cobaltstrike | c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
Size

5.9MB
MD5

4a6c5a06a045e6f803dfca59f2d45f08
SHA1

81f25be6bfe73dd93cae385eab9d67a9403a320b
SHA256

c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e
SHA512

d2c80b1d1987c64d378b9b63265b3cd474128dea1854bb14b219094b8d543ad644ee22b595f64220e85608fd26dd101c2f0fec0f0ae097d65d24761043e0184a
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUU:T+856utgpPF8u/7U

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023486-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-9.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234e9-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-41.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234e7-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f3-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-88.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001692d-95.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234f8-108.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234f6-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fa-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fc-129.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234f9-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fb-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2112-0-0x00007FF663760000-0x00007FF663AB4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023486-6.dat	xmrig
behavioral2/files/0x00070000000234ea-9.dat	xmrig
behavioral2/memory/1708-11-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp	xmrig
behavioral2/files/0x00080000000234e9-10.dat	xmrig
behavioral2/memory/4564-15-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp	xmrig
behavioral2/memory/1384-18-0x00007FF7039E0000-0x00007FF703D34000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ec-30.dat	xmrig
behavioral2/files/0x00070000000234eb-28.dat	xmrig
behavioral2/files/0x00070000000234ed-34.dat	xmrig
behavioral2/memory/5008-35-0x00007FF72E200000-0x00007FF72E554000-memory.dmp	xmrig
behavioral2/memory/3944-36-0x00007FF738CE0000-0x00007FF739034000-memory.dmp	xmrig
behavioral2/memory/2524-26-0x00007FF76CA60000-0x00007FF76CDB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ee-41.dat	xmrig
behavioral2/files/0x00080000000234e7-46.dat	xmrig
behavioral2/files/0x00070000000234ef-51.dat	xmrig
behavioral2/memory/1324-48-0x00007FF616FA0000-0x00007FF6172F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f0-60.dat	xmrig
behavioral2/memory/3300-54-0x00007FF6E3580000-0x00007FF6E38D4000-memory.dmp	xmrig
behavioral2/memory/1052-52-0x00007FF752A40000-0x00007FF752D94000-memory.dmp	xmrig
behavioral2/memory/4564-64-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp	xmrig
behavioral2/memory/4968-65-0x00007FF6B4260000-0x00007FF6B45B4000-memory.dmp	xmrig
behavioral2/memory/1708-63-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp	xmrig
behavioral2/memory/2112-62-0x00007FF663760000-0x00007FF663AB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f1-67.dat	xmrig
behavioral2/memory/3872-69-0x00007FF6F9750000-0x00007FF6F9AA4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f2-74.dat	xmrig
behavioral2/memory/3412-78-0x00007FF7FDF30000-0x00007FF7FE284000-memory.dmp	xmrig
behavioral2/memory/2524-80-0x00007FF76CA60000-0x00007FF76CDB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f3-84.dat	xmrig
behavioral2/memory/3680-82-0x00007FF638AC0000-0x00007FF638E14000-memory.dmp	xmrig
behavioral2/memory/1384-79-0x00007FF7039E0000-0x00007FF703D34000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f4-88.dat	xmrig
behavioral2/memory/1804-90-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp	xmrig
behavioral2/memory/5008-89-0x00007FF72E200000-0x00007FF72E554000-memory.dmp	xmrig
behavioral2/files/0x000400000001692d-95.dat	xmrig
behavioral2/files/0x00080000000234f8-108.dat	xmrig
behavioral2/files/0x00080000000234f6-103.dat	xmrig
behavioral2/memory/3944-106-0x00007FF738CE0000-0x00007FF739034000-memory.dmp	xmrig
behavioral2/memory/1224-99-0x00007FF7BFCE0000-0x00007FF7C0034000-memory.dmp	xmrig
behavioral2/files/0x00070000000234fa-115.dat	xmrig
behavioral2/memory/5052-121-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp	xmrig
behavioral2/memory/64-124-0x00007FF78ADA0000-0x00007FF78B0F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234fc-129.dat	xmrig
behavioral2/memory/3692-131-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp	xmrig
behavioral2/memory/896-132-0x00007FF70F5C0000-0x00007FF70F914000-memory.dmp	xmrig
behavioral2/memory/1052-130-0x00007FF752A40000-0x00007FF752D94000-memory.dmp	xmrig
behavioral2/files/0x00080000000234f9-122.dat	xmrig
behavioral2/files/0x00070000000234fb-118.dat	xmrig
behavioral2/memory/5100-117-0x00007FF6B0FE0000-0x00007FF6B1334000-memory.dmp	xmrig
behavioral2/memory/3568-113-0x00007FF713310000-0x00007FF713664000-memory.dmp	xmrig
behavioral2/memory/3300-136-0x00007FF6E3580000-0x00007FF6E38D4000-memory.dmp	xmrig
behavioral2/memory/3872-137-0x00007FF6F9750000-0x00007FF6F9AA4000-memory.dmp	xmrig
behavioral2/memory/3412-138-0x00007FF7FDF30000-0x00007FF7FE284000-memory.dmp	xmrig
behavioral2/memory/3680-139-0x00007FF638AC0000-0x00007FF638E14000-memory.dmp	xmrig
behavioral2/memory/1804-140-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp	xmrig
behavioral2/memory/1224-141-0x00007FF7BFCE0000-0x00007FF7C0034000-memory.dmp	xmrig
