cobaltstrike | 9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
Size

5.9MB
MD5

83f161e4d6806c40182717910e7a2333
SHA1

6e74fbb9d7a176959b84238f690a11a066b3a9af
SHA256

9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b
SHA512

b956d6a8b13e19654b10492bab28757a0cf9ce90b51e957429f4ef0e5dbe15490f1e090e77f13ae0591ccf15979c5fe4faa96422aa8113dfe1dd20713bfc8661
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU5:Q+856utgpPF8u/75

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023420-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-23.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-36.dat	cobalt_reflective_dll
behavioral2/files/0x000b00000002338d-42.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023424-51.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000022a94-53.dat	cobalt_reflective_dll
behavioral2/files/0x000c00000002338b-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-119.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4592-0-0x00007FF62D1C0000-0x00007FF62D514000-memory.dmp	xmrig
behavioral2/files/0x000a000000023420-4.dat	xmrig
behavioral2/memory/1748-8-0x00007FF61F2B0000-0x00007FF61F604000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-10.dat	xmrig
behavioral2/memory/4728-14-0x00007FF6686B0000-0x00007FF668A04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023428-11.dat	xmrig
behavioral2/memory/2624-19-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp	xmrig
behavioral2/files/0x0007000000023429-23.dat	xmrig
behavioral2/memory/652-26-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp	xmrig
behavioral2/files/0x000700000002342a-29.dat	xmrig
behavioral2/memory/3724-32-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp	xmrig
behavioral2/files/0x000700000002342b-36.dat	xmrig
behavioral2/memory/3672-39-0x00007FF6BA5D0000-0x00007FF6BA924000-memory.dmp	xmrig
behavioral2/files/0x000b00000002338d-42.dat	xmrig
behavioral2/files/0x0009000000023424-51.dat	xmrig
behavioral2/files/0x0009000000022a94-53.dat	xmrig
behavioral2/memory/376-56-0x00007FF770180000-0x00007FF7704D4000-memory.dmp	xmrig
behavioral2/files/0x000c00000002338b-59.dat	xmrig
behavioral2/memory/2184-48-0x00007FF775FB0000-0x00007FF776304000-memory.dmp	xmrig
behavioral2/memory/432-61-0x00007FF6972E0000-0x00007FF697634000-memory.dmp	xmrig
behavioral2/memory/4592-60-0x00007FF62D1C0000-0x00007FF62D514000-memory.dmp	xmrig
behavioral2/memory/5364-44-0x00007FF74B050000-0x00007FF74B3A4000-memory.dmp	xmrig
behavioral2/files/0x000700000002342c-67.dat	xmrig
behavioral2/memory/3000-78-0x00007FF7F2780000-0x00007FF7F2AD4000-memory.dmp	xmrig
behavioral2/files/0x000700000002342e-77.dat	xmrig
behavioral2/memory/3500-82-0x00007FF7E1B60000-0x00007FF7E1EB4000-memory.dmp	xmrig
behavioral2/memory/2624-79-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp	xmrig
behavioral2/files/0x000700000002342d-73.dat	xmrig
behavioral2/memory/3612-71-0x00007FF6A7610000-0x00007FF6A7964000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-84.dat	xmrig
behavioral2/memory/5132-87-0x00007FF602B30000-0x00007FF602E84000-memory.dmp	xmrig
behavioral2/memory/652-86-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp	xmrig
behavioral2/files/0x0007000000023430-93.dat	xmrig
behavioral2/memory/3724-95-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp	xmrig
behavioral2/memory/5128-96-0x00007FF784210000-0x00007FF784564000-memory.dmp	xmrig
behavioral2/files/0x0007000000023431-100.dat	xmrig
behavioral2/files/0x0007000000023432-106.dat	xmrig
behavioral2/memory/2392-102-0x00007FF6874F0000-0x00007FF687844000-memory.dmp	xmrig
behavioral2/memory/5600-108-0x00007FF764710000-0x00007FF764A64000-memory.dmp	xmrig
behavioral2/memory/5428-115-0x00007FF7DED00000-0x00007FF7DF054000-memory.dmp	xmrig
behavioral2/memory/2184-113-0x00007FF775FB0000-0x00007FF776304000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-112.dat	xmrig
behavioral2/files/0x0007000000023436-124.dat	xmrig
behavioral2/memory/432-128-0x00007FF6972E0000-0x00007FF697634000-memory.dmp	xmrig
behavioral2/memory/5164-129-0x00007FF65B7D0000-0x00007FF65BB24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-131.dat	xmrig
behavioral2/memory/5340-121-0x00007FF73D3F0000-0x00007FF73D744000-memory.dmp	xmrig
behavioral2/memory/376-120-0x00007FF770180000-0x00007FF7704D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023434-119.dat	xmrig
behavioral2/memory/4104-134-0x00007FF7A44B0000-0x00007FF7A4804000-memory.dmp	xmrig
behavioral2/memory/3500-135-0x00007FF7E1B60000-0x00007FF7E1EB4000-memory.dmp	xmrig
behavioral2/memory/5132-136-0x00007FF602B30000-0x00007FF602E84000-memory.dmp	xmrig
behavioral2/memory/5340-137-0x00007FF73D3F0000-0x00007FF73D744000-memory.dmp	xmrig
behavioral2/memory/1748-138-0x00007FF61F2B0000-0x00007FF61F604000-memory.dmp	xmrig
behavioral2/memory/4728-139-0x00007FF6686B0000-0x00007FF668A04000-memory.dmp	xmrig
behavioral2/memory/2624-140-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp	xmrig
behavioral2/memory/652-141-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp	xmrig
behavioral2/memory/3724-142-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp	xmrig
behavioral2/memory/3672-143-0x00007FF6BA5D0000-0x00007FF6BA924000-memory.dmp	xmrig
behavioral2/memory/5364-144-0x00007FF74B050000-0x00007FF74B3A4000-memory.dmp	xmrig
