cobaltstrike | 23bef4e1da07cb486bd14fb7ed62eebdc7eb2d3ae205b0f099333e9d3ab27528

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
Size

5.9MB
MD5

e2f8abf15d7f777f97fec8f7377f078e
SHA1

620ec2187ff1c3e31c364baa8b63e6383eb80a48
SHA256

23bef4e1da07cb486bd14fb7ed62eebdc7eb2d3ae205b0f099333e9d3ab27528
SHA512

e0e11d6ad3c6bd3c8fe8774e21a7b7dcd066120b3b0bb5eb5abe07ac8c8b02b4e20437187a3dcfb0bac01539c0c5fb5832a8386b3fecd8bbc265bca31087034e
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUy:E+b56utgpPF8u/7y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012029-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019273-8.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000192f0-15.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001932a-19.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001933e-23.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41a-39.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41b-42.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41d-48.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a477-62.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a486-70.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a497-78.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4a2-86.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4a0-83.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a48a-74.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a478-66.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a455-58.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41e-54.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41c-47.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000194f6-34.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019384-31.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019346-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral1/memory/2532-0-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/files/0x000b000000012029-3.dat	xmrig
behavioral1/files/0x0008000000019273-8.dat	xmrig
behavioral1/files/0x00070000000192f0-15.dat	xmrig
behavioral1/files/0x000600000001932a-19.dat	xmrig
behavioral1/files/0x000600000001933e-23.dat	xmrig
behavioral1/files/0x000500000001a41a-39.dat	xmrig
behavioral1/files/0x000500000001a41b-42.dat	xmrig
behavioral1/files/0x000500000001a41d-48.dat	xmrig
behavioral1/files/0x000500000001a477-62.dat	xmrig
behavioral1/files/0x000500000001a486-70.dat	xmrig
behavioral1/files/0x000500000001a497-78.dat	xmrig
behavioral1/files/0x000500000001a4a2-86.dat	xmrig
behavioral1/files/0x000500000001a4a0-83.dat	xmrig
behavioral1/files/0x000500000001a48a-74.dat	xmrig
behavioral1/files/0x000500000001a478-66.dat	xmrig
behavioral1/files/0x000500000001a455-58.dat	xmrig
behavioral1/files/0x000500000001a41e-54.dat	xmrig
behavioral1/files/0x000500000001a41c-47.dat	xmrig
behavioral1/files/0x00070000000194f6-34.dat	xmrig
behavioral1/files/0x0006000000019384-31.dat	xmrig
behavioral1/files/0x0006000000019346-26.dat	xmrig
behavioral1/memory/2528-108-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/348-110-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2560-112-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2804-114-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2104-116-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2532-117-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2872-119-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2764-118-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2748-122-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2904-121-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2532-127-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2740-126-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/2060-124-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2644-129-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2724-128-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2468-130-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2532-131-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/2468-133-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2764-136-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2724-144-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2740-146-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/2748-145-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2872-143-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/348-142-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2104-141-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2060-140-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2560-139-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2904-138-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2528-137-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2804-134-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2644-135-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2468	SzxpWmo.exe
2528	nqeHkJN.exe
348	ttfEyms.exe
2560	SdLNZkt.exe
2804	WDBbBkQ.exe
2104	gMxTaDC.exe
2764	YRPtKlp.exe
2872	EMeQsqc.exe
2904	tQPeKrx.exe
2748	ehKuicf.exe
2060	wYCFIZt.exe
2740	unOaglz.exe
2724	WDfMsIP.exe
2644	WVtSxob.exe
2796	AXyxAUb.exe
2372	sFEmLEM.exe
2652	jWjfXNh.exe
2744	XJQivOe.exe
2088	cHYhlTO.exe
2624	GLhwixD.exe
1592	ZYdtZpn.exe

