cobaltstrike | 5aa7df1e0cc55457c5350d26c6a16f1bc4da8e412f7b8c36604e23d585822ce4

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
Size

5.9MB
MD5

e192850c64d24461f040b20f78ddeeae
SHA1

3ed92117ff852ffdf90d92645ffca98310c16b8d
SHA256

5aa7df1e0cc55457c5350d26c6a16f1bc4da8e412f7b8c36604e23d585822ce4
SHA512

d25b9bfebfde3395df6ad169a6a623f6d84db835e082d93ddfbf26a46dce80e66762721ffad2f1a3c28402989fb8cda601ab29124b62dfa9857e8da57f6646b0
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUn:E+b56utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000012119-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d2b-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d4c-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d6e-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d82-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e4a-36.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015f61-41.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d29-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d31-55.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015fd9-45.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015dab-30.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dcf-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ddf-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dcb-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d65-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d69-93.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d5e-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d42-73.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d05-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-64.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 56 IoCs

miner

resource	yara_rule
behavioral1/memory/2232-0-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/files/0x0008000000012119-3.dat	xmrig
behavioral1/memory/2832-7-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d2b-9.dat	xmrig
behavioral1/files/0x0008000000015d4c-11.dat	xmrig
behavioral1/files/0x0008000000015d6e-18.dat	xmrig
behavioral1/files/0x0007000000015d82-26.dat	xmrig
behavioral1/files/0x0007000000015e4a-36.dat	xmrig
behavioral1/files/0x0008000000015f61-41.dat	xmrig
behavioral1/files/0x0006000000016d29-50.dat	xmrig
behavioral1/files/0x0006000000016d31-55.dat	xmrig
behavioral1/memory/400-60-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/1580-59-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015fd9-45.dat	xmrig
behavioral1/files/0x0007000000015dab-30.dat	xmrig
behavioral1/files/0x0006000000016dcf-101.dat	xmrig
behavioral1/files/0x0006000000016ddf-106.dat	xmrig
behavioral1/files/0x0006000000016dcb-98.dat	xmrig
behavioral1/files/0x0006000000016d65-88.dat	xmrig
behavioral1/files/0x0006000000016d69-93.dat	xmrig
behavioral1/files/0x0006000000016d5e-83.dat	xmrig
behavioral1/files/0x0006000000016d4a-78.dat	xmrig
behavioral1/files/0x0006000000016d42-73.dat	xmrig
behavioral1/files/0x0009000000015d05-68.dat	xmrig
behavioral1/files/0x0006000000016d3a-64.dat	xmrig
behavioral1/memory/2232-110-0x0000000002330000-0x0000000002684000-memory.dmp	xmrig
behavioral1/memory/2888-111-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/memory/2980-113-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2992-115-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2232-114-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2800-126-0x000000013F290000-0x000000013F5E4000-memory.dmp	xmrig
behavioral1/memory/2232-129-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2488-128-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2740-124-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
behavioral1/memory/2664-123-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/2584-122-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2532-120-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/3036-118-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/1588-117-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2232-131-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2832-133-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/1580-134-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2832-135-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/1580-136-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2888-137-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/memory/2980-138-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2992-139-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/1588-140-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/3036-141-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2532-142-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2584-143-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2664-144-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/400-145-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2740-146-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
behavioral1/memory/2800-147-0x000000013F290000-0x000000013F5E4000-memory.dmp	xmrig
behavioral1/memory/2488-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2832	UeSMYkU.exe
1580	uoUkdiN.exe
400	AkYYMrH.exe
2888	UdvoAcU.exe
2980	vljERRv.exe
2992	tRiiFhA.exe
1588	kmiAOfS.exe
3036	nwjZtsP.exe
2532	XlQFWnK.exe
2584	pFKZlVo.exe
2664	gngJLlo.exe
2740	AJXCzLX.exe
2800	bYlPqDg.exe
2488	QGfoxpl.exe
2444	fuhNSwz.exe
2504	KOROjvj.exe
2920	XCxVrGk.exe
2204	xEqiFEx.exe
676	VhPIWlA.exe
1056	wxowlWy.exe
1296	cJRRnbw.exe

