cobaltstrike | 5928849e6e39cd47ce996de6bef65ba34e765980b22490322dcfc0e28e9635f3

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
Size

5.9MB
MD5

e3099baae5165efb5549a240a33faae6
SHA1

841fd0c9e1eb6811fb708fc7f15abfbb4423c0e2
SHA256

5928849e6e39cd47ce996de6bef65ba34e765980b22490322dcfc0e28e9635f3
SHA512

0a0879abc1fe324714cc2f9ef0f7baff85897c316a6a2d1e9882a95e0fc3adceb0d91d21914d7288588bc6ee1ac7ad07a9453dee8cb0def8fd72975196c76354
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUQ:E+b56utgpPF8u/7Q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012119-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dbe-11.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173f1-28.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173f4-33.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000173fc-37.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000191ff-44.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019244-48.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019353-76.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001936b-84.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001937b-88.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019356-80.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001928c-72.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019284-68.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019266-64.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019263-60.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-56.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019256-52.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000017472-41.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dd7-17.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016eca-24.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dd1-16.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2092-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/files/0x0007000000012119-3.dat	xmrig
behavioral1/files/0x0008000000016dbe-11.dat	xmrig
behavioral1/files/0x00070000000173f1-28.dat	xmrig
behavioral1/files/0x00070000000173f4-33.dat	xmrig
behavioral1/files/0x00090000000173fc-37.dat	xmrig
behavioral1/files/0x00070000000191ff-44.dat	xmrig
behavioral1/files/0x0005000000019244-48.dat	xmrig
behavioral1/files/0x0005000000019353-76.dat	xmrig
behavioral1/files/0x000500000001936b-84.dat	xmrig
behavioral1/files/0x000500000001937b-88.dat	xmrig
behavioral1/files/0x0005000000019356-80.dat	xmrig
behavioral1/files/0x000500000001928c-72.dat	xmrig
behavioral1/files/0x0005000000019284-68.dat	xmrig
behavioral1/memory/2092-93-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2520-92-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2836-100-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2856-103-0x000000013F430000-0x000000013F784000-memory.dmp	xmrig
behavioral1/memory/320-109-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2088-108-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2732-107-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2092-106-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2748-105-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2092-102-0x000000013F430000-0x000000013F784000-memory.dmp	xmrig
behavioral1/memory/2300-101-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2744-99-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/612-98-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/872-97-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/3056-95-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/1676-94-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/1568-90-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/files/0x0005000000019266-64.dat	xmrig
behavioral1/files/0x0005000000019263-60.dat	xmrig
behavioral1/files/0x0005000000019259-56.dat	xmrig
behavioral1/files/0x0005000000019256-52.dat	xmrig
behavioral1/files/0x0008000000017472-41.dat	xmrig
behavioral1/files/0x0008000000016dd7-17.dat	xmrig
behavioral1/files/0x0008000000016eca-24.dat	xmrig
behavioral1/files/0x0008000000016dd1-16.dat	xmrig
behavioral1/memory/2092-128-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/1676-129-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/872-131-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/612-132-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2836-134-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2300-135-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2748-137-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2732-138-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2856-136-0x000000013F430000-0x000000013F784000-memory.dmp	xmrig
behavioral1/memory/2744-133-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig
behavioral1/memory/3056-130-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/320-139-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2088-140-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/1568-141-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2520-142-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2732-145-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2748-146-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/612-153-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2836-152-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2856-151-0x000000013F430000-0x000000013F784000-memory.dmp	xmrig
behavioral1/memory/3056-150-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/872-149-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/320-148-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2300-147-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2744-144-0x000000013FA40000-0x000000013FD94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2088	yActPdW.exe
1568	MynJmwt.exe
2520	yROiSsc.exe
320	BefzbtS.exe
1676	bnPyjYq.exe
3056	qASIwFD.exe
872	SNnFSbi.exe
612	GpLkfGz.exe
2744	HsMaHbY.exe
2836	NvgEmHM.exe
2300	WirxAXr.exe
2856	aMnYjzz.exe
2748	cWWAsnL.exe
2732	RXtVaRV.exe
3004	hmwolXs.exe
788	FGZKXed.exe
2728	qyTnjVl.exe
2612	ZUlHDIT.exe
2660	sMfTtQi.exe
2384	NMXBDci.exe
2652	DMkVKWu.exe

