cobaltstrike | 5b88f7b838a38d1d639a4f63431feeb33164aa4b867447300af56fa24605dcf6

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
Size

5.9MB
MD5

e78851f31dd1701a0fcc099ad3093d0a
SHA1

86ca20ee3c9f843b5cb0e9c2200ee7971806e2b2
SHA256

5b88f7b838a38d1d639a4f63431feeb33164aa4b867447300af56fa24605dcf6
SHA512

3314b49bfef19c14af0199910bb5feea5f2a291a66b1bb98898437c4194254e040c8c83a39fe66bd820dd07fee71c4f300f6d1692e1f1c667f36fa86db301f8f
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUg:E+b56utgpPF8u/7g

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000800000001211b-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015ce7-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d09-13.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d30-22.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d87-51.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d5f-39.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d47-34.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d7f-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016688-61.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016caa-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c88-93.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001688f-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016b85-91.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015cb8-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d21-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cef-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6e-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d72-123.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d67-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4b-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c9f-79.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 57 IoCs

miner

resource	yara_rule
behavioral1/memory/1560-0-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/files/0x000800000001211b-3.dat	xmrig
behavioral1/files/0x0008000000015ce7-8.dat	xmrig
behavioral1/files/0x0008000000015d09-13.dat	xmrig
behavioral1/memory/1780-20-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/2860-19-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
behavioral1/memory/536-25-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d30-22.dat	xmrig
behavioral1/memory/2724-46-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2468-38-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d87-51.dat	xmrig
behavioral1/memory/1560-40-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d5f-39.dat	xmrig
behavioral1/memory/2768-37-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2804-49-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/1560-48-0x0000000002230000-0x0000000002584000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d47-34.dat	xmrig
behavioral1/files/0x0009000000015d7f-47.dat	xmrig
behavioral1/memory/2836-57-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/1560-58-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/files/0x0007000000016688-61.dat	xmrig
behavioral1/files/0x0006000000016caa-94.dat	xmrig
behavioral1/files/0x0006000000016c88-93.dat	xmrig
behavioral1/files/0x000600000001688f-92.dat	xmrig
behavioral1/files/0x0006000000016b85-91.dat	xmrig
behavioral1/files/0x0009000000015cb8-90.dat	xmrig
behavioral1/files/0x0006000000016d21-88.dat	xmrig
behavioral1/files/0x0006000000016cef-85.dat	xmrig
behavioral1/memory/2612-103-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d6e-121.dat	xmrig
behavioral1/files/0x0006000000016d72-123.dat	xmrig
behavioral1/files/0x0006000000016d67-117.dat	xmrig
behavioral1/files/0x0006000000016d4b-113.dat	xmrig
behavioral1/memory/2704-102-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2576-101-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig
behavioral1/memory/1560-100-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c9f-79.dat	xmrig
behavioral1/memory/2752-98-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2804-138-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2836-139-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/1560-141-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/1560-142-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/2576-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig
behavioral1/memory/2704-144-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2612-145-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/1780-147-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/2860-148-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
behavioral1/memory/536-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2768-150-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2468-151-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2724-152-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2804-153-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2836-154-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2752-155-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2704-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2612-156-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/2576-158-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1780	DApfGSZ.exe
2860	VCrGTbe.exe
536	bpFokVk.exe
2768	Yoczwnw.exe
2468	tgndClB.exe
2724	sxHhEqY.exe
2804	sHflIsM.exe
2836	rmLQZYo.exe
2752	DtlmIZU.exe
2576	REZffvf.exe
2704	UXwvBtS.exe
2612	ZklVTet.exe
2240	IwKiUJL.exe
320	XRzIjjK.exe
2336	vVdoWza.exe
1548	qlRzjsp.exe
2928	pJTiHYG.exe
2020	etpLjam.exe
1716	gUBRKos.exe
1528	GyGVZsh.exe
1688	zTeOHAB.exe