Loads dropped DLL 21 IoCs

pid	Process
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-0-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/files/0x0008000000012119-3.dat	upx
behavioral1/memory/2832-7-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x0008000000015d2b-9.dat	upx
behavioral1/files/0x0008000000015d4c-11.dat	upx
behavioral1/files/0x0008000000015d6e-18.dat	upx
behavioral1/files/0x0007000000015d82-26.dat	upx
behavioral1/files/0x0007000000015e4a-36.dat	upx
behavioral1/files/0x0008000000015f61-41.dat	upx
behavioral1/files/0x0006000000016d29-50.dat	upx
behavioral1/files/0x0006000000016d31-55.dat	upx
behavioral1/memory/400-60-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/1580-59-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/files/0x0008000000015fd9-45.dat	upx
behavioral1/files/0x0007000000015dab-30.dat	upx
behavioral1/files/0x0006000000016dcf-101.dat	upx
behavioral1/files/0x0006000000016ddf-106.dat	upx
behavioral1/files/0x0006000000016dcb-98.dat	upx
behavioral1/files/0x0006000000016d65-88.dat	upx
behavioral1/files/0x0006000000016d69-93.dat	upx
behavioral1/files/0x0006000000016d5e-83.dat	upx
behavioral1/files/0x0006000000016d4a-78.dat	upx
behavioral1/files/0x0006000000016d42-73.dat	upx
behavioral1/files/0x0009000000015d05-68.dat	upx
behavioral1/files/0x0006000000016d3a-64.dat	upx
behavioral1/memory/2888-111-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/memory/2980-113-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2992-115-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2800-126-0x000000013F290000-0x000000013F5E4000-memory.dmp	upx
behavioral1/memory/2488-128-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2740-124-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
behavioral1/memory/2664-123-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2584-122-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2532-120-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/3036-118-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/1588-117-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2232-131-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2832-133-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/1580-134-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2832-135-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/1580-136-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2888-137-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/memory/2980-138-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2992-139-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/1588-140-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/3036-141-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2532-142-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2584-143-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2664-144-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/400-145-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2740-146-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
behavioral1/memory/2800-147-0x000000013F290000-0x000000013F5E4000-memory.dmp	upx
behavioral1/memory/2488-148-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fuhNSwz.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\xEqiFEx.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\VhPIWlA.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\cJRRnbw.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\AkYYMrH.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\UdvoAcU.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\vljERRv.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\tRiiFhA.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\pFKZlVo.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\QGfoxpl.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\wxowlWy.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\UeSMYkU.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\kmiAOfS.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\AJXCzLX.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\gngJLlo.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\bYlPqDg.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\KOROjvj.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\XCxVrGk.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\uoUkdiN.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\nwjZtsP.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
File created	C:\Windows\System\XlQFWnK.exe	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2832	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2832	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2832	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	29
PID 2232 wrote to memory of 1580	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1580	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1580	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	30
PID 2232 wrote to memory of 400	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	31
PID 2232 wrote to memory of 400	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	31
PID 2232 wrote to memory of 400	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2888	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2888	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2888	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	32
PID 2232 wrote to memory of 2980	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2980	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2980	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2992	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	34
PID 2232 wrote to memory of 2992	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	34
PID 2232 wrote to memory of 2992	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	34
PID 2232 wrote to memory of 1588	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	35
PID 2232 wrote to memory of 1588	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	35
PID 2232 wrote to memory of 1588	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	35
PID 2232 wrote to memory of 3036	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	36
PID 2232 wrote to memory of 3036	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	36
PID 2232 wrote to memory of 3036	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	36
PID 2232 wrote to memory of 2532	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	37
PID 2232 wrote to memory of 2532	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	37
PID 2232 wrote to memory of 2532	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	37
PID 2232 wrote to memory of 2584	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	38
PID 2232 wrote to memory of 2584	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	38
PID 2232 wrote to memory of 2584	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	38
PID 2232 wrote to memory of 2664	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	39
PID 2232 wrote to memory of 2664	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	39
PID 2232 wrote to memory of 2664	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	39
PID 2232 wrote to memory of 2740	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	40
PID 2232 wrote to memory of 2740	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	40
PID 2232 wrote to memory of 2740	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	40
PID 2232 wrote to memory of 2800	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	41
PID 2232 wrote to memory of 2800	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	41
PID 2232 wrote to memory of 2800	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	41
PID 2232 wrote to memory of 2488	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	42
PID 2232 wrote to memory of 2488	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	42
PID 2232 wrote to memory of 2488	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	42
PID 2232 wrote to memory of 2444	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	43
PID 2232 wrote to memory of 2444	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	43
PID 2232 wrote to memory of 2444	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	43
PID 2232 wrote to memory of 2504	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	44
PID 2232 wrote to memory of 2504	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	44
PID 2232 wrote to memory of 2504	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	44
PID 2232 wrote to memory of 2920	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	45
PID 2232 wrote to memory of 2920	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	45
PID 2232 wrote to memory of 2920	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	45
PID 2232 wrote to memory of 2204	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	46
PID 2232 wrote to memory of 2204	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	46
PID 2232 wrote to memory of 2204	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	46
PID 2232 wrote to memory of 676	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	47
PID 2232 wrote to memory of 676	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	47
PID 2232 wrote to memory of 676	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	47
PID 2232 wrote to memory of 1056	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	48
PID 2232 wrote to memory of 1056	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	48
PID 2232 wrote to memory of 1056	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	48
PID 2232 wrote to memory of 1296	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	49
PID 2232 wrote to memory of 1296	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	49
PID 2232 wrote to memory of 1296	2232	e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe	49