Loads dropped DLL 21 IoCs

pid	Process
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/files/0x0007000000012119-3.dat	upx
behavioral1/files/0x0008000000016dbe-11.dat	upx
behavioral1/files/0x00070000000173f1-28.dat	upx
behavioral1/files/0x00070000000173f4-33.dat	upx
behavioral1/files/0x00090000000173fc-37.dat	upx
behavioral1/files/0x00070000000191ff-44.dat	upx
behavioral1/files/0x0005000000019244-48.dat	upx
behavioral1/files/0x0005000000019353-76.dat	upx
behavioral1/files/0x000500000001936b-84.dat	upx
behavioral1/files/0x000500000001937b-88.dat	upx
behavioral1/files/0x0005000000019356-80.dat	upx
behavioral1/files/0x000500000001928c-72.dat	upx
behavioral1/files/0x0005000000019284-68.dat	upx
behavioral1/memory/2520-92-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2836-100-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2856-103-0x000000013F430000-0x000000013F784000-memory.dmp	upx
behavioral1/memory/320-109-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2088-108-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/2732-107-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2748-105-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2300-101-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2744-99-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/612-98-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/872-97-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/3056-95-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/1676-94-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/1568-90-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/files/0x0005000000019266-64.dat	upx
behavioral1/files/0x0005000000019263-60.dat	upx
behavioral1/files/0x0005000000019259-56.dat	upx
behavioral1/files/0x0005000000019256-52.dat	upx
behavioral1/files/0x0008000000017472-41.dat	upx
behavioral1/files/0x0008000000016dd7-17.dat	upx
behavioral1/files/0x0008000000016eca-24.dat	upx
behavioral1/files/0x0008000000016dd1-16.dat	upx
behavioral1/memory/2092-128-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/1676-129-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/872-131-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/612-132-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2836-134-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2300-135-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2748-137-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2732-138-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2856-136-0x000000013F430000-0x000000013F784000-memory.dmp	upx
behavioral1/memory/2744-133-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/3056-130-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/320-139-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2088-140-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/1568-141-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2520-142-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2732-145-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2748-146-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/612-153-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2836-152-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2856-151-0x000000013F430000-0x000000013F784000-memory.dmp	upx
behavioral1/memory/3056-150-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/872-149-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/320-148-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2300-147-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2744-144-0x000000013FA40000-0x000000013FD94000-memory.dmp	upx
behavioral1/memory/1676-143-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yActPdW.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\GpLkfGz.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\FGZKXed.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\qyTnjVl.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\ZUlHDIT.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\yROiSsc.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\bnPyjYq.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\BefzbtS.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\HsMaHbY.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\NvgEmHM.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\aMnYjzz.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\RXtVaRV.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\hmwolXs.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\SNnFSbi.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\DMkVKWu.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\MynJmwt.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\qASIwFD.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\WirxAXr.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\cWWAsnL.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\sMfTtQi.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
File created	C:\Windows\System\NMXBDci.exe	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2088	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2088	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2088	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	31
PID 2092 wrote to memory of 1568	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	32
PID 2092 wrote to memory of 1568	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	32
PID 2092 wrote to memory of 1568	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2520	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2520	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2520	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	33
PID 2092 wrote to memory of 1676	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	34
PID 2092 wrote to memory of 1676	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	34
PID 2092 wrote to memory of 1676	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	34
PID 2092 wrote to memory of 320	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	35
PID 2092 wrote to memory of 320	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	35
PID 2092 wrote to memory of 320	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	35
PID 2092 wrote to memory of 3056	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	36
PID 2092 wrote to memory of 3056	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	36