behavioral2/memory/5100-142-0x00007FF6B0FE0000-0x00007FF6B1334000-memory.dmp	xmrig
behavioral2/memory/5052-143-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp	xmrig
behavioral2/memory/64-144-0x00007FF78ADA0000-0x00007FF78B0F4000-memory.dmp	xmrig
behavioral2/memory/3692-145-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp	xmrig
behavioral2/memory/896-146-0x00007FF70F5C0000-0x00007FF70F914000-memory.dmp	xmrig
behavioral2/memory/1708-147-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp	xmrig
behavioral2/memory/4564-148-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1708	iHwzeRu.exe
4564	EfOKvez.exe
1384	OlgbwTx.exe
2524	aPWxIsY.exe
5008	dkZRHoU.exe
3944	HEZUzrZ.exe
1324	SkFNBnl.exe
1052	AwwHIBv.exe
3300	GYWXAkj.exe
4968	EAUAZUt.exe
3872	qUtmemE.exe
3412	wzSBcgv.exe
3680	eWtMljA.exe
1804	gJLsPnE.exe
1224	DiayIdu.exe
3568	GOcjqcq.exe
64	eZOctxE.exe
5100	grPADje.exe
3692	PSVlerO.exe
5052	ASCUyXc.exe
896	eHCRsuH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2112-0-0x00007FF663760000-0x00007FF663AB4000-memory.dmp	upx
behavioral2/files/0x0009000000023486-6.dat	upx
behavioral2/files/0x00070000000234ea-9.dat	upx
behavioral2/memory/1708-11-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp	upx
behavioral2/files/0x00080000000234e9-10.dat	upx
behavioral2/memory/4564-15-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp	upx
behavioral2/memory/1384-18-0x00007FF7039E0000-0x00007FF703D34000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-30.dat	upx
behavioral2/files/0x00070000000234eb-28.dat	upx
behavioral2/files/0x00070000000234ed-34.dat	upx
behavioral2/memory/5008-35-0x00007FF72E200000-0x00007FF72E554000-memory.dmp	upx
behavioral2/memory/3944-36-0x00007FF738CE0000-0x00007FF739034000-memory.dmp	upx
behavioral2/memory/2524-26-0x00007FF76CA60000-0x00007FF76CDB4000-memory.dmp	upx
behavioral2/files/0x00070000000234ee-41.dat	upx
behavioral2/files/0x00080000000234e7-46.dat	upx
behavioral2/files/0x00070000000234ef-51.dat	upx
behavioral2/memory/1324-48-0x00007FF616FA0000-0x00007FF6172F4000-memory.dmp	upx
behavioral2/files/0x00070000000234f0-60.dat	upx
behavioral2/memory/3300-54-0x00007FF6E3580000-0x00007FF6E38D4000-memory.dmp	upx
behavioral2/memory/1052-52-0x00007FF752A40000-0x00007FF752D94000-memory.dmp	upx
behavioral2/memory/4564-64-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp	upx
behavioral2/memory/4968-65-0x00007FF6B4260000-0x00007FF6B45B4000-memory.dmp	upx
behavioral2/memory/1708-63-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp	upx
behavioral2/memory/2112-62-0x00007FF663760000-0x00007FF663AB4000-memory.dmp	upx
behavioral2/files/0x00070000000234f1-67.dat	upx
behavioral2/memory/3872-69-0x00007FF6F9750000-0x00007FF6F9AA4000-memory.dmp	upx
behavioral2/files/0x00070000000234f2-74.dat	upx
behavioral2/memory/3412-78-0x00007FF7FDF30000-0x00007FF7FE284000-memory.dmp	upx
behavioral2/memory/2524-80-0x00007FF76CA60000-0x00007FF76CDB4000-memory.dmp	upx
behavioral2/files/0x00070000000234f3-84.dat	upx
behavioral2/memory/3680-82-0x00007FF638AC0000-0x00007FF638E14000-memory.dmp	upx
behavioral2/memory/1384-79-0x00007FF7039E0000-0x00007FF703D34000-memory.dmp	upx
behavioral2/files/0x00070000000234f4-88.dat	upx
behavioral2/memory/1804-90-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp	upx
behavioral2/memory/5008-89-0x00007FF72E200000-0x00007FF72E554000-memory.dmp	upx
behavioral2/files/0x000400000001692d-95.dat	upx
behavioral2/files/0x00080000000234f8-108.dat	upx
behavioral2/files/0x00080000000234f6-103.dat	upx
behavioral2/memory/3944-106-0x00007FF738CE0000-0x00007FF739034000-memory.dmp	upx
behavioral2/memory/1224-99-0x00007FF7BFCE0000-0x00007FF7C0034000-memory.dmp	upx
behavioral2/files/0x00070000000234fa-115.dat	upx
behavioral2/memory/5052-121-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp	upx
behavioral2/memory/64-124-0x00007FF78ADA0000-0x00007FF78B0F4000-memory.dmp	upx
behavioral2/files/0x00070000000234fc-129.dat	upx
behavioral2/memory/3692-131-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp	upx
behavioral2/memory/896-132-0x00007FF70F5C0000-0x00007FF70F914000-memory.dmp	upx
behavioral2/memory/1052-130-0x00007FF752A40000-0x00007FF752D94000-memory.dmp	upx
behavioral2/files/0x00080000000234f9-122.dat	upx
behavioral2/files/0x00070000000234fb-118.dat	upx
behavioral2/memory/5100-117-0x00007FF6B0FE0000-0x00007FF6B1334000-memory.dmp	upx
behavioral2/memory/3568-113-0x00007FF713310000-0x00007FF713664000-memory.dmp	upx
behavioral2/memory/3300-136-0x00007FF6E3580000-0x00007FF6E38D4000-memory.dmp	upx
behavioral2/memory/3872-137-0x00007FF6F9750000-0x00007FF6F9AA4000-memory.dmp	upx
behavioral2/memory/3412-138-0x00007FF7FDF30000-0x00007FF7FE284000-memory.dmp	upx
behavioral2/memory/3680-139-0x00007FF638AC0000-0x00007FF638E14000-memory.dmp	upx
behavioral2/memory/1804-140-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp	upx
behavioral2/memory/1224-141-0x00007FF7BFCE0000-0x00007FF7C0034000-memory.dmp	upx
behavioral2/memory/5100-142-0x00007FF6B0FE0000-0x00007FF6B1334000-memory.dmp	upx
behavioral2/memory/5052-143-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp	upx
behavioral2/memory/64-144-0x00007FF78ADA0000-0x00007FF78B0F4000-memory.dmp	upx
behavioral2/memory/3692-145-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp	upx
behavioral2/memory/896-146-0x00007FF70F5C0000-0x00007FF70F914000-memory.dmp	upx
