cobaltstrike | dc4378994fa084346aed82ad5f75ae2ee8e1131d67daf86bf3b83d35a0c3b063

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 17:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8906e6b789ed395a4bde3f0d7e06590N.exe
Size

5.2MB
MD5

a8906e6b789ed395a4bde3f0d7e06590
SHA1

f0825df64b10e57a0d438deb170b186061d07e62
SHA256

dc4378994fa084346aed82ad5f75ae2ee8e1131d67daf86bf3b83d35a0c3b063
SHA512

81b77f7227b84aaca6084f2467500ee6821184fcaefa4659324d58905172339ac3832a263f788a3282b267ca1801dd7d6cc59f54e85993b1a1912df58d73c539
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a0000000234f3-4.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002350b-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350f-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023513-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023515-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023516-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023517-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023514-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023512-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023511-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023510-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023518-71.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351a-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023519-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351b-100.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351c-108.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351d-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351e-123.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002350c-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023521-139.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023522-142.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/1004-53-0x00007FF631EE0000-0x00007FF632231000-memory.dmp	xmrig
behavioral2/memory/2624-47-0x00007FF708750000-0x00007FF708AA1000-memory.dmp	xmrig
behavioral2/memory/2608-38-0x00007FF6AAB50000-0x00007FF6AAEA1000-memory.dmp	xmrig
behavioral2/memory/4744-33-0x00007FF7A5380000-0x00007FF7A56D1000-memory.dmp	xmrig
behavioral2/memory/2368-69-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp	xmrig
behavioral2/memory/4444-79-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp	xmrig
behavioral2/memory/3420-83-0x00007FF605900000-0x00007FF605C51000-memory.dmp	xmrig
behavioral2/memory/1988-86-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp	xmrig
behavioral2/memory/3084-85-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp	xmrig
behavioral2/memory/4652-80-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp	xmrig
behavioral2/memory/1140-109-0x00007FF7D5080000-0x00007FF7D53D1000-memory.dmp	xmrig
behavioral2/memory/4440-110-0x00007FF6D4710000-0x00007FF6D4A61000-memory.dmp	xmrig
behavioral2/memory/2624-105-0x00007FF708750000-0x00007FF708AA1000-memory.dmp	xmrig
behavioral2/memory/3568-96-0x00007FF6B60E0000-0x00007FF6B6431000-memory.dmp	xmrig
behavioral2/memory/2036-121-0x00007FF63F430000-0x00007FF63F781000-memory.dmp	xmrig
behavioral2/memory/208-136-0x00007FF6A0AB0000-0x00007FF6A0E01000-memory.dmp	xmrig
behavioral2/memory/2052-145-0x00007FF7A1FC0000-0x00007FF7A2311000-memory.dmp	xmrig
behavioral2/memory/4164-149-0x00007FF6F7500000-0x00007FF6F7851000-memory.dmp	xmrig
behavioral2/memory/3084-150-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp	xmrig
behavioral2/memory/4648-151-0x00007FF7C7420000-0x00007FF7C7771000-memory.dmp	xmrig
behavioral2/memory/1416-152-0x00007FF7F8110000-0x00007FF7F8461000-memory.dmp	xmrig
behavioral2/memory/4748-160-0x00007FF7966A0000-0x00007FF7969F1000-memory.dmp	xmrig
behavioral2/memory/3532-158-0x00007FF7B09E0000-0x00007FF7B0D31000-memory.dmp	xmrig
behavioral2/memory/3616-159-0x00007FF6D24C0000-0x00007FF6D2811000-memory.dmp	xmrig
behavioral2/memory/2368-162-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp	xmrig
behavioral2/memory/4444-221-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp	xmrig
behavioral2/memory/4652-223-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp	xmrig
behavioral2/memory/1988-225-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp	xmrig
behavioral2/memory/4744-227-0x00007FF7A5380000-0x00007FF7A56D1000-memory.dmp	xmrig
behavioral2/memory/2608-229-0x00007FF6AAB50000-0x00007FF6AAEA1000-memory.dmp	xmrig
behavioral2/memory/1004-231-0x00007FF631EE0000-0x00007FF632231000-memory.dmp	xmrig
behavioral2/memory/2624-233-0x00007FF708750000-0x00007FF708AA1000-memory.dmp	xmrig
behavioral2/memory/3568-235-0x00007FF6B60E0000-0x00007FF6B6431000-memory.dmp	xmrig
behavioral2/memory/4440-237-0x00007FF6D4710000-0x00007FF6D4A61000-memory.dmp	xmrig
behavioral2/memory/2036-239-0x00007FF63F430000-0x00007FF63F781000-memory.dmp	xmrig
behavioral2/memory/208-241-0x00007FF6A0AB0000-0x00007FF6A0E01000-memory.dmp	xmrig
behavioral2/memory/3420-247-0x00007FF605900000-0x00007FF605C51000-memory.dmp	xmrig
behavioral2/memory/3084-249-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp	xmrig
behavioral2/memory/4648-255-0x00007FF7C7420000-0x00007FF7C7771000-memory.dmp	xmrig
behavioral2/memory/1416-257-0x00007FF7F8110000-0x00007FF7F8461000-memory.dmp	xmrig
behavioral2/memory/1140-259-0x00007FF7D5080000-0x00007FF7D53D1000-memory.dmp	xmrig
