metasploit | 9a72961f7e496936d6ba0c059fd83896e25cec2a629787df149a701ed95107e1

Analysis

max time kernel
106s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
Size

275KB
MD5

98d5da824fabf016acea65ce4f45b4ad
SHA1

9e24b0782145056654a531125416901784f65a33
SHA256

9a72961f7e496936d6ba0c059fd83896e25cec2a629787df149a701ed95107e1
SHA512

c18eb94030b507e54b8dd7d593f602e249ffd6bcd09a777f0541bdb39d3989ba1db32c6a2f480b0232b0fe92a0151a74f10f8e63f6542c08907a9778f8a4a82c
SSDEEP

6144:ZUZj3LOq20acQcCY/RBUlj/8IBaNgwqD3t5kgBwfg/JhG8N4Ccs+R:2Zj3LzZN0/vBaNgt5BwKJhXNWd

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 51 IoCs

pid	Process
1756	qiuecot.exe
2752	dnaknzm.exe
2788	iydiess.exe
2564	zczlnej.exe
2312	lrfwgup.exe
2456	cynustn.exe
2448	sujxbfm.exe
1752	xbahpum.exe
1028	kndngfk.exe
1508	xgxlwzr.exe
408	octofli.exe
980	ywfoyvi.exe
1592	dewzlki.exe
1424	tlwpxbg.exe
2116	jkenjze.exe
1472	zrmdvqc.exe
2808	qrtthga.exe
2428	vcoryag.exe
2864	ljvhjqw.exe
2784	yvymakd.exe
2764	ocgcmaa.exe
2548	ebfsyqy.exe
2016	manicpw.exe
2464	xrowzvy.exe
2480	nyvmllw.exe
2472	dxdcpcu.exe
1872	hujnqzz.exe
2972	ytrluqp.exe
1500	opnodko.exe
1844	bmtyxat.exe
2260	rlbojqr.exe
328	ztievpp.exe
1800	psichfn.exe
1288	frqsswc.exe
2376	vyyieua.exe
2156	indtykg.exe
2040	quljkje.exe
2228	gutzozb.exe
2372	tnnfmki.exe
2168	jmvvqjg.exe
2876	zmdlczw.exe
2692	efxistc.exe
2768	vbutcft.exe
2816	labjnwr.exe
2680	ytehepy.exe
2820	lfyfviw.exe
268	tmgdgzu.exe
2476	jicgqll.exe
316	wtfeges.exe
2348	mancsvq.exe
544	czmsetn.exe

