cobaltstrike | a6018714a95241e0a173e7d46c7c227ea682584eb483338e39e68ba0b28f2ce8

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
Size

5.9MB
MD5

e82e3323dfcf07e53b352957bb908bad
SHA1

b249a60aec806b0c177c602b67c51cff0bf7da1a
SHA256

a6018714a95241e0a173e7d46c7c227ea682584eb483338e39e68ba0b28f2ce8
SHA512

725956a362ea31d594bb1ce36ced720fae97271d784b3a689362f1447b27e2f6f73adf1304b688595cd6b91992317940a739052bf500bf951b31e59eb3906cd0
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUv:E+b56utgpPF8u/7v

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00090000000122cf-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000017530-8.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186ca-24.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186c6-18.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186cc-30.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000186d9-39.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000186dd-48.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000016dd1-60.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019240-56.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019604-74.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019605-82.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195d6-67.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019606-89.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019608-99.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960a-105.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960c-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019667-130.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000196a1-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019926-137.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961e-123.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961c-119.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2668-0-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/files/0x00090000000122cf-3.dat	xmrig
behavioral1/files/0x0008000000017530-8.dat	xmrig
behavioral1/memory/2820-22-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2536-23-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2672-19-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/files/0x00060000000186ca-24.dat	xmrig
behavioral1/files/0x00060000000186c6-18.dat	xmrig
behavioral1/files/0x00060000000186cc-30.dat	xmrig
behavioral1/memory/2852-29-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2668-35-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x00080000000186d9-39.dat	xmrig
behavioral1/memory/2528-43-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/files/0x00080000000186dd-48.dat	xmrig
behavioral1/memory/3016-51-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/files/0x0033000000016dd1-60.dat	xmrig
behavioral1/files/0x0006000000019240-56.dat	xmrig
behavioral1/memory/3064-59-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2668-53-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/memory/2664-41-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2852-77-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/files/0x0005000000019604-74.dat	xmrig
behavioral1/memory/2956-79-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/1396-81-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2528-83-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/2668-84-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/files/0x0005000000019605-82.dat	xmrig
behavioral1/files/0x00050000000195d6-67.dat	xmrig
behavioral1/memory/1964-66-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/files/0x0005000000019606-89.dat	xmrig
behavioral1/files/0x0005000000019608-99.dat	xmrig
behavioral1/files/0x000500000001960a-105.dat	xmrig
behavioral1/memory/2720-104-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/files/0x000500000001960c-113.dat	xmrig
behavioral1/files/0x0005000000019667-130.dat	xmrig
behavioral1/files/0x00050000000196a1-133.dat	xmrig
behavioral1/files/0x0005000000019926-137.dat	xmrig
behavioral1/files/0x000500000001961e-123.dat	xmrig
behavioral1/files/0x000500000001961c-119.dat	xmrig
behavioral1/memory/2668-109-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2668-102-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/2668-106-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2668-101-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/1988-95-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/3064-94-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2668-140-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2348-88-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2348-142-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/1988-144-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2668-145-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/2668-146-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2820-147-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2672-148-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2536-149-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2852-150-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2664-151-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2528-152-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/3016-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/3064-154-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/1964-155-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/1396-156-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2956-157-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2348-158-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2720-159-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2820	LGhexnL.exe
2672	efYjaIC.exe
2536	bEDbXmp.exe
2852	GaQFiXi.exe
2664	DbihDSt.exe
2528	AplUKiC.exe
3016	ZxmfpkE.exe
3064	WHxImRI.exe
1964	qtfKNyV.exe
2956	uUzNRTF.exe
1396	JjvkiCl.exe
2348	IBSkHGP.exe
1988	FPmyFyn.exe
2720	SjzyNZM.exe
2732	OwNfzuN.exe
2912	LeLHWLN.exe
2152	oFxhcwb.exe
1472	wZKsUSR.exe
2444	aUEDwNQ.exe
2628	GguRIbx.exe
1604	HeshTbN.exe