Loads dropped DLL 21 IoCs

pid	Process
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-0-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/files/0x000b000000012029-3.dat	upx
behavioral1/files/0x0008000000019273-8.dat	upx
behavioral1/files/0x00070000000192f0-15.dat	upx
behavioral1/files/0x000600000001932a-19.dat	upx
behavioral1/files/0x000600000001933e-23.dat	upx
behavioral1/files/0x000500000001a41a-39.dat	upx
behavioral1/files/0x000500000001a41b-42.dat	upx
behavioral1/files/0x000500000001a41d-48.dat	upx
behavioral1/files/0x000500000001a477-62.dat	upx
behavioral1/files/0x000500000001a486-70.dat	upx
behavioral1/files/0x000500000001a497-78.dat	upx
behavioral1/files/0x000500000001a4a2-86.dat	upx
behavioral1/files/0x000500000001a4a0-83.dat	upx
behavioral1/files/0x000500000001a48a-74.dat	upx
behavioral1/files/0x000500000001a478-66.dat	upx
behavioral1/files/0x000500000001a455-58.dat	upx
behavioral1/files/0x000500000001a41e-54.dat	upx
behavioral1/files/0x000500000001a41c-47.dat	upx
behavioral1/files/0x00070000000194f6-34.dat	upx
behavioral1/files/0x0006000000019384-31.dat	upx
behavioral1/files/0x0006000000019346-26.dat	upx
behavioral1/memory/2528-108-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/348-110-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2560-112-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2804-114-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2104-116-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2872-119-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2764-118-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2748-122-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2904-121-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2740-126-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/2060-124-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2644-129-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2724-128-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2468-130-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2532-131-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/2468-133-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2764-136-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2724-144-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2740-146-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/2748-145-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2872-143-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/348-142-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2104-141-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2060-140-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2560-139-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2904-138-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2528-137-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2804-134-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2644-135-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XJQivOe.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\GLhwixD.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\wYCFIZt.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\unOaglz.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\WDfMsIP.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\WVtSxob.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\jWjfXNh.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\cHYhlTO.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\nqeHkJN.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\WDBbBkQ.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\EMeQsqc.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\ehKuicf.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\AXyxAUb.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\tQPeKrx.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\sFEmLEM.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\ZYdtZpn.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\SzxpWmo.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\ttfEyms.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\SdLNZkt.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\gMxTaDC.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
File created	C:\Windows\System\YRPtKlp.exe	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2468	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2468	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2468	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2528	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2528	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2528	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	32
PID 2532 wrote to memory of 348	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	33
PID 2532 wrote to memory of 348	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	33
PID 2532 wrote to memory of 348	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2560	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2560	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2560	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2804	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	35
PID 2532 wrote to memory of 2804	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	35
PID 2532 wrote to memory of 2804	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	35
PID 2532 wrote to memory of 2104	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	36
PID 2532 wrote to memory of 2104	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	36
PID 2532 wrote to memory of 2104	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	36
PID 2532 wrote to memory of 2764	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	37
PID 2532 wrote to memory of 2764	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	37
PID 2532 wrote to memory of 2764	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	37
