metasploit | 5db97f76d33bf29c3ddabd323840e6456afd92014059b39e809575a4b6d2f290

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
Size

274KB
MD5

ce46eb95fece1606dc284b8c04b493d2
SHA1

ddf05e9185be47fa1cf11cf3d296ec66f81f6477
SHA256

5db97f76d33bf29c3ddabd323840e6456afd92014059b39e809575a4b6d2f290
SHA512

751ea1f43bab69d63151b076f4c689018743a8c5a3adcc162429718c1891de64e1c4953440eab7b5c55242f0dd2dbba0d4e4f91ae84be6e807af679e004daa16
SSDEEP

6144:oW95WO18EFJpK/rBjccRiyhQEl3oCXLfRTR19K4L76JDNbewMAAGy9:oAzFvc79oCbv6DJDNa+u

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
2768	qctjqoj.exe
2584	lsyuyss.exe
2872	yaofaow.exe
2816	vluibzc.exe
2912	qtktdug.exe
2972	omroenm.exe
2140	ineucqo.exe
2432	ogjfxuo.exe
2488	rhplvxy.exe
1616	zcvgjpv.exe
2144	wcojkkb.exe
2096	erymbtb.exe
2452	mexhqty.exe
2296	wyiaqvg.exe
2840	asaniyd.exe
2704	mlqdkzl.exe
2624	mskyhwq.exe
2068	ptpeezs.exe
2100	ajqkcfu.exe
1048	foepnhv.exe
2932	lgaaauw.exe
2960	niogxxy.exe
912	tmewwfx.exe
2120	szejyli.exe
2156	yahcgkc.exe
1804	gofxckh.exe
2204	msnnbtg.exe
968	zwbtmdh.exe
1068	jqftenh.exe
1732	mgfzbtj.exe
576	xirulqf.exe
2324	iyrabwh.exe
1060	pxbiasl.exe
1608	vnsbozl.exe
648	ikyyzkm.exe
2608	woeekvf.exe
2684	gqqxcfn.exe
2252	uuvcnig.exe
2236	wozdnsp.exe
2288	kpcowyj.exe
2884	ugcblel.exe
2976	fwcobkn.exe
3060	pmdcyqp.exe
1408	vrjajsi.exe
2352	izasxii.exe
2388	wdgqisb.exe
3036	gxrracj.exe
2544	jnseqil.exe
1652	wsycale.exe
2284	kwditwf.exe
1168	unevjbh.exe
2480	fatvwdc.exe
2328	iqtblje.exe
1688	skfbltm.exe
1772	glauurg.exe
3040	qbaajxi.exe
2136	bopawyd.exe
776	dibawim.exe
2304	rjetepg.exe
680	bdhmxzh.exe
2952	mqwmjak.exe
536	pgxahgl.exe
2428	atuauhg.exe
1336	nqayeki.exe

