cobaltstrike | f25c268315837190c91f6e7a8cc2a1f5d990502d59521594029abfeb7b6d6f1d

Analysis

max time kernel
133s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
Size

5.9MB
MD5

ea63aa4a10d78a7b1fd8574f16dff7fa
SHA1

7cd521fd5f945f56ae59faf9ba64a1796720116e
SHA256

f25c268315837190c91f6e7a8cc2a1f5d990502d59521594029abfeb7b6d6f1d
SHA512

1ca08b5e1610e9a482b59291ba0887412f9b91ddc16dbdf04369883990c395fb57074a04c64d667b48a2ee6d0d01bdc57c0af9439b8021ae0b500fe9d4df625e
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUD:E+b56utgpPF8u/7D

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d00000001226d-6.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d9a-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015da7-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e18-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f81-30.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001612f-36.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-43.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d25-41.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e71-25.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3e-49.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d46-54.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d7e-124.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001706d-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ea4-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dd1-92.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173da-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016eca-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dd7-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dbe-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d9a-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d96-66.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 56 IoCs

miner

resource	yara_rule
behavioral1/memory/2180-0-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/files/0x000d00000001226d-6.dat	xmrig
behavioral1/files/0x0007000000015d9a-11.dat	xmrig
behavioral1/files/0x0007000000015da7-12.dat	xmrig
behavioral1/files/0x0007000000015e18-26.dat	xmrig
behavioral1/files/0x0007000000015f81-30.dat	xmrig
behavioral1/files/0x000800000001612f-36.dat	xmrig
behavioral1/files/0x0006000000016d36-43.dat	xmrig
behavioral1/files/0x0007000000016d25-41.dat	xmrig
behavioral1/files/0x0007000000015e71-25.dat	xmrig
behavioral1/files/0x0006000000016d3e-49.dat	xmrig
behavioral1/files/0x0006000000016d46-54.dat	xmrig
behavioral1/memory/2180-62-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2180-71-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/2764-76-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2180-75-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2180-77-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/files/0x0009000000015d7e-124.dat	xmrig
behavioral1/files/0x000600000001706d-104.dat	xmrig
behavioral1/files/0x0006000000016ea4-98.dat	xmrig
behavioral1/files/0x0006000000016dd1-92.dat	xmrig
behavioral1/files/0x00060000000173da-117.dat	xmrig
behavioral1/files/0x0006000000016eca-116.dat	xmrig
behavioral1/files/0x0006000000016dd7-115.dat	xmrig
behavioral1/files/0x0006000000016dbe-113.dat	xmrig
behavioral1/memory/1464-112-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2180-111-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/684-110-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2708-91-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2688-83-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2956-80-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d9a-79.dat	xmrig
behavioral1/memory/2268-74-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2896-73-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d96-66.dat	xmrig
behavioral1/memory/2904-70-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2468-68-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2500-67-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2472-61-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/2180-60-0x0000000002350000-0x00000000026A4000-memory.dmp	xmrig
behavioral1/memory/2272-58-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/memory/2180-133-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/684-134-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/1464-135-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2472-136-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/2468-138-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2272-137-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/memory/2904-139-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2500-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2268-142-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2896-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/2764-143-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2956-144-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/2688-145-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2708-146-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/684-147-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1464	rWlcdOg.exe
2272	BvxXGQw.exe
2472	yeTFFyJ.exe
2500	KBgEITm.exe
2468	FavBHgR.exe
2904	OecWQcR.exe
2896	gVxfatF.exe
2268	etrVKZQ.exe
2764	zFEqPUO.exe
2956	GgrYlNC.exe
2688	EIGNEFs.exe
2708	oGqBUIF.exe
684	PvWgTBK.exe
1312	rjNUDfH.exe
2968	TaWCoyB.exe
2692	EAegQkh.exe
2032	qjzHvqa.exe
560	nzykYya.exe
2888	pIrRppZ.exe
1516	WffSpKy.exe
2700	GhsQQGl.exe