PID 2532 wrote to memory of 2872	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	38
PID 2532 wrote to memory of 2872	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	38
PID 2532 wrote to memory of 2872	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	38
PID 2532 wrote to memory of 2904	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	39
PID 2532 wrote to memory of 2904	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	39
PID 2532 wrote to memory of 2904	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	39
PID 2532 wrote to memory of 2748	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	40
PID 2532 wrote to memory of 2748	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	40
PID 2532 wrote to memory of 2748	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	40
PID 2532 wrote to memory of 2060	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	41
PID 2532 wrote to memory of 2060	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	41
PID 2532 wrote to memory of 2060	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	41
PID 2532 wrote to memory of 2740	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	42
PID 2532 wrote to memory of 2740	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	42
PID 2532 wrote to memory of 2740	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	42
PID 2532 wrote to memory of 2724	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	43
PID 2532 wrote to memory of 2724	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	43
PID 2532 wrote to memory of 2724	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	43
PID 2532 wrote to memory of 2644	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	44
PID 2532 wrote to memory of 2644	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	44
PID 2532 wrote to memory of 2644	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	44
PID 2532 wrote to memory of 2796	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	45
PID 2532 wrote to memory of 2796	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	45
PID 2532 wrote to memory of 2796	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	45
PID 2532 wrote to memory of 2372	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	46
PID 2532 wrote to memory of 2372	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	46
PID 2532 wrote to memory of 2372	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	46
PID 2532 wrote to memory of 2652	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	47
PID 2532 wrote to memory of 2652	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	47
PID 2532 wrote to memory of 2652	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	47
PID 2532 wrote to memory of 2744	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	48
PID 2532 wrote to memory of 2744	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	48
PID 2532 wrote to memory of 2744	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	48
PID 2532 wrote to memory of 2088	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	49
PID 2532 wrote to memory of 2088	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	49
PID 2532 wrote to memory of 2088	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	49
PID 2532 wrote to memory of 2624	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	50
PID 2532 wrote to memory of 2624	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	50
PID 2532 wrote to memory of 2624	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	50
PID 2532 wrote to memory of 1592	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	51
PID 2532 wrote to memory of 1592	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	51
PID 2532 wrote to memory of 1592	2532	e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2f8abf15d7f777f97fec8f7377f078e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System\SzxpWmo.exe
  C:\Windows\System\SzxpWmo.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\nqeHkJN.exe
  C:\Windows\System\nqeHkJN.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\ttfEyms.exe
  C:\Windows\System\ttfEyms.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System\SdLNZkt.exe
  C:\Windows\System\SdLNZkt.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\WDBbBkQ.exe
  C:\Windows\System\WDBbBkQ.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\gMxTaDC.exe
  C:\Windows\System\gMxTaDC.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\YRPtKlp.exe
  C:\Windows\System\YRPtKlp.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\EMeQsqc.exe
  C:\Windows\System\EMeQsqc.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\tQPeKrx.exe
  C:\Windows\System\tQPeKrx.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\ehKuicf.exe
  C:\Windows\System\ehKuicf.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\wYCFIZt.exe
  C:\Windows\System\wYCFIZt.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\unOaglz.exe
  C:\Windows\System\unOaglz.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\WDfMsIP.exe
  C:\Windows\System\WDfMsIP.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\WVtSxob.exe
  C:\Windows\System\WVtSxob.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\AXyxAUb.exe
  C:\Windows\System\AXyxAUb.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\sFEmLEM.exe
  C:\Windows\System\sFEmLEM.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\jWjfXNh.exe
  C:\Windows\System\jWjfXNh.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\XJQivOe.exe
  C:\Windows\System\XJQivOe.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\cHYhlTO.exe
  C:\Windows\System\cHYhlTO.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\GLhwixD.exe
  C:\Windows\System\GLhwixD.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\ZYdtZpn.exe
  C:\Windows\System\ZYdtZpn.exe
  2⤵
  - Executes dropped EXE
  PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AXyxAUb.exe