behavioral2/memory/1708-147-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp	upx
behavioral2/memory/4564-148-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PSVlerO.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\HEZUzrZ.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\AwwHIBv.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\qUtmemE.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\grPADje.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\EAUAZUt.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\ASCUyXc.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\eHCRsuH.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\wzSBcgv.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\DiayIdu.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\iHwzeRu.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\EfOKvez.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\aPWxIsY.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\dkZRHoU.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\gJLsPnE.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\GOcjqcq.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\eZOctxE.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\OlgbwTx.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\SkFNBnl.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\GYWXAkj.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
File created	C:\Windows\System\eWtMljA.exe	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
Token: SeLockMemoryPrivilege	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1708	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	85
PID 2112 wrote to memory of 1708	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	85
PID 2112 wrote to memory of 4564	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	86
PID 2112 wrote to memory of 4564	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	86
PID 2112 wrote to memory of 1384	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	87
PID 2112 wrote to memory of 1384	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	87
PID 2112 wrote to memory of 2524	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	88
PID 2112 wrote to memory of 2524	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	88
PID 2112 wrote to memory of 5008	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	89
PID 2112 wrote to memory of 5008	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	89
PID 2112 wrote to memory of 3944	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	90
PID 2112 wrote to memory of 3944	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	90
PID 2112 wrote to memory of 1324	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	93
PID 2112 wrote to memory of 1324	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	93
PID 2112 wrote to memory of 1052	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	94
PID 2112 wrote to memory of 1052	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	94
PID 2112 wrote to memory of 3300	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	95
PID 2112 wrote to memory of 3300	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	95
PID 2112 wrote to memory of 4968	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	96
PID 2112 wrote to memory of 4968	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	96
PID 2112 wrote to memory of 3872	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	97
PID 2112 wrote to memory of 3872	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	97
PID 2112 wrote to memory of 3412	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	98
PID 2112 wrote to memory of 3412	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	98
PID 2112 wrote to memory of 3680	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	99
PID 2112 wrote to memory of 3680	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	99
PID 2112 wrote to memory of 1804	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	100
PID 2112 wrote to memory of 1804	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	100
PID 2112 wrote to memory of 1224	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	101
PID 2112 wrote to memory of 1224	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	101
PID 2112 wrote to memory of 3568	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	102
PID 2112 wrote to memory of 3568	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	102
PID 2112 wrote to memory of 64	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	103
PID 2112 wrote to memory of 64	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	103
PID 2112 wrote to memory of 5100	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	104
PID 2112 wrote to memory of 5100	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	104
PID 2112 wrote to memory of 3692	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	105
PID 2112 wrote to memory of 3692	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	105
PID 2112 wrote to memory of 5052	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	106
PID 2112 wrote to memory of 5052	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	106
PID 2112 wrote to memory of 896	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	107
PID 2112 wrote to memory of 896	2112	c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe	107