Loads dropped DLL 21 IoCs

pid	Process
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1560-0-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/files/0x000800000001211b-3.dat	upx
behavioral1/files/0x0008000000015ce7-8.dat	upx
behavioral1/files/0x0008000000015d09-13.dat	upx
behavioral1/memory/1780-20-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2860-19-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
behavioral1/memory/536-25-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/files/0x0007000000015d30-22.dat	upx
behavioral1/memory/2724-46-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2468-38-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/files/0x0008000000015d87-51.dat	upx
behavioral1/files/0x0007000000015d5f-39.dat	upx
behavioral1/memory/2768-37-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2804-49-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/files/0x0007000000015d47-34.dat	upx
behavioral1/files/0x0009000000015d7f-47.dat	upx
behavioral1/memory/2836-57-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/1560-58-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/files/0x0007000000016688-61.dat	upx
behavioral1/files/0x0006000000016caa-94.dat	upx
behavioral1/files/0x0006000000016c88-93.dat	upx
behavioral1/files/0x000600000001688f-92.dat	upx
behavioral1/files/0x0006000000016b85-91.dat	upx
behavioral1/files/0x0009000000015cb8-90.dat	upx
behavioral1/files/0x0006000000016d21-88.dat	upx
behavioral1/files/0x0006000000016cef-85.dat	upx
behavioral1/memory/2612-103-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/files/0x0006000000016d6e-121.dat	upx
behavioral1/files/0x0006000000016d72-123.dat	upx
behavioral1/files/0x0006000000016d67-117.dat	upx
behavioral1/files/0x0006000000016d4b-113.dat	upx
behavioral1/memory/2704-102-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2576-101-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/files/0x0006000000016c9f-79.dat	upx
behavioral1/memory/2752-98-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2804-138-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2836-139-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2576-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/2704-144-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2612-145-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/1780-147-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2860-148-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
behavioral1/memory/536-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2768-150-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2468-151-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2724-152-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2804-153-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2836-154-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2752-155-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2704-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2612-156-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/2576-158-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bpFokVk.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\rmLQZYo.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\zTeOHAB.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\qlRzjsp.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\XRzIjjK.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\GyGVZsh.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\DApfGSZ.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\sHflIsM.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\DtlmIZU.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\ZklVTet.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\pJTiHYG.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\vVdoWza.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\gUBRKos.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\tgndClB.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\REZffvf.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\UXwvBtS.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\IwKiUJL.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\VCrGTbe.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\Yoczwnw.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\sxHhEqY.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
File created	C:\Windows\System\etpLjam.exe	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1780	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	31
PID 1560 wrote to memory of 1780	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	31
PID 1560 wrote to memory of 1780	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	31
PID 1560 wrote to memory of 2860	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2860	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2860	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	32
PID 1560 wrote to memory of 536	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	33
PID 1560 wrote to memory of 536	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	33
PID 1560 wrote to memory of 536	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	33
PID 1560 wrote to memory of 2768	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	34
PID 1560 wrote to memory of 2768	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	34
PID 1560 wrote to memory of 2768	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	34
PID 1560 wrote to memory of 2468	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	35
PID 1560 wrote to memory of 2468	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	35
PID 1560 wrote to memory of 2468	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	35
PID 1560 wrote to memory of 2724	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	36
PID 1560 wrote to memory of 2724	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	36
PID 1560 wrote to memory of 2724	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	36
PID 1560 wrote to memory of 2804	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	37
