory of 2804	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	37
PID 2524 wrote to memory of 2736	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	38
PID 2524 wrote to memory of 2736	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	38
PID 2524 wrote to memory of 2736	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	38
PID 2524 wrote to memory of 2712	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	39
PID 2524 wrote to memory of 2712	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	39
PID 2524 wrote to memory of 2712	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	39
PID 2524 wrote to memory of 3000	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	40
PID 2524 wrote to memory of 3000	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	40
PID 2524 wrote to memory of 3000	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	40
PID 2524 wrote to memory of 2912	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	41
PID 2524 wrote to memory of 2912	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	41
PID 2524 wrote to memory of 2912	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	41
PID 2524 wrote to memory of 2180	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	42
PID 2524 wrote to memory of 2180	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	42
PID 2524 wrote to memory of 2180	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	42
PID 2524 wrote to memory of 2420	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	43
PID 2524 wrote to memory of 2420	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	43
PID 2524 wrote to memory of 2420	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	43
PID 2524 wrote to memory of 1144	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	44
PID 2524 wrote to memory of 1144	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	44
PID 2524 wrote to memory of 1144	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	44
PID 2524 wrote to memory of 2864	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	45
PID 2524 wrote to memory of 2864	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	45
PID 2524 wrote to memory of 2864	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	45
PID 2524 wrote to memory of 2032	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	46
PID 2524 wrote to memory of 2032	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	46
PID 2524 wrote to memory of 2032	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	46
PID 2524 wrote to memory of 2328	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	47
PID 2524 wrote to memory of 2328	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	47
PID 2524 wrote to memory of 2328	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	47
PID 2524 wrote to memory of 1836	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	48
PID 2524 wrote to memory of 1836	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	48
PID 2524 wrote to memory of 1836	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	48
PID 2524 wrote to memory of 2316	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	49
PID 2524 wrote to memory of 2316	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	49
PID 2524 wrote to memory of 2316	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	49
PID 2524 wrote to memory of 532	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	50
PID 2524 wrote to memory of 532	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	50
PID 2524 wrote to memory of 532	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	50
PID 2524 wrote to memory of 536	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	51
PID 2524 wrote to memory of 536	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	51
PID 2524 wrote to memory of 536	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	51
PID 2524 wrote to memory of 1936	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	52
PID 2524 wrote to memory of 1936	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	52
PID 2524 wrote to memory of 1936	2524	df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df9990dd4f2c4b0fccbf37f69004f242_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System\YiTEZQG.exe
  C:\Windows\System\YiTEZQG.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\wKWmTWi.exe
  C:\Windows\System\wKWmTWi.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\LbpBmZe.exe
  C:\Windows\System\LbpBmZe.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\nrbLCxz.exe
  C:\Windows\System\nrbLCxz.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\xHTcZYk.exe
  C:\Windows\System\xHTcZYk.exe
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\System\KMdJYgx.exe
  C:\Windows\System\KMdJYgx.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\MmlYyni.exe
  C:\Windows\System\MmlYyni.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\yZgjNOw.exe
  C:\Windows\System\yZgjNOw.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\HQGnnrE.exe
  C:\Windows\System\HQGnnrE.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\XTxQkrG.exe
  C:\Windows\System\XTxQkrG.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\RrkBMVd.exe
  C:\Windows\System\RrkBMVd.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\nuOtTFg.exe
  C:\Windows\System\nuOtTFg.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\XvIkWNw.exe
  C:\Windows\System\XvIkWNw.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\gUxQtTQ.exe
  C:\Windows\System\gUxQtTQ.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\ZTYIlIV.exe
  C:\Windows\System\ZTYIlIV.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\GyNKxbe.exe
  C:\Windows\System\GyNKxbe.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\IApJVCn.exe
  C:\Windows\System\IApJVCn.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\NaOkRzh.exe
  C:\Windows\System\NaOkRzh.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\yFRzKjJ.exe
  C:\Windows\System\yFRzKjJ.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\qfkVZyu.exe
  C:\Windows\System\qfkVZyu.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\jrWhkJd.exe
  C:\Windows\System\jrWhkJd.exe
  2⤵
  - Executes dropped EXE
  PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GyNKxbe.exe