C:\Users\Admin\AppData\Local\Temp\c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe
"C:\Users\Admin\AppData\Local\Temp\c82472cc484b0bcf643da028828c9060f16c6cb008c7ea24ae102b0869899b4e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System\iHwzeRu.exe
  C:\Windows\System\iHwzeRu.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\EfOKvez.exe
  C:\Windows\System\EfOKvez.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\OlgbwTx.exe
  C:\Windows\System\OlgbwTx.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\aPWxIsY.exe
  C:\Windows\System\aPWxIsY.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\dkZRHoU.exe
  C:\Windows\System\dkZRHoU.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\HEZUzrZ.exe
  C:\Windows\System\HEZUzrZ.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\SkFNBnl.exe
  C:\Windows\System\SkFNBnl.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\AwwHIBv.exe
  C:\Windows\System\AwwHIBv.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\GYWXAkj.exe
  C:\Windows\System\GYWXAkj.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\EAUAZUt.exe
  C:\Windows\System\EAUAZUt.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\qUtmemE.exe
  C:\Windows\System\qUtmemE.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\wzSBcgv.exe
  C:\Windows\System\wzSBcgv.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\eWtMljA.exe
  C:\Windows\System\eWtMljA.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\gJLsPnE.exe
  C:\Windows\System\gJLsPnE.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\DiayIdu.exe
  C:\Windows\System\DiayIdu.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\GOcjqcq.exe
  C:\Windows\System\GOcjqcq.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\eZOctxE.exe
  C:\Windows\System\eZOctxE.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\grPADje.exe
  C:\Windows\System\grPADje.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\PSVlerO.exe
  C:\Windows\System\PSVlerO.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\ASCUyXc.exe
  C:\Windows\System\ASCUyXc.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\eHCRsuH.exe
  C:\Windows\System\eHCRsuH.exe
  2⤵
  - Executes dropped EXE
  PID:896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ASCUyXc.exe