Loads dropped DLL 21 IoCs

pid	Process
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/files/0x000d00000001226d-6.dat	upx
behavioral1/files/0x0007000000015d9a-11.dat	upx
behavioral1/files/0x0007000000015da7-12.dat	upx
behavioral1/files/0x0007000000015e18-26.dat	upx
behavioral1/files/0x0007000000015f81-30.dat	upx
behavioral1/files/0x000800000001612f-36.dat	upx
behavioral1/files/0x0006000000016d36-43.dat	upx
behavioral1/files/0x0007000000016d25-41.dat	upx
behavioral1/files/0x0007000000015e71-25.dat	upx
behavioral1/files/0x0006000000016d3e-49.dat	upx
behavioral1/files/0x0006000000016d46-54.dat	upx
behavioral1/memory/2764-76-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/files/0x0009000000015d7e-124.dat	upx
behavioral1/files/0x000600000001706d-104.dat	upx
behavioral1/files/0x0006000000016ea4-98.dat	upx
behavioral1/files/0x0006000000016dd1-92.dat	upx
behavioral1/files/0x00060000000173da-117.dat	upx
behavioral1/files/0x0006000000016eca-116.dat	upx
behavioral1/files/0x0006000000016dd7-115.dat	upx
behavioral1/files/0x0006000000016dbe-113.dat	upx
behavioral1/memory/1464-112-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/684-110-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/2708-91-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2688-83-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2956-80-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/files/0x0006000000016d9a-79.dat	upx
behavioral1/memory/2268-74-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2896-73-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/files/0x0006000000016d96-66.dat	upx
behavioral1/memory/2904-70-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2468-68-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2500-67-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2472-61-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/2272-58-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/memory/2180-133-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/684-134-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/1464-135-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2472-136-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/2468-138-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2272-137-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/memory/2904-139-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2500-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2268-142-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2896-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/2764-143-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2956-144-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/memory/2688-145-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2708-146-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/684-147-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nzykYya.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\pIrRppZ.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\TaWCoyB.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\gVxfatF.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\etrVKZQ.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\zFEqPUO.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\EIGNEFs.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\oGqBUIF.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\rWlcdOg.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\BvxXGQw.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\yeTFFyJ.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\OecWQcR.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\GhsQQGl.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\KBgEITm.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\PvWgTBK.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\qjzHvqa.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\FavBHgR.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\GgrYlNC.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\rjNUDfH.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\WffSpKy.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
File created	C:\Windows\System\EAegQkh.exe	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1464	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	31
PID 2180 wrote to memory of 1464	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	31
PID 2180 wrote to memory of 1464	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	31
PID 2180 wrote to memory of 2272	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2272	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2272	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2472	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2472	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2472	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	33
PID 2180 wrote to memory of 2468	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2468	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2468	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	34
PID 2180 wrote to memory of 2500	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	35
PID 2180 wrote to memory of 2500	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	35
PID 2180 wrote to memory of 2500	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	35
PID 2180 wrote to memory of 2904	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2904	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2904	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	36
PID 2180 wrote to memory of 2896	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	37
PID 2180 wrote to memory of 2896	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	37
PID 2180 wrote to memory of 2896	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	37