behavioral2/memory/2184-145-0x00007FF775FB0000-0x00007FF776304000-memory.dmp	xmrig
behavioral2/memory/376-146-0x00007FF770180000-0x00007FF7704D4000-memory.dmp	xmrig
behavioral2/memory/432-147-0x00007FF6972E0000-0x00007FF697634000-memory.dmp	xmrig
behavioral2/memory/3612-148-0x00007FF6A7610000-0x00007FF6A7964000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1748	EGzaNnc.exe
4728	DhYJCrq.exe
2624	qYaOyXi.exe
652	ilIibmM.exe
3724	yJsxTiv.exe
3672	eNToTkx.exe
5364	dMXGxTc.exe
2184	RrhDzjH.exe
376	iHyWLSK.exe
432	xxYynIR.exe
3612	fWdvOHY.exe
3000	hpRZdpm.exe
3500	jlkMbaO.exe
5132	vlIHmmz.exe
5128	sCGkyOW.exe
2392	nMTxrZU.exe
5600	kyFAMVZ.exe
5428	vmcfBTw.exe
5340	iTbnHeY.exe
5164	ssZNgMH.exe
4104	MtkzNoB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4592-0-0x00007FF62D1C0000-0x00007FF62D514000-memory.dmp	upx
behavioral2/files/0x000a000000023420-4.dat	upx
behavioral2/memory/1748-8-0x00007FF61F2B0000-0x00007FF61F604000-memory.dmp	upx
behavioral2/files/0x0007000000023427-10.dat	upx
behavioral2/memory/4728-14-0x00007FF6686B0000-0x00007FF668A04000-memory.dmp	upx
behavioral2/files/0x0007000000023428-11.dat	upx
behavioral2/memory/2624-19-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp	upx
behavioral2/files/0x0007000000023429-23.dat	upx
behavioral2/memory/652-26-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp	upx
behavioral2/files/0x000700000002342a-29.dat	upx
behavioral2/memory/3724-32-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp	upx
behavioral2/files/0x000700000002342b-36.dat	upx
behavioral2/memory/3672-39-0x00007FF6BA5D0000-0x00007FF6BA924000-memory.dmp	upx
behavioral2/files/0x000b00000002338d-42.dat	upx
behavioral2/files/0x0009000000023424-51.dat	upx
behavioral2/files/0x0009000000022a94-53.dat	upx
behavioral2/memory/376-56-0x00007FF770180000-0x00007FF7704D4000-memory.dmp	upx
behavioral2/files/0x000c00000002338b-59.dat	upx
behavioral2/memory/2184-48-0x00007FF775FB0000-0x00007FF776304000-memory.dmp	upx
behavioral2/memory/432-61-0x00007FF6972E0000-0x00007FF697634000-memory.dmp	upx
behavioral2/memory/4592-60-0x00007FF62D1C0000-0x00007FF62D514000-memory.dmp	upx
behavioral2/memory/5364-44-0x00007FF74B050000-0x00007FF74B3A4000-memory.dmp	upx
behavioral2/files/0x000700000002342c-67.dat	upx
behavioral2/memory/3000-78-0x00007FF7F2780000-0x00007FF7F2AD4000-memory.dmp	upx
behavioral2/files/0x000700000002342e-77.dat	upx
behavioral2/memory/3500-82-0x00007FF7E1B60000-0x00007FF7E1EB4000-memory.dmp	upx
behavioral2/memory/2624-79-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp	upx
behavioral2/files/0x000700000002342d-73.dat	upx
behavioral2/memory/3612-71-0x00007FF6A7610000-0x00007FF6A7964000-memory.dmp	upx
behavioral2/files/0x000700000002342f-84.dat	upx
behavioral2/memory/5132-87-0x00007FF602B30000-0x00007FF602E84000-memory.dmp	upx
behavioral2/memory/652-86-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp	upx
behavioral2/files/0x0007000000023430-93.dat	upx
behavioral2/memory/3724-95-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp	upx
behavioral2/memory/5128-96-0x00007FF784210000-0x00007FF784564000-memory.dmp	upx
behavioral2/files/0x0007000000023431-100.dat	upx
behavioral2/files/0x0007000000023432-106.dat	upx
behavioral2/memory/2392-102-0x00007FF6874F0000-0x00007FF687844000-memory.dmp	upx
behavioral2/memory/5600-108-0x00007FF764710000-0x00007FF764A64000-memory.dmp	upx
behavioral2/memory/5428-115-0x00007FF7DED00000-0x00007FF7DF054000-memory.dmp	upx
behavioral2/memory/2184-113-0x00007FF775FB0000-0x00007FF776304000-memory.dmp	upx
behavioral2/files/0x0007000000023433-112.dat	upx
behavioral2/files/0x0007000000023436-124.dat	upx
behavioral2/memory/432-128-0x00007FF6972E0000-0x00007FF697634000-memory.dmp	upx
behavioral2/memory/5164-129-0x00007FF65B7D0000-0x00007FF65BB24000-memory.dmp	upx
behavioral2/files/0x0007000000023437-131.dat	upx
behavioral2/memory/5340-121-0x00007FF73D3F0000-0x00007FF73D744000-memory.dmp	upx
behavioral2/memory/376-120-0x00007FF770180000-0x00007FF7704D4000-memory.dmp	upx
behavioral2/files/0x0007000000023434-119.dat	upx
behavioral2/memory/4104-134-0x00007FF7A44B0000-0x00007FF7A4804000-memory.dmp	upx
behavioral2/memory/3500-135-0x00007FF7E1B60000-0x00007FF7E1EB4000-memory.dmp	upx
behavioral2/memory/5132-136-0x00007FF602B30000-0x00007FF602E84000-memory.dmp	upx
behavioral2/memory/5340-137-0x00007FF73D3F0000-0x00007FF73D744000-memory.dmp	upx
behavioral2/memory/1748-138-0x00007FF61F2B0000-0x00007FF61F604000-memory.dmp	upx
behavioral2/memory/4728-139-0x00007FF6686B0000-0x00007FF668A04000-memory.dmp	upx
behavioral2/memory/2624-140-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp	upx
behavioral2/memory/652-141-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp	upx
behavioral2/memory/3724-142-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp	upx
behavioral2/memory/3672-143-0x00007FF6BA5D0000-0x00007FF6BA924000-memory.dmp	upx
behavioral2/memory/5364-144-0x00007FF74B050000-0x00007FF74B3A4000-memory.dmp	upx
behavioral2/memory/2184-145-0x00007FF775FB0000-0x00007FF776304000-memory.dmp	upx
behavioral2/memory/376-146-0x00007FF770180000-0x00007FF7704D4000-memory.dmp	upx
behavioral2/memory/432-147-0x00007FF6972E0000-0x00007FF697634000-memory.dmp	upx