Loads dropped DLL 64 IoCs

pid	Process
2788	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
2788	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
2768	qctjqoj.exe
2768	qctjqoj.exe
2584	lsyuyss.exe
2584	lsyuyss.exe
2872	yaofaow.exe
2872	yaofaow.exe
2816	vluibzc.exe
2816	vluibzc.exe
2912	qtktdug.exe
2912	qtktdug.exe
2972	omroenm.exe
2972	omroenm.exe
2140	ineucqo.exe
2140	ineucqo.exe
2432	ogjfxuo.exe
2432	ogjfxuo.exe
2488	rhplvxy.exe
2488	rhplvxy.exe
1616	zcvgjpv.exe
1616	zcvgjpv.exe
2144	wcojkkb.exe
2144	wcojkkb.exe
2096	erymbtb.exe
2096	erymbtb.exe
2452	mexhqty.exe
2452	mexhqty.exe
2296	wyiaqvg.exe
2296	wyiaqvg.exe
2840	asaniyd.exe
2840	asaniyd.exe
2704	mlqdkzl.exe
2704	mlqdkzl.exe
2624	mskyhwq.exe
2624	mskyhwq.exe
2068	ptpeezs.exe
2068	ptpeezs.exe
2100	ajqkcfu.exe
2100	ajqkcfu.exe
1048	foepnhv.exe
1048	foepnhv.exe
2932	lgaaauw.exe
2932	lgaaauw.exe
2960	niogxxy.exe
2960	niogxxy.exe
912	tmewwfx.exe
912	tmewwfx.exe
2120	szejyli.exe
2120	szejyli.exe
2156	yahcgkc.exe
2156	yahcgkc.exe
1804	gofxckh.exe
1804	gofxckh.exe
2204	msnnbtg.exe
2204	msnnbtg.exe
968	zwbtmdh.exe
968	zwbtmdh.exe
1068	jqftenh.exe
1068	jqftenh.exe
1732	mgfzbtj.exe
1732	mgfzbtj.exe
576	xirulqf.exe
576	xirulqf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yaofaow.exe	lsyuyss.exe
File created	C:\Windows\SysWOW64\ptpeezs.exe	mskyhwq.exe
File created	C:\Windows\SysWOW64\pxbiasl.exe	iyrabwh.exe
File created	C:\Windows\SysWOW64\fwcobkn.exe	ugcblel.exe
File created	C:\Windows\SysWOW64\bopawyd.exe	qbaajxi.exe
File created	C:\Windows\SysWOW64\nqayeki.exe	atuauhg.exe
File opened for modification	C:\Windows\SysWOW64\tmewwfx.exe	niogxxy.exe
File created	C:\Windows\SysWOW64\gqqxcfn.exe	woeekvf.exe
File opened for modification	C:\Windows\SysWOW64\jnseqil.exe	gxrracj.exe
File opened for modification	C:\Windows\SysWOW64\qbaajxi.exe	glauurg.exe
File opened for modification	C:\Windows\SysWOW64\xslyxui.exe	nqayeki.exe
File created	C:\Windows\SysWOW64\qctjqoj.exe	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\qtktdug.exe	vluibzc.exe
File created	C:\Windows\SysWOW64\xirulqf.exe	mgfzbtj.exe
File created	C:\Windows\SysWOW64\uuvcnig.exe	gqqxcfn.exe
File opened for modification	C:\Windows\SysWOW64\ptpeezs.exe	mskyhwq.exe
File created	C:\Windows\SysWOW64\niogxxy.exe	lgaaauw.exe
File opened for modification	C:\Windows\SysWOW64\glauurg.exe	skfbltm.exe
File created	C:\Windows\SysWOW64\lsyuyss.exe	qctjqoj.exe
File opened for modification	C:\Windows\SysWOW64\ajqkcfu.exe	ptpeezs.exe
File created	C:\Windows\SysWOW64\iyrabwh.exe	xirulqf.exe
File opened for modification	C:\Windows\SysWOW64\dibawim.exe	bopawyd.exe
File opened for modification	C:\Windows\SysWOW64\rjetepg.exe	dibawim.exe
File opened for modification	C:\Windows\SysWOW64\mqwmjak.exe	bdhmxzh.exe
File opened for modification	C:\Windows\SysWOW64\ugcblel.exe	kpcowyj.exe
File opened for modification	C:\Windows\SysWOW64\rhplvxy.exe	ogjfxuo.exe
File created	C:\Windows\SysWOW64\mskyhwq.exe	mlqdkzl.exe
File created	C:\Windows\SysWOW64\lgaaauw.exe	foepnhv.exe
File opened for modification	C:\Windows\SysWOW64\lgaaauw.exe	foepnhv.exe
File created	C:\Windows\SysWOW64\szejyli.exe	tmewwfx.exe
File opened for modification	C:\Windows\SysWOW64\szejyli.exe	tmewwfx.exe
File opened for modification	C:\Windows\SysWOW64\mgfzbtj.exe	jqftenh.exe
File opened for modification	C:\Windows\SysWOW64\kpcowyj.exe	wozdnsp.exe
File created	C:\Windows\SysWOW64\wcojkkb.exe	zcvgjpv.exe
File opened for modification	C:\Windows\SysWOW64\mlqdkzl.exe	asaniyd.exe
File created	C:\Windows\SysWOW64\gofxckh.exe	yahcgkc.exe
File created	C:\Windows\SysWOW64\kpcowyj.exe	wozdnsp.exe
File created	C:\Windows\SysWOW64\ineucqo.exe	omroenm.exe
File created	C:\Windows\SysWOW64\mexhqty.exe	erymbtb.exe
File opened for modification	C:\Windows\SysWOW64\uuvcnig.exe	gqqxcfn.exe
File opened for modification	C:\Windows\SysWOW64\bdhmxzh.exe	rjetepg.exe
File created	C:\Windows\SysWOW64\vluibzc.exe	yaofaow.exe
File opened for modification	C:\Windows\SysWOW64\erymbtb.exe	wcojkkb.exe
File opened for modification	C:\Windows\SysWOW64\iyrabwh.exe	xirulqf.exe
File opened for modification	C:\Windows\SysWOW64\kwditwf.exe	wsycale.exe
File created	C:\Windows\SysWOW64\iqtblje.exe	fatvwdc.exe