behavioral2/memory/4748-263-0x00007FF7966A0000-0x00007FF7969F1000-memory.dmp	xmrig
behavioral2/memory/3532-262-0x00007FF7B09E0000-0x00007FF7B0D31000-memory.dmp	xmrig
behavioral2/memory/3616-265-0x00007FF6D24C0000-0x00007FF6D2811000-memory.dmp	xmrig
behavioral2/memory/2052-269-0x00007FF7A1FC0000-0x00007FF7A2311000-memory.dmp	xmrig
behavioral2/memory/4164-271-0x00007FF6F7500000-0x00007FF6F7851000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4444	BshHcNq.exe
4652	OFxmuPL.exe
1988	WoNGmnE.exe
4744	QUZJsRm.exe
2608	iUseFmT.exe
2624	ZPMQhFl.exe
3568	GygkxnK.exe
1004	PrxaLFD.exe
4440	lkDxUIQ.exe
2036	EljIUGr.exe
208	DIejpCI.exe
3420	aQGIDzv.exe
3084	lgexbjf.exe
4648	htXMlZu.exe
1416	HKGkEDF.exe
1140	hNoLSjv.exe
4748	aQXLKJl.exe
3532	hEEPPrI.exe
3616	TKCuvCb.exe
2052	rDntmNj.exe
4164	CityfBt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2368-0-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp	upx
behavioral2/files/0x000a0000000234f3-4.dat	upx
behavioral2/files/0x000800000002350b-11.dat	upx
behavioral2/memory/1988-20-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp	upx
behavioral2/files/0x000700000002350f-22.dat	upx
behavioral2/files/0x0007000000023513-37.dat	upx
behavioral2/files/0x0007000000023515-48.dat	upx
behavioral2/memory/1004-53-0x00007FF631EE0000-0x00007FF632231000-memory.dmp	upx
behavioral2/memory/4440-61-0x00007FF6D4710000-0x00007FF6D4A61000-memory.dmp	upx
behavioral2/files/0x0007000000023516-64.dat	upx
behavioral2/files/0x0007000000023517-67.dat	upx
behavioral2/memory/208-66-0x00007FF6A0AB0000-0x00007FF6A0E01000-memory.dmp	upx
behavioral2/memory/2036-63-0x00007FF63F430000-0x00007FF63F781000-memory.dmp	upx
behavioral2/memory/2624-47-0x00007FF708750000-0x00007FF708AA1000-memory.dmp	upx
behavioral2/memory/3568-45-0x00007FF6B60E0000-0x00007FF6B6431000-memory.dmp	upx
behavioral2/files/0x0007000000023514-43.dat	upx
behavioral2/files/0x0007000000023512-42.dat	upx
behavioral2/memory/2608-38-0x00007FF6AAB50000-0x00007FF6AAEA1000-memory.dmp	upx
behavioral2/memory/4744-33-0x00007FF7A5380000-0x00007FF7A56D1000-memory.dmp	upx
behavioral2/files/0x0007000000023511-31.dat	upx
behavioral2/files/0x0007000000023510-25.dat	upx
behavioral2/memory/4652-16-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp	upx
behavioral2/memory/4444-10-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp	upx
behavioral2/memory/2368-69-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp	upx
behavioral2/files/0x0007000000023518-71.dat	upx
behavioral2/memory/4444-79-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp	upx
behavioral2/memory/3420-83-0x00007FF605900000-0x00007FF605C51000-memory.dmp	upx
behavioral2/files/0x000700000002351a-89.dat	upx
behavioral2/files/0x0007000000023519-87.dat	upx
behavioral2/memory/1988-86-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp	upx
behavioral2/memory/3084-85-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp	upx
behavioral2/memory/4652-80-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp	upx
behavioral2/files/0x000700000002351b-100.dat	upx
behavioral2/files/0x000700000002351c-108.dat	upx
behavioral2/memory/1140-109-0x00007FF7D5080000-0x00007FF7D53D1000-memory.dmp	upx
behavioral2/files/0x000700000002351d-114.dat	upx
behavioral2/memory/3532-115-0x00007FF7B09E0000-0x00007FF7B0D31000-memory.dmp	upx
behavioral2/memory/4748-111-0x00007FF7966A0000-0x00007FF7969F1000-memory.dmp	upx
behavioral2/memory/4440-110-0x00007FF6D4710000-0x00007FF6D4A61000-memory.dmp	upx
behavioral2/memory/2624-105-0x00007FF708750000-0x00007FF708AA1000-memory.dmp	upx
behavioral2/memory/3568-96-0x00007FF6B60E0000-0x00007FF6B6431000-memory.dmp	upx
behavioral2/memory/1416-94-0x00007FF7F8110000-0x00007FF7F8461000-memory.dmp	upx
behavioral2/memory/4648-92-0x00007FF7C7420000-0x00007FF7C7771000-memory.dmp	upx
behavioral2/files/0x000700000002351e-123.dat	upx
behavioral2/memory/3616-122-0x00007FF6D24C0000-0x00007FF6D2811000-memory.dmp	upx
behavioral2/memory/2036-121-0x00007FF63F430000-0x00007FF63F781000-memory.dmp	upx
behavioral2/files/0x000800000002350c-78.dat	upx
behavioral2/memory/208-136-0x00007FF6A0AB0000-0x00007FF6A0E01000-memory.dmp	upx
behavioral2/files/0x0007000000023521-139.dat	upx
behavioral2/files/0x0007000000023522-142.dat	upx
behavioral2/memory/2052-145-0x00007FF7A1FC0000-0x00007FF7A2311000-memory.dmp	upx
behavioral2/memory/4164-149-0x00007FF6F7500000-0x00007FF6F7851000-memory.dmp	upx
behavioral2/memory/3084-150-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp	upx
behavioral2/memory/4648-151-0x00007FF7C7420000-0x00007FF7C7771000-memory.dmp	upx
behavioral2/memory/1416-152-0x00007FF7F8110000-0x00007FF7F8461000-memory.dmp	upx
behavioral2/memory/4748-160-0x00007FF7966A0000-0x00007FF7969F1000-memory.dmp	upx
behavioral2/memory/3532-158-0x00007FF7B09E0000-0x00007FF7B0D31000-memory.dmp	upx
behavioral2/memory/3616-159-0x00007FF6D24C0000-0x00007FF6D2811000-memory.dmp	upx
behavioral2/memory/2368-162-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp	upx
behavioral2/memory/4444-221-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp	upx
behavioral2/memory/4652-223-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp	upx
behavioral2/memory/1988-225-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp	upx
behavioral2/memory/4744-227-0x00007FF7A5380000-0x00007FF7A56D1000-memory.dmp	upx