behavioral2/memory/3612-148-0x00007FF6A7610000-0x00007FF6A7964000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DhYJCrq.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\jlkMbaO.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\MtkzNoB.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\kyFAMVZ.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\ssZNgMH.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\ilIibmM.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\RrhDzjH.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\iHyWLSK.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\fWdvOHY.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\vlIHmmz.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\sCGkyOW.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\nMTxrZU.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\vmcfBTw.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\EGzaNnc.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\qYaOyXi.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\yJsxTiv.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\hpRZdpm.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\iTbnHeY.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\eNToTkx.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\dMXGxTc.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
File created	C:\Windows\System\xxYynIR.exe	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
Token: SeLockMemoryPrivilege	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 1748	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	83
PID 4592 wrote to memory of 1748	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	83
PID 4592 wrote to memory of 4728	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	84
PID 4592 wrote to memory of 4728	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	84
PID 4592 wrote to memory of 2624	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	86
PID 4592 wrote to memory of 2624	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	86
PID 4592 wrote to memory of 652	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	88
PID 4592 wrote to memory of 652	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	88
PID 4592 wrote to memory of 3724	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	89
PID 4592 wrote to memory of 3724	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	89
PID 4592 wrote to memory of 3672	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	90
PID 4592 wrote to memory of 3672	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	90
PID 4592 wrote to memory of 5364	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	91
PID 4592 wrote to memory of 5364	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	91
PID 4592 wrote to memory of 2184	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	92
PID 4592 wrote to memory of 2184	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	92
PID 4592 wrote to memory of 376	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	93
PID 4592 wrote to memory of 376	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	93
PID 4592 wrote to memory of 432	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	94
PID 4592 wrote to memory of 432	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	94
PID 4592 wrote to memory of 3612	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	95
PID 4592 wrote to memory of 3612	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	95
PID 4592 wrote to memory of 3000	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	96
PID 4592 wrote to memory of 3000	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	96
PID 4592 wrote to memory of 3500	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	97
PID 4592 wrote to memory of 3500	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	97
PID 4592 wrote to memory of 5132	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	98
PID 4592 wrote to memory of 5132	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	98
PID 4592 wrote to memory of 5128	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	99
PID 4592 wrote to memory of 5128	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	99
PID 4592 wrote to memory of 2392	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	100
PID 4592 wrote to memory of 2392	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	100
PID 4592 wrote to memory of 5600	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	103
PID 4592 wrote to memory of 5600	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	103
PID 4592 wrote to memory of 5428	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	104
PID 4592 wrote to memory of 5428	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	104
PID 4592 wrote to memory of 5340	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	105
PID 4592 wrote to memory of 5340	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	105
PID 4592 wrote to memory of 5164	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	107
PID 4592 wrote to memory of 5164	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	107
PID 4592 wrote to memory of 4104	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	108
PID 4592 wrote to memory of 4104	4592	9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe	108