Filesize
5.9MB

MD5
1fbffce192ef6b65a952d3785f42ac99

SHA1
d8075fc2db535875a87056180ed9447bb8d440fd

SHA256
020d53e2697473ee11fe517ac4af548487beae3134608496b18d63f2d1cdb589

SHA512
3eb6ad824c361ac603faeddc0a4da627e502c3561b47325a81ffce6fb9f4773f21dc2bd795171563942a9e0d41d4b593129b44753231a134693a7ec601e618a0

Download Submit
C:\Windows\system\EMeQsqc.exe

Filesize
5.9MB

MD5
18899af338a14df554fe04e107153609

SHA1
2334b31c3e9ff2dbfb051b7c1376abe643f1a64c

SHA256
287510a193c8b18f7f88d866ca0a632f75bfb95b744cf6171f87d30427a0199f

SHA512
7f057e66f75c3cd51e87fd474f1b0ccdfcb8a72d87802e41da6144bece1eb1bd229425f6446be9fb9d309744dadfa3c8b4371c180d2b96df2cfe2cf93932be08

Download Submit
C:\Windows\system\GLhwixD.exe

Filesize
5.9MB

MD5
d1baf410d2c9c0d25ffd01426480c5ab

SHA1
c25872edcce7c3346b7a2da29b2220c0189c4782

SHA256
d5a288a88bd41d2d0a090730a2dc274b6328e3bf166b3a40823c0f2bd855ee13

SHA512
5e8820e8fb935cbb69baf40e2e3b340511107fecbbe4321e3f3153e0711da120b0d529d1b1cc70327cee5bdebdcde1c5fba8a5276b1903da84a2dd178530db94

Download Submit
C:\Windows\system\SdLNZkt.exe

Filesize
5.9MB

MD5
be7f1adfd2ca3ae78f691f21e2700615

SHA1
0c136fb61beb6de34373e00fd03e0ebb82c5551b

SHA256
7fb1eb773da393c0cb56ef7adb5aaf4731c28bfdd17fdecb7eca3da282a78f93

SHA512
6d9437d40e3c1ea03ec58986a4970847927d36a97c0ff1377fef79c63bfa69b68f8d9ebadf508efef1d89077bca8c12341b9b2d1309b30659f43899db487685c

Download Submit
C:\Windows\system\WDBbBkQ.exe

Filesize
5.9MB

MD5
b415335929be5e2ee536da30e2bc066d

SHA1
b02a56d15fee338f362c196c320cf717b64847af

SHA256
36798c77ec9324c94d395cedf44341863dd3e827a6eedbbbeca4bf45e22c0f75

SHA512
bfa9107220431b0b964d7ffbfa8e8d4c18a71aa757eaa9cbe54126b40ad196f5ca59d11b054b365c722fd785cf56c0025f574a4beaf3ac0fe8579335e0121887

Download Submit
C:\Windows\system\WDfMsIP.exe

Filesize
5.9MB

MD5
629acd9815042e7b1a05d7777cd20486

SHA1
7fad0dc916aa0aba8e51e2f0b678a7f0dfc51a76

SHA256
3ecf49ac054489d9083c93663fe3abadf10abc8ffb0ebd62312e02812f58203c

SHA512
be1a0efa8e7000716299ecb20992911b2c06891ad49deae145dbce7d70fefd0e1e7c7f12fa93095a371bf72312b36bad1c5534629443b2caeabe1ad7313017c6

Download Submit
C:\Windows\system\WVtSxob.exe

Filesize
5.9MB

MD5
3f82bb959fbfe0fe10b631df850a5f44

SHA1
e700c500a6feb7994179996098eb40944197d8dd

SHA256
e36be54669c26c0b447b37feeab5cf2379c7027f0ce9f8d49961510faa8a374a

SHA512
827c4c273d8224c6f9bb59d4b4f506482c48a437d61289a3c21c35316d73afb18d52558506cec668de3e047c9b4d35061265800c7cabeb34aea90e40eca4443a

Download Submit
C:\Windows\system\XJQivOe.exe

Filesize
5.9MB

MD5
60a9205489d15738e66e219d6e48b604

SHA1
1855bc62d85c74dfd18dc0f0997a29dae93c6a21

SHA256
a747150b58144ae1d1fa46c4732c59ae9bf0b4c1682db8030bf20946683e3599

SHA512
a99f2bfe416d2cb5dfd97b01bbe5227c838a8f42dcdbe301e0b63a6229e5793e6209095f36927d94557243532671da9169eb6f9da2aa1994196199f21067c99a

Download Submit
C:\Windows\system\YRPtKlp.exe

Filesize
5.9MB

MD5
c62ceb710122935d7edb08e4f5a341ee

SHA1
57bb1b0c7d219de7e3dd9fc1ef605965f77daeae

SHA256
93fa58025ed70a83817278070df433f1acdf631ba9e843ed0fc69a8061cc1cdb

SHA512
009e9c28ef72343c6860ec47a6ba379dc92866a96dbc211c07efe158a23fa01dc93ef891e91adcf5df3395af9c24f3a63ee9ec949ca96f4b193452d702b20de7