File created	C:\Windows\SysWOW64\bubctal.exe	qeipduj.exe
File opened for modification	C:\Windows\SysWOW64\lsyuyss.exe	qctjqoj.exe
File created	C:\Windows\SysWOW64\msnnbtg.exe	gofxckh.exe
File created	C:\Windows\SysWOW64\jqftenh.exe	zwbtmdh.exe
File opened for modification	C:\Windows\SysWOW64\xirulqf.exe	mgfzbtj.exe
File created	C:\Windows\SysWOW64\wdgqisb.exe	izasxii.exe
File opened for modification	C:\Windows\SysWOW64\iqtblje.exe	fatvwdc.exe
File created	C:\Windows\SysWOW64\dibawim.exe	bopawyd.exe
File opened for modification	C:\Windows\SysWOW64\omroenm.exe	qtktdug.exe
File opened for modification	C:\Windows\SysWOW64\niogxxy.exe	lgaaauw.exe
File created	C:\Windows\SysWOW64\yahcgkc.exe	szejyli.exe
File created	C:\Windows\SysWOW64\vnsbozl.exe	pxbiasl.exe
File opened for modification	C:\Windows\SysWOW64\skfbltm.exe	iqtblje.exe
File created	C:\Windows\SysWOW64\atuauhg.exe	pgxahgl.exe
File created	C:\Windows\SysWOW64\qtktdug.exe	vluibzc.exe
File opened for modification	C:\Windows\SysWOW64\pxbiasl.exe	iyrabwh.exe
File opened for modification	C:\Windows\SysWOW64\woeekvf.exe	ikyyzkm.exe
File opened for modification	C:\Windows\SysWOW64\gqqxcfn.exe	woeekvf.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jnseqil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsycale.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bubctal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mlqdkzl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptpeezs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gofxckh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msnnbtg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iyrabwh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugcblel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeipduj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vluibzc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhplvxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zcvgjpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unevjbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjetepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzvjtji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erymbtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwbtmdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgfzbtj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gxrracj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqtblje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skfbltm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bopawyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdhmxzh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogjfxuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wozdnsp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vrjajsi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izasxii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmewwfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xirulqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	glauurg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nqayeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsyuyss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dibawim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foepnhv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yahcgkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kpcowyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdgqisb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwditwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbaajxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgxahgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qtktdug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ineucqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqftenh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uuvcnig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xslyxui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omroenm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woeekvf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mqwmjak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atuauhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szejyli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asaniyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajqkcfu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxbiasl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatvwdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcojkkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pmdcyqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niogxxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnsbozl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikyyzkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qctjqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mexhqty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lgaaauw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2768	2788	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe	31
PID 2788 wrote to memory of 2768	2788	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe	31
PID 2788 wrote to memory of 2768	2788	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe	31
PID 2788 wrote to memory of 2768	2788	ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe	31
PID 2768 wrote to memory of 2584	2768	qctjqoj.exe	32
PID 2768 wrote to memory of 2584	2768	qctjqoj.exe	32
PID 2768 wrote to memory of 2584	2768	qctjqoj.exe	32
PID 2768 wrote to memory of 2584	2768	qctjqoj.exe	32
PID 2584 wrote to memory of 2872	2584	lsyuyss.exe	33
PID 2584 wrote to memory of 2872	2584	lsyuyss.exe	33
PID 2584 wrote to memory of 2872	2584	lsyuyss.exe	33
PID 2584 wrote to memory of 2872	2584	lsyuyss.exe	33
PID 2872 wrote to memory of 2816	2872	yaofaow.exe	34
PID 2872 wrote to memory of 2816	2872	yaofaow.exe	34
PID 2872 wrote to memory of 2816	2872	yaofaow.exe	34
PID 2872 wrote to memory of 2816	2872	yaofaow.exe	34
PID 2816 wrote to memory of 2912	2816	vluibzc.exe	35
PID 2816 wrote to memory of 2912	2816	vluibzc.exe	35
PID 2816 wrote to memory of 2912	2816	vluibzc.exe	35
PID 2816 wrote to memory of 2912	2816	vluibzc.exe	35
PID 2912 wrote to memory of 2972	2912	qtktdug.exe	36
PID 2912 wrote to memory of 2972	2912	qtktdug.exe	36
PID 2912 wrote to memory of 2972	2912	qtktdug.exe	36
PID 2912 wrote to memory of 2972	2912	qtktdug.exe	36
PID 2972 wrote to memory of 2140	2972	omroenm.exe	37
PID 2972 wrote to memory of 2140	2972	omroenm.exe	37
PID 2972 wrote to memory of 2140	2972	omroenm.exe	37
PID 2972 wrote to memory of 2140	2972	omroenm.exe	37
PID 2140 wrote to memory of 2432	2140	ineucqo.exe	38
PID 2140 wrote to memory of 2432	2140	ineucqo.exe	38
PID 2140 wrote to memory of 2432	2140	ineucqo.exe	38
PID 2140 wrote to memory of 2432	2140	ineucqo.exe	38
PID 2432 wrote to memory of 2488	2432	ogjfxuo.exe	39
PID 2432 wrote to memory of 2488	2432	ogjfxuo.exe	39
PID 2432 wrote to memory of 2488	2432	ogjfxuo.exe	39
PID 2432 wrote to memory of 2488	2432	ogjfxuo.exe	39
PID 2488 wrote to memory of 1616	2488	rhplvxy.exe	40
PID 2488 wrote to memory of 1616	2488	rhplvxy.exe	40
PID 2488 wrote to memory of 1616	2488	rhplvxy.exe	40
PID 2488 wrote to memory of 1616	2488	rhplvxy.exe	40
PID 1616 wrote to memory of 2144	1616	zcvgjpv.exe	41
PID 1616 wrote to memory of 2144	1616	zcvgjpv.exe	41
PID 1616 wrote to memory of 2144	1616	zcvgjpv.exe	41
PID 1616 wrote to memory of 2144	1616	zcvgjpv.exe	41
PID 2144 wrote to memory of 2096	2144	wcojkkb.exe	42
PID 2144 wrote to memory of 2096	2144	wcojkkb.exe	42
PID 2144 wrote to memory of 2096	2144	wcojkkb.exe	42
PID 2144 wrote to memory of 2096	2144	wcojkkb.exe	42
PID 2096 wrote to memory of 2452	2096	erymbtb.exe	43
PID 2096 wrote to memory of 2452	2096	erymbtb.exe	43
PID 2096 wrote to memory of 2452	2096	erymbtb.exe	43
PID 2096 wrote to memory of 2452	2096	erymbtb.exe	43
PID 2452 wrote to memory of 2296	2452	mexhqty.exe	44
PID 2452 wrote to memory of 2296	2452	mexhqty.exe	44
PID 2452 wrote to memory of 2296	2452	mexhqty.exe	44
PID 2452 wrote to memory of 2296	2452	mexhqty.exe	44
PID 2296 wrote to memory of 2840	2296	wyiaqvg.exe	45
PID 2296 wrote to memory of 2840	2296	wyiaqvg.exe	45
PID 2296 wrote to memory of 2840	2296	wyiaqvg.exe	45
PID 2296 wrote to memory of 2840	2296	wyiaqvg.exe	45
PID 2840 wrote to memory of 2704	2840	asaniyd.exe	46
PID 2840 wrote to memory of 2704	2840	asaniyd.exe	46
PID 2840 wrote to memory of 2704	2840	asaniyd.exe	46
PID 2840 wrote to memory of 2704	2840	asaniyd.exe	46