C:\Users\Admin\AppData\Local\Temp\9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe
"C:\Users\Admin\AppData\Local\Temp\9254e7e330dd896ae4519fc0ae676ce6680c8d920197e0b10e3f003f71720a1b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\System\EGzaNnc.exe
  C:\Windows\System\EGzaNnc.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\DhYJCrq.exe
  C:\Windows\System\DhYJCrq.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\qYaOyXi.exe
  C:\Windows\System\qYaOyXi.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\ilIibmM.exe
  C:\Windows\System\ilIibmM.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\yJsxTiv.exe
  C:\Windows\System\yJsxTiv.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\eNToTkx.exe
  C:\Windows\System\eNToTkx.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\dMXGxTc.exe
  C:\Windows\System\dMXGxTc.exe
  2⤵
  - Executes dropped EXE
  PID:5364
- C:\Windows\System\RrhDzjH.exe
  C:\Windows\System\RrhDzjH.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\iHyWLSK.exe
  C:\Windows\System\iHyWLSK.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\xxYynIR.exe
  C:\Windows\System\xxYynIR.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\fWdvOHY.exe
  C:\Windows\System\fWdvOHY.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\hpRZdpm.exe
  C:\Windows\System\hpRZdpm.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\jlkMbaO.exe
  C:\Windows\System\jlkMbaO.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\vlIHmmz.exe
  C:\Windows\System\vlIHmmz.exe
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Windows\System\sCGkyOW.exe
  C:\Windows\System\sCGkyOW.exe
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Windows\System\nMTxrZU.exe
  C:\Windows\System\nMTxrZU.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\kyFAMVZ.exe
  C:\Windows\System\kyFAMVZ.exe
  2⤵
  - Executes dropped EXE
  PID:5600
- C:\Windows\System\vmcfBTw.exe
  C:\Windows\System\vmcfBTw.exe
  2⤵
  - Executes dropped EXE
  PID:5428
- C:\Windows\System\iTbnHeY.exe
  C:\Windows\System\iTbnHeY.exe
  2⤵
  - Executes dropped EXE
  PID:5340
- C:\Windows\System\ssZNgMH.exe
  C:\Windows\System\ssZNgMH.exe
  2⤵
  - Executes dropped EXE
  PID:5164
- C:\Windows\System\MtkzNoB.exe
  C:\Windows\System\MtkzNoB.exe
  2⤵
  - Executes dropped EXE
  PID:4104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DhYJCrq.exe