C:\Users\Admin\AppData\Local\Temp\e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e192850c64d24461f040b20f78ddeeae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System\UeSMYkU.exe
  C:\Windows\System\UeSMYkU.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\uoUkdiN.exe
  C:\Windows\System\uoUkdiN.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\AkYYMrH.exe
  C:\Windows\System\AkYYMrH.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\UdvoAcU.exe
  C:\Windows\System\UdvoAcU.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\vljERRv.exe
  C:\Windows\System\vljERRv.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\tRiiFhA.exe
  C:\Windows\System\tRiiFhA.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\kmiAOfS.exe
  C:\Windows\System\kmiAOfS.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\nwjZtsP.exe
  C:\Windows\System\nwjZtsP.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\XlQFWnK.exe
  C:\Windows\System\XlQFWnK.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\pFKZlVo.exe
  C:\Windows\System\pFKZlVo.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\gngJLlo.exe
  C:\Windows\System\gngJLlo.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\AJXCzLX.exe
  C:\Windows\System\AJXCzLX.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\bYlPqDg.exe
  C:\Windows\System\bYlPqDg.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\QGfoxpl.exe
  C:\Windows\System\QGfoxpl.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\fuhNSwz.exe
  C:\Windows\System\fuhNSwz.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\KOROjvj.exe
  C:\Windows\System\KOROjvj.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\XCxVrGk.exe
  C:\Windows\System\XCxVrGk.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\xEqiFEx.exe
  C:\Windows\System\xEqiFEx.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\VhPIWlA.exe
  C:\Windows\System\VhPIWlA.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System\wxowlWy.exe
  C:\Windows\System\wxowlWy.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\cJRRnbw.exe
  C:\Windows\System\cJRRnbw.exe
  2⤵
  - Executes dropped EXE
  PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AJXCzLX.exe

Filesize
5.9MB

MD5
4dc0c2bb736eaf4295dcd4b13711e1ac

SHA1
20db5698b60437ed57bb72174bd9d20a75efaf4a

SHA256
456664b299055e2072e9eb6d2be683077b162fd1e86ddbc4cba6751c1a59a188

SHA512
c554985b4bf4948dcf71f2ac391f1b3c7a2d67b6b64ad5774d3f53eb45d097cae021510302777ba846139de5cb6fb877047c447db216f5240799630a982c9ad3

