cobaltstrike | fbb585a22ba601caf95d9aa44ba425b15079ef10f73eedc8c8a6ce223590c678

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
Size

5.9MB
MD5

f486ecc4adebfed8990b925e902038fe
SHA1

475c952698dc74f5b51da62dec7edb2e4ffb927f
SHA256

fbb585a22ba601caf95d9aa44ba425b15079ef10f73eedc8c8a6ce223590c678
SHA512

6c418304de24174fc2eb8d9f8404f77727369261231fda2b60efa902b38bfa5a6d7ca0293fa1aa1241d8c154afb6ef83bb82de192a4c43dfb81cd4e0426a13df
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUm:E+b56utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000012280-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016399-15.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000164de-20.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001660e-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016890-36.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016edc-45.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016f02-50.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174b4-60.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000175f1-75.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018697-90.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870c-100.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001871c-104.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018706-95.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000018683-85.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000175f7-80.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017570-70.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174f8-65.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001707f-55.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016df8-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016689-30.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000162e4-11.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/2384-0-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/files/0x000c000000012280-6.dat	xmrig
behavioral1/files/0x0008000000016399-15.dat	xmrig
behavioral1/files/0x00070000000164de-20.dat	xmrig
behavioral1/files/0x000700000001660e-26.dat	xmrig
behavioral1/files/0x0007000000016890-36.dat	xmrig
behavioral1/files/0x0006000000016edc-45.dat	xmrig
behavioral1/files/0x0006000000016f02-50.dat	xmrig
behavioral1/files/0x00060000000174b4-60.dat	xmrig
behavioral1/files/0x00060000000175f1-75.dat	xmrig
behavioral1/files/0x0005000000018697-90.dat	xmrig
behavioral1/files/0x000500000001870c-100.dat	xmrig
behavioral1/files/0x000500000001871c-104.dat	xmrig
behavioral1/files/0x0005000000018706-95.dat	xmrig
behavioral1/files/0x000d000000018683-85.dat	xmrig
behavioral1/memory/2384-114-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2888-113-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2644-129-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2592-131-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/2384-130-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/1880-127-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2476-126-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2384-125-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2904-124-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2728-123-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/3012-121-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2384-120-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2820-119-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2456-117-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2688-115-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2096-111-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2360-109-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2076-108-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/files/0x00060000000175f7-80.dat	xmrig
behavioral1/files/0x0006000000017570-70.dat	xmrig
behavioral1/files/0x00060000000174f8-65.dat	xmrig
behavioral1/files/0x000600000001707f-55.dat	xmrig
behavioral1/files/0x0007000000016df8-40.dat	xmrig
behavioral1/files/0x0007000000016689-30.dat	xmrig
behavioral1/files/0x00090000000162e4-11.dat	xmrig
behavioral1/memory/2384-133-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2076-135-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2360-136-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2688-138-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2096-137-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2456-139-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/3012-141-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2904-143-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2476-144-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2644-146-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2592-147-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/1880-145-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2728-142-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2820-140-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2888-148-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2076	fwcDHjC.exe
2360	LxBJRXD.exe
2096	VJkuSWT.exe
2888	RhPvkmC.exe
2688	PNktBho.exe
2456	jQWMpda.exe
2820	KSkEVRn.exe
3012	XbqqOIH.exe
2728	iBDpHEY.exe
2904	WiekADL.exe
2476	ykkXYJf.exe
1880	NgSZZny.exe
2644	LaVmXFJ.exe
2592	KoToxfo.exe
2668	gBtovdO.exe
2172	nLlGVGA.exe
2184	mxUFSJZ.exe
1676	tivdoum.exe
1480	QLKPxDO.exe
2144	rsTuGqj.exe
2696	MxlNzor.exe