Loads dropped DLL 64 IoCs

pid	Process
2848	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
2848	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
1756	qiuecot.exe
1756	qiuecot.exe
2752	dnaknzm.exe
2752	dnaknzm.exe
2788	iydiess.exe
2788	iydiess.exe
2564	zczlnej.exe
2564	zczlnej.exe
2312	lrfwgup.exe
2312	lrfwgup.exe
2456	cynustn.exe
2456	cynustn.exe
2448	sujxbfm.exe
2448	sujxbfm.exe
1752	xbahpum.exe
1752	xbahpum.exe
1028	kndngfk.exe
1028	kndngfk.exe
1508	xgxlwzr.exe
1508	xgxlwzr.exe
408	octofli.exe
408	octofli.exe
980	ywfoyvi.exe
980	ywfoyvi.exe
1592	dewzlki.exe
1592	dewzlki.exe
1424	tlwpxbg.exe
1424	tlwpxbg.exe
2116	jkenjze.exe
2116	jkenjze.exe
1472	zrmdvqc.exe
1472	zrmdvqc.exe
2808	qrtthga.exe
2808	qrtthga.exe
2428	vcoryag.exe
2428	vcoryag.exe
2864	ljvhjqw.exe
2864	ljvhjqw.exe
2784	yvymakd.exe
2784	yvymakd.exe
2764	ocgcmaa.exe
2764	ocgcmaa.exe
2548	ebfsyqy.exe
2548	ebfsyqy.exe
2016	manicpw.exe
2016	manicpw.exe
2464	xrowzvy.exe
2464	xrowzvy.exe
2480	nyvmllw.exe
2480	nyvmllw.exe
2472	dxdcpcu.exe
2472	dxdcpcu.exe
1872	hujnqzz.exe
1872	hujnqzz.exe
2972	ytrluqp.exe
2972	ytrluqp.exe
1500	opnodko.exe
1500	opnodko.exe
1844	bmtyxat.exe
1844	bmtyxat.exe
2260	rlbojqr.exe
2260	rlbojqr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dxdcpcu.exe	nyvmllw.exe
File opened for modification	C:\Windows\SysWOW64\indtykg.exe	vyyieua.exe
File opened for modification	C:\Windows\SysWOW64\quljkje.exe	indtykg.exe
File created	C:\Windows\SysWOW64\czmsetn.exe	mancsvq.exe
File opened for modification	C:\Windows\SysWOW64\nyvmllw.exe	xrowzvy.exe
File opened for modification	C:\Windows\SysWOW64\bmtyxat.exe	opnodko.exe
File created	C:\Windows\SysWOW64\ztievpp.exe	rlbojqr.exe
File opened for modification	C:\Windows\SysWOW64\ztievpp.exe	rlbojqr.exe
File created	C:\Windows\SysWOW64\psichfn.exe	ztievpp.exe
File created	C:\Windows\SysWOW64\vyyieua.exe	frqsswc.exe
File created	C:\Windows\SysWOW64\gutzozb.exe	quljkje.exe
File created	C:\Windows\SysWOW64\tmgdgzu.exe	lfyfviw.exe
File created	C:\Windows\SysWOW64\hujnqzz.exe	dxdcpcu.exe
File opened for modification	C:\Windows\SysWOW64\lrfwgup.exe	zczlnej.exe
File created	C:\Windows\SysWOW64\xgxlwzr.exe	kndngfk.exe
File created	C:\Windows\SysWOW64\dewzlki.exe	ywfoyvi.exe
File created	C:\Windows\SysWOW64\ocgcmaa.exe	yvymakd.exe
File created	C:\Windows\SysWOW64\indtykg.exe	vyyieua.exe
File opened for modification	C:\Windows\SysWOW64\gutzozb.exe	quljkje.exe
File opened for modification	C:\Windows\SysWOW64\wtfeges.exe	jicgqll.exe
File opened for modification	C:\Windows\SysWOW64\dnaknzm.exe	qiuecot.exe
File created	C:\Windows\SysWOW64\sujxbfm.exe	cynustn.exe
File created	C:\Windows\SysWOW64\yvymakd.exe	ljvhjqw.exe