PID 2092 wrote to memory of 3056	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	36
PID 2092 wrote to memory of 872	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	37
PID 2092 wrote to memory of 872	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	37
PID 2092 wrote to memory of 872	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	37
PID 2092 wrote to memory of 612	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	38
PID 2092 wrote to memory of 612	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	38
PID 2092 wrote to memory of 612	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	38
PID 2092 wrote to memory of 2744	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	39
PID 2092 wrote to memory of 2744	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	39
PID 2092 wrote to memory of 2744	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	39
PID 2092 wrote to memory of 2836	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	40
PID 2092 wrote to memory of 2836	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	40
PID 2092 wrote to memory of 2836	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	40
PID 2092 wrote to memory of 2300	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	41
PID 2092 wrote to memory of 2300	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	41
PID 2092 wrote to memory of 2300	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	41
PID 2092 wrote to memory of 2856	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	42
PID 2092 wrote to memory of 2856	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	42
PID 2092 wrote to memory of 2856	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	42
PID 2092 wrote to memory of 2748	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	43
PID 2092 wrote to memory of 2748	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	43
PID 2092 wrote to memory of 2748	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	43
PID 2092 wrote to memory of 2732	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	44
PID 2092 wrote to memory of 2732	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	44
PID 2092 wrote to memory of 2732	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	44
PID 2092 wrote to memory of 3004	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	45
PID 2092 wrote to memory of 3004	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	45
PID 2092 wrote to memory of 3004	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	45
PID 2092 wrote to memory of 788	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	46
PID 2092 wrote to memory of 788	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	46
PID 2092 wrote to memory of 788	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	46
PID 2092 wrote to memory of 2728	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	47
PID 2092 wrote to memory of 2728	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	47
PID 2092 wrote to memory of 2728	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	47
PID 2092 wrote to memory of 2612	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	48
PID 2092 wrote to memory of 2612	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	48
PID 2092 wrote to memory of 2612	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	48
PID 2092 wrote to memory of 2660	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	49
PID 2092 wrote to memory of 2660	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	49
PID 2092 wrote to memory of 2660	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	49
PID 2092 wrote to memory of 2384	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	50
PID 2092 wrote to memory of 2384	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	50
PID 2092 wrote to memory of 2384	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	50
PID 2092 wrote to memory of 2652	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	51
PID 2092 wrote to memory of 2652	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	51
PID 2092 wrote to memory of 2652	2092	e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3099baae5165efb5549a240a33faae6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\System\yActPdW.exe
  C:\Windows\System\yActPdW.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\MynJmwt.exe
  C:\Windows\System\MynJmwt.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\yROiSsc.exe
  C:\Windows\System\yROiSsc.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\bnPyjYq.exe
  C:\Windows\System\bnPyjYq.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\BefzbtS.exe
  C:\Windows\System\BefzbtS.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\qASIwFD.exe
  C:\Windows\System\qASIwFD.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\SNnFSbi.exe
  C:\Windows\System\SNnFSbi.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\GpLkfGz.exe
  C:\Windows\System\GpLkfGz.exe
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Windows\System\HsMaHbY.exe
  C:\Windows\System\HsMaHbY.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\NvgEmHM.exe
  C:\Windows\System\NvgEmHM.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\WirxAXr.exe
  C:\Windows\System\WirxAXr.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\aMnYjzz.exe
  C:\Windows\System\aMnYjzz.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\cWWAsnL.exe
  C:\Windows\System\cWWAsnL.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\RXtVaRV.exe
  C:\Windows\System\RXtVaRV.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\hmwolXs.exe
  C:\Windows\System\hmwolXs.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\FGZKXed.exe
  C:\Windows\System\FGZKXed.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\qyTnjVl.exe
  C:\Windows\System\qyTnjVl.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\ZUlHDIT.exe
  C:\Windows\System\ZUlHDIT.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\sMfTtQi.exe
  C:\Windows\System\sMfTtQi.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\NMXBDci.exe
  C:\Windows\System\NMXBDci.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\DMkVKWu.exe
  C:\Windows\System\DMkVKWu.exe
  2⤵
  - Executes dropped EXE
  PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BefzbtS.exe