Loads dropped DLL 21 IoCs

pid	Process
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-0-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/files/0x000c000000012280-6.dat	upx
behavioral1/files/0x0008000000016399-15.dat	upx
behavioral1/files/0x00070000000164de-20.dat	upx
behavioral1/files/0x000700000001660e-26.dat	upx
behavioral1/files/0x0007000000016890-36.dat	upx
behavioral1/files/0x0006000000016edc-45.dat	upx
behavioral1/files/0x0006000000016f02-50.dat	upx
behavioral1/files/0x00060000000174b4-60.dat	upx
behavioral1/files/0x00060000000175f1-75.dat	upx
behavioral1/files/0x0005000000018697-90.dat	upx
behavioral1/files/0x000500000001870c-100.dat	upx
behavioral1/files/0x000500000001871c-104.dat	upx
behavioral1/files/0x0005000000018706-95.dat	upx
behavioral1/files/0x000d000000018683-85.dat	upx
behavioral1/memory/2888-113-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2644-129-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2592-131-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/1880-127-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2476-126-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/2904-124-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2728-123-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/3012-121-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2820-119-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2456-117-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2688-115-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/2096-111-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2360-109-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2076-108-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/files/0x00060000000175f7-80.dat	upx
behavioral1/files/0x0006000000017570-70.dat	upx
behavioral1/files/0x00060000000174f8-65.dat	upx
behavioral1/files/0x000600000001707f-55.dat	upx
behavioral1/files/0x0007000000016df8-40.dat	upx
behavioral1/files/0x0007000000016689-30.dat	upx
behavioral1/files/0x00090000000162e4-11.dat	upx
behavioral1/memory/2384-133-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2076-135-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2360-136-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2688-138-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/2096-137-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2456-139-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/3012-141-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2904-143-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2476-144-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/2644-146-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2592-147-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/1880-145-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2728-142-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2820-140-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2888-148-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WiekADL.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\KoToxfo.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\QLKPxDO.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\fwcDHjC.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\XbqqOIH.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\iBDpHEY.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\gBtovdO.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\mxUFSJZ.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\MxlNzor.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\LxBJRXD.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\RhPvkmC.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\PNktBho.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\KSkEVRn.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\NgSZZny.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\nLlGVGA.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\VJkuSWT.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\ykkXYJf.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\LaVmXFJ.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\tivdoum.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\rsTuGqj.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
File created	C:\Windows\System\jQWMpda.exe	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2076	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2076	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2076	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2360	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2360	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2360	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2096	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2096	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2096	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2888	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2688	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2688	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2688	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2456	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	36
PID 2384 wrote to memory of 2456	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	36
PID 2384 wrote to memory of 2456	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	36
PID 2384 wrote to memory of 2820	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2820	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	37
PID 2384 wrote to memory of 2820	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	37
PID 2384 wrote to memory of 3012	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	38
PID 2384 wrote to memory of 3012	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	38