Download Submit
C:\Windows\system\AkYYMrH.exe

Filesize
5.9MB

MD5
302dc30a3eedecf0b5378e03a8662c1a

SHA1
34d223a2d45c283f60edf31467986bc65e29195f

SHA256
03a226dd34207999348d64306b4e7817042019a365334d806f51f3a2162173a8

SHA512
540c791584e766392dd9c93a41e14037752a140f9247804790194e6164ab1ac765b9bcb3de767cffad96a475fd4696094d162f4c07ce9e047b2a456112048e9a

Download Submit
C:\Windows\system\KOROjvj.exe

Filesize
5.9MB

MD5
13b12b4a01a06daf81bad5bffd290304

SHA1
06fb06b93231496748d1659c7ced3b4b94fab5a4

SHA256
0d65cde887228b000a2942ccebc2899508118b20306c6d510948549a31cdc064

SHA512
484f3e9c3046c5461ca25b3d40428a202ab9f280018fc31e39d330a44a7f33c47136f11be2e1f368186d5385af156e096fbc545db02f388166d4d6d313890dde

Download Submit
C:\Windows\system\QGfoxpl.exe

Filesize
5.9MB

MD5
829ab57c895b5ad0b636fb66b094c83e

SHA1
e8a0f06984ebab617203d01909404113b656346c

SHA256
2ccfdb70ddc62a5a06600c7064a54975d45208c350da89a2189af3c586d018d1

SHA512
5b75b91c0b3551a53261d1a3dfa7169293eb0088002a0abc13aefa17796fd5dca123451d60205529465c6c89cf934c09ea704d3e811b0b53af4e94e929a795c2

Download Submit
C:\Windows\system\VhPIWlA.exe

Filesize
5.9MB

MD5
e2c6d8e08760b94dbf4beef97ff9d77f

SHA1
36e94af2369fb91477240f55d839d6fb638d027f

SHA256
937d60c9e1114fa3bbc39b24a2873ac2d1da648a72024b9755eea9c0b1cbf1ce

SHA512
c500950858ee763a5d9dbfaffe083ac2c4d98fac0fa759d845336dabf3de7c4aa188e2d113787e7e644aa65aa2ee0280a5c32065d2512f507897c97ee92c3206

Download Submit
C:\Windows\system\XCxVrGk.exe

Filesize
5.9MB

MD5
4dfa2f750be2da6d6c3d3d33bef738f6

SHA1
13bdde6ef0733ab6292539473e7af7e2d116dc2f

SHA256
abce8572b659796bb21b8e52e63ff6c54771e814c9da8a33a1df2a3c96dbc133

SHA512
a16354f537f78bc8c6476003a6d284791058ebb41ebf01d897dc62953a10dec0710c4af07250647e6b7666c6d74f6fe593fcc64c62693bcfd3899f90357ea79e

Download Submit
C:\Windows\system\XlQFWnK.exe

Filesize
5.9MB

MD5
5a9380923d4ec639ec4c657b60f09647

SHA1
60a3d1b11c9ec56c37bb975d7e8daf356d48bada

SHA256
7fa11ef20ce4fb9cd8946e1c3f3c576359c3b8dde895880b30754d018732683d

SHA512
08e24193c43c606472d83c4b5ec5cf2e9bf3c1b6f124e1e3ef7befc637dd90ce888a659b9a76bd4fd29b5b618b38c894d580312688d930bf8bb59bc844057893

Download Submit
C:\Windows\system\bYlPqDg.exe

Filesize
5.9MB

MD5
eca29160cf0d3bbd927965d53138b6f3

SHA1
cee9b078d73cf5f26e0efd877385f0c76f1985d4

SHA256
a0dbcf75a14dc01cce5ed40bbe3a79d575d671ac0ca55efb67b7285d08b87930

SHA512
05a112506b1feea3a85ea9a0947dc8352ba74446b10ebb9da6313daad9cc748d07ab593977a90e69c2c9a8988d42011abe728b3046d40f5eb8ff8f8b0ce40bbc

Download Submit
C:\Windows\system\fuhNSwz.exe

Filesize
5.9MB

MD5
1992460dabc34f7e6344630d21cf4884

SHA1
16f1b7706cf38b529709f5ba3ac30dddb001d05a

SHA256
c0236108b225f3de7439066f19e9afb7a8c9f73aee9e615e2c2f00abd8423569

SHA512
eb2f0a772737a70e10e664bf787e4642ba4ef9deddc22b6983c8b6bc67e07afc901b4c8715208a464f397d228a52a4e6cb7a031d59e8377ca47bc8e4cf1f0947