Loads dropped DLL 21 IoCs

pid	Process
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-0-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/files/0x00090000000122cf-3.dat	upx
behavioral1/files/0x0008000000017530-8.dat	upx
behavioral1/memory/2820-22-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2536-23-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2672-19-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/files/0x00060000000186ca-24.dat	upx
behavioral1/files/0x00060000000186c6-18.dat	upx
behavioral1/files/0x00060000000186cc-30.dat	upx
behavioral1/memory/2852-29-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/files/0x00080000000186d9-39.dat	upx
behavioral1/memory/2528-43-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/files/0x00080000000186dd-48.dat	upx
behavioral1/memory/3016-51-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/files/0x0033000000016dd1-60.dat	upx
behavioral1/files/0x0006000000019240-56.dat	upx
behavioral1/memory/3064-59-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2668-53-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/memory/2664-41-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2852-77-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/files/0x0005000000019604-74.dat	upx
behavioral1/memory/2956-79-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/1396-81-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2528-83-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/files/0x0005000000019605-82.dat	upx
behavioral1/files/0x00050000000195d6-67.dat	upx
behavioral1/memory/1964-66-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/files/0x0005000000019606-89.dat	upx
behavioral1/files/0x0005000000019608-99.dat	upx
behavioral1/files/0x000500000001960a-105.dat	upx
behavioral1/memory/2720-104-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/files/0x000500000001960c-113.dat	upx
behavioral1/files/0x0005000000019667-130.dat	upx
behavioral1/files/0x00050000000196a1-133.dat	upx
behavioral1/files/0x0005000000019926-137.dat	upx
behavioral1/files/0x000500000001961e-123.dat	upx
behavioral1/files/0x000500000001961c-119.dat	upx
behavioral1/memory/1988-95-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/3064-94-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2348-88-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2348-142-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/1988-144-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2820-147-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2672-148-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2536-149-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2852-150-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2664-151-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2528-152-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/3016-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/3064-154-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/1964-155-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/1396-156-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2956-157-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2348-158-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2720-159-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/1988-160-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uUzNRTF.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\efYjaIC.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\bEDbXmp.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\oFxhcwb.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\wZKsUSR.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\aUEDwNQ.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\HeshTbN.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\GguRIbx.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\GaQFiXi.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\AplUKiC.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\ZxmfpkE.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\WHxImRI.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\IBSkHGP.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\SjzyNZM.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\LeLHWLN.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\LGhexnL.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\DbihDSt.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\qtfKNyV.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\JjvkiCl.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\FPmyFyn.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
File created	C:\Windows\System\OwNfzuN.exe	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2820	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2820	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2820	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2672	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2672	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2672	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2536	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2536	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2536	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2852	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2852	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2852	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2664	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2664	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2664	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2528	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2528	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2528	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	36
PID 2668 wrote to memory of 3016	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	37
PID 2668 wrote to memory of 3016	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	37