Filesize
5.9MB

MD5
e1082ed37760dac15601c1380e040fba

SHA1
de5a3b0d0a5b15bf42de8a4217692425cc59b441

SHA256
da0f6b98a31503a44b23801820c9128847c0f8743db8efb995a47eeeeb47cc22

SHA512
6e75e1d3cdf2394c4cb953216cb31237277e12bb9564277051f10116587233a17a182ad0fe47ea9de8c4619d3d02f9e34e9795b7f8f4a3f8a031ef56607932a6

Download Submit
C:\Windows\system\LbpBmZe.exe

Filesize
5.9MB

MD5
5bf2eef001f0d57e7814ff6efecf723b

SHA1
a52089d2295335136fefd0253341feb21643f5e3

SHA256
d336d25862eda6e1e074da8c6b00c568cd2ff9985ac46983d72ad241fbee7bdf

SHA512
ddcd6018fa6ac59c512e8589f0ee0d19fa9f3e54f926f2fc2d60007c1f9ac832e32261a0c8a8a62d06acc80de0d00ce7f0a284d27d5514326bc6d0ee37a292d3

Download Submit
C:\Windows\system\MmlYyni.exe

Filesize
5.9MB

MD5
b6e70e02cfaa5b6eada55662795ccd6f

SHA1
90c95d51c1b3dc991bd9b0d7dab26f2a3a14185a

SHA256
7732bd5268f10c9e82b2fa0fb01aeaf07d54741b93fac1a72654d79c35d5042c

SHA512
e61e56e053c6321bd1c00f5f84e74242e398b51eb2c8ff35cb6962d42fcd9f46cde2056d0572633cb8ecccc74903eab936329228b86ba1a2411061a00c6c95e2

Download Submit
C:\Windows\system\NaOkRzh.exe

Filesize
5.9MB

MD5
7a7fab2ac0a5d6c0981d99edfaee28f2

SHA1
5b15d28b531b5d75e0c16b38c5c1b3c03d43a08d

SHA256
e30ef11c235ed7d17eda7bb656721de70173cc68538f281923345708d5d22597

SHA512
0b65cec2e0ec42fdab466f1743d5897b760a5d751f14f3f25f92ae4435a17476cb8f3640d40ee2d0dad7d170b365d184f6716b4025e9746856069b0db8731684

Download Submit
C:\Windows\system\RrkBMVd.exe

Filesize
5.9MB

MD5
d39234eaf577aea81496cdd997d4f42c

SHA1
caac17b92d4cf3e4177feb9f4a083025807049c5

SHA256
49bd3fd6d48e5d2eac0c076aee8af3b0a916c065d15b9ee92a4d1d7f6ed9774d

SHA512
84051368e23f7f78c5d6098f93806197e886d998bccb6beb54a32d2493b5b2554dbf3578add678f65a13879a8154e230852aaeee09ebde8152bacafd2f823825

Download Submit
C:\Windows\system\XvIkWNw.exe

Filesize
5.9MB

MD5
3b1264baee10a610cbd9d7d67a764883

SHA1
67593606c70b71fb18fcb5e18eb5f1c8d285b0bf

SHA256
b2e9beaceb0961b89565616fadd244ca1e3a14ffeb3a6b8c70faafb2cc0ff0c7

SHA512
fc2ba766a97a85e73bf710dc11521ed663a73b934c7549e64a775fac41f15168c7d8f493c2566965fe81993f5b74ecef87775db25da658c2a249b82210a203c2

Download Submit
C:\Windows\system\ZTYIlIV.exe

Filesize
5.9MB

MD5
b00e4cef55f900ac48fd9bb852d2ec62

SHA1
7541bb16d58747778554c72a14c93c0849e0ce58

SHA256
23199efdf38e71ee70c59876728a175b2b7ab687b2ce446fdbb36e1ff84a9e93

SHA512
771294e43e3fc34a02a401afc1d2fa43a3cf1110b490edef5c5feb35ed32a6b1cb7b55a81ab9c686a97f7a5aa0dc92adbefc77482f17d845964e4845f805ef0b

Download Submit
C:\Windows\system\gUxQtTQ.exe

Filesize
5.9MB

MD5
b77311f6b4065b5640847c740ba3b2b1

SHA1
34281420e8892d2a98ba55b955f4c6d1b6e2907d

SHA256
99261d8caeb25ebff1348b884ab093577436d2832099fe887cb9b861bc3781b9

SHA512
d5339a3f81f486dc711df0674e6329185b623b52f78a95d2305930c0477cd53dbe5635c0c258ca90d99cd719ecd43835c32c0ba0aebb817075891d5b9db816a1

