cobaltstrike | 3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6

Analysis

max time kernel
137s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
10-11-2020 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
Size

5.2MB
MD5

34075a26c0e1398f76144c380c21260f
SHA1

268b3b339b73556caf31f5e29921cec662a8f9bf
SHA256

3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6
SHA512

5ae4c04612f12aea2eb97bf90ea869a082c2048f2536007ded26b0128780ea0ebd36c759780647a196af275fbc40d9eaf83cdc4436f53072def236d6e3b26ebe

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 42 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\vfHYGHG.exe	cobalt_reflective_dll
C:\Windows\System\vfHYGHG.exe	cobalt_reflective_dll
C:\Windows\System\iDRMkGh.exe	cobalt_reflective_dll
C:\Windows\System\iDRMkGh.exe	cobalt_reflective_dll
C:\Windows\System\vJtNdXW.exe	cobalt_reflective_dll
C:\Windows\System\vJtNdXW.exe	cobalt_reflective_dll
C:\Windows\System\OBPuzGN.exe	cobalt_reflective_dll
C:\Windows\System\gXkKyVi.exe	cobalt_reflective_dll
C:\Windows\System\gXkKyVi.exe	cobalt_reflective_dll
C:\Windows\System\bjtqtIJ.exe	cobalt_reflective_dll
C:\Windows\System\OBPuzGN.exe	cobalt_reflective_dll
C:\Windows\System\bjtqtIJ.exe	cobalt_reflective_dll
C:\Windows\System\NfsyOOf.exe	cobalt_reflective_dll
C:\Windows\System\wMQeEGr.exe	cobalt_reflective_dll
C:\Windows\System\ckVISbM.exe	cobalt_reflective_dll
C:\Windows\System\dsOcoJt.exe	cobalt_reflective_dll
C:\Windows\System\dsOcoJt.exe	cobalt_reflective_dll
C:\Windows\System\OBDsSZC.exe	cobalt_reflective_dll
C:\Windows\System\OBDsSZC.exe	cobalt_reflective_dll
C:\Windows\System\ckVISbM.exe	cobalt_reflective_dll
C:\Windows\System\wMQeEGr.exe	cobalt_reflective_dll
C:\Windows\System\NfsyOOf.exe	cobalt_reflective_dll
C:\Windows\System\bDttnfo.exe	cobalt_reflective_dll
C:\Windows\System\KDESrFx.exe	cobalt_reflective_dll
C:\Windows\System\KDESrFx.exe	cobalt_reflective_dll
C:\Windows\System\OPELoCa.exe	cobalt_reflective_dll
C:\Windows\System\gyMTZdJ.exe	cobalt_reflective_dll
C:\Windows\System\gyMTZdJ.exe	cobalt_reflective_dll
C:\Windows\System\OPELoCa.exe	cobalt_reflective_dll
C:\Windows\System\bDttnfo.exe	cobalt_reflective_dll
C:\Windows\System\xIwlGRy.exe	cobalt_reflective_dll
C:\Windows\System\xIwlGRy.exe	cobalt_reflective_dll
C:\Windows\System\GHvtXvs.exe	cobalt_reflective_dll
C:\Windows\System\DTgCMCF.exe	cobalt_reflective_dll
C:\Windows\System\DTgCMCF.exe	cobalt_reflective_dll
C:\Windows\System\TBXVIdS.exe	cobalt_reflective_dll
C:\Windows\System\GHvtXvs.exe	cobalt_reflective_dll
C:\Windows\System\tHmifoD.exe	cobalt_reflective_dll
C:\Windows\System\vwhUOZC.exe	cobalt_reflective_dll
C:\Windows\System\tHmifoD.exe	cobalt_reflective_dll
C:\Windows\System\vwhUOZC.exe	cobalt_reflective_dll
C:\Windows\System\TBXVIdS.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 21 IoCs

Processes:

vfHYGHG.exeiDRMkGh.exevJtNdXW.exeOBPuzGN.exegXkKyVi.exebjtqtIJ.exeNfsyOOf.exewMQeEGr.execkVISbM.exedsOcoJt.exeOBDsSZC.exebDttnfo.exegyMTZdJ.exeKDESrFx.exeOPELoCa.exexIwlGRy.exeGHvtXvs.exeDTgCMCF.exeTBXVIdS.exetHmifoD.exevwhUOZC.exe