behavioral2/memory/2608-229-0x00007FF6AAB50000-0x00007FF6AAEA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aQGIDzv.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\HKGkEDF.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\CityfBt.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\OFxmuPL.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\GygkxnK.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\PrxaLFD.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\lkDxUIQ.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\htXMlZu.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\TKCuvCb.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\ZPMQhFl.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\EljIUGr.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\DIejpCI.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\lgexbjf.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\hNoLSjv.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\aQXLKJl.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\hEEPPrI.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\rDntmNj.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\BshHcNq.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\WoNGmnE.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\QUZJsRm.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe
File created	C:\Windows\System\iUseFmT.exe	a8906e6b789ed395a4bde3f0d7e06590N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe
Token: SeLockMemoryPrivilege	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4444	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	85
PID 2368 wrote to memory of 4444	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	85
PID 2368 wrote to memory of 4652	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	86
PID 2368 wrote to memory of 4652	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	86
PID 2368 wrote to memory of 1988	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	87
PID 2368 wrote to memory of 1988	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	87
PID 2368 wrote to memory of 4744	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	88
PID 2368 wrote to memory of 4744	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	88
PID 2368 wrote to memory of 2608	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	89
PID 2368 wrote to memory of 2608	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	89
PID 2368 wrote to memory of 2624	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	90
PID 2368 wrote to memory of 2624	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	90
PID 2368 wrote to memory of 3568	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	91
PID 2368 wrote to memory of 3568	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	91
PID 2368 wrote to memory of 1004	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	92
PID 2368 wrote to memory of 1004	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	92
PID 2368 wrote to memory of 4440	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	93
PID 2368 wrote to memory of 4440	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	93
PID 2368 wrote to memory of 2036	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	94
PID 2368 wrote to memory of 2036	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	94
PID 2368 wrote to memory of 208	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	95
PID 2368 wrote to memory of 208	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	95
PID 2368 wrote to memory of 3420	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	96
PID 2368 wrote to memory of 3420	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	96
PID 2368 wrote to memory of 3084	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	97
PID 2368 wrote to memory of 3084	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	97
PID 2368 wrote to memory of 4648	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	98
PID 2368 wrote to memory of 4648	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	98
PID 2368 wrote to memory of 1416	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	99
PID 2368 wrote to memory of 1416	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	99
PID 2368 wrote to memory of 1140	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	100
PID 2368 wrote to memory of 1140	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	100
PID 2368 wrote to memory of 4748	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	101
PID 2368 wrote to memory of 4748	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	101
PID 2368 wrote to memory of 3532	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	102
PID 2368 wrote to memory of 3532	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	102
PID 2368 wrote to memory of 3616	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	103
PID 2368 wrote to memory of 3616	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	103
PID 2368 wrote to memory of 2052	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	104
PID 2368 wrote to memory of 2052	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	104
PID 2368 wrote to memory of 4164	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	107
PID 2368 wrote to memory of 4164	2368	a8906e6b789ed395a4bde3f0d7e06590N.exe	107