PID 2180 wrote to memory of 2268	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	38
PID 2180 wrote to memory of 2268	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	38
PID 2180 wrote to memory of 2268	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	38
PID 2180 wrote to memory of 2764	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	39
PID 2180 wrote to memory of 2764	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	39
PID 2180 wrote to memory of 2764	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	39
PID 2180 wrote to memory of 2956	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2956	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2956	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	40
PID 2180 wrote to memory of 2688	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	41
PID 2180 wrote to memory of 2688	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	41
PID 2180 wrote to memory of 2688	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	41
PID 2180 wrote to memory of 2708	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	42
PID 2180 wrote to memory of 2708	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	42
PID 2180 wrote to memory of 2708	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	42
PID 2180 wrote to memory of 684	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	43
PID 2180 wrote to memory of 684	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	43
PID 2180 wrote to memory of 684	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	43
PID 2180 wrote to memory of 560	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	44
PID 2180 wrote to memory of 560	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	44
PID 2180 wrote to memory of 560	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	44
PID 2180 wrote to memory of 1312	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	45
PID 2180 wrote to memory of 1312	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	45
PID 2180 wrote to memory of 1312	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	45
PID 2180 wrote to memory of 2888	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	46
PID 2180 wrote to memory of 2888	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	46
PID 2180 wrote to memory of 2888	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	46
PID 2180 wrote to memory of 2968	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	47
PID 2180 wrote to memory of 2968	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	47
PID 2180 wrote to memory of 2968	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	47
PID 2180 wrote to memory of 1516	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	48
PID 2180 wrote to memory of 1516	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	48
PID 2180 wrote to memory of 1516	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	48
PID 2180 wrote to memory of 2692	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	49
PID 2180 wrote to memory of 2692	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	49
PID 2180 wrote to memory of 2692	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	49
PID 2180 wrote to memory of 2700	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	50
PID 2180 wrote to memory of 2700	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	50
PID 2180 wrote to memory of 2700	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	50
PID 2180 wrote to memory of 2032	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	51
PID 2180 wrote to memory of 2032	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	51
PID 2180 wrote to memory of 2032	2180	ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea63aa4a10d78a7b1fd8574f16dff7fa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System\rWlcdOg.exe
  C:\Windows\System\rWlcdOg.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\BvxXGQw.exe
  C:\Windows\System\BvxXGQw.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\yeTFFyJ.exe
  C:\Windows\System\yeTFFyJ.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\FavBHgR.exe
  C:\Windows\System\FavBHgR.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\KBgEITm.exe
  C:\Windows\System\KBgEITm.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\OecWQcR.exe
  C:\Windows\System\OecWQcR.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\gVxfatF.exe
  C:\Windows\System\gVxfatF.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\etrVKZQ.exe
  C:\Windows\System\etrVKZQ.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\zFEqPUO.exe
  C:\Windows\System\zFEqPUO.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\GgrYlNC.exe
  C:\Windows\System\GgrYlNC.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\EIGNEFs.exe
  C:\Windows\System\EIGNEFs.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\oGqBUIF.exe
  C:\Windows\System\oGqBUIF.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\PvWgTBK.exe
  C:\Windows\System\PvWgTBK.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\nzykYya.exe
  C:\Windows\System\nzykYya.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\rjNUDfH.exe
  C:\Windows\System\rjNUDfH.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\pIrRppZ.exe
  C:\Windows\System\pIrRppZ.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\TaWCoyB.exe
  C:\Windows\System\TaWCoyB.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\WffSpKy.exe
  C:\Windows\System\WffSpKy.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\EAegQkh.exe
  C:\Windows\System\EAegQkh.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\GhsQQGl.exe
  C:\Windows\System\GhsQQGl.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\qjzHvqa.exe
  C:\Windows\System\qjzHvqa.exe
  2⤵
  - Executes dropped EXE
  PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BvxXGQw.exe