pid	process
2024	vfHYGHG.exe
3844	iDRMkGh.exe
2272	vJtNdXW.exe
2484	OBPuzGN.exe
2564	gXkKyVi.exe
2168	bjtqtIJ.exe
3136	NfsyOOf.exe
676	wMQeEGr.exe
640	ckVISbM.exe
492	dsOcoJt.exe
192	OBDsSZC.exe
2000	bDttnfo.exe
3292	gyMTZdJ.exe
2828	KDESrFx.exe
1128	OPELoCa.exe
2096	xIwlGRy.exe
692	GHvtXvs.exe
2516	DTgCMCF.exe
2960	TBXVIdS.exe
3480	tHmifoD.exe
3464	vwhUOZC.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\System\vfHYGHG.exe	upx
C:\Windows\System\vfHYGHG.exe	upx
C:\Windows\System\iDRMkGh.exe	upx
C:\Windows\System\iDRMkGh.exe	upx
C:\Windows\System\vJtNdXW.exe	upx
C:\Windows\System\vJtNdXW.exe	upx
C:\Windows\System\OBPuzGN.exe	upx
C:\Windows\System\gXkKyVi.exe	upx
C:\Windows\System\gXkKyVi.exe	upx
C:\Windows\System\bjtqtIJ.exe	upx
C:\Windows\System\OBPuzGN.exe	upx
C:\Windows\System\bjtqtIJ.exe	upx
C:\Windows\System\NfsyOOf.exe	upx
C:\Windows\System\wMQeEGr.exe	upx
C:\Windows\System\ckVISbM.exe	upx
C:\Windows\System\dsOcoJt.exe	upx
C:\Windows\System\dsOcoJt.exe	upx
C:\Windows\System\OBDsSZC.exe	upx
C:\Windows\System\OBDsSZC.exe	upx
C:\Windows\System\ckVISbM.exe	upx
C:\Windows\System\wMQeEGr.exe	upx
C:\Windows\System\NfsyOOf.exe	upx
C:\Windows\System\bDttnfo.exe	upx
C:\Windows\System\KDESrFx.exe	upx
C:\Windows\System\KDESrFx.exe	upx
C:\Windows\System\OPELoCa.exe	upx
C:\Windows\System\gyMTZdJ.exe	upx
C:\Windows\System\gyMTZdJ.exe	upx
C:\Windows\System\OPELoCa.exe	upx
C:\Windows\System\bDttnfo.exe	upx
C:\Windows\System\xIwlGRy.exe	upx
C:\Windows\System\xIwlGRy.exe	upx
C:\Windows\System\GHvtXvs.exe	upx
C:\Windows\System\DTgCMCF.exe	upx
C:\Windows\System\DTgCMCF.exe	upx
C:\Windows\System\TBXVIdS.exe	upx
C:\Windows\System\GHvtXvs.exe	upx
C:\Windows\System\tHmifoD.exe	upx
C:\Windows\System\vwhUOZC.exe	upx
C:\Windows\System\tHmifoD.exe	upx
C:\Windows\System\vwhUOZC.exe	upx
C:\Windows\System\TBXVIdS.exe	upx

JavaScript code in executable 42 IoCs

Processes:

resource	yara_rule
C:\Windows\System\vfHYGHG.exe	js
C:\Windows\System\vfHYGHG.exe	js
C:\Windows\System\iDRMkGh.exe	js
C:\Windows\System\iDRMkGh.exe	js
C:\Windows\System\vJtNdXW.exe	js
C:\Windows\System\vJtNdXW.exe	js
C:\Windows\System\OBPuzGN.exe	js
C:\Windows\System\gXkKyVi.exe	js
C:\Windows\System\gXkKyVi.exe	js
C:\Windows\System\bjtqtIJ.exe	js
C:\Windows\System\OBPuzGN.exe	js
C:\Windows\System\bjtqtIJ.exe	js
C:\Windows\System\NfsyOOf.exe	js
C:\Windows\System\wMQeEGr.exe	js
C:\Windows\System\ckVISbM.exe	js
C:\Windows\System\dsOcoJt.exe	js
C:\Windows\System\dsOcoJt.exe	js
C:\Windows\System\OBDsSZC.exe	js
C:\Windows\System\OBDsSZC.exe	js
C:\Windows\System\ckVISbM.exe	js
C:\Windows\System\wMQeEGr.exe	js
C:\Windows\System\NfsyOOf.exe	js
C:\Windows\System\bDttnfo.exe	js
C:\Windows\System\KDESrFx.exe	js
C:\Windows\System\KDESrFx.exe	js
C:\Windows\System\OPELoCa.exe	js
C:\Windows\System\gyMTZdJ.exe	js
C:\Windows\System\gyMTZdJ.exe	js
C:\Windows\System\OPELoCa.exe	js
C:\Windows\System\bDttnfo.exe	js
C:\Windows\System\xIwlGRy.exe	js
C:\Windows\System\xIwlGRy.exe	js
C:\Windows\System\GHvtXvs.exe	js
C:\Windows\System\DTgCMCF.exe	js
C:\Windows\System\DTgCMCF.exe	js
C:\Windows\System\TBXVIdS.exe	js
C:\Windows\System\GHvtXvs.exe	js
C:\Windows\System\tHmifoD.exe	js
C:\Windows\System\vwhUOZC.exe	js
C:\Windows\System\tHmifoD.exe	js
C:\Windows\System\vwhUOZC.exe	js
C:\Windows\System\TBXVIdS.exe	js

Drops file in Windows directory 21 IoCs

Processes:

3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe

description	ioc	process
File created	C:\Windows\System\OBPuzGN.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\gXkKyVi.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\dsOcoJt.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\TBXVIdS.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\gyMTZdJ.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\KDESrFx.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\OPELoCa.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\GHvtXvs.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\vfHYGHG.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\vJtNdXW.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\bjtqtIJ.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\NfsyOOf.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\tHmifoD.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\ckVISbM.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\bDttnfo.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\DTgCMCF.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\vwhUOZC.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\iDRMkGh.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\wMQeEGr.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\OBDsSZC.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
File created	C:\Windows\System\xIwlGRy.exe	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe

description	pid	process
Token: SeLockMemoryPrivilege	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
Token: SeLockMemoryPrivilege	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe

description	pid	process	target process
PID 980 wrote to memory of 2024	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	vfHYGHG.exe
PID 980 wrote to memory of 2024	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	vfHYGHG.exe
PID 980 wrote to memory of 3844	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	iDRMkGh.exe
PID 980 wrote to memory of 3844	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	iDRMkGh.exe
PID 980 wrote to memory of 2272	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	vJtNdXW.exe
PID 980 wrote to memory of 2272	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	vJtNdXW.exe
PID 980 wrote to memory of 2484	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	OBPuzGN.exe
PID 980 wrote to memory of 2484	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	OBPuzGN.exe
PID 980 wrote to memory of 2564	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	gXkKyVi.exe
PID 980 wrote to memory of 2564	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	gXkKyVi.exe
PID 980 wrote to memory of 2168	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	bjtqtIJ.exe
PID 980 wrote to memory of 2168	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	bjtqtIJ.exe
PID 980 wrote to memory of 3136	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	NfsyOOf.exe
PID 980 wrote to memory of 3136	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	NfsyOOf.exe
PID 980 wrote to memory of 676	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	wMQeEGr.exe
PID 980 wrote to memory of 676	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	wMQeEGr.exe
PID 980 wrote to memory of 640	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	ckVISbM.exe
PID 980 wrote to memory of 640	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	ckVISbM.exe
PID 980 wrote to memory of 492	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	dsOcoJt.exe
PID 980 wrote to memory of 492	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	dsOcoJt.exe
PID 980 wrote to memory of 192	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	OBDsSZC.exe
PID 980 wrote to memory of 192	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	OBDsSZC.exe
PID 980 wrote to memory of 2000	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	bDttnfo.exe
PID 980 wrote to memory of 2000	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	bDttnfo.exe
PID 980 wrote to memory of 3292	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	gyMTZdJ.exe
PID 980 wrote to memory of 3292	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	gyMTZdJ.exe
PID 980 wrote to memory of 2828	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	KDESrFx.exe
PID 980 wrote to memory of 2828	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	KDESrFx.exe
PID 980 wrote to memory of 1128	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	OPELoCa.exe
PID 980 wrote to memory of 1128	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	OPELoCa.exe
PID 980 wrote to memory of 2096	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	xIwlGRy.exe
PID 980 wrote to memory of 2096	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	xIwlGRy.exe
PID 980 wrote to memory of 692	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	GHvtXvs.exe
PID 980 wrote to memory of 692	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	GHvtXvs.exe
PID 980 wrote to memory of 2516	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	DTgCMCF.exe
PID 980 wrote to memory of 2516	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	DTgCMCF.exe
PID 980 wrote to memory of 2960	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	TBXVIdS.exe
PID 980 wrote to memory of 2960	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	TBXVIdS.exe
PID 980 wrote to memory of 3480	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	tHmifoD.exe
PID 980 wrote to memory of 3480	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	tHmifoD.exe
PID 980 wrote to memory of 3464	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	vwhUOZC.exe
PID 980 wrote to memory of 3464	980	3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe	vwhUOZC.exe

C:\Users\Admin\AppData\Local\Temp\3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe
"C:\Users\Admin\AppData\Local\Temp\3f081140a85c7b5fac637003923a03357a1fae6affbe6309da2d1ca9bf0546e6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\System\vfHYGHG.exe
C:\Windows\System\vfHYGHG.exe
2⤵
- Executes dropped EXE
PID:2024

C:\Windows\System\iDRMkGh.exe
C:\Windows\System\iDRMkGh.exe
2⤵
- Executes dropped EXE
PID:3844

C:\Windows\System\vJtNdXW.exe
C:\Windows\System\vJtNdXW.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\System\OBPuzGN.exe
C:\Windows\System\OBPuzGN.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\gXkKyVi.exe
C:\Windows\System\gXkKyVi.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\bjtqtIJ.exe
C:\Windows\System\bjtqtIJ.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\NfsyOOf.exe
C:\Windows\System\NfsyOOf.exe
2⤵
- Executes dropped EXE
PID:3136

C:\Windows\System\wMQeEGr.exe
C:\Windows\System\wMQeEGr.exe
2⤵
- Executes dropped EXE
PID:676

C:\Windows\System\ckVISbM.exe
C:\Windows\System\ckVISbM.exe
2⤵
- Executes dropped EXE
PID:640

C:\Windows\System\dsOcoJt.exe
C:\Windows\System\dsOcoJt.exe
2⤵
- Executes dropped EXE
PID:492

C:\Windows\System\OBDsSZC.exe
C:\Windows\System\OBDsSZC.exe
2⤵
- Executes dropped EXE
PID:192

C:\Windows\System\bDttnfo.exe
C:\Windows\System\bDttnfo.exe
2⤵
- Executes dropped EXE
PID:2000