PID 2668 wrote to memory of 3016	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	37
PID 2668 wrote to memory of 3064	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	38
PID 2668 wrote to memory of 3064	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	38
PID 2668 wrote to memory of 3064	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	38
PID 2668 wrote to memory of 1964	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	39
PID 2668 wrote to memory of 1964	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	39
PID 2668 wrote to memory of 1964	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	39
PID 2668 wrote to memory of 2956	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	40
PID 2668 wrote to memory of 2956	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	40
PID 2668 wrote to memory of 2956	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	40
PID 2668 wrote to memory of 1396	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	41
PID 2668 wrote to memory of 1396	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	41
PID 2668 wrote to memory of 1396	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	41
PID 2668 wrote to memory of 2348	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	42
PID 2668 wrote to memory of 2348	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	42
PID 2668 wrote to memory of 2348	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	42
PID 2668 wrote to memory of 1988	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	43
PID 2668 wrote to memory of 1988	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	43
PID 2668 wrote to memory of 1988	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	43
PID 2668 wrote to memory of 2720	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	44
PID 2668 wrote to memory of 2720	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	44
PID 2668 wrote to memory of 2720	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	44
PID 2668 wrote to memory of 2732	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	45
PID 2668 wrote to memory of 2732	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	45
PID 2668 wrote to memory of 2732	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	45
PID 2668 wrote to memory of 2912	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	46
PID 2668 wrote to memory of 2912	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	46
PID 2668 wrote to memory of 2912	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	46
PID 2668 wrote to memory of 2152	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	47
PID 2668 wrote to memory of 2152	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	47
PID 2668 wrote to memory of 2152	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	47
PID 2668 wrote to memory of 1472	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	48
PID 2668 wrote to memory of 1472	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	48
PID 2668 wrote to memory of 1472	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	48
PID 2668 wrote to memory of 2444	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	49
PID 2668 wrote to memory of 2444	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	49
PID 2668 wrote to memory of 2444	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	49
PID 2668 wrote to memory of 2628	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	50
PID 2668 wrote to memory of 2628	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	50
PID 2668 wrote to memory of 2628	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	50
PID 2668 wrote to memory of 1604	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	51
PID 2668 wrote to memory of 1604	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	51
PID 2668 wrote to memory of 1604	2668	e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e82e3323dfcf07e53b352957bb908bad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\System\LGhexnL.exe
  C:\Windows\System\LGhexnL.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\efYjaIC.exe
  C:\Windows\System\efYjaIC.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\bEDbXmp.exe
  C:\Windows\System\bEDbXmp.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\GaQFiXi.exe
  C:\Windows\System\GaQFiXi.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\DbihDSt.exe
  C:\Windows\System\DbihDSt.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\AplUKiC.exe
  C:\Windows\System\AplUKiC.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\ZxmfpkE.exe
  C:\Windows\System\ZxmfpkE.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\WHxImRI.exe
  C:\Windows\System\WHxImRI.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\qtfKNyV.exe
  C:\Windows\System\qtfKNyV.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\uUzNRTF.exe
  C:\Windows\System\uUzNRTF.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\JjvkiCl.exe
  C:\Windows\System\JjvkiCl.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\IBSkHGP.exe
  C:\Windows\System\IBSkHGP.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\FPmyFyn.exe
  C:\Windows\System\FPmyFyn.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\SjzyNZM.exe
  C:\Windows\System\SjzyNZM.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\OwNfzuN.exe
  C:\Windows\System\OwNfzuN.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\LeLHWLN.exe
  C:\Windows\System\LeLHWLN.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\oFxhcwb.exe
  C:\Windows\System\oFxhcwb.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\wZKsUSR.exe
  C:\Windows\System\wZKsUSR.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\aUEDwNQ.exe
  C:\Windows\System\aUEDwNQ.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\GguRIbx.exe
  C:\Windows\System\GguRIbx.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\HeshTbN.exe
  C:\Windows\System\HeshTbN.exe
  2⤵
  - Executes dropped EXE
  PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AplUKiC.exe