Filesize
5.9MB

MD5
99b5af9653b129b358f36f3c307efd92

SHA1
6c77080844adb86fff710022ff2e592233fd374f

SHA256
146fad3ca6b9c8e731ec2b1281984de2c49d4fb9f45b977de907e6cf9e0ef40d

SHA512
a00ac26a54d9894e751b8134b2ca85bc3dc1a63deaa65dfd9b0f930ef608106b4a2bd001562203592ea113b6bf4fd7ce586e3a2fec123e5683ccbd7eeeea421a

Download Submit
C:\Windows\System\AwwHIBv.exe

Filesize
5.9MB

MD5
e8c3dd8ef55246470ac0169bb2b93341

SHA1
fda210a28430fc946d02626434db3952536f8dec

SHA256
d3ac9354928f6c5075541b8897830511b0cc3c8725f74fda07cbb1592e253c1d

SHA512
6993d34bb5d2b5d790e606eec55f07b1d07c75fd1f5fc8e670b9522577489366f9011a47cc8d44acc8580378feff0dbfa53c13a5d4b7d96de9238408ec5a7612

Download Submit
C:\Windows\System\DiayIdu.exe

Filesize
5.9MB

MD5
9b606087c421012acef576b2bd5ab91f

SHA1
87f1eb9bb9879ff79c540a9e6dd5ca3902332ebf

SHA256
e8536c0547b9f5d0bedeafeb82ccafd2503383bf349ced42356c4879af84028e

SHA512
69b2ff7923a522978ee03d5129f69acb787c9db6fe1ec55a6040f72ab4a2350d5dde58aad5b0fc00c60edc940fe45c8377518ae845febad208ae8ac9e778fd2b

Download Submit
C:\Windows\System\EAUAZUt.exe

Filesize
5.9MB

MD5
cbda371e1083d3f9503204f88c772010

SHA1
4b6d7bc75a774f83fe40a5e648816496165e17df

SHA256
f5ad4fee93bc1c679415d759f04657dce6a15f2e73c4afc4e65c348e5bc1cbfb

SHA512
6b83b17472b9c4620b05762eba802017e47d1f60e2f40dc769f970ac0b04289cecdd1ad17ac1e1bf6e4834c03fa824e162b0bafcf2e7c7bcf30f27a6e27c7659

Download Submit
C:\Windows\System\EfOKvez.exe

Filesize
5.9MB

MD5
ab3f4de7434c81c5b495e74764c4b040

SHA1
ba7803f4ece3a4fb395767e1e0195b4d3d622779

SHA256
7d972b3487af5839443d2335fe7f50b26f370aa163d24f13e1a84117d67e2654

SHA512
15ad834f6a9105d102f6accec0754f84a387f308b07537e6be97d9ea9003444d4a0897746723e94274d5f1e721d907ee46333ae128e0a56b736ba28d7d5d10a7

Download Submit
C:\Windows\System\GOcjqcq.exe

Filesize
5.9MB

MD5
c0d2f327459e8c9c65574a065c5ec1e4

SHA1
3928f5e50849e7357bd8c93264163e6eec73f1f1

SHA256
6399545463c7d9e771176b134af8bd80c1e7a0727e280d712f7324f1693e7c90

SHA512
f341675235f218b22b5e8c07695c8028b088e29d1bb3ac812ec39a0ce90c7fa75cccb70e7065bb83bdc6d8b14828a27f7bfd0b50c7b4f451530a909e4278ae3d

Download Submit
C:\Windows\System\GYWXAkj.exe

Filesize
5.9MB

MD5
5eecf35c7c03cd59c6dd0d35c029c015

SHA1
9f4dc79d293ab596457d432b034d4897f801e5c5

SHA256
520ce39fe14116c2ee618b8035667c874ab447b99586c6949e2c3c73a766da58

SHA512
1de9765b21a37d9b63d41261b6a96a97dda9a32ac56840ea009b1332301844945801af4e3f8d83cf8e4cc9e2339639cb96559aa8f49fd9f6fb949fddaa0da8c8

Download Submit
C:\Windows\System\HEZUzrZ.exe

Filesize
5.9MB

MD5
acb224e50931661e18d289282d328ab5

SHA1
a76ef049a00340d0bc168387231c87b1a0b51e93

SHA256
773eda0a38fd0facb11d297a9612c1624cc34496e719acb15191033005c26c92

SHA512
5fb2230b2fbf0f80cf4941889451bcbf6656b0897ba8bfd366bb4e0cf42953065ffeda3da9fbcdad223f15042fa0ed02fe3a6cbaa28c6446f6ccf1ebad0c7dca

Download Submit
C:\Windows\System\OlgbwTx.exe

Filesize
5.9MB

MD5
fc7cf1c627be476a775570cc8eb03e4a

SHA1
898dbd6d0dab46f2e78061692288590fae733116

SHA256
408301a3ae4d4dfa6f192322578ed6ae2d2e5a02eea8086ec7d70502e24337aa

SHA512
6e05f3728afc8953f3fc40174398d3db21a05a2f23ffa7de253494256b60a8c40d1aa0236891af84695ce60d5324cb801f3c0369cb7d62e3d0f41d13fb405fbf

Download Submit
C:\Windows\System\PSVlerO.exe

Filesize
5.9MB

MD5
fa7220b45b4dfe8a0dd9422ef3bf3746

SHA1
0e59ec2631589e23ae0bd01b8b5231517400b4cc

SHA256
91447a35c1b34f07248deba36d39944e026b5c3868622904147cf4ff00aac751

SHA512
b14a3d72ba995504490f07e850c6d0017ceffccb58090ede72f02726d41896abb2d328a50f64e44660ab8e05f1a6d14bc8687060459bd4eeecb460850da9c2c8