C:\Windows\System\gyMTZdJ.exe
C:\Windows\System\gyMTZdJ.exe
2⤵
- Executes dropped EXE
PID:3292

C:\Windows\System\KDESrFx.exe
C:\Windows\System\KDESrFx.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\OPELoCa.exe
C:\Windows\System\OPELoCa.exe
2⤵
- Executes dropped EXE
PID:1128

C:\Windows\System\xIwlGRy.exe
C:\Windows\System\xIwlGRy.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\System\GHvtXvs.exe
C:\Windows\System\GHvtXvs.exe
2⤵
- Executes dropped EXE
PID:692

C:\Windows\System\DTgCMCF.exe
C:\Windows\System\DTgCMCF.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\TBXVIdS.exe
C:\Windows\System\TBXVIdS.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\System\tHmifoD.exe
C:\Windows\System\tHmifoD.exe
2⤵
- Executes dropped EXE
PID:3480

C:\Windows\System\vwhUOZC.exe
C:\Windows\System\vwhUOZC.exe
2⤵
- Executes dropped EXE
PID:3464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DTgCMCF.exe
MD5
6734fb82cc03f34202c08920c64c5bc3

SHA1
0f98d143649750424336b559dd0dd6e2853a8e69

SHA256
2a38d7fbdba78243a65d22c0a8ca44a97bf4a34852eb6390a8a98fc509969bb7

SHA512
d6e6dc9d2e69acdaf22b3d7d7e03bd147fd99246bf976bde60a207f0834e4a018c07beda6c86db5859c75b4023224ca4402c7f03eb3fd77aa43f695b05266f19

Download Submit
C:\Windows\System\DTgCMCF.exe
MD5
6734fb82cc03f34202c08920c64c5bc3

SHA1
0f98d143649750424336b559dd0dd6e2853a8e69

SHA256
2a38d7fbdba78243a65d22c0a8ca44a97bf4a34852eb6390a8a98fc509969bb7

SHA512
d6e6dc9d2e69acdaf22b3d7d7e03bd147fd99246bf976bde60a207f0834e4a018c07beda6c86db5859c75b4023224ca4402c7f03eb3fd77aa43f695b05266f19

Download Submit
C:\Windows\System\GHvtXvs.exe
MD5
ffedc36831d6b9a41793c1cb47ff0327

SHA1
9591131cc26a3714dad44671a9614b12aa84232c

SHA256
aab17d371667d53e0a859cbdea9f84e0afebbe1c5dc7ae4576a5a1659eec3ebe

SHA512
a5261d22903f7196be191460bcbcbe068741b5399483183b5234eecd24af5452aa88f5e03f86a01734ad8ab70e6741b609e52e9ebb32cc917539d74daff9906b

Download Submit
C:\Windows\System\GHvtXvs.exe
MD5
ffedc36831d6b9a41793c1cb47ff0327

SHA1
9591131cc26a3714dad44671a9614b12aa84232c

SHA256
aab17d371667d53e0a859cbdea9f84e0afebbe1c5dc7ae4576a5a1659eec3ebe

SHA512
a5261d22903f7196be191460bcbcbe068741b5399483183b5234eecd24af5452aa88f5e03f86a01734ad8ab70e6741b609e52e9ebb32cc917539d74daff9906b

Download Submit
C:\Windows\System\KDESrFx.exe
MD5
e42382c3ff93d01b91cc5e66ec1edd02

SHA1
ed8411f3fb6248c11b8036682f419f28c01a138e

SHA256
a9c241068554695ee4e4f599ea3febe26da5636a62243dedc31d7c5b0be001a0

SHA512
ada57b082a601ea723390c1e696c7a2c7cb0a73eb3e5171ab3f463a1e227c10a03cf14c0c8f10a44cfa6677d367c0b3da021f104b0a73eb9b519e7cba95c46d4

Download Submit
C:\Windows\System\KDESrFx.exe
MD5
e42382c3ff93d01b91cc5e66ec1edd02

SHA1
ed8411f3fb6248c11b8036682f419f28c01a138e

SHA256
a9c241068554695ee4e4f599ea3febe26da5636a62243dedc31d7c5b0be001a0

SHA512
ada57b082a601ea723390c1e696c7a2c7cb0a73eb3e5171ab3f463a1e227c10a03cf14c0c8f10a44cfa6677d367c0b3da021f104b0a73eb9b519e7cba95c46d4

Download Submit
C:\Windows\System\NfsyOOf.exe
MD5
686e1db0bb8bef15a6d8bd6d80a56ed8

SHA1
12c81c98262a8bfb55e51366c32b71b5f1fccad9

SHA256
6cd604075ca14ebaee4779e0d04e5c1bef043e65842266f2935ecd9a1594f802

SHA512
e935c25494d30a5ff1b7c51fbc085495f8fc54b01409c585e5b286b768d4a6f3c6d9a299c1d820418d55a22bb20ea609d014cbd75cc80e4959e23a674359c5d2

Download Submit
C:\Windows\System\NfsyOOf.exe
MD5
686e1db0bb8bef15a6d8bd6d80a56ed8