Filesize
5.9MB

MD5
5ed5587cd44465f6f8b2e6afaa15169b

SHA1
df6ce4dadb787a93ba4ca5c01c4989946540194d

SHA256
1ddc3171a0ee49aadd51d949577eaeb3b27fcfda7e43916b66ef457f77a97335

SHA512
509f42cb212f984601089c7d6af18228247dc3c111cc3280145e138dd29142c5daea34b9a2a804073b5fa05795ab8ddd261b7f67313ec764786805bae5d6b3fc

Download Submit
C:\Windows\system\GguRIbx.exe

Filesize
5.9MB

MD5
0b11b6d1ca8de13a81d42d9332633390

SHA1
219a97ed2b115e3b8ce42f8c0796410d4470a7d8

SHA256
bce315790714da0c516bb5c8f3feb7eb5030125cb007009d0b8c4e62f6159ddc

SHA512
565ef7884a2013b7b154f2aed4633c5ac7c8a52b757d4da6743b5fb32d93b3eb9ffcdad87b2f54c3e65d303b7d26cbccbe0b2a1aeb8a31bfe52e5fba27ea1d69

Download Submit
C:\Windows\system\HeshTbN.exe

Filesize
5.9MB

MD5
c9b76bb5bd0f4c46ec396bb3c0e839f0

SHA1
25814f6b5733f125db8e2d3229e28649ede31a08

SHA256
55b2ac1775d5971115fef25f1a2df90349f73e63a6fd69aca227d331ff49c9bc

SHA512
c4179ec0db9787b5660a213b4c8a05fba31c812244945da92ca6a0431b3b945d21ef754b83bec4587db33df526b74375fca47473cbd11d3c7ebb3f53ae8b7948

Download Submit
C:\Windows\system\JjvkiCl.exe

Filesize
5.9MB

MD5
9f8eed2876d614341d0fbadca86d5b32

SHA1
63287ab7152647ec8260a162e43579c2543ab462

SHA256
a9fa17281e2c63d49ba55800d8cc16e159d82fe4fc377f36be2f457194a89ddc

SHA512
f5f1e8652eb0047e57d11986e79d505a2ef484ecffaa5d7e9b8ab9d1901fb0f7d010739b12eccad2d0d219322a32692b33adff2ef3df74c89d30116cac8ef862

Download Submit
C:\Windows\system\LeLHWLN.exe

Filesize
5.9MB

MD5
9f210f69253c232741bf491711170f23

SHA1
7cf667a1e2f4770e9f798de87cff899f2a1f183f

SHA256
2a6c0824bd6cb786f004a7fec170965dc08f50701b3d31e491f288544e40e82a

SHA512
e176c7e7149b1656eea12be4f17cd04a787c7e38d73c801dd58f4eaed5198a5baa01d6ea2f65fe5ad7a76d4d00539aee512b49ce1cd8d9b83b4acf0cfc0698ac

Download Submit
C:\Windows\system\SjzyNZM.exe

Filesize
5.9MB

MD5
05297ad0b3fcca86cc0e9bc135a2ff62

SHA1
ffeaf18f0b08e0e257ca80ab84899b5b82735190

SHA256
6f1a01f48c90e2124efb88ed1492b32cca6819cfcf4a1d18a927f376a18d8277

SHA512
994279c9298446fb0c887587ffdb52892f8a948cf551359036a46cac9d7e6c5524c1cb21abf5a9924959a174a47cc4f9fd5f9c12af4938c2cde5d506f49b15de

Download Submit
C:\Windows\system\WHxImRI.exe

Filesize
5.9MB

MD5
ce328e82daf43bb986409c6f01422db9

SHA1
d47911fb86a0fdda4fe43dae870a2751933c5294

SHA256
8b2d0788e1a8122cf8093fb0bde67f243374690b69e1b589211792f2c5a2847d

SHA512
39e4dc1a4763bdc09a80fe3740e79becb305a62bb5c0849b823fe54786795e4eb514cb8be408dd6b6a05a2d598bf134d74b604b24388c7c4e147c8fbc313d1aa

Download Submit
C:\Windows\system\ZxmfpkE.exe

Filesize
5.9MB

MD5
b0ab4f917dd09f5c12612986c8e6c42a

SHA1
5f4a04cee2d5910d380e1a8bd446f271c19071b8

SHA256
177ca541d38eb6f3d570581637789cf7ee5daa7f00001d0baea737486e35a5a4

SHA512
568de95cfe024a2cf8d6aae564d309ea788e35eb0d06a4cf2daef512338d66a31bdc77429487ebf74fa5d9bb68d0f631de6cb5357641988305c57cbbe4420085

Download Submit
C:\Windows\system\aUEDwNQ.exe

Filesize
5.9MB

MD5
420a8b8305272475442e8a1246893912

SHA1
f5c1d9a15bb684271ac4f55fb8ef0d8863c795c5

SHA256
1a7db1c36aa0f09a8ab5a0dcd6dc5da21d0cc3287b27a2430662401435bb0dc4

SHA512
2c40a0db1132312b80002cb8b385bdb341d9059344a084c90bb29f8bfbe635545ba7e3b3140c8f382383897172c23a9b6cb0967d180085a80f65c4dc35e3dcd7