C:\Users\Admin\AppData\Local\Temp\ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\qctjqoj.exe
  C:\Windows\system32\qctjqoj.exe 576 "C:\Users\Admin\AppData\Local\Temp\ce46eb95fece1606dc284b8c04b493d2_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\lsyuyss.exe
    C:\Windows\system32\lsyuyss.exe 548 "C:\Windows\SysWOW64\qctjqoj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\yaofaow.exe
      C:\Windows\system32\yaofaow.exe 568 "C:\Windows\SysWOW64\lsyuyss.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\vluibzc.exe
        
        C:\Windows\system32\vluibzc.exe 536 "C:\Windows\SysWOW64\yaofaow.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\qtktdug.exe
        
        C:\Windows\system32\qtktdug.exe 540 "C:\Windows\SysWOW64\vluibzc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\omroenm.exe
        
        C:\Windows\system32\omroenm.exe 564 "C:\Windows\SysWOW64\qtktdug.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\ineucqo.exe
        
        C:\Windows\system32\ineucqo.exe 552 "C:\Windows\SysWOW64\omroenm.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\ogjfxuo.exe
        
        C:\Windows\system32\ogjfxuo.exe 600 "C:\Windows\SysWOW64\ineucqo.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\rhplvxy.exe
        
        C:\Windows\system32\rhplvxy.exe 544 "C:\Windows\SysWOW64\ogjfxuo.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\zcvgjpv.exe
        
        C:\Windows\system32\zcvgjpv.exe 556 "C:\Windows\SysWOW64\rhplvxy.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\wcojkkb.exe
        
        C:\Windows\system32\wcojkkb.exe 560 "C:\Windows\SysWOW64\zcvgjpv.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\erymbtb.exe
        
        C:\Windows\system32\erymbtb.exe 596 "C:\Windows\SysWOW64\wcojkkb.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\mexhqty.exe
        
        C:\Windows\system32\mexhqty.exe 572 "C:\Windows\SysWOW64\erymbtb.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\wyiaqvg.exe
        
        C:\Windows\system32\wyiaqvg.exe 628 "C:\Windows\SysWOW64\mexhqty.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\asaniyd.exe
        
        C:\Windows\system32\asaniyd.exe 584 "C:\Windows\SysWOW64\wyiaqvg.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\mlqdkzl.exe
        
        C:\Windows\system32\mlqdkzl.exe 612 "C:\Windows\SysWOW64\asaniyd.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\mskyhwq.exe
        
        C:\Windows\system32\mskyhwq.exe 616 "C:\Windows\SysWOW64\mlqdkzl.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\ptpeezs.exe
        
        C:\Windows\system32\ptpeezs.exe 580 "C:\Windows\SysWOW64\mskyhwq.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\ajqkcfu.exe
        
        C:\Windows\system32\ajqkcfu.exe 588 "C:\Windows\SysWOW64\ptpeezs.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\foepnhv.exe
        
        C:\Windows\system32\foepnhv.exe 592 "C:\Windows\SysWOW64\ajqkcfu.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\lgaaauw.exe
        
        C:\Windows\system32\lgaaauw.exe 608 "C:\Windows\SysWOW64\foepnhv.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\niogxxy.exe
        
        C:\Windows\system32\niogxxy.exe 668 "C:\Windows\SysWOW64\lgaaauw.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\tmewwfx.exe
        
        C:\Windows\system32\tmewwfx.exe 604 "C:\Windows\SysWOW64\niogxxy.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\szejyli.exe
        
        C:\Windows\system32\szejyli.exe 648 "C:\Windows\SysWOW64\tmewwfx.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\yahcgkc.exe
        
        C:\Windows\system32\yahcgkc.exe 620 "C:\Windows\SysWOW64\szejyli.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\gofxckh.exe
        