PID 2384 wrote to memory of 3012	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	38
PID 2384 wrote to memory of 2728	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	39
PID 2384 wrote to memory of 2728	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	39
PID 2384 wrote to memory of 2728	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	39
PID 2384 wrote to memory of 2904	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	40
PID 2384 wrote to memory of 2904	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	40
PID 2384 wrote to memory of 2904	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	40
PID 2384 wrote to memory of 2476	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	41
PID 2384 wrote to memory of 2476	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	41
PID 2384 wrote to memory of 2476	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	41
PID 2384 wrote to memory of 1880	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	42
PID 2384 wrote to memory of 1880	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	42
PID 2384 wrote to memory of 1880	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	42
PID 2384 wrote to memory of 2644	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	43
PID 2384 wrote to memory of 2644	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	43
PID 2384 wrote to memory of 2644	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	43
PID 2384 wrote to memory of 2592	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	44
PID 2384 wrote to memory of 2592	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	44
PID 2384 wrote to memory of 2592	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	44
PID 2384 wrote to memory of 2668	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	45
PID 2384 wrote to memory of 2668	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	45
PID 2384 wrote to memory of 2668	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	45
PID 2384 wrote to memory of 2172	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	46
PID 2384 wrote to memory of 2172	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	46
PID 2384 wrote to memory of 2172	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	46
PID 2384 wrote to memory of 2184	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	47
PID 2384 wrote to memory of 2184	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	47
PID 2384 wrote to memory of 2184	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	47
PID 2384 wrote to memory of 1676	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	48
PID 2384 wrote to memory of 1676	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	48
PID 2384 wrote to memory of 1676	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	48
PID 2384 wrote to memory of 1480	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	49
PID 2384 wrote to memory of 1480	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	49
PID 2384 wrote to memory of 1480	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	49
PID 2384 wrote to memory of 2144	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	50
PID 2384 wrote to memory of 2144	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	50
PID 2384 wrote to memory of 2144	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	50
PID 2384 wrote to memory of 2696	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	51
PID 2384 wrote to memory of 2696	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	51
PID 2384 wrote to memory of 2696	2384	f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f486ecc4adebfed8990b925e902038fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System\fwcDHjC.exe
  C:\Windows\System\fwcDHjC.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\LxBJRXD.exe
  C:\Windows\System\LxBJRXD.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\VJkuSWT.exe
  C:\Windows\System\VJkuSWT.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\RhPvkmC.exe
  C:\Windows\System\RhPvkmC.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\PNktBho.exe
  C:\Windows\System\PNktBho.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\jQWMpda.exe
  C:\Windows\System\jQWMpda.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\KSkEVRn.exe
  C:\Windows\System\KSkEVRn.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\XbqqOIH.exe
  C:\Windows\System\XbqqOIH.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\iBDpHEY.exe
  C:\Windows\System\iBDpHEY.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\WiekADL.exe
  C:\Windows\System\WiekADL.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\ykkXYJf.exe
  C:\Windows\System\ykkXYJf.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\NgSZZny.exe
  C:\Windows\System\NgSZZny.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\LaVmXFJ.exe
  C:\Windows\System\LaVmXFJ.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\KoToxfo.exe
  C:\Windows\System\KoToxfo.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\gBtovdO.exe
  C:\Windows\System\gBtovdO.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\nLlGVGA.exe
  C:\Windows\System\nLlGVGA.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\mxUFSJZ.exe
  C:\Windows\System\mxUFSJZ.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\tivdoum.exe
  C:\Windows\System\tivdoum.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\QLKPxDO.exe
  C:\Windows\System\QLKPxDO.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\rsTuGqj.exe
  C:\Windows\System\rsTuGqj.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\MxlNzor.exe
  C:\Windows\System\MxlNzor.exe
  2⤵
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\KSkEVRn.exe