PID 1560 wrote to memory of 2804	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	37
PID 1560 wrote to memory of 2804	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	37
PID 1560 wrote to memory of 2836	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	38
PID 1560 wrote to memory of 2836	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	38
PID 1560 wrote to memory of 2836	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	38
PID 1560 wrote to memory of 2752	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	39
PID 1560 wrote to memory of 2752	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	39
PID 1560 wrote to memory of 2752	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	39
PID 1560 wrote to memory of 2576	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	40
PID 1560 wrote to memory of 2576	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	40
PID 1560 wrote to memory of 2576	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	40
PID 1560 wrote to memory of 2612	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	41
PID 1560 wrote to memory of 2612	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	41
PID 1560 wrote to memory of 2612	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	41
PID 1560 wrote to memory of 2704	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	42
PID 1560 wrote to memory of 2704	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	42
PID 1560 wrote to memory of 2704	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	42
PID 1560 wrote to memory of 2240	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	43
PID 1560 wrote to memory of 2240	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	43
PID 1560 wrote to memory of 2240	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	43
PID 1560 wrote to memory of 1548	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	44
PID 1560 wrote to memory of 1548	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	44
PID 1560 wrote to memory of 1548	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	44
PID 1560 wrote to memory of 320	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	45
PID 1560 wrote to memory of 320	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	45
PID 1560 wrote to memory of 320	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	45
PID 1560 wrote to memory of 2928	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	46
PID 1560 wrote to memory of 2928	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	46
PID 1560 wrote to memory of 2928	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	46
PID 1560 wrote to memory of 2336	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	47
PID 1560 wrote to memory of 2336	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	47
PID 1560 wrote to memory of 2336	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	47
PID 1560 wrote to memory of 2020	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	49
PID 1560 wrote to memory of 2020	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	49
PID 1560 wrote to memory of 2020	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	49
PID 1560 wrote to memory of 1716	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	50
PID 1560 wrote to memory of 1716	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	50
PID 1560 wrote to memory of 1716	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	50
PID 1560 wrote to memory of 1528	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	51
PID 1560 wrote to memory of 1528	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	51
PID 1560 wrote to memory of 1528	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	51
PID 1560 wrote to memory of 1688	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	52
PID 1560 wrote to memory of 1688	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	52
PID 1560 wrote to memory of 1688	1560	e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e78851f31dd1701a0fcc099ad3093d0a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System\DApfGSZ.exe
  C:\Windows\System\DApfGSZ.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\VCrGTbe.exe
  C:\Windows\System\VCrGTbe.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\bpFokVk.exe
  C:\Windows\System\bpFokVk.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\Yoczwnw.exe
  C:\Windows\System\Yoczwnw.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\tgndClB.exe
  C:\Windows\System\tgndClB.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\sxHhEqY.exe
  C:\Windows\System\sxHhEqY.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\sHflIsM.exe
  C:\Windows\System\sHflIsM.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\rmLQZYo.exe
  C:\Windows\System\rmLQZYo.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\DtlmIZU.exe
  C:\Windows\System\DtlmIZU.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\REZffvf.exe
  C:\Windows\System\REZffvf.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\ZklVTet.exe
  C:\Windows\System\ZklVTet.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\UXwvBtS.exe
  C:\Windows\System\UXwvBtS.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\IwKiUJL.exe
  C:\Windows\System\IwKiUJL.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\qlRzjsp.exe
  C:\Windows\System\qlRzjsp.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\XRzIjjK.exe
  C:\Windows\System\XRzIjjK.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\pJTiHYG.exe
  C:\Windows\System\pJTiHYG.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\vVdoWza.exe
  C:\Windows\System\vVdoWza.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\etpLjam.exe
  C:\Windows\System\etpLjam.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\gUBRKos.exe
  C:\Windows\System\gUBRKos.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\GyGVZsh.exe
  C:\Windows\System\GyGVZsh.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\zTeOHAB.exe
  C:\Windows\System\zTeOHAB.exe
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GyGVZsh.exe