C:\Users\Admin\AppData\Local\Temp\a8906e6b789ed395a4bde3f0d7e06590N.exe
"C:\Users\Admin\AppData\Local\Temp\a8906e6b789ed395a4bde3f0d7e06590N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System\BshHcNq.exe
  C:\Windows\System\BshHcNq.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\OFxmuPL.exe
  C:\Windows\System\OFxmuPL.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\WoNGmnE.exe
  C:\Windows\System\WoNGmnE.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\QUZJsRm.exe
  C:\Windows\System\QUZJsRm.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\iUseFmT.exe
  C:\Windows\System\iUseFmT.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\ZPMQhFl.exe
  C:\Windows\System\ZPMQhFl.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\GygkxnK.exe
  C:\Windows\System\GygkxnK.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\PrxaLFD.exe
  C:\Windows\System\PrxaLFD.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\lkDxUIQ.exe
  C:\Windows\System\lkDxUIQ.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\EljIUGr.exe
  C:\Windows\System\EljIUGr.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\DIejpCI.exe
  C:\Windows\System\DIejpCI.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\aQGIDzv.exe
  C:\Windows\System\aQGIDzv.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\lgexbjf.exe
  C:\Windows\System\lgexbjf.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\htXMlZu.exe
  C:\Windows\System\htXMlZu.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\HKGkEDF.exe
  C:\Windows\System\HKGkEDF.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\hNoLSjv.exe
  C:\Windows\System\hNoLSjv.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\aQXLKJl.exe
  C:\Windows\System\aQXLKJl.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\hEEPPrI.exe
  C:\Windows\System\hEEPPrI.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\TKCuvCb.exe
  C:\Windows\System\TKCuvCb.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\rDntmNj.exe
  C:\Windows\System\rDntmNj.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\CityfBt.exe
  C:\Windows\System\CityfBt.exe
  2⤵
  - Executes dropped EXE
  PID:4164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BshHcNq.exe