Filesize
5.9MB

MD5
2812b34deb4eaf400ef6e93e6fef7024

SHA1
26583372605c1028e0b8931d32f9df1c7238619b

SHA256
1e3d631be9fb17c81d93d68cf2641492cd0a99458d102df74a4aefb7d9634fff

SHA512
eb7be1398262f47069b12416467f0c00f0916ba658738e3e0726c7208e990b67fba1d879c6ce18d85b3cae563ed4c845d06d39aefe6e3210dc5446c3c5dc0383

Download Submit
C:\Windows\System\EGzaNnc.exe

Filesize
5.9MB

MD5
437369b8baa3efdd012c48d28844dab8

SHA1
cb3796ea89531cf3c48d5febeafb32214369bc23

SHA256
5236e8ab5e2bbd8f2ac5145d0ab9055cf52ee20a87ec982b44adad071ff8e523

SHA512
3223ffc995b41a73c9f9f3ea16bf851faa0107e4533807c4aae2f8b5d7176dac155882d9f7854674b9a6e969b2157f8b697ec4422c7204bcd7c84f8c9d200416

Download Submit
C:\Windows\System\MtkzNoB.exe

Filesize
5.9MB

MD5
ce369faf7abe3d28cc3210b189ad144b

SHA1
b3c6b3ff5291f970abc5e2275c74e7bc7cffd91e

SHA256
bfa3b44ee56b393566eaa790ed315482b572c5425be58761fe60824be359b83e

SHA512
656e87bcdb229d65d41c9d17f0f70c95c412e264a93bc0a5765aa0fe0d57b0690d88dbc9ac9db43e0deaa3926aadbb0c24edd60b32232afdc87cc221e10537ef

Download Submit
C:\Windows\System\RrhDzjH.exe

Filesize
5.9MB

MD5
b6048918a417023c1a3e8c85a13854b5

SHA1
436596706ab3db307ad5fe7ea9e237c8c7dd65ee

SHA256
3b982ae04e5977fb5255d5ed83ad78356b93b91d4581c5a47f56d38acb1fd745

SHA512
16f71dccb7aa96960788259b67505f3c1848b49e8ba2640b50c845af948a26a960d7f05ecf198b3d811a4bdf1e90e5348d99321024523bc05cee478815684ff8

Download Submit
C:\Windows\System\dMXGxTc.exe

Filesize
5.9MB

MD5
5d7b3061117a5ed0efafa292383c8bb4

SHA1
0dacb6ed1357a6606b808d2c7ccd2fbf15d61f00

SHA256
67246a43e24b856d2d820d4b51d8aed5508d94a9cf22a4d5b8d902fe989412f6

SHA512
97e93a3e5e9761838303f8708e4971c9cf558722448eca224bab8fa71c5dadb15b72f709cb7f5c0d918b389a62edec3604bd704877c418f76ea8e0bf84c14e41

Download Submit
C:\Windows\System\eNToTkx.exe

Filesize
5.9MB

MD5
b8d4460f4ddea670b9b4d4a10c7207ad

SHA1
7f8082b05772c29e7a3a593534376a635d96e946

SHA256
3dc452314767f5ea35f42061d043dd4b70b98ec6bde3002138aa467ca96210e7

SHA512
99c946110431cf8cbd24c934da54f34633faa14da52edea34511d508dc64fc951358bd1bd24eddcec480292727f0fde5a40c0c59acee431bed0c4f78ff526a54

Download Submit
C:\Windows\System\fWdvOHY.exe

Filesize
5.9MB

MD5
56ed4b51c3e22237d561fca068146546

SHA1
2627dc2d58f810fa4288ee2494156e3b3f4d3293

SHA256
28f8eb899160e1120918ecb027609196da781eb10b03d3e12d55edb28c5051c4

SHA512
58e832ae363e40b6fa6cb5a71ec646fc23ce033c106d34ca86cc01c949ac2ba6513cdcf51d98be865a0d71a3378bba534aeb4b32fd499ba6997694d43ee4341c

Download Submit
C:\Windows\System\hpRZdpm.exe

Filesize
5.9MB

MD5
e439a61a0c9e2f3543fc639296842759

SHA1
61d2d2f6f1a5ecd8642dd8202b0282897d3a97e4

SHA256
07c2a644969dc181c33db206271b21154f58c165af56b7d2f1c7d1275697b7bf

SHA512
93899aaed29543bf038b64904362dff59fc1760222d75d9dc8491f8ab07eaa7af89da12ae7e96e76ac39b2d38806721530c81971be77ac5101792098dde78304