        C:\Windows\system32\gofxckh.exe 656 "C:\Windows\SysWOW64\yahcgkc.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\msnnbtg.exe
        
        C:\Windows\system32\msnnbtg.exe 624 "C:\Windows\SysWOW64\gofxckh.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\zwbtmdh.exe
        
        C:\Windows\system32\zwbtmdh.exe 632 "C:\Windows\SysWOW64\msnnbtg.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\jqftenh.exe
        
        C:\Windows\system32\jqftenh.exe 636 "C:\Windows\SysWOW64\zwbtmdh.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\mgfzbtj.exe
        
        C:\Windows\system32\mgfzbtj.exe 684 "C:\Windows\SysWOW64\jqftenh.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\xirulqf.exe
        
        C:\Windows\system32\xirulqf.exe 640 "C:\Windows\SysWOW64\mgfzbtj.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\iyrabwh.exe
        
        C:\Windows\system32\iyrabwh.exe 688 "C:\Windows\SysWOW64\xirulqf.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\pxbiasl.exe
        
        C:\Windows\system32\pxbiasl.exe 696 "C:\Windows\SysWOW64\iyrabwh.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\vnsbozl.exe
        
        C:\Windows\system32\vnsbozl.exe 712 "C:\Windows\SysWOW64\pxbiasl.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\ikyyzkm.exe
        
        C:\Windows\system32\ikyyzkm.exe 644 "C:\Windows\SysWOW64\vnsbozl.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\woeekvf.exe
        
        C:\Windows\system32\woeekvf.exe 652 "C:\Windows\SysWOW64\ikyyzkm.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\gqqxcfn.exe
        
        C:\Windows\system32\gqqxcfn.exe 660 "C:\Windows\SysWOW64\woeekvf.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\uuvcnig.exe
        
        C:\Windows\system32\uuvcnig.exe 676 "C:\Windows\SysWOW64\gqqxcfn.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\wozdnsp.exe
        
        C:\Windows\system32\wozdnsp.exe 664 "C:\Windows\SysWOW64\uuvcnig.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\kpcowyj.exe
        
        C:\Windows\system32\kpcowyj.exe 672 "C:\Windows\SysWOW64\wozdnsp.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\ugcblel.exe
        
        C:\Windows\system32\ugcblel.exe 680 "C:\Windows\SysWOW64\kpcowyj.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\fwcobkn.exe
        
        C:\Windows\system32\fwcobkn.exe 692 "C:\Windows\SysWOW64\ugcblel.exe"
        43⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\pmdcyqp.exe
        
        C:\Windows\system32\pmdcyqp.exe 756 "C:\Windows\SysWOW64\fwcobkn.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\vrjajsi.exe
        
        C:\Windows\system32\vrjajsi.exe 704 "C:\Windows\SysWOW64\pmdcyqp.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\izasxii.exe
        
        C:\Windows\system32\izasxii.exe 700 "C:\Windows\SysWOW64\vrjajsi.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\wdgqisb.exe
        
        C:\Windows\system32\wdgqisb.exe 716 "C:\Windows\SysWOW64\izasxii.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\gxrracj.exe
        
        C:\Windows\system32\gxrracj.exe 708 "C:\Windows\SysWOW64\wdgqisb.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\jnseqil.exe
        
        C:\Windows\system32\jnseqil.exe 720 "C:\Windows\SysWOW64\gxrracj.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\wsycale.exe
        
        C:\Windows\system32\wsycale.exe 724 "C:\Windows\SysWOW64\jnseqil.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\kwditwf.exe
        
        C:\Windows\system32\kwditwf.exe 728 "C:\Windows\SysWOW64\wsycale.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\unevjbh.exe
        
        C:\Windows\system32\unevjbh.exe 784 "C:\Windows\SysWOW64\kwditwf.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\fatvwdc.exe
        
        C:\Windows\system32\fatvwdc.exe 732 "C:\Windows\SysWOW64\unevjbh.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\iqtblje.exe
        
        C:\Windows\system32\iqtblje.exe 736 "C:\Windows\SysWOW64\fatvwdc.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\skfbltm.exe
        