Filesize
5.9MB

MD5
07e94ef2c3e9062165e53eecfd9a147a

SHA1
f1f9468e0d093976290edf1b03abc9995e30e0b1

SHA256
8eb232f70b7d5d68c1d8fd690e143baba25efc3614e5e0cdff6fae72a2ce867b

SHA512
435000bf16183351eb314a33681a8c442f7eddf6d4017946f13a3fdafb7502b639f83fe77f781d7ccb756ea02d0ac29b9e6637f32b4eb290e0d4820d337ee63d

Download Submit
C:\Windows\system\KoToxfo.exe

Filesize
5.9MB

MD5
84dcb5bfe091178dc10ff69343f0d581

SHA1
7c9441023a6816b4080a90425d4f813abcf2a023

SHA256
3f739533f0665587dc6c6fe11e2b7bf21e7fdc633cb8be0c7597deab46c1beac

SHA512
ad86dadc7ae772e2f717f973e48698554a5a4a7d045e66e41b71bef6c482a41c5a61a2523f924e8405437e7deb7619c4c123fbe48c115d16a86c9d45902ca32e

Download Submit
C:\Windows\system\LaVmXFJ.exe

Filesize
5.9MB

MD5
33c39d468c2be4137fc6f484f0fbe04b

SHA1
f1dfc3d614b1f37fc096d99e339d2267b3f5ec82

SHA256
30cb3c6d1f97eef5c7b723de5ba8df8da736ff2694250cbd4a9453510b3dac61

SHA512
dd45d3e0281ae86c427e0afea7060371468055bb7a5e3ba36fbc7e6dfc94e629d48a3b28e8d2bdc4e4db3554f7402494b0aa590d89ab7cf203bde090b48ba1f2

Download Submit
C:\Windows\system\LxBJRXD.exe

Filesize
5.9MB

MD5
90918653a2436cd44e08d4d806b8c275

SHA1
07e020b982a9ad374f0bf5bbf0ae0616e0b3fb08

SHA256
5265818f223a37d9bdf39410fa7ec24e1fc08151fa0bf917f623160d250fd976

SHA512
d4b50ca6199adcf55936b761bd14e226ddb44a91f4e170948f32e12eb163c9cf8279883c2d84e212c596c51d6e779e91313011c0e91509a9dafd535d30e83f2c

Download Submit
C:\Windows\system\MxlNzor.exe

Filesize
5.9MB

MD5
1979bf18598fe3ba612cae4556777cee

SHA1
09410598246cd6fd8c3d8bfd808fb5c1b90c70df

SHA256
a3362b598a6bb12b12b453a3c343c36338299f841d9680305fd9463bc78a5b71

SHA512
12e8a69ae669a39dd234a53bdfd39cb57cbb6e2da44524dfe831df0f2a99eeb285dc84b277debed02f95c95f77f7b81a75296afd5f1dcf9604148dae49471e64

Download Submit
C:\Windows\system\NgSZZny.exe

Filesize
5.9MB

MD5
b33e092fbb1ecfab50c93bb2b6e5f0af

SHA1
810ed5e598c21aae11cd79afe870e9636b408bf4

SHA256
f79bc92877f80637c2428cccaf133fb800b4366f2dc6ea528f7779a9a81bfbca

SHA512
4f2d989c379862cebed65f88fe971e86e441811ec79c9ee97b659ba6ff0f039f6949e51043a01dbb0730476815ea32800e6b0cb3c4b2fa7ae8bc9e39e75cb29c

Download Submit
C:\Windows\system\PNktBho.exe

Filesize
5.9MB

MD5
db6cc0f88e1f9310a44bf015baf5f8ca

SHA1
6ab94949fee7b7fdeba83f548a98e354b6e28bc5

SHA256
27e985513d48018f565889da0268466de7097addc2950c9c4a3695cc53eeb1ed

SHA512
eaab840aa0c4f733af331308fbdd0443963e933b20734280ac3e390fe4de3bd2eba79cb98007f6df9bef10e0507ec8369bc17a495dbc39e0f997098ac364a8d7

Download Submit
C:\Windows\system\QLKPxDO.exe

Filesize
5.9MB

MD5
ed8866aae78ce2af9f0aa6a4c2258a00

SHA1
4135afab2ca2de9700d9ed01f9c453c2140a7f26

SHA256
90a24dbaba03ec12eabe1d3643451405a485671442895305804ffe96f165c8f3

SHA512
171913e2952aa5b6dd359f6f419b3d2e6ff995977e3882f908d5125672f2314d387e1d79098fde49e87fe59dd0b23b388e85f8d7a396d4078a077378626381d3

Download Submit
C:\Windows\system\RhPvkmC.exe

Filesize
5.9MB

MD5
f45ccb0c3c0a9b2030ebd3e58445c7f0

SHA1
5a5fecf8bdf0d00511f52097f7e1f64e1bf80da7

SHA256
cb58b031cb080dcff6a7b925e22cd431b2f7b9b89e3f339b62546ef2c3098aa0

SHA512
be5ffebd1843fccf0bdeb2c1b1bee50e13d55fb1c626fbce617b09a38c146731323401db894e609f2dca17a3a736617946994ec69a4238d7c9e03dc98b14bfde