Download Submit
C:\Windows\system\gngJLlo.exe

Filesize
5.9MB

MD5
ed9e003a742cbab1fc8147076f996436

SHA1
9c97b719401b7d8f9f6c6fa2d8bc4bf18e68c46a

SHA256
fd160fe35f250e347cc2cdb56746a1399c18e9bbd2958e9da3a6b63418c8ad4b

SHA512
fc965cd5c1df5c3515d73c615ddad01afbbf3e846ee9463f1c5d318ac98c19587469f0847ff59a399f49c37175516cb9fb88662998edad4be3580c30eeb9b7ed

Download Submit
C:\Windows\system\kmiAOfS.exe

Filesize
5.9MB

MD5
502d5ad7f644e98dae3b856d99f1c861

SHA1
c59562c0a092f6075ffcfdfe3e6cda691fec32a6

SHA256
f9b3d432994b503a68e3e3b54ebaae342dde180eec29fa27203ec322bf217feb

SHA512
a50fe1218e4499608e90ec2216560efc5f85ffe31b3e9a71b8649b9c26be8526d0ac369570483878141092fc2363f408d48bfbb0414317f0708d32c91739d14b

Download Submit
C:\Windows\system\nwjZtsP.exe

Filesize
5.9MB

MD5
8b71a9569ceb5458dc727c9b8a0d981b

SHA1
778d356f66aa354fe033a10a4c38d045bb29c8a2

SHA256
498bb574d06ecf7dd21d46ddb47ef67c8d5ca4dfadf5bd58ca33bb3ecc41023b

SHA512
818d1752d57ec3669f13ee2917ce1cb93b20e97fd8d512ca0bef25028572621a901db0764a3547e9168775a9f23ec557d2ace5599329bdf2a09ce38108e0e60c

Download Submit
C:\Windows\system\pFKZlVo.exe

Filesize
5.9MB

MD5
136f451b2bd8771602fadc610446b1de

SHA1
30101eca5103b466fff635cf3534513922979e30

SHA256
2c3718e31d66e8ec9abff6fb42f0989025a627b5dd7c4bdf3f7831eebd6017c0

SHA512
db6448b8d843661f189054242adcd0f2cfc036b98942d61578b2402dc95a31937eabb1e7d40f41b56a9e3bc2099477681ccaa206ea1da700d71a4d87a9247d41

Download Submit
C:\Windows\system\tRiiFhA.exe

Filesize
5.9MB

MD5
dc97b6de2497403fef95208ea89efd9d

SHA1
2a53daaed498b808409f60a9c56caf7509c47115

SHA256
81bf0d52b04ee47ab52315e49a55ee5375198b7c1d4b6cce43c854305fdafa62

SHA512
9be25f4a672324205bb49a77ab05d2a2b24e2dd26468229ce005cbfbff360a03b088c174f69013ece854126b5d9fdae169f9a9c0b074cf3992864bf453abc0bb

Download Submit
C:\Windows\system\vljERRv.exe

Filesize
5.9MB

MD5
3129c15d1bb58d1ce12c1d0befa1cfbc

SHA1
3f7b4635b6700b29b205dcfbca395f78e0363006

SHA256
3726c5ddc6d0e42c1f8f71faf03642f2ba4b2b69bad418df3415d3fb970801a1

SHA512
9afb1caaa8666ad7fbabd77a1a90d384fdae90ecacea629b59055b4aaed2000490850c86e92eb7200a697c016676ee471b95fd118b9234e90e0b6bdd8ee4ed83

Download Submit
C:\Windows\system\xEqiFEx.exe

Filesize
5.9MB

MD5
69640ba1cc712fa015600fafb8f9362e

SHA1
7d48840237c2f668496d78013d0100d6d7b289cd

SHA256
9d423fb9cb309e70fb441b54a9a155d3bb0b99ddcb0cf49ddab3f92b85cd2786

SHA512
e9f26295a50366876842472af2c9f8e5f928686bab8240dbcf2b436439d8ca0e7d43a6084d5e85c9dba4b8de5c2d49cb9864f507eeb5369b5968b13322d40aac