Filesize
5.2MB

MD5
c3015f1eeb4bab62830e26aa6978b69f

SHA1
ad84d20dd701dac58cfe5888181e45fff65db9c3

SHA256
4949f1f95a322a4c403528b8db9511d5ce0c58a6eb131ab863418906a6ccaabc

SHA512
c760ae8713638805bf029d0e2c8270fc2a8a8c69cea4e75612e3a61c64ea4cd5504beb0db8445f7364d529a0fe2b59fc0010fb5915f8a4f6acb997f287f97b28

Download Submit
C:\Windows\System\CityfBt.exe

Filesize
5.2MB

MD5
1c1c5e863f52fe9c1b479656d48f5dc0

SHA1
b289c18b7499e7ac4421f0bdeb313f30d81cdaf8

SHA256
c3807926f4230a96f4dfd5d01452768ec55d8a5265f055f7e6b002b18b47989b

SHA512
443dca032589a59c40b829e281834b08c6a787d3e3f306940f81dc5a56061d36855a0e5c533f12524478cdd0995e9d2a94fb13b5331264ec017900539e28fe19

Download Submit
C:\Windows\System\DIejpCI.exe

Filesize
5.2MB

MD5
6de61c6d266101c1335297c55214f767

SHA1
4ec36c874529fa59104f67cc033854bb636de595

SHA256
549dee04670126ec3d4a46e14cbc1ff0c9508dabd0ebac03c29a6be733e482f5

SHA512
09946170f4cd46b4dd377c0ce20fe69737bf36374cf473291ab8d6499c0934da1d029479ec38beee7317c3e67be409524ba72ca5c003c7002694facb0b92fc4e

Download Submit
C:\Windows\System\EljIUGr.exe

Filesize
5.2MB

MD5
61c61c7fa372e3ef498f1672e35037aa

SHA1
25ec4f0fb6a8151e76badc1c8e8331ff15992d30

SHA256
ad4722255d88da323eabe08af96a5999dce01007e8bc1757638c10a29f0f05c9

SHA512
56a15b03dd77fc32fda7eb6c195bd1e55866dd21bfa7f75929290b7376467380ec01202736aa9af9235dbbc95a43686ff27e8368a848d779d12c48929f8b36ff

Download Submit
C:\Windows\System\GygkxnK.exe

Filesize
5.2MB

MD5
da7dabe619ceff1fca05ecf1232082c6

SHA1
62a5a26968aa2bc3bd1b8c5ed99e0d2530069989

SHA256
bf4b11c366604536c60075b68867b5e12cefd022eb989c04297d6ca95061d6c8

SHA512
b8c6180a40018012e2d33c571a75da65a604f35fef67d5eac52546537397d437f6a9ceb90365815f594ff5f2244fd71213162d6db69b7890a216f982582d01f2

Download Submit
C:\Windows\System\HKGkEDF.exe

Filesize
5.2MB

MD5
026cf09978d0aac89f174275bd7257b4

SHA1
44a7941f487ed3340992a002b1de728a13163055

SHA256
5521c04c0975a65fec5b7593c756607679350a980d2d3b3af2d6147a00ede1fb

SHA512
5ace263099fe3b40c01971eeaeff38f88c451eaff40d917834cd1b9b1b287593df514fcfe1c86adf7356982c075488c05bbff979fefca80ac8500051cc451470

Download Submit
C:\Windows\System\OFxmuPL.exe

Filesize
5.2MB

MD5
3890ef19361e55b4ca951570ccbc397c

SHA1
b03a3bd065e4a45da8bc90431a82f3e713bb052b

SHA256
d8d23edf27de83c8d034a9841a06a0c1daa18911bc8edcbdd9783ab6f8b5054e

SHA512
fd9aa2f156ad08fd9807978490a5838b8d97886bfaf3945992107473fde98acef47f4d4bfa8239520a1c3deca5d1eade1d03f1b66a1967fea2caa5a3acf17c1d

Download Submit
C:\Windows\System\PrxaLFD.exe

Filesize
5.2MB

MD5
abee22752a1cb0ca27493b9a50f88d36

SHA1
a8265c7aaead10a43e4ac98acb94b63fc6ca6405

SHA256
624f6099674381497330854da49cc59e387b88c2cbf7d4f940202428cc2a70f8

SHA512
9dc07be61fcd5b5d91e6139ce8f16f44cd2350180ee5d8ddb813880a7a7e32ac7e65f331819729b6a149b12995f7df417c35cc07149d5bd7faacdc5022b22dc2

Download Submit
C:\Windows\System\QUZJsRm.exe

Filesize
5.2MB

MD5
8910d5d8c069d76ff0b20f7131fec7e8

SHA1
28b2206b8632f1eb8c9d25ca86c37f90c5ccc9e9

SHA256
fa4b2d95118d58b607add66c4f0a2b7ff1b369f6013bcec38ce3527172940dc8

SHA512
7890f8285a47c21d6b48c765385b50c18d23cb37f60dc3b5c9113805cdeb7a235d03ac432d37133067713dfbff83dd71d01011a88cb283c9b0ca5310eabb3173