Filesize
5.9MB

MD5
1aa0e70fe1950435dbef2ff2c79a5f05

SHA1
610400e1160a8de2fbdb0eaf76f6ba5126b48293

SHA256
ad65eb373adfa963e1266cca1effe13142f822e7abce8a606fbd4d6ba753bd43

SHA512
632fbb6429edc9ca78707fe4b287e36dd101fca2ebeddb6809752e383dc6a48d3ee078ac8227b1b7faf3d8dc62745a07167fe3aeb51cb53e1ecdf9cd6b3c3f80

Download Submit
C:\Windows\system\DMkVKWu.exe

Filesize
5.9MB

MD5
71afe5756c21a6624f048ddf23234a9f

SHA1
45822d5385f1d15afff325dab0f682a78ef987f3

SHA256
e3cc01e2f9c577d074129ebb51b7aac2793d92b17f8b0e274d608e020cec7029

SHA512
b270cb3bf5d0d44292e39dfc78e1c177c828d412337d2f289812bc5cdef3e31bf8a99dd73937f25bd946c24078d7d1e46b9ba130092b2a77766f4a2ce7b0866a

Download Submit
C:\Windows\system\FGZKXed.exe

Filesize
5.9MB

MD5
96165478da5b37e684e8b63581e74448

SHA1
361bef727620a86701dc20586fc04273ed6773e7

SHA256
f0b406829eba7c492678e146f304d7a3a3ce4c364ca0332bc4fdee2803ffb6ea

SHA512
f959179debcf2622fcabbd32e7542b315456315cf435221a5708d11f7e44623ed30a722144726c766e72491bb23a87cbfe708f8a841dffda8d31884f60822136

Download Submit
C:\Windows\system\GpLkfGz.exe

Filesize
5.9MB

MD5
ed2de01cd193ebe7aea695531de48906

SHA1
a0ec54bcd0252bb29a0b883e62479772375eba8e

SHA256
0ba70437b36d62694c74b8e8e84d81dc002452925b8908345ec267e993bff81e

SHA512
b85e9334f86882cae200fbdc902227fedef04148392272d73492760af88ca1633b41e9bc1b18728c45bcc8c84ca8bacee1a531009844294f8c847c47e66308cb

Download Submit
C:\Windows\system\HsMaHbY.exe

Filesize
5.9MB

MD5
27264f9a4e05f7ccbf83d07bd1c6f644

SHA1
8ad0cdb511965db7cc5f3f09fb9470a917888a0d

SHA256
c5143dab9ef4a2b26a40e1ecf8c82b2043dbf06685535352229e96d6fb220263

SHA512
c03ca86439a64a3325e34450caa27d6138d72bdbaa2a166a3abcb2399313da02912b7c45e7684f8440ace8e58f2280c8218c750889ae8651b31aad8948b0ee82

Download Submit
C:\Windows\system\MynJmwt.exe

Filesize
5.9MB

MD5
daac0ea22bf873741701bb871e3ead6a

SHA1
1fea37446e29810bad4dd8034ea111a5d1480487

SHA256
fb42dc5918f8861486abe7fe52ad758c0c41c88d863f61ce9de7aa365a0e0212

SHA512
b1f4ecdce069501c700d810ddd4dc54959157b87023fac169930b1c7cb8929a887447f305ba8ab4e68fcf3ab3024e201e146e20d7535c6a6eabd7f9e9f9f9279

Download Submit
C:\Windows\system\NMXBDci.exe

Filesize
5.9MB

MD5
7e9a6530c08c719b896b72b1513e7711

SHA1
52439c94420f5af3596743eabd376fc46d520978

SHA256
f48f8515692eec1e79a16ab4779f3bb9a1662e777ad547063444272e2b4ae2e7

SHA512
d33389fa3857bc3d7a0a024409b9b0b0bf13a8a4ac83c65f38b1d00c2368cc0a4d1a17da6ed3738aff784a40f62f0d243d0c7fadd16d85958b13c9fc1fce09bb

Download Submit
C:\Windows\system\NvgEmHM.exe

Filesize
5.9MB

MD5
3f68504fbff52f9cc0154c7cd5adadab

SHA1
c1c6b05fb104930f3ee5f0b70361e6f6acd8509b

SHA256
fb726b165b7ec55be1759c77b1576cf8330f871cf500e5d16edf612d50e195ba

SHA512
b5d0bdcfb4de630584228de268c05bc80be33e5c03f8ae18ba74b4811f12777886ce78efe6f7aaa7778a48cc8bb67dca9f6ef86adb55eac7772465854a4d88f7

Download Submit
C:\Windows\system\RXtVaRV.exe

Filesize
5.9MB

MD5
b80f9b003c68762b098fac4c4855c002

SHA1
717f960d38258e80d364c607afdf31420e5d366a

SHA256
d02065296714dff173d3ddbc52d0108765fc9ca492fba79458df09bf355eaf23

SHA512
0936d22d67aeec0ab1faa527947eb6e7b42976d244b56b9c5013d80ed034bc4efcbb5ac1d1dd85433033895b05a32e564a143d1ec304684823b027375313bdba