Filesize
5.9MB

MD5
b7b395dcb24a78e1aa405d23ce404818

SHA1
ca736f279aff20e9f3b2ba71e3a64e664d85ae9f

SHA256
6352471c634f4264fd6c77fad88035e60c4c43f76b76ad4e28acc3b0623ecd68

SHA512
946a2b5c07a7d472216e8bc854e24af6a4522f3c4a21aa55dea9e64e752e1d23bf462cac6fedb04b83d1309e2512a911177f9299829a5a985af1d46141ebfec9

Download Submit
C:\Windows\system\IwKiUJL.exe

Filesize
5.9MB

MD5
6a784f900ee20363e742c65bc4186a1c

SHA1
25cd8a3a4c816584c471fcdf8b2e94d3b844903f

SHA256
c921234200c0b8ef0ed61247577f2a66edcc6b2f946e5d90a28d87a28c9615ca

SHA512
ca4f77624dd977f45526470c017eb4610f65fefc29de46a81bfd21e57fb87eb455001d2305b6f2c2fd0fe1bf2bfb1f3d7e318817ca03a43b3e3eb572ab266083

Download Submit
C:\Windows\system\REZffvf.exe

Filesize
5.9MB

MD5
c112e49dceb5c965a14e7f40814d3520

SHA1
26a9a1986090407e1cb63e420c874e42dc1e2bdc

SHA256
df2d2f5cf254bad9472b1c51f95e34c628dac0a79d3656d8e138f45bd7e94899

SHA512
a4427a8eda1765de28f37c2fae466d689110184eadfbfec649064c593a16d519a155cff9065eeaf317c3054e188e596c74452680eb96b1dc570f75f692fa5449

Download Submit
C:\Windows\system\UXwvBtS.exe

Filesize
5.9MB

MD5
eb04f31f3dcb1d6cb1a97df5716c4d64

SHA1
cbe0428901a94d16659c5b7db37e7bcc746eb765

SHA256
fb50766db49934c91e0c81ce621acb47bec2bbe189f00cbecfe070de2636e61a

SHA512
514996798b20e5dbaa59b815cd938dd04b17782d42e5f42010c356827f18702d50b8bf211d7778db0ca57a2952d41f2995880a8e2b331bec262c9656a83b105b

Download Submit
C:\Windows\system\XRzIjjK.exe

Filesize
5.9MB

MD5
603219364c44d738c2449d469e36277b

SHA1
dd80eebac2ae2622eb1c9890249fd16bebbb5587

SHA256
5468ec3f0c45f5b0a0c1375bcd4dd2857714baa87fc1ccfde3966e1fd5cee63f

SHA512
e8bb27466b91170fdcb77efd1c6bae89bce97b5cc94bbc42af5da83b1a6eede2af9c943a6de61765b5dae8f109b002ac99f26b6e10b91502121cb0189bea1bf8

Download Submit
C:\Windows\system\ZklVTet.exe

Filesize
5.9MB

MD5
dbcf574430ee7fd853b1b078250f81f6

SHA1
a04d97ca738b94ce7e95559d9291c1a6ad270759

SHA256
9aef6c0649b88e8ceb83d0a58d3a121777d52ee4b20c386fe0936a1a59c2857c

SHA512
1cfcf0f1b3377143fd984b7843bec8e4c47e1080d4295d5d16e9fa53c81b9d4ecc61666be280c39adc8239f802b2c2dd7e82b7377d13d9bb6edde478592690ad

Download Submit
C:\Windows\system\bpFokVk.exe

Filesize
5.9MB

MD5
82d8832290a7f7589bfd67c2be21070d

SHA1
0ad664af3e66553c6efeab5e5e4f75bab8e43ea6

SHA256
354737d7f1e0e612ea7bf1c43853c66aae017bf71ba9ae809feb1fdc45c54721

SHA512
cb2a142bc9f3e1615f4af608409e03cfe04b3f421f366a0c7207ddf649c92f511ffb183842b2ba7cc31956b65ab9aa18825d5baccd3474d8afab1bbe744f3d43

Download Submit
C:\Windows\system\etpLjam.exe

Filesize
5.9MB

MD5
ab19424a0e4e8c5e6267dc84d085d7e0

SHA1
5e4f0067f7ffbae725b37038c3251714ff0d668f

SHA256
dd32e72720c4dce1dec1bdca4d9c0f0c7630427ab0c88f0c8cdd0c301002243e

SHA512
e7962bbedcdc523b7abd3a09e374edc95a7b2a4a7c7264549928f81be7c9749ce8d4cf3f79fe8d293ae90203566d78b4177f7d82f713e79eccd1005989affc22