File opened for modification	C:\Windows\SysWOW64\manicpw.exe	ebfsyqy.exe
File created	C:\Windows\SysWOW64\quljkje.exe	indtykg.exe
File opened for modification	C:\Windows\SysWOW64\tnnfmki.exe	gutzozb.exe
File created	C:\Windows\SysWOW64\ytehepy.exe	labjnwr.exe
File created	C:\Windows\SysWOW64\ywfoyvi.exe	octofli.exe
File opened for modification	C:\Windows\SysWOW64\ywfoyvi.exe	octofli.exe
File created	C:\Windows\SysWOW64\ljvhjqw.exe	vcoryag.exe
File created	C:\Windows\SysWOW64\iydiess.exe	dnaknzm.exe
File created	C:\Windows\SysWOW64\lrfwgup.exe	zczlnej.exe
File opened for modification	C:\Windows\SysWOW64\ocgcmaa.exe	yvymakd.exe
File opened for modification	C:\Windows\SysWOW64\psichfn.exe	ztievpp.exe
File created	C:\Windows\SysWOW64\efxistc.exe	zmdlczw.exe
File opened for modification	C:\Windows\SysWOW64\vbutcft.exe	efxistc.exe
File opened for modification	C:\Windows\SysWOW64\jicgqll.exe	tmgdgzu.exe
File created	C:\Windows\SysWOW64\wtfeges.exe	jicgqll.exe
File opened for modification	C:\Windows\SysWOW64\tlwpxbg.exe	dewzlki.exe
File created	C:\Windows\SysWOW64\jkenjze.exe	tlwpxbg.exe
File opened for modification	C:\Windows\SysWOW64\sujxbfm.exe	cynustn.exe
File created	C:\Windows\SysWOW64\kndngfk.exe	xbahpum.exe
File opened for modification	C:\Windows\SysWOW64\zrmdvqc.exe	jkenjze.exe
File opened for modification	C:\Windows\SysWOW64\rlbojqr.exe	bmtyxat.exe
File opened for modification	C:\Windows\SysWOW64\ytehepy.exe	labjnwr.exe
File opened for modification	C:\Windows\SysWOW64\lfyfviw.exe	ytehepy.exe
File opened for modification	C:\Windows\SysWOW64\czmsetn.exe	mancsvq.exe
File created	C:\Windows\SysWOW64\qiuecot.exe	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
File opened for modification	C:\Windows\SysWOW64\zczlnej.exe	iydiess.exe
File created	C:\Windows\SysWOW64\octofli.exe	xgxlwzr.exe
File created	C:\Windows\SysWOW64\tlwpxbg.exe	dewzlki.exe
File created	C:\Windows\SysWOW64\xrowzvy.exe	manicpw.exe
File created	C:\Windows\SysWOW64\dxdcpcu.exe	nyvmllw.exe
File opened for modification	C:\Windows\SysWOW64\hujnqzz.exe	dxdcpcu.exe
File opened for modification	C:\Windows\SysWOW64\frqsswc.exe	psichfn.exe
File created	C:\Windows\SysWOW64\vcoryag.exe	qrtthga.exe
File opened for modification	C:\Windows\SysWOW64\vcoryag.exe	qrtthga.exe
File created	C:\Windows\SysWOW64\ytrluqp.exe	hujnqzz.exe
File opened for modification	C:\Windows\SysWOW64\vyyieua.exe	frqsswc.exe
File opened for modification	C:\Windows\SysWOW64\xbahpum.exe	sujxbfm.exe
File opened for modification	C:\Windows\SysWOW64\octofli.exe	xgxlwzr.exe
File opened for modification	C:\Windows\SysWOW64\ljvhjqw.exe	vcoryag.exe
File created	C:\Windows\SysWOW64\nyvmllw.exe	xrowzvy.exe
File created	C:\Windows\SysWOW64\bmtyxat.exe	opnodko.exe