Download Submit
C:\Windows\system\SNnFSbi.exe

Filesize
5.9MB

MD5
958344abb27ed92b4d1401d8d3c1a168

SHA1
196e5f6c82c7b4c4a9602d83b6dd2aa7f61995be

SHA256
c5c74482b78a1fc5a85b9e0a7771be10e26c84407f7ef0b490517b9d482056d1

SHA512
58ac752a395287a04332ec5aa35e86bfe2947f90e07e2d2a9ffd7661ce18d9cef1258fbf333b27e000ea7ce893458783b30c4029efdd910041259e9d9c5f968e

Download Submit
C:\Windows\system\WirxAXr.exe

Filesize
5.9MB

MD5
6b17ced8edca3c662f030d7e466c511a

SHA1
e99d30f3c0c6e8e83487080dce70e7e9c067f457

SHA256
eadaa9253376de61605711fd93ab919b0684005a2fcc72b6afe862a7b0c1a4af

SHA512
bb4f3b1ea0657ea5fa952fbd49871aee1c2a56ceb703f85727c19cd84040ff7f918206c837ca00b80b70f05e324daa82572a371476fa994b1ed56910d6ea32b1

Download Submit
C:\Windows\system\ZUlHDIT.exe

Filesize
5.9MB

MD5
0044662f1d5ecba1532ccd07fe1e7273

SHA1
fdfe3fbbb311e76b9c3b44c64c7e996730a43d56

SHA256
d1986a3aba059ffa89f141952ffce0e2b455cdd5d1095455bbcd3605467eeeda

SHA512
cd4d5168c25bc8ba107e9cd8b6739052d11b6bafe56f78dd4f907bfd1a590971b4a8d7d1740c67e25911730b1b98d14a0161c5cddb92ca00a219fd9662348923

Download Submit
C:\Windows\system\aMnYjzz.exe

Filesize
5.9MB

MD5
b7a627d7c735fc202b81d30798281aed

SHA1
a4662083477dceec675d7a382a76ca154935d5b2

SHA256
c2045efb06ea0309daf982b314c0ae30c08639b969e8a966c700d67e51ca51a1

SHA512
9e11e3ac35809df7b1ff65116bd485a9609fcf93abcdd401ec95d2f7f59854ad34825e171300a5117b26610703fcbd94a7929ffeea8264e05960b581732006e4

Download Submit
C:\Windows\system\cWWAsnL.exe

Filesize
5.9MB

MD5
b1be89849ed710a2d9ff0999f9d561e0

SHA1
65e1f62bcbe9fa2ae0bf520ba38e361bdec58c49

SHA256
feacf08a27631d745b40afacfa83ed4e81904800c817864352ffbcc235c58679

SHA512
0c75871af6632b4fd8b89fd4c9df0ef5f63f39a9f8d63175e617fe437a9e0c0e07953cf1c86c863e1de7b712b9ec2b512c82606a7a2391c11b37750c8109a69d

Download Submit
C:\Windows\system\hmwolXs.exe

Filesize
5.9MB

MD5
ad7ffdd85cf7034d6bd416cb97038c60

SHA1
55b98a351cb7c2f332c76bd08261ed94eb531d71

SHA256
a2aa8642b2e4e5b2e9fb458dd009f93401cd222233a9ec320acf6b3e8718e852

SHA512
40abb7659a2e2dd1a2f8447d0075f1f086c60d4e96399a302e4181405222655bad1f8c9ef94aff90253840db30e4422b99f3781ff5a2d4e9a70f9230f3683b61

Download Submit
C:\Windows\system\qASIwFD.exe

Filesize
5.9MB

MD5
3a8dd86d902b5b2c58588f77cf6565bb

SHA1
3556bde7d2149e99231873ee037c8a9e55fd7335

SHA256
7525795951e74a7486a1ca49eb19b5401eff12ceb5288526632c8cdbe182a3e4

SHA512
f89ff4f6cf0759b478656ed2ffe0174e69cffeb416071048c54ab33de0ca0db4a6a3d0dda103d7487fbba23a4e7993afe7972fd0edf72c8f59a80a91782d32d4