Filesize
5.9MB

MD5
721bc204219d31afbba8530093a9a5a4

SHA1
1095fe90e76c005180d6b46b27a42b021f761614

SHA256
a8a01b94f18ad94aeffd989d4d2c2f3bf39824c3f948582bda0141c9924adde1

SHA512
7b6b6e6cdfb6a1db91e1611fccb487844b659fb957014e75090ba881620b1b2d1832f1c811e0a4ac26300aef861e6fb52b4a86bb221b1d607b6ed916f6562c75

Download Submit
C:\Windows\system\EAegQkh.exe

Filesize
5.9MB

MD5
d450a3028d132a9b6573ef9868160f9a

SHA1
ae433be5a8bb47658e6c8c0938b113567335777a

SHA256
02f67b0ede2c6761b1d200e61bd876ab6e252947dbd0056e1a66c6b951d8338d

SHA512
0d5f2644c338361bbbc7f8422833de7db13a6329f82fd3274d6eda9210f1ebbc07ffc4c6239dec8e9dab5010f31e7a0c5e2f8d5a277c5831279796928f5331d3

Download Submit
C:\Windows\system\FavBHgR.exe

Filesize
5.9MB

MD5
65022e652fb99621de4acc93abb4650e

SHA1
40d6c342585e3f7b3fe356dfbe449232afeb5c11

SHA256
c335b892c1f1cafa88c54d359db746139af4dd8b5f166e6ea86ab53742c54085

SHA512
edf2f58e554b8923b406928b9a52c4ec9c54e776b76915749ad04220d2e57fc2300bedc46bbab11aec0e724aa0b660f6803acd7e0ade52e1e7f71083c4fdcd1b

Download Submit
C:\Windows\system\KBgEITm.exe

Filesize
5.9MB

MD5
7db4cb1532898804ce570f5ec2b6f02f

SHA1
e4ea95f5edb52144c8b898a23494088712893ce3

SHA256
1106a145a6bac487749d1a2cfcdc7e94205a6046f88d029f48ede6a841cfe576

SHA512
7a69faf9e00c3c6d2c6cd76f659fd55ea9bdf6aefe2426b26a1e7a0bb6b9fa8f1ebf266a2206ec5acfa5ba832e93a4cf74ade04dfb65566b0f65d6060768c676

Download Submit
C:\Windows\system\OecWQcR.exe

Filesize
5.9MB

MD5
287fa83af0faf33fe324cbd7d3a45da3

SHA1
de8c6a7353d389ab53015375a01572882a9dbc6a

SHA256
e4b48c07a06b92ae60dd3a6742eb16aee4a758c59fcbe2df74d6cb4144e78e78

SHA512
7f6b7aa52c5a130f9ccc4e2c9e39edcfd6506d9d9583fef17e2fe0f333a62962300840b1a04e264bd5e676b44cae7993a961da99dcb8fa891a6c5231b654329d

Download Submit
C:\Windows\system\TaWCoyB.exe

Filesize
5.9MB

MD5
1171aa5bf58da6287788b755888b3615

SHA1
4c397c6bcb52539f05b7b7ccf35e0022321e9c0f

SHA256
c125280747ee0953447c989144da451ae57fcdee02bf2c46403e6fddc8471ad9

SHA512
ce3cf45df47330168caefd1b62b84a68ea97029c1e393c78feb9162a543697be6bb556fd0f163fc34f26bd637e59f3b5619cdb2c5eb477a077ccaf5e32b76042

Download Submit
C:\Windows\system\etrVKZQ.exe

Filesize
5.9MB

MD5
20efcc6b887ee7b4b2e2a198ce69a123

SHA1
0a25a8bc238dd4064778d8b074cb458cb978cf70

SHA256
cd6c82dd3bf0854b435fce807b973454045159fd59411c9b7e59979bbd83883f

SHA512
5146ee0cced57a774b09d34ec4684fa2dad6512defcd23a531ed205d12a8c0bc25ee6a1048477b1f5ff4233955d5a631ad038592ebd797c700e06b1fd4bedabc

Download Submit
C:\Windows\system\gVxfatF.exe

Filesize
5.9MB

MD5
2d0a0af61ef1278ef647aff452883856

SHA1
ae395a186873ff15350326936ff69af9c16c1c08

SHA256
c96cf3eba37d4bc21d1c60e06d84c17d249a3fa544c6e2ab312b4e9973303993

SHA512
6aa3158ff7e1c189ea08dbcf78426152755b5f1510a013257842d5dfbe3e167f798b0e45c169ef6714abdbb9b00090334b146464f0b17fe5dd816d1eae52cb05