Download Submit
C:\Windows\system\VJkuSWT.exe

Filesize
5.9MB

MD5
8303c3cf3112a7f95396bfc98cce2409

SHA1
694b0d1692e44cbd6370a97baad09d30b9e88ace

SHA256
3c71da0cd22d6c8dadaa34b60c830a035cc5bfd31338eaa5342b8a3ee6bb2573

SHA512
6d4dbdec2fda79608cc11492b0b26b1dd561463272148ba3ff674c1d7a9812f84847931f990e7ea611bc79905d084048393c8119a3e8c09af19e3482ab8abc7a

Download Submit
C:\Windows\system\WiekADL.exe

Filesize
5.9MB

MD5
a04638daabafba353f4c7b4eb7ae6758

SHA1
7e1ca2364c439e2f5a10af7afaea794f6fa6432f

SHA256
67ac2f861dd1e60cbb42f02e5ec00d83738a5fc4398a219813f2418b619ff768

SHA512
3da3aa69a78195aac87a58775b2fb076ec72dd77c80b3e0aed8f28517adf267260bca209bb6de38993d48fbb5e060c959e19cd8175cd38069c86db7e1bb928db

Download Submit
C:\Windows\system\XbqqOIH.exe

Filesize
5.9MB

MD5
d8a29cbeac92a0797764f9cbd4ac1bcf

SHA1
3b09a23b646c810b5827e7bbc1337e8bb8c08d0a

SHA256
d1ebbff39ec2a9d33cb126002731ed73e9cfbf1d5154d4add00b4418128f8e9b

SHA512
2cd2de49db6d6d4f568aa7e5ade4d0966db7eae856dfbc4de3b0985fbceedd6995cfdb11cbaabdafce18c71b3789bd587683a74a4d6f29737e8d8701125fc741

Download Submit
C:\Windows\system\fwcDHjC.exe

Filesize
5.9MB

MD5
8e6622d76f82f1e37006556d6d30c49c

SHA1
ab7992bf513e7890854c3b3e6ad06f7b2f3e37cb

SHA256
35e4f61b916d32e5f127b1df95196479ccb1be36dae21c022100e12e12ce2ba8

SHA512
fffff1a400b550be71e299ffb3d7c87be3cfe7ae8969849bb75f2af83b3fff9b6bbcd04293cc06bf046172bbf33accc84651122c13551c5c3d5aaa0e45031522

Download Submit
C:\Windows\system\gBtovdO.exe

Filesize
5.9MB

MD5
22648c274157a793bffe3c26704fc301

SHA1
a98a774f66a20feb88faee7c41d5234432b5c9ca

SHA256
675890d50b279204a7c796f08f5799e0761aa90332a2d5d53375922f7f6f33ac

SHA512
eb699dcd814cda7207f4e734f98ce25679d4b07467317353545c324aa524653a11ce840ad6255c75f6c9ea82de7ab431e1642e6fd5f87290ac56d09c07c27165

Download Submit
C:\Windows\system\iBDpHEY.exe

Filesize
5.9MB

MD5
7dc9b7fd9cd2ac31a3e2d403f0a0788e

SHA1
0c3e763dd4f315a5d07214fee6a9edc62b9048bf

SHA256
60aaf46e2655de789747ab52d100c01985d25fe48375637d0b4856513a659a99

SHA512
b5ab63678ae8cbd008311ee2681c197cf580096400a7833e03547f2cee4f638f55f756e122f9cedb65c9baff421ea2093f2f0780abf0369eaeb1df734bc69bab

Download Submit
C:\Windows\system\jQWMpda.exe

Filesize
5.9MB

MD5
67093c30b9721a23540216751cc5693f

SHA1
16ebaefe71be3f08dba49f37da68c1e6aa9095f2

SHA256
8ecad427e0baeadba65e9b6e128bcfd36e2e54863af5756527937e05c4793653

SHA512
842175ee26e3c396cfedf700df45f702d37b0f35c5cc685b623b01a550b680ef6c201b2e7cbab0c24bfdded72e2bfd68fb5c49f4ddb72210650f1fc55df0661b