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ztievpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jmvvqjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocgcmaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywfoyvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dewzlki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xgxlwzr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfyfviw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qrtthga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmtyxat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	indtykg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytehepy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jicgqll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mancsvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zczlnej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbahpum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyvmllw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdcpcu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efxistc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmgdgzu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtfeges.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czmsetn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iydiess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	manicpw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hujnqzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytrluqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psichfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frqsswc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	labjnwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ljvhjqw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lrfwgup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sujxbfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jkenjze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcoryag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmdlczw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbutcft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnaknzm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlwpxbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebfsyqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrowzvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opnodko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rlbojqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gutzozb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	octofli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiuecot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cynustn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zrmdvqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvymakd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyyieua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quljkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnnfmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kndngfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1756	2848	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe	31
PID 2848 wrote to memory of 1756	2848	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe	31
PID 2848 wrote to memory of 1756	2848	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe	31
PID 2848 wrote to memory of 1756	2848	JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe	31
PID 1756 wrote to memory of 2752	1756	qiuecot.exe	32
PID 1756 wrote to memory of 2752	1756	qiuecot.exe	32
PID 1756 wrote to memory of 2752	1756	qiuecot.exe	32
PID 1756 wrote to memory of 2752	1756	qiuecot.exe	32
PID 2752 wrote to memory of 2788	2752	dnaknzm.exe	33
PID 2752 wrote to memory of 2788	2752	dnaknzm.exe	33
PID 2752 wrote to memory of 2788	2752	dnaknzm.exe	33
PID 2752 wrote to memory of 2788	2752	dnaknzm.exe	33
PID 2788 wrote to memory of 2564	2788	iydiess.exe	34
PID 2788 wrote to memory of 2564	2788	iydiess.exe	34
PID 2788 wrote to memory of 2564	2788	iydiess.exe	34
PID 2788 wrote to memory of 2564	2788	iydiess.exe	34
PID 2564 wrote to memory of 2312	2564	zczlnej.exe	35
PID 2564 wrote to memory of 2312	2564	zczlnej.exe	35
PID 2564 wrote to memory of 2312	2564	zczlnej.exe	35
PID 2564 wrote to memory of 2312	2564	zczlnej.exe	35
PID 2312 wrote to memory of 2456	2312	lrfwgup.exe	36
PID 2312 wrote to memory of 2456	2312	lrfwgup.exe	36
PID 2312 wrote to memory of 2456	2312	lrfwgup.exe	36
PID 2312 wrote to memory of 2456	2312	lrfwgup.exe	36
PID 2456 wrote to memory of 2448	2456	cynustn.exe	37
PID 2456 wrote to memory of 2448	2456	cynustn.exe	37
PID 2456 wrote to memory of 2448	2456	cynustn.exe	37
PID 2456 wrote to memory of 2448	2456	cynustn.exe	37
PID 2448 wrote to memory of 1752	2448	sujxbfm.exe	38
PID 2448 wrote to memory of 1752	2448	sujxbfm.exe	38
PID 2448 wrote to memory of 1752	2448	sujxbfm.exe	38
PID 2448 wrote to memory of 1752	2448	sujxbfm.exe	38
PID 1752 wrote to memory of 1028	1752	xbahpum.exe	39
PID 1752 wrote to memory of 1028	1752	xbahpum.exe	39
PID 1752 wrote to memory of 1028	1752	xbahpum.exe	39
PID 1752 wrote to memory of 1028	1752	xbahpum.exe	39
PID 1028 wrote to memory of 1508	1028	kndngfk.exe	40
PID 1028 wrote to memory of 1508	1028	kndngfk.exe	40
PID 1028 wrote to memory of 1508	1028	kndngfk.exe	40
PID 1028 wrote to memory of 1508	1028	kndngfk.exe	40
PID 1508 wrote to memory of 408	1508	xgxlwzr.exe	41
PID 1508 wrote to memory of 408	1508	xgxlwzr.exe	41
PID 1508 wrote to memory of 408	1508	xgxlwzr.exe	41
PID 1508 wrote to memory of 408	1508	xgxlwzr.exe	41
PID 408 wrote to memory of 980	408	octofli.exe	42
PID 408 wrote to memory of 980	408	octofli.exe	42
PID 408 wrote to memory of 980	408	octofli.exe	42
PID 408 wrote to memory of 980	408	octofli.exe	42
PID 980 wrote to memory of 1592	980	ywfoyvi.exe	43
PID 980 wrote to memory of 1592	980	ywfoyvi.exe	43
PID 980 wrote to memory of 1592	980	ywfoyvi.exe	43
PID 980 wrote to memory of 1592	980	ywfoyvi.exe	43
PID 1592 wrote to memory of 1424	1592	dewzlki.exe	44
PID 1592 wrote to memory of 1424	1592	dewzlki.exe	44
PID 1592 wrote to memory of 1424	1592	dewzlki.exe	44
PID 1592 wrote to memory of 1424	1592	dewzlki.exe	44
PID 1424 wrote to memory of 2116	1424	tlwpxbg.exe	45
PID 1424 wrote to memory of 2116	1424	tlwpxbg.exe	45
PID 1424 wrote to memory of 2116	1424	tlwpxbg.exe	45
PID 1424 wrote to memory of 2116	1424	tlwpxbg.exe	45
PID 2116 wrote to memory of 1472	2116	jkenjze.exe	46
PID 2116 wrote to memory of 1472	2116	jkenjze.exe	46
PID 2116 wrote to memory of 1472	2116	jkenjze.exe	46
PID 2116 wrote to memory of 1472	2116	jkenjze.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\qiuecot.exe
  C:\Windows\system32\qiuecot.exe 584 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98d5da824fabf016acea65ce4f45b4ad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\dnaknzm.exe
    C:\Windows\system32\dnaknzm.exe 580 "C:\Windows\SysWOW64\qiuecot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\iydiess.exe
      C:\Windows\system32\iydiess.exe 548 "C:\Windows\SysWOW64\dnaknzm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\zczlnej.exe
        