SHA1
12c81c98262a8bfb55e51366c32b71b5f1fccad9

SHA256
6cd604075ca14ebaee4779e0d04e5c1bef043e65842266f2935ecd9a1594f802

SHA512
e935c25494d30a5ff1b7c51fbc085495f8fc54b01409c585e5b286b768d4a6f3c6d9a299c1d820418d55a22bb20ea609d014cbd75cc80e4959e23a674359c5d2

Download Submit
C:\Windows\System\OBDsSZC.exe
MD5
626e672159c208b033646cabea268296

SHA1
814381557da7d9efafbccdb5c3c2ffdeeb02e511

SHA256
9f95daad0002c37954cee3fa4e75fa7a330454cc9ca3d111d9fac764672bca3b

SHA512
5d399a94e983690c79ea2584d1ac7d9fd1dc73b4e777eff042650c1e2ae6ec235ccb41dc1176bed4979454d18d2f858e57a0a321ee974e4c7fbeea052cf4be94

Download Submit
C:\Windows\System\OBDsSZC.exe
MD5
626e672159c208b033646cabea268296

SHA1
814381557da7d9efafbccdb5c3c2ffdeeb02e511

SHA256
9f95daad0002c37954cee3fa4e75fa7a330454cc9ca3d111d9fac764672bca3b

SHA512
5d399a94e983690c79ea2584d1ac7d9fd1dc73b4e777eff042650c1e2ae6ec235ccb41dc1176bed4979454d18d2f858e57a0a321ee974e4c7fbeea052cf4be94

Download Submit
C:\Windows\System\OBPuzGN.exe
MD5
9b1aadd83d2aebc3d1ae626fa83db14d

SHA1
97816ba12090b7f83fa482510d139bde48b51988

SHA256
7ce6f5bf2ed25dfcb76029465c3198e682015699cf1d143f1b903ad7e2690fd5

SHA512
355af0bf233acd1677354f91f80ffa87d100eb7303dd87e3b3ad576e141d6dbce111d4e0b5a5ae8ee3d6623b35484e2d55b32b708090fb44ec7c3ec3df9cbf61

Download Submit
C:\Windows\System\OBPuzGN.exe
MD5
9b1aadd83d2aebc3d1ae626fa83db14d

SHA1
97816ba12090b7f83fa482510d139bde48b51988

SHA256
7ce6f5bf2ed25dfcb76029465c3198e682015699cf1d143f1b903ad7e2690fd5

SHA512
355af0bf233acd1677354f91f80ffa87d100eb7303dd87e3b3ad576e141d6dbce111d4e0b5a5ae8ee3d6623b35484e2d55b32b708090fb44ec7c3ec3df9cbf61

Download Submit
C:\Windows\System\OPELoCa.exe
MD5
265d944c52eca4e94c9df292ff0eb827

SHA1
b41df2516a97d807079c8c012c0a78d1443aedad

SHA256
afd7c9da8fa3f6e2071fa819ce1715ea51d25ce41be5866afb919b078b5d5734

SHA512
d6dcaa3ee300fb363054c4f0bb622b804eda13bf67f4b29267524827c71a828644b5fea4ed134553f279e9da146e0cbabc24fcc007e631b31fdcbf964784c820

Download Submit
C:\Windows\System\OPELoCa.exe
MD5
265d944c52eca4e94c9df292ff0eb827

SHA1
b41df2516a97d807079c8c012c0a78d1443aedad

SHA256
afd7c9da8fa3f6e2071fa819ce1715ea51d25ce41be5866afb919b078b5d5734

SHA512
d6dcaa3ee300fb363054c4f0bb622b804eda13bf67f4b29267524827c71a828644b5fea4ed134553f279e9da146e0cbabc24fcc007e631b31fdcbf964784c820

Download Submit
C:\Windows\System\TBXVIdS.exe
MD5
2be2f9a47e33dd2f519d20ab627fe537

SHA1
c13be37a286bc4b57f6bac315b36ba50e2284641

SHA256
ddc6a8b95984e2fc160f21c0af8a544aeb993fafcf601eab05b261ce770c3492

SHA512
98212f1bbc1c6b53bc4ccc7fc3dd94b1d23c0c44084874da41b9a995fb54cc261a3122a18ad5f4cf397d0c83a41ef5b1a1fb8a2a4f98980b00da5f6117011791

Download Submit
C:\Windows\System\TBXVIdS.exe
MD5
2be2f9a47e33dd2f519d20ab627fe537

SHA1
c13be37a286bc4b57f6bac315b36ba50e2284641

SHA256
ddc6a8b95984e2fc160f21c0af8a544aeb993fafcf601eab05b261ce770c3492

SHA512
98212f1bbc1c6b53bc4ccc7fc3dd94b1d23c0c44084874da41b9a995fb54cc261a3122a18ad5f4cf397d0c83a41ef5b1a1fb8a2a4f98980b00da5f6117011791

Download Submit
C:\Windows\System\bDttnfo.exe
MD5
4fc3d2f7a47392a9c8e10195870a53cb

SHA1
d14749c230cdbbc693a58309d231696e7272ea07

SHA256
1d9feec3e52a3c2d948c5c3b598f40169cf763863d9753c3ae383fb445536994

SHA512
105c44f1c5d1bab6ee62972663b169e8f4d1b238964e81bce7a9263f8bd755c7122c948e15e6896f132586bb9cb7ed256f6fc8be9c676300e7834290f0133d14