Download Submit
C:\Windows\system\nzykYya.exe

Filesize
5.9MB

MD5
24b41e334f3c051b4ef38ea845f54994

SHA1
cd0345d79e7e7763229cedce8b514f765b573e45

SHA256
8937abd12364a65fea5963637f35d2987a46a3e27cfb798f89d069c2802ee482

SHA512
5a2999c586e25c4ebce82f8c0748a2e2b2c32cbdcc3470eef59e5e012e00bd784e09537223aee90d34487dd8a571cb085fc59d28240160346f25635ecf5641b9

Download Submit
C:\Windows\system\oGqBUIF.exe

Filesize
5.9MB

MD5
a10629d5d430052f73a6d99e306e5efc

SHA1
db5f81884f2acb76cf55a7e394e91e47d91f4cfa

SHA256
bb1c1456af22bb6f7d39789c18c5e534752dd52e5f91c753c754e89de1ec2513

SHA512
60c4cb88d93667fdf8b0fbe2e1476f60e24963c05a5e5be351aaf96cf01b974e36e5b6b1c9adbb66ea4cf2c47184f825291af5f3657add324013ffc80c5ae761

Download Submit
C:\Windows\system\qjzHvqa.exe

Filesize
5.9MB

MD5
6d7d4dc8e5cbd7282a4e06696699bcfa

SHA1
c5ca11b3e2d0dfe7c14ed72750701964092f0bd8

SHA256
f52a2d925f306f84a97fc8c4b69f448fc1146890918d4b10bb2570046000a1d9

SHA512
9b80ed5868a93fdef41d5695058e36e0ae2442187025cf65a96893943595cb3b2e9f6f7dd649055735269745fdfbeacfc0ae578d105bbe67a9138aa16594e578

Download Submit
C:\Windows\system\rWlcdOg.exe

Filesize
5.9MB

MD5
bd6d274b927a0d9b6d44fe13d5f200de

SHA1
7593a24faf2a14cbc4d3d327302971f33f1f279e

SHA256
f159a1df37746d8386a60d453de79dcb7821be27c934218c40ff4feb9a1ff45e

SHA512
a0ab8a219d32794f9ecd50692adb4e189c07685f0021b60bc456310e29eef4d912ce3c7841597273d5495c6249583ba9fdeeeeadbcaa04ba0f8b2242b4ecd131

Download Submit
C:\Windows\system\rjNUDfH.exe

Filesize
5.9MB

MD5
607470eca31698825c7b282eaac33755

SHA1
2f1a88f89612f1fd4e8f3a69c97a0255afaa18b3

SHA256
81e26088e769d0d71ec9a8dfbd1610dcf66a459c65e4c1ae7f201390fd1f9b0d

SHA512
544e1709947968e514b890c7710af0dd9cff8144aa16e0c74e3cce9b588dcd83861051e1271d38a80b179d3f6aace6c2a00e429fb77d3664accafb42accf6f76

Download Submit
\Windows\system\EIGNEFs.exe

Filesize
5.9MB

MD5
0328ac2c53c731a8350caf6f8a363132

SHA1
5288bc90e080f161913d3fed812ebd6e56c77614

SHA256
b7085586a39f6cb60aee0061d58cbc4509c380919794f1182292b44fa41df584

SHA512
6e707c0b0de7a60306e1d6803aa4e6affdd59a730deb64eb464455c973b93188597901d6481ddfc77c6bbeda7fa2f8c7e4565e76019e6562b36c308f84712709

Download Submit
\Windows\system\GgrYlNC.exe

Filesize
5.9MB

MD5
bba3619e95238a9a0c5492e5f3271d18

SHA1
f95703a038d03895b424c45c25befeaf1622b7d2

SHA256
5e1d3260d4e5c0620a24e4ca6d3e6d05e1843c074feb2d0a7dcf778b6350e115

SHA512
ae7d79ac804e99fb4cf10f88b7788f6aa3a8b9be88ff7a775c43319c09a975cbb3b64dcc103b8f09793ddfcd0e16529c0fb8c68cfcfa7ed03f0ca545fbc643a8