        C:\Windows\system32\zczlnej.exe 604 "C:\Windows\SysWOW64\iydiess.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\lrfwgup.exe
        
        C:\Windows\system32\lrfwgup.exe 620 "C:\Windows\SysWOW64\zczlnej.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\cynustn.exe
        
        C:\Windows\system32\cynustn.exe 632 "C:\Windows\SysWOW64\lrfwgup.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\sujxbfm.exe
        
        C:\Windows\system32\sujxbfm.exe 588 "C:\Windows\SysWOW64\cynustn.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\xbahpum.exe
        
        C:\Windows\system32\xbahpum.exe 596 "C:\Windows\SysWOW64\sujxbfm.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\kndngfk.exe
        
        C:\Windows\system32\kndngfk.exe 652 "C:\Windows\SysWOW64\xbahpum.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\xgxlwzr.exe
        
        C:\Windows\system32\xgxlwzr.exe 600 "C:\Windows\SysWOW64\kndngfk.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\octofli.exe
        
        C:\Windows\system32\octofli.exe 592 "C:\Windows\SysWOW64\xgxlwzr.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\ywfoyvi.exe
        
        C:\Windows\system32\ywfoyvi.exe 572 "C:\Windows\SysWOW64\octofli.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\dewzlki.exe
        
        C:\Windows\system32\dewzlki.exe 560 "C:\Windows\SysWOW64\ywfoyvi.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\tlwpxbg.exe
        
        C:\Windows\system32\tlwpxbg.exe 568 "C:\Windows\SysWOW64\dewzlki.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\jkenjze.exe
        
        C:\Windows\system32\jkenjze.exe 612 "C:\Windows\SysWOW64\tlwpxbg.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\zrmdvqc.exe
        
        C:\Windows\system32\zrmdvqc.exe 636 "C:\Windows\SysWOW64\jkenjze.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\qrtthga.exe
        
        C:\Windows\system32\qrtthga.exe 616 "C:\Windows\SysWOW64\zrmdvqc.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\vcoryag.exe
        
        C:\Windows\system32\vcoryag.exe 644 "C:\Windows\SysWOW64\qrtthga.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\ljvhjqw.exe
        
        C:\Windows\system32\ljvhjqw.exe 544 "C:\Windows\SysWOW64\vcoryag.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\yvymakd.exe
        
        C:\Windows\system32\yvymakd.exe 608 "C:\Windows\SysWOW64\ljvhjqw.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\ocgcmaa.exe
        
        C:\Windows\system32\ocgcmaa.exe 576 "C:\Windows\SysWOW64\yvymakd.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\ebfsyqy.exe
        
        C:\Windows\system32\ebfsyqy.exe 672 "C:\Windows\SysWOW64\ocgcmaa.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\manicpw.exe
        
        C:\Windows\system32\manicpw.exe 708 "C:\Windows\SysWOW64\ebfsyqy.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\xrowzvy.exe
        
        C:\Windows\system32\xrowzvy.exe 668 "C:\Windows\SysWOW64\manicpw.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\nyvmllw.exe
        
        C:\Windows\system32\nyvmllw.exe 716 "C:\Windows\SysWOW64\xrowzvy.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\dxdcpcu.exe
        