Download Submit
C:\Windows\System\bDttnfo.exe
MD5
4fc3d2f7a47392a9c8e10195870a53cb

SHA1
d14749c230cdbbc693a58309d231696e7272ea07

SHA256
1d9feec3e52a3c2d948c5c3b598f40169cf763863d9753c3ae383fb445536994

SHA512
105c44f1c5d1bab6ee62972663b169e8f4d1b238964e81bce7a9263f8bd755c7122c948e15e6896f132586bb9cb7ed256f6fc8be9c676300e7834290f0133d14

Download Submit
C:\Windows\System\bjtqtIJ.exe
MD5
221ef366dafefc83497a1c86e165d115

SHA1
e1bb71a8dacf1e60764e0ff8f3e02be8e6f028c3

SHA256
6a1f9694acbae3bd77ca0e231955df98a9362981b0269fec2fcbc242c1362439

SHA512
53a92e684ff7f33b9bb3bfe668b9a8e968b8050eef08d3a84e50af6fd5dbc55ed814560bced50fe5283e6d0a9d063ec97a99c42368a1f1e38cce48ffa767d64d

Download Submit
C:\Windows\System\bjtqtIJ.exe
MD5
221ef366dafefc83497a1c86e165d115

SHA1
e1bb71a8dacf1e60764e0ff8f3e02be8e6f028c3

SHA256
6a1f9694acbae3bd77ca0e231955df98a9362981b0269fec2fcbc242c1362439

SHA512
53a92e684ff7f33b9bb3bfe668b9a8e968b8050eef08d3a84e50af6fd5dbc55ed814560bced50fe5283e6d0a9d063ec97a99c42368a1f1e38cce48ffa767d64d

Download Submit
C:\Windows\System\ckVISbM.exe
MD5
1fc3ceb25371d4bd046ece5bfe81c12b

SHA1
cf1b2fa5a4854bd69ce07450418c23c7759abf2d

SHA256
46d89278ae042ac689d5a4549255512ac79fb984f3411dd5a66d6c6bc3ce1b8d

SHA512
a5859f835cc759ea507f8e631789596133a7aa877c53a02f3171e2c77b458e7b76425bf211418d9e809ce0198fec2d1954fbc33960c84d79383c999e39cd5a9a

Download Submit
C:\Windows\System\ckVISbM.exe
MD5
1fc3ceb25371d4bd046ece5bfe81c12b

SHA1
cf1b2fa5a4854bd69ce07450418c23c7759abf2d

SHA256
46d89278ae042ac689d5a4549255512ac79fb984f3411dd5a66d6c6bc3ce1b8d

SHA512
a5859f835cc759ea507f8e631789596133a7aa877c53a02f3171e2c77b458e7b76425bf211418d9e809ce0198fec2d1954fbc33960c84d79383c999e39cd5a9a

Download Submit
C:\Windows\System\dsOcoJt.exe
MD5
c05375c6d7e9355374bafd963774ace1

SHA1
0c307a77373ca1ce8fd28bef948894d646e12038

SHA256
b5531c815cad88176153d92d0fe67a2e653c24f7394be167cdbc86064531f664

SHA512
b2733aa5437bcf597025d4d970dba817c8bb770058fee949385def5f055b92a7f11a01787f020cefc2f59467b30cafd58322f91728d71f65f0b0a29b9cdfb40a

Download Submit
C:\Windows\System\dsOcoJt.exe
MD5
c05375c6d7e9355374bafd963774ace1

SHA1
0c307a77373ca1ce8fd28bef948894d646e12038

SHA256
b5531c815cad88176153d92d0fe67a2e653c24f7394be167cdbc86064531f664

SHA512
b2733aa5437bcf597025d4d970dba817c8bb770058fee949385def5f055b92a7f11a01787f020cefc2f59467b30cafd58322f91728d71f65f0b0a29b9cdfb40a

Download Submit
C:\Windows\System\gXkKyVi.exe
MD5
ef35863179f7a8daef61ecedcb798649

SHA1
51146dde247c6b86e1d876cac9e1ad08c1d78066

SHA256
26dd6c625799ec046b99f82e764a2b63135a6f32e0671bb866c6cdaaa74a646b

SHA512
db33df70ee739cceb010b0e556a097a3e9bf1878d29e54ba17981cf2926c58a03891f7c5e68747c183abeacec19123c94b4bc34c555d3afc2b71f5cc4a6ce75b

Download Submit
C:\Windows\System\gXkKyVi.exe
MD5
ef35863179f7a8daef61ecedcb798649

SHA1
51146dde247c6b86e1d876cac9e1ad08c1d78066

SHA256
26dd6c625799ec046b99f82e764a2b63135a6f32e0671bb866c6cdaaa74a646b

SHA512
db33df70ee739cceb010b0e556a097a3e9bf1878d29e54ba17981cf2926c58a03891f7c5e68747c183abeacec19123c94b4bc34c555d3afc2b71f5cc4a6ce75b