Download Submit
C:\Windows\system\nrbLCxz.exe

Filesize
5.9MB

MD5
4081445847453ebeed010c6cc9393562

SHA1
111a4b2acfde9ecf1040054f84e52f9b9394e4a0

SHA256
57815df41b9e6a2c0ad6dde306acca39a678c1193a868df5cca169ddcce5b2a4

SHA512
2764ae00b86d2db4836b1f8e92079d633fe0efe7c9f7a507f1f362a2f62ca9c755ce26f6837e95a1fb6c4c5aaecf85f02235bb99906bbdab82e1a3b131b2a807

Download Submit
C:\Windows\system\nuOtTFg.exe

Filesize
5.9MB

MD5
17a681381121487f61239a7156436fa2

SHA1
9ed1419730eeb3dcf57e208f72bf629d9ef7c514

SHA256
d7676d4f75e8f87e73ba3d1809102a9849cb2960fa591b2f01e462b6a60a8a62

SHA512
f1edbc7f6fb7fbeccbc80c2c7ec247a9a291bfcea9d498e141b0f19a2b428df6940b4e1d250889370ffb6c5f6beecf8ab15267c6cb19004876412de08c8d25d6

Download Submit
C:\Windows\system\wKWmTWi.exe

Filesize
5.9MB

MD5
b378ad8c2d7322243424e6176b88b4b9

SHA1
3e75a62eeb01bc55f72bb0747c48a9edfeca0f05

SHA256
3d2f346b64e2cdfdbf5800c37beab01da4e949e17aa0ee726a07aaeb7395d0fc

SHA512
2c9f9bf48150dfb34c71eb685924a2910455cb66936456e89cb60e6f75f7582fd9426c2f85450e673ca243ee6c3ccdf4aeb5db1bc3fa17c0eb7020a2d43b043c

Download Submit
C:\Windows\system\xHTcZYk.exe

Filesize
5.9MB

MD5
896080ce943c2f98d87ed82b959625ae

SHA1
414bb7941e4e12571aa26cdf19798f8339f3ca5b

SHA256
8a43cdc8098bf34bb0c83cd3d015dffaa1c3e76e6e33b6d9399adcc1552808d2

SHA512
76599b9537837ef24aaf397e594d79df86c46160aaebd21cd6eff74f34bf4dd97d13fd69e3637de594d738003bf8ef572eac8bde47dd8f35f66dadddf03a44a0

Download Submit
\Windows\system\HQGnnrE.exe

Filesize
5.9MB

MD5
a41ca5b16325704f05ac7b94e15b305a

SHA1
2d1d09e8ca86beeca0bbdfdd05b587a9e0212d71

SHA256
040b9098e64fde6da04a85d9fff24581400afd650cdf07a3de3ddbb90a2ffc67

SHA512
8e3f224dfb8a65a1ea346c9fd260873b75c25bb2c1ce56aefb94c182c341be2426d3dc740e653f921b5f2255c60b51adba0ed7eebc9bbedc1522c6d848597667

Download Submit
\Windows\system\IApJVCn.exe

Filesize
5.9MB

MD5
d1329d054e13eca7e6d984bd96786845

SHA1
85fd1a35fefe8b378ed3cc09f3d998e903c68877

SHA256
32b2074243b6c54bc07710a87829e187fddfe7d321e5fcb30ef1c09b20ce437b

SHA512
e91458d638e42d5f44d5409cd36d75986077f4cbc508317fecc15dbd3124837b6e485d1f27bbc9e0eb64fce5b205ff41388ee0a0657f31dcef822d5856fc393b

Download Submit
\Windows\system\KMdJYgx.exe

Filesize
5.9MB

MD5
1e6fb2ccbfee2d32405098ddbf440ca3

SHA1
921509e3ef344e780d773025b0c3c420347726ee

SHA256
5ce5059718af1ddac87cbee5ddd44ecc0199f05fc0fd6e3234cfca3c36d2ec98

SHA512
9464c9a7459c81f0c9e7465aab8ca9b88f52639d2fce07942a95d9e536a5adcbd2c11f8365eb21c6bcfaa9615fec23fc5d3ffa570e79c97309cde2c6a95d5fb5