Download Submit
\Windows\system\UdvoAcU.exe

Filesize
5.9MB

MD5
80c877efc966ba7442a1f36e8f8d0533

SHA1
870fd7cfe5d08e59b689751f04316351589e783d

SHA256
a0f8ab6e7a699ee28e9b7b6972054d36226c3dc52d791337aeff2719dd3ad689

SHA512
863ea44d5c49c970a458e7631a46da317174d9e64f699cd00a71e66e71f7eeeab416c05a7f66cf97d0ee7ce5faeff2bdcc86fca5174350b4581cbb0667189f57

Download Submit
\Windows\system\UeSMYkU.exe

Filesize
5.9MB

MD5
d7f9b8d2a5fbf66aa56abb8f6a2d72a7

SHA1
58f3db4523eaeace7af6954fc4ccb4f123697fed

SHA256
fbc542a70fea2b2a96c89cc85b13e30ad59c017a6faa338371424755b67b1e65

SHA512
f52f5ee6b3272548427f86e94f8619db7bbdb3dc356b580c72edabc6a7a10ee86ad6a2245cf0801277eb8b318b676e7712cc74da6c58672c4bfbe5a49248fcd8

Download Submit
\Windows\system\cJRRnbw.exe

Filesize
5.9MB

MD5
40abb1f68ff5e7e26fa12976d0d0ecf2

SHA1
c06b044b63fb24c4bcabd632a1da75cdbe1eb008

SHA256
bf1f68285e263a653e3d04c0ef0555468d0be479834180e5fdab219dbc527319

SHA512
954c7f48069326ea7736c0c1cfe3a1bde773d233e872d302c7b4e07ab28511625eb416345b56393e6afe0cdd6aacf59146f77c73c6517d2fa7765f3fdfc61b65

Download Submit
\Windows\system\uoUkdiN.exe

Filesize
5.9MB

MD5
2e53ec0b13c869389d1fbfd5ffb1266f

SHA1
466464deadef23d5dbcec136d68e86e3da983a02

SHA256
119d8b5a74bd7957cdbe34b651dafbba3bbb1b0fe6e00759179414e7a6992f2c

SHA512
01b34acdc1924f2c7c8e6188a7de1ac0df6812537c91763c5b56f6682979a35ce1364e200d42bf056eaf950f8d05d55bc5c8a26dc73b0f781f8eb44f7d4ac271

Download Submit
\Windows\system\wxowlWy.exe

Filesize
5.9MB

MD5
580754c8b655e0d0d0a96722461ea718

SHA1
d2c24ac126f458ca3754cc860b7fb2a8c67711e2

SHA256
de787d60c53a66f01ec8e9cc0d46b2ae1a54cfbbda446368b1577807e7f1301a

SHA512
05b35963489b3b05e8bd8c762c661bc6cb1ac4a270a62f9e46d4c893ba24fef2bb931f0d61b24d877013b95af3eda664b80e73f15e2a9968162fba81e8a3f484

Download Submit
memory/400-60-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/400-145-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/1580-59-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1580-136-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1580-134-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-140-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1588-117-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2232-125-0x000000013F290000-0x000000013F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-131-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-116-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2232-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2232-114-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2232-0-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-110-0x0000000002330000-0x0000000002684000-memory.dmp

Filesize
3.3MB

Download
memory/2232-130-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2232-129-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2232-112-0x0000000002330000-0x0000000002684000-memory.dmp

Filesize
3.3MB

Download
memory/2232-127-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-132-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2232-119-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2232-121-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2488-148-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-128-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-120-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2532-142-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2584-143-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2584-122-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2664-123-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-144-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-124-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2740-146-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2800-147-0x000000013F290000-0x000000013F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-126-0x000000013F290000-0x000000013F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2832-135-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2832-7-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2832-133-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2888-137-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2888-111-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2980-113-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-138-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-115-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2992-139-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/3036-141-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-118-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download