Download Submit
C:\Windows\System\iHyWLSK.exe

Filesize
5.9MB

MD5
c7cc2e506d60dd882bee9622a44ed136

SHA1
1a2e6ce504e2dc9b51250a53e605cc51639f4fed

SHA256
e3384394953d6828c649a3724c8de58aa1868ed4e5f4c7b868c92a3e618d61d1

SHA512
0a53e627d9e2ee9e8f985f26e258d17451772522eec9fe9a16142ed763749ae36d953d9fdff36f28b39c0bb76e1ef5d98ff5a56eafd2bed52bb177509f61077e

Download Submit
C:\Windows\System\iTbnHeY.exe

Filesize
5.9MB

MD5
089b3e10f5340821e492587febdc199b

SHA1
97b3a44634037a2ef39e8884b92f8c64765ff63f

SHA256
6bac2f2843250e25ecd59554f2158ac8fdba277e74bc265f4d793624f9553eae

SHA512
b57651f9bcd6d6769649fac883cfcbcd2f0ff045809526f64ad4fd1b1b776af6cd65072f65de7715d3272205d069d6d0017f3c7ed435f53b076f786eca5a9628

Download Submit
C:\Windows\System\ilIibmM.exe

Filesize
5.9MB

MD5
10caa5c60b0bbb9d888daf196ca1c8a4

SHA1
ed72dc594db1960fc2efc243848bf113059acec9

SHA256
c7efb093db39196cfd2b28c2183362bd46e3cdc56c5e8476ca18d37ea9525e58

SHA512
5319a1f6fd3062e2200d966870b466650e81b9d8a9ae5644f4b50df2eccbffe31ec8833e867e3b6e75573e7009f122f625371a4c9a554c6f364491d0476469ee

Download Submit
C:\Windows\System\jlkMbaO.exe

Filesize
5.9MB

MD5
4ec8098c3008183602c813455a43c00f

SHA1
0232149278bbaaec99229d2b7e72473e796d0ff6

SHA256
73d4f536776d0c1110bec84d9f883dd6ecb9c6797ea6e2aa7e6ef1961e15c1db

SHA512
fba80191fbb3eb137933a61fc2b091e8a4669665f5078acaf5bc685b2c447c4f0e1182fdf6df80d97063a261f28aec86c29c57f971d40c0c1e482bccd85c9197

Download Submit
C:\Windows\System\kyFAMVZ.exe

Filesize
5.9MB

MD5
e651c7ad8a771c13e7319e86af271fd9

SHA1
5b93dbfe1f84adfb075ebc1a4090cb4221b58050

SHA256
ddf2ed9254c8ca1663d956a68316e14354c9de65d80818848d6a0357c1b6e216

SHA512
a64faf5d0cba086ffc7368eb5877d7df1f58264aa7cdc8dbea922786dec81000ce61e770bee3d1013a59f9b7a2588d5033cdaac7849991a069fad55c9579fc4e

Download Submit
C:\Windows\System\nMTxrZU.exe

Filesize
5.9MB

MD5
50e157a5260cb94c2de28662c97b5952

SHA1
71358a8736e4405eea71d48ffb04279c2f09df0c

SHA256
9dd872b7bf0bf7925687d36695be9048ee8ba9df5995421995c72592503d8b5a

SHA512
11fc17f52c385cd1e9569253fbd9983b29599ea7d73e74a9b50f7e9b73d940d285b196b6f4733839be3adaeba43c715b4748e3eeb388896d0b064b7945332f7f

Download Submit
C:\Windows\System\qYaOyXi.exe

Filesize
5.9MB

MD5
6681ac95d4d12ab03dfcf84a3cecb812

SHA1
c236cc49d9c1c2528153d61a5bc178cede32857f

SHA256
f6d5923bb13e16d0bcf9e1c897c877d4b1ac437c025f635bcb46a5cd53a0e37b

SHA512
eed7f7a095811b6d21a84804e830e47884eff535a043c463e1d14d345eead3e5f16223a145c0ed18575bda306f163abbf646186bf607b085263eda9831c14d3d

Download Submit
C:\Windows\System\sCGkyOW.exe

Filesize
5.9MB

MD5
6e93023349a7425c092d755461432d4b

SHA1
8750aee6d8a3e04b9666d7536411576ee9afc5b3

SHA256
2a85953c960fee92eb6251dcd315a08260fe3fada3be10f478715f114db8889f

SHA512
d03affc1a8e487587c6629dc055afc8248eba31536c4133f602a2df5f6d394afb85582a830f45a0feea8bbc92ed7596f78e47027d32f4c4b8074195dae2e961b