Download Submit
C:\Windows\System\gyMTZdJ.exe
MD5
573caffb35da01d1da3c9f70f14720e2

SHA1
f94ca9c85dbf4b5a3baf63754c5f93bb941001dd

SHA256
77b1ae7054b06772dee2ac3c3e42700d84dbb487aa65d109ba1fa006c54424eb

SHA512
4b6eddc70ac6c0adb8a223a324a2c958ced3d8ce55cac8210995e99863992e09a759a9b36d56c2fc597188d9bd44aee49ef69cc81f06d48629a9f2f70e941665

Download Submit
C:\Windows\System\gyMTZdJ.exe
MD5
573caffb35da01d1da3c9f70f14720e2

SHA1
f94ca9c85dbf4b5a3baf63754c5f93bb941001dd

SHA256
77b1ae7054b06772dee2ac3c3e42700d84dbb487aa65d109ba1fa006c54424eb

SHA512
4b6eddc70ac6c0adb8a223a324a2c958ced3d8ce55cac8210995e99863992e09a759a9b36d56c2fc597188d9bd44aee49ef69cc81f06d48629a9f2f70e941665

Download Submit
C:\Windows\System\iDRMkGh.exe
MD5
085acd1ca046bc3c648bdffa50a121db

SHA1
4a8a182891b2461fdf5c555fc72479a25fee77e2

SHA256
a0654f704d4e02a80fa8ae1001f9d96896f169ee713b6a46a37bdd1fcb31a673

SHA512
5e04ae1449b8f8fb39eb9188999001712da9e844ffa1acb0acb8ea77739e838632194a520c87f556afb42843333074820721e0f5997ba2c8da0c90108786b5c3

Download Submit
C:\Windows\System\iDRMkGh.exe
MD5
085acd1ca046bc3c648bdffa50a121db

SHA1
4a8a182891b2461fdf5c555fc72479a25fee77e2

SHA256
a0654f704d4e02a80fa8ae1001f9d96896f169ee713b6a46a37bdd1fcb31a673

SHA512
5e04ae1449b8f8fb39eb9188999001712da9e844ffa1acb0acb8ea77739e838632194a520c87f556afb42843333074820721e0f5997ba2c8da0c90108786b5c3

Download Submit
C:\Windows\System\tHmifoD.exe
MD5
c9da908a8cb83d5836dd3ceabe1d295a

SHA1
98b674db92e119d29d855aca2ad464095bde0673

SHA256
a1c043043c5d4d78d81a7b531ff9a88c8a157a4da3c15b6e6640c41da102c96f

SHA512
b9f5278246a127aea476bf2e5201a3164a52dff829d001830498c30b60ef781f528e4713f099dd8765807f5e5c8946ff17035f1607dbdaedecdd9c9d501ab61a

Download Submit
C:\Windows\System\tHmifoD.exe
MD5
c9da908a8cb83d5836dd3ceabe1d295a

SHA1
98b674db92e119d29d855aca2ad464095bde0673

SHA256
a1c043043c5d4d78d81a7b531ff9a88c8a157a4da3c15b6e6640c41da102c96f

SHA512
b9f5278246a127aea476bf2e5201a3164a52dff829d001830498c30b60ef781f528e4713f099dd8765807f5e5c8946ff17035f1607dbdaedecdd9c9d501ab61a

Download Submit
C:\Windows\System\vJtNdXW.exe
MD5
5b35cee86833649084509fc7e3d0a38a

SHA1
e1b24f9b1be3a005b056ed5284f227232e6be62d

SHA256
05383390cc2e539164e23817db58985796933eb66de35f45da8f5f760fb002b4

SHA512
f59ce6c5f4d1c8fef9c0f1c05b95939b8ad645f8151ac91ca1dd9d1c7e112924ef529af6baff62f7c2f9656ab94bf00f2b2e1ee680ee1105ec2b36f34dd84618

Download Submit
C:\Windows\System\vJtNdXW.exe
MD5
5b35cee86833649084509fc7e3d0a38a

SHA1
e1b24f9b1be3a005b056ed5284f227232e6be62d

SHA256
05383390cc2e539164e23817db58985796933eb66de35f45da8f5f760fb002b4

SHA512
f59ce6c5f4d1c8fef9c0f1c05b95939b8ad645f8151ac91ca1dd9d1c7e112924ef529af6baff62f7c2f9656ab94bf00f2b2e1ee680ee1105ec2b36f34dd84618

Download Submit
C:\Windows\System\vfHYGHG.exe
MD5
33452127b878591468cc6816420e00db

SHA1
b60cf8156f0b195f79a859450128afa973273967

SHA256
d52f0882b2b45b79f610966567599d36142ef8a36e8669333ce0c77a6dc352f9

SHA512
e1a796db9b0cbcb83eb4a47a487463f7b0ab00e03c0981822122ce2f06c13c4701f82f199690b6a297100f179a610f55514ec0b252ee3f5022d6df4295e8eba9

Download Submit
C:\Windows\System\vfHYGHG.exe
MD5
33452127b878591468cc6816420e00db