Download Submit
C:\Windows\System\SkFNBnl.exe

Filesize
5.9MB

MD5
79b7bedc263bd9556c98405573265047

SHA1
cba85e957c0af32921f744d7dbab9f4dcf3f833f

SHA256
82c571825bad80fb02b3845f7ec3c47ba570571a49c86868771ca9ba2f29dee7

SHA512
d52a908062016a66d5c689720084f03e3fa7fc8b4baefa64aef62869fb648d9f870d354ede8f9049c42d459207cd486af109a493a909be1432b9cc22de21510d

Download Submit
C:\Windows\System\aPWxIsY.exe

Filesize
5.9MB

MD5
6607fdd562f1dc9b43c5c649474bfe67

SHA1
9792d22463cebb870a41ce833836f39e38a3bd11

SHA256
735b2400b290f8a3ddf64ba8b084ee91912c772c95b4647de7d6e3396d2d2b03

SHA512
2ba256ee40cc671643276f46fadb1853ffb33b9e650ee7afaf426565ca003d3a744b82859573de7a13863b68824f68604797b41bd4364cf1c37c5e7800507fd4

Download Submit
C:\Windows\System\dkZRHoU.exe

Filesize
5.9MB

MD5
e10d68c1a63bd28c227d25eed7c41da8

SHA1
7cc9054012030363bd36ab97a693fbcea17a7af1

SHA256
81eb29df45aeb977017fb113750980e5f545b590cc9ae9c74af1b2010bb83d2e

SHA512
0c31304e66cce8b383c6d40a5eff90bf133d9e028cc985aa211c0deacdb3b9c96a42fb55a93a04f6e2c4b41dd7a31b80d723cbb7c9b1613fd49eb4d6e0df5ee1

Download Submit
C:\Windows\System\eHCRsuH.exe

Filesize
5.9MB

MD5
26f4008c7894db23e69987339cf15dbd

SHA1
73c97a19bfbcf97cbdfab727a970a42b047d00eb

SHA256
134708953dc982d3e5056ec8a509977a836bfc14fec920c8a0be48e4abcbd81b

SHA512
99c5059b185d36370a5a736fdc124f05e2d790907600b6c95ced9f71ab3d6c0e942c4b84f64e9e699a99f8feaee11e52ac5357e18ff45310e531ab03d7402565

Download Submit
C:\Windows\System\eWtMljA.exe

Filesize
5.9MB

MD5
06ea7dee03436cc6a7fb989ed4c522e9

SHA1
9037d3e2c0b62e584a5026b1975efa2c93a60c79

SHA256
d7697d638cdc1d08196ec7f873f1cb0fabde7d769e9b112aa4431ff0b34b7f25

SHA512
c2acb92ab3cd92fd17768b3bfc2faba9d3f54acad045f121f806138d2c559ab62c10e6433f625d242191cd8f569d4e4d7ad428873d5e0d9d4a6ea05cfad9e896

Download Submit
C:\Windows\System\eZOctxE.exe

Filesize
5.9MB

MD5
171d75b9d54832cacf6451ef8e7793fb

SHA1
e59d4535f833a9c49c08bfc911e0c83b4a9058a6

SHA256
4906908cb372a8490c4102e578f95c7c77c330c9db013d0108de7dd4f6263443

SHA512
d00a68affd2af8392aff41f8a3beda96983d1536350863dc17c9a574e47bdecab58ca5a70d0042ed251686bd839822a2eb83df54f81587834777d96b429d8e25

Download Submit
C:\Windows\System\gJLsPnE.exe

Filesize
5.9MB

MD5
8038dc8e60ea79b882e2f19688b49ab6

SHA1
f1f9baad25e3f13161342ffe618dbcec7ae1eaa1

SHA256
58b245d6bae6136fa2339d4626dce0d438701d50b73492aab5bd0c42fb0feb85

SHA512
6d5fbd259c553ea62ea4395f8331cc8dc34582f8614c94ca6e13871212a81aaf41b9b4b01f7f7e3d657ecb081fd4c0495cc64bfa6a53ba6af2004b43a8a24f1a

Download Submit
C:\Windows\System\grPADje.exe

Filesize
5.9MB

MD5
fe677a3951838f890632d8b65f0e8fdc

SHA1
0d9f1dc08ddc0827001771428d18d5f0eb377d48

SHA256
07b79a98f1c7289977d4bc9078305c93f6b30049301f5630ea381bc537ea25e6

SHA512
5a3247bf71cf9a0c665c0a2d1aa45c40cd9df34336a1611b8414854e7bcf579a1536059c94fb9c5c37810072cbdf9ec7124edca6f47e9715226524a188e6fa6b