        C:\Windows\system32\dxdcpcu.exe 664 "C:\Windows\SysWOW64\nyvmllw.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\hujnqzz.exe
        
        C:\Windows\system32\hujnqzz.exe 688 "C:\Windows\SysWOW64\dxdcpcu.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\ytrluqp.exe
        
        C:\Windows\system32\ytrluqp.exe 556 "C:\Windows\SysWOW64\hujnqzz.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\opnodko.exe
        
        C:\Windows\system32\opnodko.exe 692 "C:\Windows\SysWOW64\ytrluqp.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\bmtyxat.exe
        
        C:\Windows\system32\bmtyxat.exe 700 "C:\Windows\SysWOW64\opnodko.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\rlbojqr.exe
        
        C:\Windows\system32\rlbojqr.exe 704 "C:\Windows\SysWOW64\bmtyxat.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\ztievpp.exe
        
        C:\Windows\system32\ztievpp.exe 676 "C:\Windows\SysWOW64\rlbojqr.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\psichfn.exe
        
        C:\Windows\system32\psichfn.exe 624 "C:\Windows\SysWOW64\ztievpp.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\frqsswc.exe
        
        C:\Windows\system32\frqsswc.exe 732 "C:\Windows\SysWOW64\psichfn.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\vyyieua.exe
        
        C:\Windows\system32\vyyieua.exe 724 "C:\Windows\SysWOW64\frqsswc.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\indtykg.exe
        
        C:\Windows\system32\indtykg.exe 660 "C:\Windows\SysWOW64\vyyieua.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\quljkje.exe
        
        C:\Windows\system32\quljkje.exe 772 "C:\Windows\SysWOW64\indtykg.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\gutzozb.exe
        
        C:\Windows\system32\gutzozb.exe 728 "C:\Windows\SysWOW64\quljkje.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\tnnfmki.exe
        
        C:\Windows\system32\tnnfmki.exe 720 "C:\Windows\SysWOW64\gutzozb.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\jmvvqjg.exe
        
        C:\Windows\system32\jmvvqjg.exe 656 "C:\Windows\SysWOW64\tnnfmki.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\zmdlczw.exe
        
        C:\Windows\system32\zmdlczw.exe 648 "C:\Windows\SysWOW64\jmvvqjg.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\efxistc.exe
        
        C:\Windows\system32\efxistc.exe 748 "C:\Windows\SysWOW64\zmdlczw.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\vbutcft.exe
        
        C:\Windows\system32\vbutcft.exe 696 "C:\Windows\SysWOW64\efxistc.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\labjnwr.exe
        
        C:\Windows\system32\labjnwr.exe 752 "C:\Windows\SysWOW64\vbutcft.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\ytehepy.exe
        
        C:\Windows\system32\ytehepy.exe 684 "C:\Windows\SysWOW64\labjnwr.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\lfyfviw.exe
        
        C:\Windows\system32\lfyfviw.exe 712 "C:\Windows\SysWOW64\ytehepy.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\tmgdgzu.exe
        
        C:\Windows\system32\tmgdgzu.exe 776 "C:\Windows\SysWOW64\lfyfviw.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:268
        
        C:\Windows\SysWOW64\jicgqll.exe
        
        C:\Windows\system32\jicgqll.exe 764 "C:\Windows\SysWOW64\tmgdgzu.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\wtfeges.exe
        
        C:\Windows\system32\wtfeges.exe 552 "C:\Windows\SysWOW64\jicgqll.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\mancsvq.exe
        
        C:\Windows\system32\mancsvq.exe 768 "C:\Windows\SysWOW64\wtfeges.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\czmsetn.exe
        
        C:\Windows\system32\czmsetn.exe 824 "C:\Windows\SysWOW64\mancsvq.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\ilppufm.exe
        
        C:\Windows\system32\ilppufm.exe 736 "C:\Windows\SysWOW64\czmsetn.exe"
        53⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\yhlserl.exe
        