Download Submit
\Windows\system\GhsQQGl.exe

Filesize
5.9MB

MD5
117f647ff7e3eab460342a8e8322e5ef

SHA1
3434b8177d5554a835c7e6e67348f56b92837439

SHA256
a031609d5359c1b40b64aed98ff22ea7f121c49e229f8675b948d228a2aba33f

SHA512
a184a5fae92a49b86385cfac951b3fab0ec39cc3a657cb1d337b34517bfe3111f37e31f38d366e3d37639bf698506c820d60bcbce67e2a8e7e30cfff11fcd783

Download Submit
\Windows\system\PvWgTBK.exe

Filesize
5.9MB

MD5
1a4fb9d14b53c6a5347a4f5e14c422e0

SHA1
570699d45c579b7bf9c4aa9454fdd26beddaabef

SHA256
244de2a1ac9a5cd42e09f7bd075b0b05089d5bbc8b7196b4d443da4e030c2229

SHA512
573249c60aa817f9ded2fb6c77b290dfbfbcb408f74a460a81c4c8f07c48fb4d8c02e5a21537e6653dab37a9418c53d4962bae2ce17933657f9a436bf7fd25a9

Download Submit
\Windows\system\WffSpKy.exe

Filesize
5.9MB

MD5
4b451a4b77a39073b8e469acbb0de0e8

SHA1
ad7b2d4fc4fc4cc27ba29437d5921fd26df41d90

SHA256
c203094e60d45a0e24b2e42e553ff61c61c17e801ae3c1dc8740c34606cacc16

SHA512
3e2fbe39f618fda79a4b237d7b5df750d25be3786ee020fa779d2675a316e20359fb742ce93ce60c27f9bc0c5df3ffba781548281b54844daa1086c7a0bd9009

Download Submit
\Windows\system\pIrRppZ.exe

Filesize
5.9MB

MD5
bdf21ebf44a6cf610ca389c192b7f897

SHA1
c5d7c48dd12bd730234f3cbb6a925f2b9e2aeebd

SHA256
0c1aa10bde30156417eaee872a2f8fb936809400726b63937cf96525e537f6fa

SHA512
61630825b0dd35668a451709fcda729e585eeb6dbea20d94d713b3b4f9df30540016db2f39cf8922acc091060222cafd2b903209f5039ad2be3ab77690315832

Download Submit
\Windows\system\yeTFFyJ.exe

Filesize
5.9MB

MD5
3be11d2a18cf71a2bf025423ac53582e

SHA1
42446e7b8fb7c6a0182e91a97db1a9fd51f28b06

SHA256
fc22ca027389c5f4bf3b3a199f8172b8fdc8dd12941cc89db63c5ad2e83135cd

SHA512
4a995f95fbcb06114a491707815a2cec5fdb032586c4075e413871cc52ac29745be57bb9f9b3de16bde00ae5b0603ea8620b2c37b33d07da551e25141de842e2

Download Submit
\Windows\system\zFEqPUO.exe

Filesize
5.9MB

MD5
9f603688572d4a62dcfac9dc1e931b98

SHA1
9098413ae074eb5926113abf2a87877c7519075e

SHA256
8dae47f9e3bd15b609835ef6eda8971e9b9e17588cbd1eb429a5d02e9aed2598

SHA512
507f961be854d8f52fc2ca4a2a058276cabf8fd34e0597922d38b89d24645a4713275fee5cb117524ee1db03a00929dc6fc6cac5fbbb31fbbf2aa95715a07bfa

Download Submit
memory/684-110-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/684-134-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/684-147-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/1464-135-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-112-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-71-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2180-18-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-122-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-123-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2180-126-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2180-77-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-75-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2180-111-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2180-133-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2180-60-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-118-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2180-0-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2180-69-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-63-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-62-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2268-74-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2268-142-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2272-137-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2272-58-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2468-68-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2468-138-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2472-136-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2472-61-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2500-67-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-141-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-83-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-145-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-91-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2708-146-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2764-143-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2764-76-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2896-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2896-73-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2904-139-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2904-70-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2956-80-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-144-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download