Download Submit
C:\Windows\System\TKCuvCb.exe

Filesize
5.2MB

MD5
f215626a40ee2cc8b8e0e5be0202853b

SHA1
5e09f0e2c6bb87931f474710e7b195cf8ae8716c

SHA256
210d400939ceaf22ff1744e1b102deee9eb01fe8c2c6e209275139f4d527b90b

SHA512
a77e4b006b1b8c858d6d5a730d874e7b87d4d933944bfd820d2f6a69f20a782d40e219738c7ebaabfbeadb5cdc8a33b221bf565f31b40e863d381261807fd776

Download Submit
C:\Windows\System\WoNGmnE.exe

Filesize
5.2MB

MD5
bbe8497dd426de186891161aac0ca5f1

SHA1
ca63c3d3955f53267dd610c834dfe9c165287a1a

SHA256
175e1d41449c9b7c38c4f73e19fb8f74dc2b66f90e464c4d513970144db67b26

SHA512
f5b150cd619a6c97e2e97a58b5db399b3482a956939e7218ea7824d9855ee2287826fc2812478fe85faacbeca32c909d02317bb23d9b976c9ebe61d51d2e09f6

Download Submit
C:\Windows\System\ZPMQhFl.exe

Filesize
5.2MB

MD5
746ff64931b3b822bc929cc2056b6d8c

SHA1
960d62104fafb4755d2eb175201612b75040e149

SHA256
b7e416a16084a8fb2c30191773215acf1c412ee50d857e4797c683d0c9567be0

SHA512
1733dc525586d848b705c73f9df9abeefd683ea33f080f838cc27b242b58cf11ee2e618fd39ba13c1e7154d20e6cda81c348c108caabba640dd180e09b414d33

Download Submit
C:\Windows\System\aQGIDzv.exe

Filesize
5.2MB

MD5
d4387fff048f1ea64002c93454cfabc0

SHA1
8a831cd3efb042505d33203d74f156d255a529eb

SHA256
cb9ce45adb9558d50ca900b9c73aa3e32b31915bd6cd34ad9323c70de1edfc67

SHA512
e925ee381e7aa9085c60059ce719f7ce077c3c755e9a67c76224e491cdf640f3cab97d57f71bdd6e9c2b196f8d963c6524f38d63fcce23951fcbda691ec79a83

Download Submit
C:\Windows\System\aQXLKJl.exe

Filesize
5.2MB

MD5
77727eabef49aaa83bfdfb625443bdae

SHA1
c10f0f8b51ea11d1a999b3d1f139883f037bd846

SHA256
b619dd73f515cdfeaad7ebca1964da25a568bc1e1630b217510d404536a02ac8

SHA512
cc71677bedaba40783407c09509e8fc597ba20e05f3589e835d97d738d8777d6a416be1b6be2683e57153b7df9662891878137beaf049a94d95ad095e8d87635

Download Submit
C:\Windows\System\hEEPPrI.exe

Filesize
5.2MB

MD5
aa638a3ca2dc6e461153d94fb6d52639

SHA1
6b15bccd8e2338b0e15791ceb3cc121c31b4573a

SHA256
9fc12e4ebe01d8e2225972481542ef37a176be1a0b2aa57172183eaecd0fcb83

SHA512
4c9fef03807179f0192862bede881e525793c948ae47709f6117b57eb92cb9524dff304901f8ca234293e76797fc84af15ae42e4965481980096d977af0b1a9f

Download Submit
C:\Windows\System\hNoLSjv.exe

Filesize
5.2MB

MD5
ded2b504e3618e3f61778a1cc7ff923f

SHA1
f10dede77b8109c07f3726051cc7a1b4a5c30205

SHA256
f15cfbf901097e7d4387ac0ff6008920689602879297663f22582b46b52ac369

SHA512
e7ed868a521701e6530dd69df546415fb8d8bb033fcd7e7db50bdfd1c8cedc39a684cdfbeea48f0dce83be1b56a3fc75e64a3e351b95e940d8ea306a43787f1d