        C:\Windows\system32\yhlserl.exe 828 "C:\Windows\SysWOW64\ilppufm.exe"
        54⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\laoyulk.exe
        
        C:\Windows\system32\laoyulk.exe 680 "C:\Windows\SysWOW64\yhlserl.exe"
        55⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\bznogbi.exe
        
        C:\Windows\system32\bznogbi.exe 784 "C:\Windows\SysWOW64\laoyulk.exe"
        56⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\gtqmxuo.exe
        
        C:\Windows\system32\gtqmxuo.exe 796 "C:\Windows\SysWOW64\bznogbi.exe"
        57⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\wsycale.exe
        
        C:\Windows\system32\wsycale.exe 792 "C:\Windows\SysWOW64\gtqmxuo.exe"
        58⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\jlszzel.exe
        
        C:\Windows\system32\jlszzel.exe 808 "C:\Windows\SysWOW64\wsycale.exe"
        59⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\zkaxdvi.exe
        
        C:\Windows\system32\zkaxdvi.exe 812 "C:\Windows\SysWOW64\jlszzel.exe"
        60⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\qgwampz.exe
        
        C:\Windows\system32\qgwampz.exe 856 "C:\Windows\SysWOW64\zkaxdvi.exe"
        61⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\vrzydag.exe
        
        C:\Windows\system32\vrzydag.exe 832 "C:\Windows\SysWOW64\qgwampz.exe"
        62⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\iltwtuf.exe
        
        C:\Windows\system32\iltwtuf.exe 800 "C:\Windows\SysWOW64\vrzydag.exe"
        63⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\ykbufkc.exe
        
        C:\Windows\system32\ykbufkc.exe 816 "C:\Windows\SysWOW64\iltwtuf.exe"
        64⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\ogxxoxu.exe
        
        C:\Windows\system32\ogxxoxu.exe 628 "C:\Windows\SysWOW64\ykbufkc.exe"
        65⤵
        
        PID:592
        
        C:\Windows\SysWOW64\bzavfqa.exe
        
        C:\Windows\system32\bzavfqa.exe 836 "C:\Windows\SysWOW64\ogxxoxu.exe"
        66⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\ghrnsfa.exe
        
        C:\Windows\system32\ghrnsfa.exe 884 "C:\Windows\SysWOW64\bzavfqa.exe"
        67⤵
        
        PID:304
        
        C:\Windows\SysWOW64\upaygma.exe
        
        C:\Windows\system32\upaygma.exe 848 "C:\Windows\SysWOW64\ghrnsfa.exe"
        68⤵
        
        PID:580
        
        C:\Windows\SysWOW64\kwiosly.exe
        
        C:\Windows\system32\kwiosly.exe 788 "C:\Windows\SysWOW64\upaygma.exe"
        69⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\avpmebv.exe
        
        C:\Windows\system32\avpmebv.exe 640 "C:\Windows\SysWOW64\kwiosly.exe"
        70⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\qvxcqst.exe
        
        C:\Windows\system32\qvxcqst.exe 840 "C:\Windows\SysWOW64\avpmebv.exe"
        71⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\vsdnjpz.exe
        
        C:\Windows\system32\vsdnjpz.exe 540 "C:\Windows\SysWOW64\qvxcqst.exe"
        72⤵
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qiuecot.exe

Filesize
275KB

MD5
98d5da824fabf016acea65ce4f45b4ad

SHA1
9e24b0782145056654a531125416901784f65a33

SHA256
9a72961f7e496936d6ba0c059fd83896e25cec2a629787df149a701ed95107e1

SHA512
c18eb94030b507e54b8dd7d593f602e249ffd6bcd09a777f0541bdb39d3989ba1db32c6a2f480b0232b0fe92a0151a74f10f8e63f6542c08907a9778f8a4a82c

Download Submit
memory/328-396-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/408-183-0x00000000033A0000-0x00000000034E2000-memory.dmp