Download Submit
C:\Windows\System\iHwzeRu.exe

Filesize
5.9MB

MD5
8ed0f2a8a0f90ba22b8042f3693a046c

SHA1
6c75fdba04b8727c596ff19dc665cd0c1388b628

SHA256
9f2bdf646abf9534ddc8e04303e325855f366ad4c7f773d1ccdf27d5cbdfe707

SHA512
02879baa504f2565cb26fb71f99a805bab9a870d8376e22628b2371365eddfb26e054cdc4c6b8ce9999a407f45b06703d36762773eb83944258c7fca3f278bce

Download Submit
C:\Windows\System\qUtmemE.exe

Filesize
5.9MB

MD5
ed8ea6f4e54f83f2768c2cd5c00c5be7

SHA1
5b5265de2cb34531fbee7bde10dd5912c7d84660

SHA256
08de11d2aae5ce3c755cad252349dee2f6e66e6f5e96880f1f32f18f72a0e938

SHA512
919ace17a48594007063ddaf50851430e52629deb89c622108dd9085c1fef343bc8bf48374c3900f43177ad4a24ff3f7e74165febc6abb30361c99b359b27d8c

Download Submit
C:\Windows\System\wzSBcgv.exe

Filesize
5.9MB

MD5
de5e3d9d0fbe970b5b7cc24496aa8675

SHA1
e1b64941f6fc5ee8deca3f4bc7fd9b37da8430ca

SHA256
e688e11471b17ba7b1841393def1749925f3f107cae672181f98c0a5c629e25f

SHA512
7befe03c422ea3fa32e68354e20e78e52c34e1c9c6f30687cc09d420ad01274ef8fda43e651682437df8b8405edc7807322f911cae9625d6eb9cedf8a23fe9b9