        C:\Windows\system32\skfbltm.exe 740 "C:\Windows\SysWOW64\iqtblje.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\glauurg.exe
        
        C:\Windows\system32\glauurg.exe 764 "C:\Windows\SysWOW64\skfbltm.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\qbaajxi.exe
        
        C:\Windows\system32\qbaajxi.exe 748 "C:\Windows\SysWOW64\glauurg.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\bopawyd.exe
        
        C:\Windows\system32\bopawyd.exe 744 "C:\Windows\SysWOW64\qbaajxi.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\dibawim.exe
        
        C:\Windows\system32\dibawim.exe 752 "C:\Windows\SysWOW64\bopawyd.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\rjetepg.exe
        
        C:\Windows\system32\rjetepg.exe 796 "C:\Windows\SysWOW64\dibawim.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\bdhmxzh.exe
        
        C:\Windows\system32\bdhmxzh.exe 760 "C:\Windows\SysWOW64\rjetepg.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\mqwmjak.exe
        
        C:\Windows\system32\mqwmjak.exe 768 "C:\Windows\SysWOW64\bdhmxzh.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\pgxahgl.exe
        
        C:\Windows\system32\pgxahgl.exe 772 "C:\Windows\SysWOW64\mqwmjak.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\atuauhg.exe
        
        C:\Windows\system32\atuauhg.exe 776 "C:\Windows\SysWOW64\pgxahgl.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\nqayeki.exe
        
        C:\Windows\system32\nqayeki.exe 780 "C:\Windows\SysWOW64\atuauhg.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\xslyxui.exe
        
        C:\Windows\system32\xslyxui.exe 788 "C:\Windows\SysWOW64\nqayeki.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\lzvjtji.exe
        
        C:\Windows\system32\lzvjtji.exe 792 "C:\Windows\SysWOW64\xslyxui.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\qeipduj.exe
        
        C:\Windows\system32\qeipduj.exe 800 "C:\Windows\SysWOW64\lzvjtji.exe"
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\bubctal.exe
        
        C:\Windows\system32\bubctal.exe 804 "C:\Windows\SysWOW64\qeipduj.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\qctjqoj.exe

Filesize
274KB

MD5
ce46eb95fece1606dc284b8c04b493d2

SHA1
ddf05e9185be47fa1cf11cf3d296ec66f81f6477

SHA256
5db97f76d33bf29c3ddabd323840e6456afd92014059b39e809575a4b6d2f290

SHA512
751ea1f43bab69d63151b076f4c689018743a8c5a3adcc162429718c1891de64e1c4953440eab7b5c55242f0dd2dbba0d4e4f91ae84be6e807af679e004daa16

Download Submit
memory/576-405-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/576-396-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/648-437-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/912-337-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/912-327-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/968-381-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1048-294-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1048-292-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1048-304-0x00000000031A0000-0x00000000032E2000-memory.dmp

Filesize
1.3MB

Download
memory/1048-303-0x00000000031A0000-0x00000000032E2000-memory.dmp

Filesize
1.3MB

Download
memory/1048-307-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1060-421-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1068-389-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1608-429-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1616-167-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1616-166-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1616-181-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1732-397-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1804-365-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1804-356-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2068-282-0x0000000002F00000-0x0000000003042000-memory.dmp

Filesize
1.3MB

Download
memory/2068-283-0x0000000002F00000-0x0000000003042000-memory.dmp

Filesize
1.3MB

Download
memory/2068-285-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2096-206-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2096-192-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2096-193-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2100-295-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2100-293-0x0000000003160000-0x00000000032A2000-memory.dmp

Filesize
1.3MB

Download
memory/2100-284-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2120-345-0x0000000003250000-0x0000000003392000-memory.dmp

Filesize
1.3MB

Download
memory/2120-347-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2120-336-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2140-137-0x0000000003060000-0x00000000031A2000-memory.dmp

Filesize
1.3MB

Download
memory/2140-142-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2140-138-0x0000000003060000-0x00000000031A2000-memory.dmp

Filesize
1.3MB

Download
memory/2140-126-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2144-194-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2144-180-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2156-354-0x0000000003280000-0x00000000033C2000-memory.dmp