Download Submit
C:\Windows\System\htXMlZu.exe

Filesize
5.2MB

MD5
5dda655e61311dcd130b5e562ba5b481

SHA1
f773cf465807a56c258f547f6edaf6cb4c24e7f9

SHA256
3700c85e0083aec3463f8f8bacddacf194542b218a60f047808ba80f1f06747f

SHA512
0da744a2f9b7655c8f0e1f049f108a0694341bd5dfdc4884f0de4cc204ba8de2053e20fc85d59b7983a792798f05ea9390007a20fc49de67c2047094c0a8ff3b

Download Submit
C:\Windows\System\iUseFmT.exe

Filesize
5.2MB

MD5
e3de97c2d45ba727fda6a5d2ed34cacd

SHA1
b2367ee7ddbe6bd6e9bd1e9d53dc7b52f84a4568

SHA256
b86c258717ad960318ed93333bc253bf76fff609526a929c316bcf7d2201c4d2

SHA512
a0a9910d673f021abf391391c981bbb38b9c337b45a636ecfa44d4baddd88f5069ae9ca3c53be2acbb5aa74d0af91d27491549dcde4825c4f6de7263ad1b690f

Download Submit
C:\Windows\System\lgexbjf.exe

Filesize
5.2MB

MD5
ad49ad6d36cd2649b9fd6bed36ee1a7e

SHA1
0fa1ae816a98ba744cd2b6cb9b1cc96e24c96daa

SHA256
a9cbb882d257331bab681d37967580181880de71cb279b143225f036292fbb64

SHA512
0f71fa97e313a722d111e6da5ef67ce34bec2762cf0b2ce6bd27b3d0543dbfcf4c3dc8c70b655ed44ef29605dcb290b0fb555cf090b83e89884adcd5f6e85ca9

Download Submit
C:\Windows\System\lkDxUIQ.exe

Filesize
5.2MB

MD5
62a8ede584d91867b016798ad35e263b

SHA1
6d963752306769d3f7a0f65835a37a1b09b2a66e

SHA256
92bedb93f9cb472102de2aab7e069ab119ca982e3dbd5f865ce3bde5bf19969d

SHA512
3a61cead4601cae7c7d2f346a7922f574050dbba4d5750decd3ffb6991e379c58800b5c7068fb20a0c9e313125eb6332697b8218a7e425d63169aee458391ed2

Download Submit
C:\Windows\System\rDntmNj.exe

Filesize
5.2MB

MD5
21429b0872ebf2656a285a9edec56751

SHA1
e1c74ad96a77b6d65bc1071068c9aab0b260a517

SHA256
c544f61b426a123f5a1ad7b4f572c8744f2e0d98e974bb4b23765cee03776948

SHA512
99c9bd7e26d19403c19e76b92d39d6afe7da8010222a991c7914acf6e2d7ca66989c1e6801635cef7c2ef5bd7d34b23e42a177390db6d777ca06fb7cff873294