Download Submit
C:\Windows\system\mxUFSJZ.exe

Filesize
5.9MB

MD5
1c01181add5f1f5c58e99c0e236328d8

SHA1
e65e847b7406ef6987e8bbd10dce5c9c3fd1c306

SHA256
b384bb982c3d5fb39285ab1422bcbf6866b8386fff52afc98910d67c09d36c6f

SHA512
57aae790913f578428d043d91625062bda505348cff39a67c8297d85cecae72a2cd3892ecece9bca8a3bd87e8d8a9f4de97370829379dc27b066a912d4277ea7

Download Submit
C:\Windows\system\nLlGVGA.exe

Filesize
5.9MB

MD5
b9f35e116dc7bafed54041dfd0a72774

SHA1
ff7a4848ca16bf8b20d8b7802e510652d6b2b0f6

SHA256
bc1c6d666c7735fe90909cf9db60082186dc6de665295f21f626c52a82619171

SHA512
6dd1aac3327143049b49f1f25305d22a9159b3885b09bed8f73f3e0b60be7dc9b6d5a2a79c9f41712a8a95011c4897ad99fee0e0f4464a84186a9f21fb370242

Download Submit
C:\Windows\system\rsTuGqj.exe

Filesize
5.9MB

MD5
c28cc85fd41317ca6faea51877d34fc0

SHA1
4b87a5ddfbb99e981ad0b3a106e09217b97f9514

SHA256
7162d244d7d913b714123cc445a21f46a3922f10508c5fce84341d07ad1ac349

SHA512
6bed1c868e6935f0fa43c8a22f7b538c290f9130c93efd1dcaf9bd59dd53f5b42020990e51737b5fc42f33961bbcdc274a73f24e470dc8ccd941d4a71ebc3048

Download Submit
C:\Windows\system\tivdoum.exe

Filesize
5.9MB

MD5
b59e5a2e9d9d74795bb87af52591dd41

SHA1
f233784042d9da3fb2d1e968573cd3c40f9a0fb9

SHA256
f95ad33e5874d5850bdcfebb345edebe0165bfdd5e73e83bfd776d6b202bcf80

SHA512
3e0485b657f0e2b198a4bb9c8298ab62a5f0d59f4504e5331a36c451864f924dd4bfc600b496efd90d65483e2cebc8feb4748d46fd56d41dc781393a5e08bbcb

Download Submit
C:\Windows\system\ykkXYJf.exe

Filesize
5.9MB

MD5
7d4c1276f1763f1f6fe54e6a438d17d1

SHA1
b16f1cdddc479e1c9eb1aa47a0d19f1390ec5df9

SHA256
f5897e668cf8e2f2858634eeb69c4ef3aa6d7d264d400cc157c3b3f5a1767174

SHA512
3f426693bd7890f1250e37df1f135b52c038de5379736c13b4f4f336e0e794b78eb9d74cff89992d7d10bf2ef934804186e9c8ef7ff6ced9df27dfd6dac435cb

Download Submit
memory/1880-127-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/1880-145-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2076-135-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-108-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-111-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2096-137-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2360-136-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2360-109-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2384-22-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-114-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2384-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2384-118-0x0000000002400000-0x0000000002754000-memory.dmp

Filesize
3.3MB

Download
memory/2384-120-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2384-116-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-112-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-133-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2384-110-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2384-122-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2384-132-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2384-0-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2384-125-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/2384-130-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-128-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-117-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-139-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2476-126-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/2476-144-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/2592-147-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-131-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-146-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-129-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-138-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2688-115-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2728-123-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2728-142-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2820-119-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-140-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-113-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-148-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-143-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-124-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/3012-121-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/3012-141-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download