Download Submit
memory/64-124-0x00007FF78ADA0000-0x00007FF78B0F4000-memory.dmp

Filesize
3.3MB

Download
memory/64-144-0x00007FF78ADA0000-0x00007FF78B0F4000-memory.dmp

Filesize
3.3MB

Download
memory/64-165-0x00007FF78ADA0000-0x00007FF78B0F4000-memory.dmp

Filesize
3.3MB

Download
memory/896-132-0x00007FF70F5C0000-0x00007FF70F914000-memory.dmp

Filesize
3.3MB

Download
memory/896-146-0x00007FF70F5C0000-0x00007FF70F914000-memory.dmp

Filesize
3.3MB

Download
memory/896-167-0x00007FF70F5C0000-0x00007FF70F914000-memory.dmp

Filesize
3.3MB

Download
memory/1052-52-0x00007FF752A40000-0x00007FF752D94000-memory.dmp

Filesize
3.3MB

Download
memory/1052-154-0x00007FF752A40000-0x00007FF752D94000-memory.dmp

Filesize
3.3MB

Download
memory/1052-130-0x00007FF752A40000-0x00007FF752D94000-memory.dmp

Filesize
3.3MB

Download
memory/1224-162-0x00007FF7BFCE0000-0x00007FF7C0034000-memory.dmp

Filesize
3.3MB

Download
memory/1224-141-0x00007FF7BFCE0000-0x00007FF7C0034000-memory.dmp

Filesize
3.3MB

Download
memory/1224-99-0x00007FF7BFCE0000-0x00007FF7C0034000-memory.dmp

Filesize
3.3MB

Download
memory/1324-48-0x00007FF616FA0000-0x00007FF6172F4000-memory.dmp

Filesize
3.3MB

Download
memory/1324-153-0x00007FF616FA0000-0x00007FF6172F4000-memory.dmp

Filesize
3.3MB

Download
memory/1384-18-0x00007FF7039E0000-0x00007FF703D34000-memory.dmp

Filesize
3.3MB

Download
memory/1384-79-0x00007FF7039E0000-0x00007FF703D34000-memory.dmp

Filesize
3.3MB

Download
memory/1384-149-0x00007FF7039E0000-0x00007FF703D34000-memory.dmp

Filesize
3.3MB

Download
memory/1708-147-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp

Filesize
3.3MB

Download
memory/1708-11-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp

Filesize
3.3MB

Download
memory/1708-63-0x00007FF60D0F0000-0x00007FF60D444000-memory.dmp

Filesize
3.3MB

Download
memory/1804-90-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp

Filesize
3.3MB

Download
memory/1804-160-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp

Filesize
3.3MB

Download
memory/1804-140-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp

Filesize
3.3MB

Download
memory/2112-0-0x00007FF663760000-0x00007FF663AB4000-memory.dmp

Filesize
3.3MB

Download
memory/2112-1-0x00000281873D0000-0x00000281873E0000-memory.dmp

Filesize
64KB

Download
memory/2112-62-0x00007FF663760000-0x00007FF663AB4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-150-0x00007FF76CA60000-0x00007FF76CDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-26-0x00007FF76CA60000-0x00007FF76CDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-80-0x00007FF76CA60000-0x00007FF76CDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3300-136-0x00007FF6E3580000-0x00007FF6E38D4000-memory.dmp

Filesize
3.3MB

Download
memory/3300-54-0x00007FF6E3580000-0x00007FF6E38D4000-memory.dmp

Filesize
3.3MB

Download
memory/3300-155-0x00007FF6E3580000-0x00007FF6E38D4000-memory.dmp

Filesize
3.3MB

Download
memory/3412-78-0x00007FF7FDF30000-0x00007FF7FE284000-memory.dmp

Filesize
3.3MB

Download
memory/3412-138-0x00007FF7FDF30000-0x00007FF7FE284000-memory.dmp

Filesize
3.3MB

Download
memory/3412-157-0x00007FF7FDF30000-0x00007FF7FE284000-memory.dmp

Filesize
3.3MB

Download
memory/3568-113-0x00007FF713310000-0x00007FF713664000-memory.dmp

Filesize
3.3MB

Download
memory/3568-161-0x00007FF713310000-0x00007FF713664000-memory.dmp

Filesize
3.3MB

Download
memory/3680-139-0x00007FF638AC0000-0x00007FF638E14000-memory.dmp

Filesize
3.3MB

Download
memory/3680-82-0x00007FF638AC0000-0x00007FF638E14000-memory.dmp

Filesize
3.3MB

Download
memory/3680-159-0x00007FF638AC0000-0x00007FF638E14000-memory.dmp

Filesize
3.3MB

Download
memory/3692-131-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp

Filesize
3.3MB

Download
memory/3692-145-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp

Filesize
3.3MB

Download
memory/3692-166-0x00007FF6918F0000-0x00007FF691C44000-memory.dmp

Filesize
3.3MB

Download
memory/3872-137-0x00007FF6F9750000-0x00007FF6F9AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3872-69-0x00007FF6F9750000-0x00007FF6F9AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3872-158-0x00007FF6F9750000-0x00007FF6F9AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3944-151-0x00007FF738CE0000-0x00007FF739034000-memory.dmp

Filesize
3.3MB

Download
memory/3944-36-0x00007FF738CE0000-0x00007FF739034000-memory.dmp

Filesize
3.3MB

Download
memory/3944-106-0x00007FF738CE0000-0x00007FF739034000-memory.dmp

Filesize
3.3MB

Download
memory/4564-148-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp

Filesize
3.3MB

Download
memory/4564-15-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp

Filesize
3.3MB

Download
memory/4564-64-0x00007FF6CDB40000-0x00007FF6CDE94000-memory.dmp

Filesize
3.3MB

Download
memory/4968-156-0x00007FF6B4260000-0x00007FF6B45B4000-memory.dmp

Filesize
3.3MB

Download
memory/4968-65-0x00007FF6B4260000-0x00007FF6B45B4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-35-0x00007FF72E200000-0x00007FF72E554000-memory.dmp

Filesize
3.3MB

Download
memory/5008-152-0x00007FF72E200000-0x00007FF72E554000-memory.dmp

Filesize
3.3MB

Download
memory/5008-89-0x00007FF72E200000-0x00007FF72E554000-memory.dmp

Filesize
3.3MB

Download
memory/5052-143-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp

Filesize
3.3MB

Download
memory/5052-163-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp

Filesize
3.3MB

Download
memory/5052-121-0x00007FF68D2F0000-0x00007FF68D644000-memory.dmp

Filesize
3.3MB

Download
memory/5100-142-0x00007FF6B0FE0000-0x00007FF6B1334000-memory.dmp

Filesize
3.3MB

Download
memory/5100-164-0x00007FF6B0FE0000-0x00007FF6B1334000-memory.dmp

Filesize
3.3MB

Download
memory/5100-117-0x00007FF6B0FE0000-0x00007FF6B1334000-memory.dmp

Filesize
3.3MB

Download