Download Submit
C:\Windows\system\ZYdtZpn.exe

Filesize
5.9MB

MD5
5cbe90ec7988d2a4fcc17ef2a15f0785

SHA1
3aead44ac2b03af36376c360fc2cbdfb153fe6b4

SHA256
1168674d697ce02a72527948d96e42121d2a3b50e7ba0573cfeeb103074454f7

SHA512
1e18a944ef0d02e2d86fcec34e1154a6dcf252859404d72a79389c78c2d4ddac27535f3e8f3f97c93eea8304375095559c6ab538ac618a712eacbe55008faef8

Download Submit
C:\Windows\system\cHYhlTO.exe

Filesize
5.9MB

MD5
2a4d07f47277c43cc06b0ed48e92c093

SHA1
1c1e1113dfa1192f7fe4ec68c19eba31d21d6093

SHA256
ce272cc6dbafa70d839cfe614a0741b23e47f2af81bb352979ebaa0ae8167c7e

SHA512
67db4ba6424a0170303b737536dd540d2f1a6a3b8d55a33d0508a382ecfab18008cecfd66dd25969b9cf357d4dd8bd5ba4d443931959392c0ca1eed719bc5a5c

Download Submit
C:\Windows\system\ehKuicf.exe

Filesize
5.9MB

MD5
0e5d1e04d46829cd8d0f3c2cca365fdd

SHA1
fdce85dcc406d266a6a69de40b8482a93b26603a

SHA256
ed64dde4b6d9f949fd495a699a04af5139e93fee7fdbead65c0c41376b7356da

SHA512
4d9e013093eab784d2f015d76ecdfca23cdab3d635636c8698f6aa15e4eb044fafc685a7cbc091f1880b10aa0b25d6de9382ec7914b513d9e6beb555ed7bfd02

Download Submit
C:\Windows\system\gMxTaDC.exe

Filesize
5.9MB

MD5
e49b496deb39ae355dc4733b10409597

SHA1
457e137f693d524b1de2412257ac94bfefbe4d2c

SHA256
4ca3939bddad17f528cb56b1ca46140e697ddc0ca281430c110f0482bbe2867b

SHA512
6c9ce22cd755b997653c4dc720a2da3e2b0c8fdcd288f097d39264d974f0914da68d5520854c5c33139e5370fd4e91bf226fd147dc4df391ee749cb6b3f83fe7

Download Submit
C:\Windows\system\jWjfXNh.exe

Filesize
5.9MB

MD5
c1d65a71cdd06d95925a1bfa374eec5c

SHA1
474fe0c02c79bfadfeb0379b96d6179d08eef6bd

SHA256
7c6990dbc67eaec37d74a05e4f39ce52c5511b9ceeee031043191f44d127de7d

SHA512
d31f87ce9900b949e9fe8d1ecd809c235cfb5536758221b5bb55e16b214ab6d98f8c37aa6170af3c28a41787b729fcf537f75f328cd344919992205a39a17fbc

Download Submit
C:\Windows\system\sFEmLEM.exe

Filesize
5.9MB

MD5
e70d9f75ed5e2f27f8922c4b8e924c3c

SHA1
0dfacd45ab043d580165bd60e18a740bb349127e

SHA256
2faf08607b84920a97b391991a1f54e24a5c7496f96bd9b5aa49bcbd49aec65f

SHA512
0cb5a49046a675de9815ac8e0fa09efa9ee38f51cfe79d70c8ab37eb4dcfbbb0b1bfb20ff393b937339ddeaceb2cfd05c4dc942f0d9d298d2cf0b7f741c9c579