SHA1
b60cf8156f0b195f79a859450128afa973273967

SHA256
d52f0882b2b45b79f610966567599d36142ef8a36e8669333ce0c77a6dc352f9

SHA512
e1a796db9b0cbcb83eb4a47a487463f7b0ab00e03c0981822122ce2f06c13c4701f82f199690b6a297100f179a610f55514ec0b252ee3f5022d6df4295e8eba9

Download Submit
C:\Windows\System\vwhUOZC.exe
MD5
e2103cbf514c3d5445f49d57d05ef834

SHA1
5b6a4ef1460cfff84370c264264189c42615cef1

SHA256
997ecf8b8a0ff2effb590591de77a93e73d6eab40a39dd18ff6af7e80846f03e

SHA512
9f91141857bbd20fa4a0f809bb7b3236a029cbfef89dec6b47c67878ac6003e615541295823f126812598f962bf9c828ddfd6659ee4135947da81d06bf82626c

Download Submit
C:\Windows\System\vwhUOZC.exe
MD5
e2103cbf514c3d5445f49d57d05ef834

SHA1
5b6a4ef1460cfff84370c264264189c42615cef1

SHA256
997ecf8b8a0ff2effb590591de77a93e73d6eab40a39dd18ff6af7e80846f03e

SHA512
9f91141857bbd20fa4a0f809bb7b3236a029cbfef89dec6b47c67878ac6003e615541295823f126812598f962bf9c828ddfd6659ee4135947da81d06bf82626c

Download Submit
C:\Windows\System\wMQeEGr.exe
MD5
d3ae40966e7de93868828a0751b93487

SHA1
b42973a6496e0f9baf0cce91807a3d8e30dd80e1

SHA256
31a113d2d0942eefbd138ff19d4973c6791b5b7ecd75dd1b43f8bcb173ff52db

SHA512
127ad05e36c8da5dde5ae1126ef9a8cb7b365db1649879293a8b867a8dc1b1271ac7f1166a2c2fab8901bf647acea4284ef49fb8c24483b9f64a6fd8a9b01bef

Download Submit
C:\Windows\System\wMQeEGr.exe
MD5
d3ae40966e7de93868828a0751b93487

SHA1
b42973a6496e0f9baf0cce91807a3d8e30dd80e1

SHA256
31a113d2d0942eefbd138ff19d4973c6791b5b7ecd75dd1b43f8bcb173ff52db

SHA512
127ad05e36c8da5dde5ae1126ef9a8cb7b365db1649879293a8b867a8dc1b1271ac7f1166a2c2fab8901bf647acea4284ef49fb8c24483b9f64a6fd8a9b01bef

Download Submit
C:\Windows\System\xIwlGRy.exe
MD5
90b18b0cbbf07768254a67ceecaca229

SHA1
73ed99d8e8c749d5db45be7cc442a37acfe84f3a

SHA256
55582afb187ad298cd01dbd1b1d9a3b18660a4dea0b42ea06083b592b7d1dfa9

SHA512
a646e49918f09f51dfb8210fd3ed41263fba702ba63b017df84cf47152ddb7562f5a660d07e1c6ddb43f56922fea1e4b51158d5e72b9f282c0e740ad3c0e6a00

Download Submit
C:\Windows\System\xIwlGRy.exe
MD5
90b18b0cbbf07768254a67ceecaca229

SHA1
73ed99d8e8c749d5db45be7cc442a37acfe84f3a

SHA256
55582afb187ad298cd01dbd1b1d9a3b18660a4dea0b42ea06083b592b7d1dfa9

SHA512
a646e49918f09f51dfb8210fd3ed41263fba702ba63b017df84cf47152ddb7562f5a660d07e1c6ddb43f56922fea1e4b51158d5e72b9f282c0e740ad3c0e6a00

Download Submit
memory/192-28-0x0000000000000000-mapping.dmp

Download
memory/492-26-0x0000000000000000-mapping.dmp

Download
memory/640-22-0x0000000000000000-mapping.dmp

Download
memory/676-19-0x0000000000000000-mapping.dmp

Download
memory/692-48-0x0000000000000000-mapping.dmp

Download
memory/1128-42-0x0000000000000000-mapping.dmp

Download
memory/2000-31-0x0000000000000000-mapping.dmp

Download
memory/2024-0-0x0000000000000000-mapping.dmp

Download
memory/2096-45-0x0000000000000000-mapping.dmp

Download
memory/2168-14-0x0000000000000000-mapping.dmp

Download
memory/2272-6-0x0000000000000000-mapping.dmp

Download
memory/2484-9-0x0000000000000000-mapping.dmp

Download
memory/2516-50-0x0000000000000000-mapping.dmp

Download
memory/2564-12-0x0000000000000000-mapping.dmp

Download
memory/2828-39-0x0000000000000000-mapping.dmp

Download
memory/2960-54-0x0000000000000000-mapping.dmp

Download
memory/3136-15-0x0000000000000000-mapping.dmp

Download
memory/3292-35-0x0000000000000000-mapping.dmp

Download
memory/3464-58-0x0000000000000000-mapping.dmp

Download
memory/3480-56-0x0000000000000000-mapping.dmp

Download
memory/3844-3-0x0000000000000000-mapping.dmp

Download