Download Submit
C:\Windows\system\gUBRKos.exe

Filesize
5.9MB

MD5
fa08dd2e22c4552d096ff3adf94116da

SHA1
4e5a56a816a87956ed2a4449d9a0bfa5cbae048d

SHA256
1907932ee2f8724d71a6f69518ce0518a2ee42b3019f35d1723307549595d903

SHA512
a8ae6c65bfcfd61b96db061866556b0a62fe965fd0ed09e30078c5666d00f4522823a801e14243a59d620114c3f2c4ba164a0af6a97c86e1665327ff816c085e

Download Submit
C:\Windows\system\sHflIsM.exe

Filesize
5.9MB

MD5
5adb9bc70e8c8847129d9f2714893c82

SHA1
de73deff69973a83f71472e9265d5ac703838ebb

SHA256
07840caefe262763a2bc7ede30406781811a10f2047f1cac9288be9336f29e1a

SHA512
af71731173e69bec60a7542a85d88ade2a1008d674f344b0552e20de2e9f218f84869e3e1d6ece9e5394df862712e197a2677d2650c3cb802bb3aefd960ed3c4

Download Submit
C:\Windows\system\sxHhEqY.exe

Filesize
5.9MB

MD5
46192ba585f2c27a0ef8609962f70755

SHA1
39b479213bf5e576aba270973bca0c7b6955fb34

SHA256
c29e6328c4f5e353f5716a745816d686033d9b0990a6a3c66a6b9f22daa53ab4

SHA512
c1c64b6ea141447ee78558861d4aae6ee0a6e244927140dc818a7c6e1cdf7c79f2a104747d2dffd5904c262171127c6d1d7a4bba8c2fbfa42885e73241ba41a3

Download Submit
C:\Windows\system\tgndClB.exe

Filesize
5.9MB

MD5
e9925cba0fd9cb8b438128e56bcfe2f2

SHA1
c9d047e79b17b23d779f30a941deaf5e136409d1

SHA256
f2647d6f7ad29bc0dc6b270b2756aa791cba1ace079ab3f7d288f46d250148b5

SHA512
5bff0bdf491a69bbaf2b980ae29994d6c03343ab3283a3c545d64bbbfa475a55c9ccd8e75e3c4d0dd736a0623e5ace887b7d682fddc8ad247261c3762e6c3760

Download Submit
\Windows\system\DApfGSZ.exe

Filesize
5.9MB

MD5
61929eabee04cd7dccf02d62bcf202f5

SHA1
6e58af75eb00bea1ed4879a97b02f010bfff4bb3

SHA256
c10993f09663e9d3caff98a404208ea5940d48518b931abfbf5f5157515e0447

SHA512
e0b6956ebc920f5c1ad5eac03ead5269faf8bdd4ac369b9047f8bb60ae25b8324ce01e88c4253697a77399f590118fcf6c7509f1cc06dbe1dca4a9522e099712

Download Submit
\Windows\system\DtlmIZU.exe

Filesize
5.9MB

MD5
d0b1822cc0f5201526e7bb168fdec776

SHA1
d5e87efefc39d0d9775e8adc98863df48da79a57

SHA256
d2f3d4488eb8f57230cd99f0b580bdc61f913df7c68e085e51d3a3578cf22044

SHA512
5bf59f2759ed377c9d2ca3fbe72991257dae085667aeedecdb09b6e86bdd0d16352541c1da5900a1f3e5022f688556a2ac972af03063344d3d4ee8bd63985503

Download Submit
\Windows\system\VCrGTbe.exe

Filesize
5.9MB

MD5
d4a8b0cf10dcc99307a1ca2969450a08

SHA1
996f49e30dc0c750c248f1b7f1e3e3ac1005e4f4

SHA256
67a72ed322d02c75ec2f710d89e5e072cba9d699269fc55f52a533c91757bab7

SHA512
11ed2fcef8faa1f058556637c7252d093a71aba3fd7750eaf48d59062dbbb85059b05f9077e6299fa08e71ef9e95a1f0a28a42a4a4e45da3e30d274610fe84ae