Download Submit
C:\Windows\System\ssZNgMH.exe

Filesize
5.9MB

MD5
d1e01d1055bf22d47df33b770add50e9

SHA1
deca29ef7f728f15e3ac83e47c50b98868352fbe

SHA256
227e1e2b96370cf63fa0333181257799ebbc35114d0f8e2c024c4ffbd28a6878

SHA512
b1409c12fa25426ef2ef0843f2dfd106d2189bd7ea56aecd15899ca04d15bfeb0bc60803a8e8811f7a18f5e012aca719617ebd314abbcaf4dddda3adc70aa7ac

Download Submit
C:\Windows\System\vlIHmmz.exe

Filesize
5.9MB

MD5
80e333268fcd5374818008ac608c0f7b

SHA1
585733323b43783d146ee7cb3e60f4b13bb8c0c5

SHA256
e5cbef3221a26b1647d6b62242c45000b21b2d7758a81ead9fc26514dea31aac

SHA512
5bdc8ed1bcd2090b6a4d676d185d0a2f39ea608a5518aa415dba325df5db7e1519c14150d46d259c55744ab814b416036231a71f624deba5661d43c8482eac2b

Download Submit
C:\Windows\System\vmcfBTw.exe

Filesize
5.9MB

MD5
5422440c1ae6512c6873f2aac676c3c1

SHA1
dea279e475443415023cdfe5c848269a84be8da7

SHA256
bc1fe1af527f9ae65d9d122c096f2a84653bd967431effca18f47a2f1b8edba1

SHA512
be91ec2809e99a50e98686f8b3000b340817286a1b44d50127248b70faa8903d5190114e56d54966228a360fb5a0cd6203b817b8dab945daffcf5185befad548

Download Submit
C:\Windows\System\xxYynIR.exe

Filesize
5.9MB

MD5
670be2ca7f872f3770eb5935c7767c39

SHA1
3ae6ac09dfc739718940123719f2a01be7972a0f

SHA256
cfb1446c13307a11675c2dbcfe5ef33d3c985bebd542fc529a34dca087437363

SHA512
de146838f84c4cf2d503d449380971be094722e5f294d76b0d75b2df34f08839c12379b48830ed6967315b1f2aadfd6a3fd678864d46b796b056453782131b03

Download Submit
C:\Windows\System\yJsxTiv.exe

Filesize
5.9MB

MD5
1469b34415950eec4d6cc8cc91578aee

SHA1
37cd3f3349fdc4655797e2672625eb4b596dbad6

SHA256
cb76ca2a9661d897ef178e894141e4a4b506cb193f1a39de4d8d28c62703e0ca

SHA512
4eb82ee3b0948a21cb83427d6f4fb54a8cdadbf2633270a166613ab8cd57f77efd6d753f87e5b51893b98eb4d23ebd2cf8fb1d91c293894a8d08bb6776488665