Download Submit
\Windows\system\XTxQkrG.exe

Filesize
5.9MB

MD5
130ed62c4750c8bf3983dbc5c8343338

SHA1
6e96468a093246f98446ef991b5b824d344a9686

SHA256
4d4e26fac72cab8063b8c3e207198144905c9114e1e9f40ae768371742d472ea

SHA512
d083737cd33a81a03a5d7dc3fc5de1f336b7940fa633b00b234221607be1ef742f2722fedbe1245caa2a8029f7c0515754fb58508ab048b9c98d316f8fa0d9b8

Download Submit
\Windows\system\YiTEZQG.exe

Filesize
5.9MB

MD5
1c6763d9d2d342e933867960f475b1da

SHA1
b37463fae786f8106b678c76c4d22aad9be315f8

SHA256
280018bdf46aa8a2efdc43e41dcd5ed94c074f9c747fc6329c10b69a2bd50a2f

SHA512
0e3b40298b690c950855927ec440ef986054c9c2f506aaa82ff3ca130d11784d0bbdb90a4254366606ea3572c45df7bd93311c7f1c0b3c2b465b62f214702bc1

Download Submit
\Windows\system\jrWhkJd.exe

Filesize
5.9MB

MD5
755880796c43633b0e9780bfa46a9c03

SHA1
30a0fd20647a066c46d45430fcfe46685e1df5fc

SHA256
649fed08f041d513685eb36855a045254a875e8bb105354361b2f18df2cea38e

SHA512
ecfc0632cd30afb52f3ac19234d9d63f734ef3abaf227873693ab91f11783065de72db2fcc52a3abae249b6384b299c6ca06afb133c84ffaf3175cc0b14c067f

Download Submit
\Windows\system\qfkVZyu.exe

Filesize
5.9MB

MD5
711d698f08bbf9602b054c504460d402

SHA1
50a4b65d845fb09a52c7eef02793656ace2f91dd

SHA256
8576a369ac3d8e7ea853aefb4e89f73790287c84daae010e3923339f43831c89

SHA512
63b6c8b1db4544efac3a83cab3582feecce63ee39ff3b2a1b615a8aad7f5c1fe7b42ea2df0e8820998909b6cfd7d785bf0e80b0dbcd95c3c9d214501805f89f8

Download Submit
\Windows\system\yFRzKjJ.exe

Filesize
5.9MB

MD5
d10a7185a2eda744fa8929e85cc9ac63

SHA1
a5055a527e2e64e2b973dd6f90b4b5af719dfdf5

SHA256
707569edb6955893cb2047922510e8ff6598a2143e385ae65fa9819609555220

SHA512
68f3060afe37e7ceca3f5790681f282c232a89638d0b6cf90dcc774b0218aaba3c66404a19bcad43bd76b207cd9f999c57aba2d551ce1b9532203abdd8b72d97

Download Submit
\Windows\system\yZgjNOw.exe

Filesize
5.9MB

MD5
ebcc6a25deb6d8e09eba113061e1fb4b

SHA1
8d7b0d2ee1a5d03572858066f8e12f2e03872bc2

SHA256
f4ba738df285b1ec8d424a2dce372e4ae47c0a8ee638d7c2e250e9e7ac403a46

SHA512
4450f592fd2242167c7d6565698ed5ac9e6f5a48ae641945061c3bde1c2524a320e18eae9a4d1745636b12e72d25d840f1d6a0e1ff77a746280f581ecd83f7df

Download Submit
memory/584-151-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/584-71-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/836-148-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/836-58-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/836-19-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/1144-131-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1144-156-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/2180-155-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2180-114-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2344-23-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-146-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-61-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-145-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-14-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-127-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2524-132-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2524-62-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2524-30-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-9-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-144-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2524-35-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2524-40-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-25-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-64-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2524-12-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-57-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2524-140-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2524-133-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-53-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2524-130-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/2524-26-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2524-126-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2524-125-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2524-0-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-110-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2712-141-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2712-150-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2712-54-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2736-142-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2736-65-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2736-153-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2804-149-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2804-46-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2844-28-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2844-147-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2844-67-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2912-101-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2912-154-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/3000-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/3000-152-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/3000-68-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download