Download Submit
C:\Windows\system\bEDbXmp.exe

Filesize
5.9MB

MD5
cb19420ef4b562bf03bc653d7747bc39

SHA1
4f0e22012a5b8dab6681f2aeb7d0e886818857f2

SHA256
d6adaad3cb163465080159c69d670855217d194008274eb3a22bdbff3596a608

SHA512
707fac2b679bb2b669a40eb622176a4fbebc5bf70a37a0bff7610e6ff6e20df5533dd444eecdf5ef6d59c6798f9ca7f6dbf639e931d533b128c127d91b9aa3fe

Download Submit
C:\Windows\system\efYjaIC.exe

Filesize
5.9MB

MD5
930784ac4c1cd18cba6dbeb642a7d8c2

SHA1
b46c9e141fe12c28a388a186cb9d72df179d0b36

SHA256
c2ba873839a14cb9e25ed14dc7de35789244595b8e008b10104848fb9a9ddb5f

SHA512
38451ed987269031d6f3c261e50efe0d87a556914a32820dce1961816e7d7d68be00375c5f6477ef5e36fd00a5361a47ae56f166e44b1f7e006d491ccef2b2aa

Download Submit
C:\Windows\system\oFxhcwb.exe

Filesize
5.9MB

MD5
2613d459996cee5899dbbe461f0d7478

SHA1
c1b51428c26cdbfa0f125f6da34ca7af979608d7

SHA256
8a1bdf9963d2b3bcfa7630640af89c1a5077ab54d8cc34e3241610ca6feab8e9

SHA512
f220c1bb0d986df4e7dbcc6816a0912738350280c97c50450cc59bd9c29acdff3debc03bf6e4ab0b0ca975a3fec40fe5c4a58d6962bb6e8b67034eda3fa80ede

Download Submit
C:\Windows\system\wZKsUSR.exe

Filesize
5.9MB

MD5
190578f607ca3fd24f1cb5560f028948

SHA1
539eda955771dae54594027bbdfa469fd5ae610a

SHA256
c3ecb0ac1f4061f3a8bbc9444c914137ff66bda46cc26a36633b782ba1f24834

SHA512
fb07d0ba3d3e8aa4e7df964a278ce631456cd798fc61e26df1c32195181659c1e9c9d5aeee762c135f2d20c67554a302d32ef1ecd5603113142a4dce8483d863

Download Submit
\Windows\system\DbihDSt.exe

Filesize
5.9MB

MD5
173e2e32e9f7d7411da2a94e5da0606e

SHA1
d19ec57578e2136ba921ace70cae3bee3f71e6ec

SHA256
5cde6d1fcf4e73d906a917f7517cddf2cd622255226de2a83dc0ed160c9af0b8

SHA512
59ee9d442435dfbc45b07d9b229358ea9c74cfe9da4fa493f1d6573b0ec3cabb0d358521a22744dbe973e776f393ff91fbbb711403b9754e0510eb22e3b648ed

Download Submit
\Windows\system\FPmyFyn.exe

Filesize
5.9MB

MD5
cf5e2f1e2f5eecfbb2b1d3f295e8e84a

SHA1
8daec5a5531409ebb86fbb9df29421811f7c761f

SHA256
b27a971bc4a0fd6d3171ce0e5eeed2898e7d3c238968688262787c05565c3c87

SHA512
57cf3082a5a0e9f9b369c089b1ee2d369785f21ed2a75a2e5738b1343d2299385b9c7bb3003a8c35d40def7544b088fa794d8279d544f1baa439aa970e93caa5

Download Submit
\Windows\system\GaQFiXi.exe

Filesize
5.9MB

MD5
ddc9b5fc3d2f43aa223b01b33415f528

SHA1
67e10b98984ab3c4f63b55da8bb3a54e1ba4f8a9

SHA256
bd1efe54492a3fcc9773d8fb0b1f213255d3b28ec57d1aca37e78c3180e9835b

SHA512
7bc1d0dc56037a564a4f250a1175808658cabeb014bd6582c154cdb2950c4b266b99a24f47305693cfacce5596eb2b1d06a0f54a83f3267d327e6c6479c50ff4