Filesize
1.3MB

Download
memory/2156-346-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2156-357-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2204-373-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2252-461-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2296-232-0x0000000003350000-0x0000000003492000-memory.dmp

Filesize
1.3MB

Download
memory/2296-220-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2296-233-0x0000000003350000-0x0000000003492000-memory.dmp

Filesize
1.3MB

Download
memory/2296-238-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2296-217-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2324-413-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2432-141-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2432-152-0x0000000003220000-0x0000000003362000-memory.dmp

Filesize
1.3MB

Download
memory/2432-155-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2452-219-0x0000000003090000-0x00000000031D2000-memory.dmp

Filesize
1.3MB

Download
memory/2452-218-0x0000000003090000-0x00000000031D2000-memory.dmp

Filesize
1.3MB

Download
memory/2452-222-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2488-168-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2584-40-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2584-46-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/2584-47-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2584-45-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2584-60-0x0000000003270000-0x00000000033B2000-memory.dmp

Filesize
1.3MB

Download
memory/2584-59-0x0000000003270000-0x00000000033B2000-memory.dmp

Filesize
1.3MB

Download
memory/2584-64-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2584-63-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2584-39-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2584-41-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2608-445-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2624-274-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2624-265-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2684-453-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2704-263-0x0000000003300000-0x0000000003442000-memory.dmp

Filesize
1.3MB

Download
memory/2704-264-0x0000000003300000-0x0000000003442000-memory.dmp

Filesize
1.3MB

Download
memory/2704-251-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2704-252-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2704-266-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2768-36-0x0000000003180000-0x00000000032C2000-memory.dmp

Filesize
1.3MB

Download
memory/2768-37-0x0000000003180000-0x00000000032C2000-memory.dmp

Filesize
1.3MB

Download
memory/2768-23-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2768-19-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2768-24-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2768-25-0x00000000002E0000-0x00000000002E5000-memory.dmp

Filesize
20KB

Download
memory/2768-26-0x0000000000380000-0x00000000003AC000-memory.dmp

Filesize
176KB

Download
memory/2768-44-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2768-43-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2788-4-0x0000000000240000-0x0000000000245000-memory.dmp

Filesize
20KB

Download
memory/2788-5-0x0000000000390000-0x00000000003BC000-memory.dmp

Filesize
176KB

Download
memory/2788-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2788-3-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2788-1-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2788-15-0x0000000003550000-0x0000000003692000-memory.dmp

Filesize
1.3MB

Download
memory/2788-16-0x0000000003550000-0x0000000003692000-memory.dmp

Filesize
1.3MB

Download
memory/2788-2-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download
memory/2788-21-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download
memory/2788-22-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2816-98-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2816-94-0x0000000003140000-0x0000000003282000-memory.dmp

Filesize
1.3MB

Download
memory/2816-80-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2840-249-0x00000000031A0000-0x00000000032E2000-memory.dmp

Filesize
1.3MB

Download
memory/2840-254-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2840-236-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2840-248-0x00000000031A0000-0x00000000032E2000-memory.dmp

Filesize
1.3MB

Download
memory/2872-77-0x0000000003160000-0x00000000032A2000-memory.dmp

Filesize
1.3MB

Download
memory/2872-76-0x0000000003160000-0x00000000032A2000-memory.dmp

Filesize
1.3MB

Download
memory/2872-83-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2872-82-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2872-66-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2872-65-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2872-61-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2912-113-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2912-96-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2912-108-0x00000000031F0000-0x0000000003332000-memory.dmp

Filesize
1.3MB

Download
memory/2932-305-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2932-315-0x00000000030E0000-0x0000000003222000-memory.dmp

Filesize
1.3MB

Download
memory/2932-317-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2960-325-0x0000000002E40000-0x0000000002F82000-memory.dmp

Filesize
1.3MB

Download
memory/2960-316-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2960-326-0x0000000003050000-0x0000000003192000-memory.dmp

Filesize
1.3MB

Download
memory/2960-329-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2972-110-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2972-111-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2972-125-0x0000000003120000-0x0000000003262000-memory.dmp

Filesize
1.3MB

Download
memory/2972-127-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download