Download Submit
\Windows\system\Yoczwnw.exe

Filesize
5.9MB

MD5
cbee65cfac0ed39d57da39cf39b87caf

SHA1
df7ff5d84abb5af56c693be84cf0ebb32ad901d0

SHA256
63e78109ebd76194c845f18b56c8ac45cd93c4686689fb99c00263588bf9493b

SHA512
382ba6cae4f3d438a9abd85ce22b064458554a1f31220ae932617ef5be1a609bae375d21a28f2f0d8dae5b980e5e3f80b8cf25ce30a72ea253a8e0c71777d96f

Download Submit
\Windows\system\pJTiHYG.exe

Filesize
5.9MB

MD5
1c659957bc3cb62f901deed79d100802

SHA1
ec8aabd1d18c692093229a5606167e4d1f4a5a21

SHA256
1175da8ac98cd98f667ec565d170e202cceca7313d77f7c169288a09c5a818a4

SHA512
d496da0783b752df32c4cc2ce3e4b6a161612784589add0ec6b11d9da28ad68810b57b15c126222e9bced36428f86855ac1c3b6305f7682c9ff5ebfc2f2dc352

Download Submit
\Windows\system\qlRzjsp.exe

Filesize
5.9MB

MD5
90bbd0f59dba7fe9378bbdc03816d19d

SHA1
95c860542179fd8eecc763f2ae835104ee7e9914

SHA256
d25b87099b1c711ef399894b61943fe03647f86857228a9b2b461f16170d4e08

SHA512
3579f160e819317aba4e72bd456204dd011a85281718d4aeb479e900ecf3b557b78a3b71917a08ba1f5abf22ce8cdfec914b58f07fcdadb55abd4b35a11a0b14

Download Submit
\Windows\system\rmLQZYo.exe

Filesize
5.9MB

MD5
8906c722281cbc37991915eda8509d78

SHA1
e091c589109d8f616e93d5cc971ffd39352f5143

SHA256
08fb9adb41f09f53b63cb054b31f697a4ad253a39f67c7bb5e04b1cf9e4d3b19

SHA512
ea2c016ae02156a6b8ceedb8193484df5273caefa7dc5c56f3a5646ffe3c75828a1a7109655c29ea23b714846bc77a657f62ceb9a0da0df5431d40055329bc65

Download Submit
\Windows\system\vVdoWza.exe

Filesize
5.9MB

MD5
a5915110a6ee90c350dac855331c5fbb

SHA1
5c097df787cafb150fca697e2c96bf5c2c66de82

SHA256
126ab4e6ce539e25fab92f8ad208f50f98f2b52d7de7c4cbde0dd3ab6342e68b

SHA512
902e02de468354bd2affbb8a8304c43afe96972f39647d8f62a1e92cdc937016d1e5fabc53c0e2433f5a312b274a274ff23ad52f54d767e1a28341757412549c

Download Submit
\Windows\system\zTeOHAB.exe

Filesize
5.9MB

MD5
2bfdeb5c63afd3d091478bbc1425e95e

SHA1
84c5f8e8526b9e856c3b354bd7023b5f093a2d5f

SHA256
52519588db173428a50a436cdcae89433785298e9b71f6f3eea90ab56da0eea8

SHA512
5d3d53f9485308fc8b06d9ce2f2428db8b4ffb8237da679aa37f842b1df8555644ea8311c8867519ec6831158d3ab0a5cf5b0a9e860c3b4d3f2d9627e30bed2b

Download Submit
memory/536-149-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/536-25-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/1560-40-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1560-107-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1560-58-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1560-62-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1560-60-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1560-59-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/1560-31-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-44-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/1560-48-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1560-146-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1560-0-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1560-52-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/1560-142-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/1560-141-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/1560-140-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1560-99-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/1560-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1560-21-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/1560-16-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1560-109-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1560-108-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1560-100-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/1560-106-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-105-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/1560-104-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1780-20-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/1780-147-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2468-38-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2468-151-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2576-101-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-158-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-103-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2612-145-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2612-156-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2704-102-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2704-144-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2704-157-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2724-46-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2724-152-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2752-155-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2752-98-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2768-37-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-150-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-153-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-138-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-49-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-139-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2836-154-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2836-57-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2860-148-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/2860-19-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download