Download Submit
memory/208-136-0x00007FF6A0AB0000-0x00007FF6A0E01000-memory.dmp

Filesize
3.3MB

Download
memory/208-66-0x00007FF6A0AB0000-0x00007FF6A0E01000-memory.dmp

Filesize
3.3MB

Download
memory/208-241-0x00007FF6A0AB0000-0x00007FF6A0E01000-memory.dmp

Filesize
3.3MB

Download
memory/1004-231-0x00007FF631EE0000-0x00007FF632231000-memory.dmp

Filesize
3.3MB

Download
memory/1004-53-0x00007FF631EE0000-0x00007FF632231000-memory.dmp

Filesize
3.3MB

Download
memory/1140-259-0x00007FF7D5080000-0x00007FF7D53D1000-memory.dmp

Filesize
3.3MB

Download
memory/1140-109-0x00007FF7D5080000-0x00007FF7D53D1000-memory.dmp

Filesize
3.3MB

Download
memory/1416-94-0x00007FF7F8110000-0x00007FF7F8461000-memory.dmp

Filesize
3.3MB

Download
memory/1416-257-0x00007FF7F8110000-0x00007FF7F8461000-memory.dmp

Filesize
3.3MB

Download
memory/1416-152-0x00007FF7F8110000-0x00007FF7F8461000-memory.dmp

Filesize
3.3MB

Download
memory/1988-86-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp

Filesize
3.3MB

Download
memory/1988-225-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp

Filesize
3.3MB

Download
memory/1988-20-0x00007FF77F5E0000-0x00007FF77F931000-memory.dmp

Filesize
3.3MB

Download
memory/2036-63-0x00007FF63F430000-0x00007FF63F781000-memory.dmp

Filesize
3.3MB

Download
memory/2036-121-0x00007FF63F430000-0x00007FF63F781000-memory.dmp

Filesize
3.3MB

Download
memory/2036-239-0x00007FF63F430000-0x00007FF63F781000-memory.dmp

Filesize
3.3MB

Download
memory/2052-145-0x00007FF7A1FC0000-0x00007FF7A2311000-memory.dmp

Filesize
3.3MB

Download
memory/2052-269-0x00007FF7A1FC0000-0x00007FF7A2311000-memory.dmp

Filesize
3.3MB

Download
memory/2368-162-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-1-0x0000016C58430000-0x0000016C58440000-memory.dmp

Filesize
64KB

Download
memory/2368-69-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-0-0x00007FF7B4B70000-0x00007FF7B4EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-229-0x00007FF6AAB50000-0x00007FF6AAEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-38-0x00007FF6AAB50000-0x00007FF6AAEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-47-0x00007FF708750000-0x00007FF708AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-105-0x00007FF708750000-0x00007FF708AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-233-0x00007FF708750000-0x00007FF708AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-249-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-150-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-85-0x00007FF6B0590000-0x00007FF6B08E1000-memory.dmp

Filesize
3.3MB

Download
memory/3420-83-0x00007FF605900000-0x00007FF605C51000-memory.dmp

Filesize
3.3MB

Download
memory/3420-247-0x00007FF605900000-0x00007FF605C51000-memory.dmp

Filesize
3.3MB

Download
memory/3532-262-0x00007FF7B09E0000-0x00007FF7B0D31000-memory.dmp

Filesize
3.3MB

Download
memory/3532-158-0x00007FF7B09E0000-0x00007FF7B0D31000-memory.dmp

Filesize
3.3MB

Download
memory/3532-115-0x00007FF7B09E0000-0x00007FF7B0D31000-memory.dmp

Filesize
3.3MB

Download
memory/3568-96-0x00007FF6B60E0000-0x00007FF6B6431000-memory.dmp

Filesize
3.3MB

Download
memory/3568-235-0x00007FF6B60E0000-0x00007FF6B6431000-memory.dmp

Filesize
3.3MB

Download
memory/3568-45-0x00007FF6B60E0000-0x00007FF6B6431000-memory.dmp

Filesize
3.3MB

Download
memory/3616-122-0x00007FF6D24C0000-0x00007FF6D2811000-memory.dmp

Filesize
3.3MB

Download
memory/3616-159-0x00007FF6D24C0000-0x00007FF6D2811000-memory.dmp

Filesize
3.3MB

Download
memory/3616-265-0x00007FF6D24C0000-0x00007FF6D2811000-memory.dmp

Filesize
3.3MB

Download
memory/4164-149-0x00007FF6F7500000-0x00007FF6F7851000-memory.dmp

Filesize
3.3MB

Download
memory/4164-271-0x00007FF6F7500000-0x00007FF6F7851000-memory.dmp

Filesize
3.3MB

Download
memory/4440-110-0x00007FF6D4710000-0x00007FF6D4A61000-memory.dmp

Filesize
3.3MB

Download
memory/4440-237-0x00007FF6D4710000-0x00007FF6D4A61000-memory.dmp

Filesize
3.3MB

Download
memory/4440-61-0x00007FF6D4710000-0x00007FF6D4A61000-memory.dmp

Filesize
3.3MB

Download
memory/4444-10-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-79-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-221-0x00007FF6AEE80000-0x00007FF6AF1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-92-0x00007FF7C7420000-0x00007FF7C7771000-memory.dmp

Filesize
3.3MB

Download
memory/4648-255-0x00007FF7C7420000-0x00007FF7C7771000-memory.dmp

Filesize
3.3MB

Download
memory/4648-151-0x00007FF7C7420000-0x00007FF7C7771000-memory.dmp

Filesize
3.3MB

Download
memory/4652-80-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-223-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4652-16-0x00007FF750B50000-0x00007FF750EA1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-33-0x00007FF7A5380000-0x00007FF7A56D1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-227-0x00007FF7A5380000-0x00007FF7A56D1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-263-0x00007FF7966A0000-0x00007FF7969F1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-160-0x00007FF7966A0000-0x00007FF7969F1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-111-0x00007FF7966A0000-0x00007FF7969F1000-memory.dmp

Filesize
3.3MB

Download