Download Submit
C:\Windows\system\tQPeKrx.exe

Filesize
5.9MB

MD5
b589b99a23cf8ac403543f6865e00e29

SHA1
b9a4e6cb1ebf4d456054636c2b9070c5d19f687a

SHA256
bef42a905fb60beb589dd2fb04979a29743ac57f6c199290d8313d7ef14f72a7

SHA512
2f9d38b737bbfa3300c273441b71e17443732392903d8db478dcedbe872afa70fed8b3823947080b9ff8b9d7901bab9130151a360299f3e56e8f8ed5a5a1a5ab

Download Submit
C:\Windows\system\ttfEyms.exe

Filesize
5.9MB

MD5
dadc1ae5afce76ccc3e0190660e69d68

SHA1
9998ac3e5f7c49fa694ef90533207799c1c0cc38

SHA256
3729ac04ca266ced8f615f81d032118d745b303b3ec995ff905bb6f521a22695

SHA512
72a04559791354298298b0dd40c42d0d36a66577713916e5191a27fca863c1cf7783a5f8f7f1b3f4228db5e43f52a2a0c41026d19dc106be0df987c1b13932db

Download Submit
C:\Windows\system\wYCFIZt.exe

Filesize
5.9MB

MD5
5c532d002935e02753cd1d73375dd7ae

SHA1
a3e10875ea34b907ece0bc53d7db1f6efe0620b5

SHA256
251532464233cc165008facec8906fa9366e9751734d703a6fec3c5088b9efc9

SHA512
0f2f28de50187f4f7f2386d63300394e14f5cc274766925f45443967ffc91e2b9c1cb3bb766051a47d274454c1ce6e2b29ecb437f4cab58c8293b83e84fcf60b

Download Submit
\Windows\system\SzxpWmo.exe

Filesize
5.9MB

MD5
bbb1df98d03a75400c79c909a7de3a96

SHA1
88809647acebe0fcd7a92a7ea7469230bddfea8d

SHA256
fb618b8d44b185d7984253d8b86bb357371c406fb386a941f2af4d492a6a7069

SHA512
c3b60929ce05035d2205eb16cab9a0a4d8d58edd1a052909f24c19ae178411950e3ecb24fc5cb4a9f982d417c9cee3b033157de77572b2ae820ea119b8c36e2b

Download Submit
\Windows\system\nqeHkJN.exe

Filesize
5.9MB

MD5
3e54fd71c347d7cf8bf6fd89259b6aa7

SHA1
92db61e16f1d4398aad1754ff5a5af6724ec5052

SHA256
e55af26bed06ac3aaef17020b94ec498e88d2e56cb2079c3c64161e4d16d271f

SHA512
5d747d7888f95df74f894867b7acd76b993ba8b7085084ab1f516ca018f140f3e143627e318a481eb1229bd4b3bedb7674303e3f0ed5c8978eaf5b2dcd11a4f8

Download Submit
\Windows\system\unOaglz.exe

Filesize
5.9MB

MD5
ad3b45d4a015abbf9515a4292cee8ebd

SHA1
0f0d4112ad4e1cb9210aa24286ee5263e9ee3836

SHA256
d859a2c81db591c463b83395db6d8cf2a6c69a87997888d7e25a63875daf0db2

SHA512
ddc2ae6f156c5a63ac225969f9b0693052fcf401746f1a8223474212f603e72e36006200bb8736c74e000867df800d0cfe9bf69ab876c112a77a636fe3a30f26

Download Submit
memory/348-110-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/348-142-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2060-124-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-140-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-141-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2104-116-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2468-133-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-130-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-137-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2528-108-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2532-115-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2532-125-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2532-117-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2532-120-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2532-111-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2532-109-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2532-123-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-107-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2532-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2532-127-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2532-132-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-131-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2532-0-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2532-113-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-139-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2560-112-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2644-129-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-135-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-128-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2724-144-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2740-126-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2740-146-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2748-122-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2748-145-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2764-136-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2764-118-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2804-114-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-134-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-143-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2872-119-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2904-138-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2904-121-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download