Download Submit
C:\Windows\system\qyTnjVl.exe

Filesize
5.9MB

MD5
3c87976ed811caf0f4438cdb59e04602

SHA1
6896cd88a85cbb8a1c3e2d6b6c70e234c26453a1

SHA256
3cb0a12df593ff518a0e8dfa64eef8f8ee7719b348be146f4819bc8110786451

SHA512
db81bf9d1d2efe8043fc8501709755a6fbaa95c3cbc3469e4c34fa220347e586826ec9c52ab1a432b57f1be649a402c787011ad30d4c9d974f083fdc732ad088

Download Submit
C:\Windows\system\sMfTtQi.exe

Filesize
5.9MB

MD5
9775e84d9872d72b18f2070f23ca2b8d

SHA1
ffc9bda1cf702f9d5c85bdd5d8e9d1595d59f971

SHA256
4d961a8eec670f0032e9702df89ba7bc7cb1e39a82c803d3e2d2492aaed6d72d

SHA512
7a363c7bf71f25bb80d2c7cc194da6e8738f02c23b29c89d2a64bd990fa60c07f3fe4760a90f320212f57bcc8c73e7f648c0c1b71ba2fe51846e0c1bb47491e0

Download Submit
C:\Windows\system\yROiSsc.exe

Filesize
5.9MB

MD5
9f23f770d0943dc7d5909e33d3adfa51

SHA1
3a2f04cda14a153863c3b93281b268dce582fdcd

SHA256
0f172fb328316714d3b7350f9b607d37dab06275f954cbde3ad4436a3497a051

SHA512
dc422c0092765093c59697919b0ed1eda46d206c2d4f228871f79414726f974b11637e3148723452f5de0a34839fb6bb4eb96082bab63ece456ac5aeb4274d4a

Download Submit
\Windows\system\bnPyjYq.exe

Filesize
5.9MB

MD5
be43248f4352df0ff05990d4a81a2adf

SHA1
3379ae27f1faf17bc86a3edf0e53be9acd73a5ea

SHA256
e156f255f2562e46442c9fc7aed8bd3a7e1b52b8b14a100dd59af80aaa5de6c0

SHA512
b3e2862f8c21b1dbb4f4110d13316706eae8244e04c4c437d29d358527cc745c6b3e8af86c859ac9c3e3fe8ab487c4c683f0c33ccb5595ba1c6f9e956ad2a69a

Download Submit
\Windows\system\yActPdW.exe

Filesize
5.9MB

MD5
484ac112773ea7f168a5178ac1e5b379

SHA1
c6b98337ca14e253de243aa233f1a46574a3bd15

SHA256
bcbfd04ac5073fc9d7a0b78c056e1de0a684dc9e1d74613faac4906cc8a266bf

SHA512
1efc7866b4e2c6fafb28e3b2fe085b0f74d85ca03714836cbf6c4a713bc71aecb3ee7f4ede96f996310537fdff18d798fb4352b90e93e6c982fd26c30f34a521

Download Submit
memory/320-109-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/320-148-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/320-139-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/612-132-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/612-153-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/612-98-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/872-131-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/872-97-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/872-149-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1568-141-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/1568-90-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/1676-143-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-94-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-129-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2088-108-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2088-140-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2092-96-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2092-91-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2092-20-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2092-102-0x000000013F430000-0x000000013F784000-memory.dmp

Filesize
3.3MB

Download
memory/2092-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2092-104-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2092-128-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-106-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-0-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-93-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-101-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2300-147-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2300-135-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2520-92-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2520-142-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2732-107-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-138-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-145-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-144-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2744-133-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2744-99-0x000000013FA40000-0x000000013FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2748-137-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2748-146-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2748-105-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2836-134-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2836-152-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2836-100-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2856-151-0x000000013F430000-0x000000013F784000-memory.dmp

Filesize
3.3MB

Download
memory/2856-103-0x000000013F430000-0x000000013F784000-memory.dmp

Filesize
3.3MB

Download
memory/2856-136-0x000000013F430000-0x000000013F784000-memory.dmp

Filesize
3.3MB

Download
memory/3056-95-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/3056-150-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/3056-130-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download