Filesize
1.3MB

Download
memory/408-170-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/408-186-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/980-199-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/980-184-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1028-157-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1288-412-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1424-226-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1424-224-0x0000000003100000-0x0000000003242000-memory.dmp

Filesize
1.3MB

Download
memory/1472-251-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1472-239-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1500-372-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1508-171-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1508-169-0x0000000003080000-0x00000000031C2000-memory.dmp

Filesize
1.3MB

Download
memory/1508-155-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1592-212-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1592-209-0x0000000003240000-0x0000000003382000-memory.dmp

Filesize
1.3MB

Download
memory/1592-198-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1752-129-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1752-143-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1752-141-0x0000000003110000-0x0000000003252000-memory.dmp

Filesize
1.3MB

Download
memory/1756-38-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1756-19-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1756-22-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1756-23-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/1756-24-0x0000000000560000-0x000000000058C000-memory.dmp

Filesize
176KB

Download
memory/1756-16-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1756-39-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1756-36-0x0000000003170000-0x00000000032B2000-memory.dmp

Filesize
1.3MB

Download
memory/1756-18-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1800-404-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1844-380-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1872-356-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2016-321-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2016-309-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2016-317-0x0000000003140000-0x0000000003282000-memory.dmp

Filesize
1.3MB

Download
memory/2040-436-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2116-237-0x0000000003270000-0x00000000033B2000-memory.dmp

Filesize
1.3MB

Download
memory/2116-240-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2116-225-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2156-428-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2168-460-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2228-444-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2260-388-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2312-87-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2312-101-0x00000000030E0000-0x0000000003222000-memory.dmp

Filesize
1.3MB

Download
memory/2312-102-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2372-452-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2376-420-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2428-269-0x0000000003230000-0x0000000003372000-memory.dmp

Filesize
1.3MB

Download
memory/2428-260-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2428-272-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2448-130-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2448-128-0x0000000003160000-0x00000000032A2000-memory.dmp

Filesize
1.3MB

Download
memory/2456-116-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2456-113-0x00000000032F0000-0x0000000003432000-memory.dmp

Filesize
1.3MB

Download
memory/2464-319-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2464-330-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2472-348-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2472-338-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2480-340-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2480-329-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2548-300-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2548-310-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2564-86-0x0000000003390000-0x00000000034D2000-memory.dmp

Filesize
1.3MB

Download
memory/2564-89-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2564-72-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2680-500-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2692-476-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2752-37-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download
memory/2752-57-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2752-40-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2752-54-0x00000000032B0000-0x00000000033F2000-memory.dmp

Filesize
1.3MB

Download
memory/2752-58-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download
memory/2752-42-0x0000000000390000-0x00000000003BC000-memory.dmp

Filesize
176KB

Download
memory/2752-41-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2764-290-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2764-298-0x00000000033E0000-0x0000000003522000-memory.dmp

Filesize
1.3MB

Download
memory/2764-301-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2768-484-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2784-291-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2784-281-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2788-74-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2788-71-0x0000000003110000-0x0000000003252000-memory.dmp

Filesize
1.3MB

Download
memory/2788-59-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2788-53-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2788-73-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2788-55-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2788-56-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2808-261-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2808-258-0x0000000003260000-0x00000000033A2000-memory.dmp

Filesize
1.3MB

Download
memory/2808-249-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2816-492-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2820-508-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2848-21-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2848-4-0x0000000000370000-0x0000000000375000-memory.dmp

Filesize
20KB

Download
memory/2848-20-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2848-17-0x00000000034B0000-0x00000000035F2000-memory.dmp

Filesize
1.3MB

Download
memory/2848-5-0x0000000000650000-0x000000000067C000-memory.dmp

Filesize
176KB

Download
memory/2848-1-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2848-3-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2848-2-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2864-280-0x0000000003160000-0x00000000032A2000-memory.dmp

Filesize
1.3MB

Download
memory/2864-270-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2864-282-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2876-468-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2972-364-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download