Download Submit
memory/376-56-0x00007FF770180000-0x00007FF7704D4000-memory.dmp

Filesize
3.3MB

Download
memory/376-120-0x00007FF770180000-0x00007FF7704D4000-memory.dmp

Filesize
3.3MB

Download
memory/376-146-0x00007FF770180000-0x00007FF7704D4000-memory.dmp

Filesize
3.3MB

Download
memory/432-128-0x00007FF6972E0000-0x00007FF697634000-memory.dmp

Filesize
3.3MB

Download
memory/432-61-0x00007FF6972E0000-0x00007FF697634000-memory.dmp

Filesize
3.3MB

Download
memory/432-147-0x00007FF6972E0000-0x00007FF697634000-memory.dmp

Filesize
3.3MB

Download
memory/652-26-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp

Filesize
3.3MB

Download
memory/652-86-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp

Filesize
3.3MB

Download
memory/652-141-0x00007FF7A0FF0000-0x00007FF7A1344000-memory.dmp

Filesize
3.3MB

Download
memory/1748-8-0x00007FF61F2B0000-0x00007FF61F604000-memory.dmp

Filesize
3.3MB

Download
memory/1748-138-0x00007FF61F2B0000-0x00007FF61F604000-memory.dmp

Filesize
3.3MB

Download
memory/2184-113-0x00007FF775FB0000-0x00007FF776304000-memory.dmp

Filesize
3.3MB

Download
memory/2184-48-0x00007FF775FB0000-0x00007FF776304000-memory.dmp

Filesize
3.3MB

Download
memory/2184-145-0x00007FF775FB0000-0x00007FF776304000-memory.dmp

Filesize
3.3MB

Download
memory/2392-102-0x00007FF6874F0000-0x00007FF687844000-memory.dmp

Filesize
3.3MB

Download
memory/2392-153-0x00007FF6874F0000-0x00007FF687844000-memory.dmp

Filesize
3.3MB

Download
memory/2624-140-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp

Filesize
3.3MB

Download
memory/2624-19-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp

Filesize
3.3MB

Download
memory/2624-79-0x00007FF7E3310000-0x00007FF7E3664000-memory.dmp

Filesize
3.3MB

Download
memory/3000-149-0x00007FF7F2780000-0x00007FF7F2AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3000-78-0x00007FF7F2780000-0x00007FF7F2AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3500-82-0x00007FF7E1B60000-0x00007FF7E1EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3500-135-0x00007FF7E1B60000-0x00007FF7E1EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3500-150-0x00007FF7E1B60000-0x00007FF7E1EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3612-148-0x00007FF6A7610000-0x00007FF6A7964000-memory.dmp

Filesize
3.3MB

Download
memory/3612-71-0x00007FF6A7610000-0x00007FF6A7964000-memory.dmp

Filesize
3.3MB

Download
memory/3672-143-0x00007FF6BA5D0000-0x00007FF6BA924000-memory.dmp

Filesize
3.3MB

Download
memory/3672-39-0x00007FF6BA5D0000-0x00007FF6BA924000-memory.dmp

Filesize
3.3MB

Download
memory/3724-32-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp

Filesize
3.3MB

Download
memory/3724-95-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp

Filesize
3.3MB

Download
memory/3724-142-0x00007FF67EEB0000-0x00007FF67F204000-memory.dmp

Filesize
3.3MB

Download
memory/4104-134-0x00007FF7A44B0000-0x00007FF7A4804000-memory.dmp

Filesize
3.3MB

Download
memory/4104-158-0x00007FF7A44B0000-0x00007FF7A4804000-memory.dmp

Filesize
3.3MB

Download
memory/4592-60-0x00007FF62D1C0000-0x00007FF62D514000-memory.dmp

Filesize
3.3MB

Download
memory/4592-1-0x0000024DB1270000-0x0000024DB1280000-memory.dmp

Filesize
64KB

Download
memory/4592-0-0x00007FF62D1C0000-0x00007FF62D514000-memory.dmp

Filesize
3.3MB

Download
memory/4728-139-0x00007FF6686B0000-0x00007FF668A04000-memory.dmp

Filesize
3.3MB

Download
memory/4728-14-0x00007FF6686B0000-0x00007FF668A04000-memory.dmp

Filesize
3.3MB

Download
memory/5128-152-0x00007FF784210000-0x00007FF784564000-memory.dmp

Filesize
3.3MB

Download
memory/5128-96-0x00007FF784210000-0x00007FF784564000-memory.dmp

Filesize
3.3MB

Download
memory/5132-136-0x00007FF602B30000-0x00007FF602E84000-memory.dmp

Filesize
3.3MB

Download
memory/5132-151-0x00007FF602B30000-0x00007FF602E84000-memory.dmp

Filesize
3.3MB

Download
memory/5132-87-0x00007FF602B30000-0x00007FF602E84000-memory.dmp

Filesize
3.3MB

Download
memory/5164-129-0x00007FF65B7D0000-0x00007FF65BB24000-memory.dmp

Filesize
3.3MB

Download
memory/5164-157-0x00007FF65B7D0000-0x00007FF65BB24000-memory.dmp

Filesize
3.3MB

Download
memory/5340-121-0x00007FF73D3F0000-0x00007FF73D744000-memory.dmp

Filesize
3.3MB

Download
memory/5340-156-0x00007FF73D3F0000-0x00007FF73D744000-memory.dmp

Filesize
3.3MB

Download
memory/5340-137-0x00007FF73D3F0000-0x00007FF73D744000-memory.dmp

Filesize
3.3MB

Download
memory/5364-44-0x00007FF74B050000-0x00007FF74B3A4000-memory.dmp

Filesize
3.3MB

Download
memory/5364-144-0x00007FF74B050000-0x00007FF74B3A4000-memory.dmp

Filesize
3.3MB

Download
memory/5428-115-0x00007FF7DED00000-0x00007FF7DF054000-memory.dmp

Filesize
3.3MB

Download
memory/5428-155-0x00007FF7DED00000-0x00007FF7DF054000-memory.dmp

Filesize
3.3MB

Download
memory/5600-108-0x00007FF764710000-0x00007FF764A64000-memory.dmp

Filesize
3.3MB

Download
memory/5600-154-0x00007FF764710000-0x00007FF764A64000-memory.dmp

Filesize
3.3MB

Download