Download Submit
\Windows\system\IBSkHGP.exe

Filesize
5.9MB

MD5
72aaaf84bb319f16c919b36b46ac1745

SHA1
40c865aac163ab50dd721acd171dc7dfc43697e2

SHA256
72a6a1bc77e13b5b64aa3c9258b2dd5e7e508853cb4222dad38187d4e84d74ac

SHA512
ff1b9bd1af1108546ae46ac5937865ff761dd782e6c344319df9adf652ad865e84e9796134b2adbadfba7e6c3318ad469448d93b8d04727b72c0cd1c26da54d9

Download Submit
\Windows\system\LGhexnL.exe

Filesize
5.9MB

MD5
868ad0be2b39547e55acef46d18f1d5e

SHA1
10c9b22bb65e54a0da8ead9f27e32d4c02a4ba37

SHA256
b636281e2190e3084903cd4682b204db4d20b9b0347ac628cbd73afe57a3a89a

SHA512
b41b9823c9fc44ead7ecbb6f3cd078c8ef66409f9d0c2078324f786f6ef9f72ed4a1e4c0dd3f42d0b3b6fbdf92619c13f04a9a69a98b4aed0aa1b45c9691d843

Download Submit
\Windows\system\OwNfzuN.exe

Filesize
5.9MB

MD5
a34ed9eed0a10aad0539e175e40a323e

SHA1
e9c2bfe48d0c0b7cbc562b2dad272085f43efb57

SHA256
f7c59de379ed9c918f5d0b8860df134c310fe967302d6570ed41d977d9384e39

SHA512
5b8424b0eb76ad454d97b66d37c63ae4e145783150e1cde2c00a159a98363a72143a48d2dc1199c12702d4ada85e477174391f652494492e3a686f0c6a041d95

Download Submit
\Windows\system\qtfKNyV.exe

Filesize
5.9MB

MD5
2c07b013a158255f8071cf8cc101100f

SHA1
664828d66d5b6f9092baf9bf438b459a90de3a1a

SHA256
47c0db74330a98bdc47b4081b33350863b8b8840540a7bb5a662666ae223f3d9

SHA512
30e4fc8a7dcad6cbc6a32c9e5515230e32eae948e7f11743e2632d3c3f498b53b336ec1d74666da38a60be774c206f88fd7f3a69a7935bf782d6179d1fba7cdb

Download Submit
\Windows\system\uUzNRTF.exe

Filesize
5.9MB

MD5
e1f639430e9adc9a46d10da4239dfcea

SHA1
de7d330f861cfe39313d8c0a81752c21989a7ab0

SHA256
d21e9874f516b528aeb37397748cdf43518470d2804e8e78061097cbf29a804e

SHA512
70e9e3bf4de175a2406fde6a117c2c1581254e30e7669cf9a56a750ca4f1c413187e0f9fcebb842978786c2c96349dadb94f8f3e886599347b3efbb35c169e56

Download Submit
memory/1396-156-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1396-81-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-66-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-155-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-144-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/1988-160-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/1988-95-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2348-158-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2348-88-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2348-142-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2528-83-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2528-43-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2528-152-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2536-149-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-23-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-151-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2664-41-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2668-109-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-101-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-35-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2668-53-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-17-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-0-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-25-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2668-1-0x0000000001B20000-0x0000000001B30000-memory.dmp

Filesize
64KB

Download
memory/2668-21-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/2668-78-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2668-146-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-12-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-57-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/2668-102-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-106-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2668-44-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2668-80-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-145-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-140-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2668-50-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2668-84-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2668-143-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/2668-61-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-148-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-19-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-159-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-104-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-22-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-147-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-150-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2852-77-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2852-29-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2956-79-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2956-157-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/3016-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/3016-51-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/3064-154-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/3064-59-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/3064-94-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download