cobaltstrike | 32e79c9f6953c1e9cbc3a89c6f8fdbd96af59403ddff5d376eb3a9a11af30e50

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9521afafbc8c536831db6bcd79afe2c6.exe
Size

5.2MB
MD5

9521afafbc8c536831db6bcd79afe2c6
SHA1

19294f9b21891d480b60e33199650e10a5c9328f
SHA256

32e79c9f6953c1e9cbc3a89c6f8fdbd96af59403ddff5d376eb3a9a11af30e50
SHA512

cbe5099365384adb18e17da59dc1fe3c78a065e75ffce85c692e5b71cca428b9695c1efd1ba5155f80c81a2c3c0acbcbcb491bdff965d7489aed39c58c16cc54
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibf56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0012000000015ccc-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dd0-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016de4-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016eb8-19.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017403-33.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019268-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019365-98.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019377-115.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019319-114.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001929a-110.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019275-106.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001926c-89.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-88.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019217-87.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019278-82.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f6-62.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019240-75.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000190e1-46.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191d2-42.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001707c-29.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016edb-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 37 IoCs

miner

resource	yara_rule
behavioral1/memory/2732-112-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2796-123-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2548-127-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2984-126-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2692-117-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2488-116-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/1996-100-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2060-70-0x000000013FA00000-0x000000013FD51000-memory.dmp	xmrig
behavioral1/memory/2812-56-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2668-55-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/2792-48-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/1972-17-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2488-128-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/3044-129-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/2488-131-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2852-150-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/1880-151-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/988-152-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/1252-149-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/1676-147-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2600-144-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/2648-142-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/1112-148-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/1960-146-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2488-153-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2060-220-0x000000013FA00000-0x000000013FD51000-memory.dmp	xmrig
behavioral1/memory/1972-223-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/3044-224-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/2732-226-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2792-230-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/1996-228-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2668-232-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/2692-234-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2812-236-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2796-240-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2548-239-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2984-244-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2060	aDNHRBc.exe
1972	hdhFapB.exe
3044	XdEnobC.exe
1996	uCbSCva.exe
2732	yEMNFXX.exe
2792	BCSLjxR.exe
2668	WHSZksR.exe
2692	UWKhHDP.exe
2812	jrllnNu.exe
2796	MEYHWgO.exe
2548	CbeShJK.exe
2984	vzdKIdY.exe
2648	WyWvPiC.exe
2600	NqssMuu.exe
1960	EnLJpbc.exe
1112	ZlSUBgj.exe
1676	jFpxJFE.exe
1252	xBbcJBj.exe
2852	RUPFeZO.exe
988	oKpyops.exe
1880	pBxHEyx.exe

Loads dropped DLL 21 IoCs

pid	Process
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe
2488	9521afafbc8c536831db6bcd79afe2c6.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/files/0x0012000000015ccc-6.dat	upx
behavioral1/files/0x0008000000016dd0-12.dat	upx
behavioral1/files/0x0008000000016de4-11.dat	upx
behavioral1/files/0x0007000000016eb8-19.dat	upx
behavioral1/files/0x0007000000017403-33.dat	upx
behavioral1/files/0x0005000000019268-71.dat	upx
behavioral1/files/0x0005000000019365-98.dat	upx
behavioral1/memory/2732-112-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2796-123-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2548-127-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/2984-126-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2692-117-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/files/0x0005000000019377-115.dat	upx
behavioral1/files/0x0005000000019319-114.dat	upx
behavioral1/files/0x000500000001929a-110.dat	upx
behavioral1/files/0x0005000000019275-106.dat	upx
behavioral1/files/0x000500000001926c-89.dat	upx
behavioral1/files/0x0005000000019259-88.dat	upx
behavioral1/files/0x0005000000019217-87.dat	upx
behavioral1/memory/1996-100-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/files/0x0005000000019278-82.dat	upx
behavioral1/memory/2060-70-0x000000013FA00000-0x000000013FD51000-memory.dmp	upx
behavioral1/files/0x00050000000191f6-62.dat	upx
behavioral1/files/0x0005000000019240-75.dat	upx
behavioral1/memory/2812-56-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2668-55-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/2792-48-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/files/0x00080000000190e1-46.dat	upx
behavioral1/files/0x00050000000191d2-42.dat	upx
behavioral1/files/0x000700000001707c-29.dat	upx
behavioral1/files/0x0007000000016edb-28.dat	upx
behavioral1/memory/3044-22-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/1972-17-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2488-128-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/3044-129-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2488-131-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/2852-150-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/1880-151-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/988-152-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/1252-149-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/1676-147-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2600-144-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/2648-142-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/1112-148-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/1960-146-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2488-153-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/2060-220-0x000000013FA00000-0x000000013FD51000-memory.dmp	upx
behavioral1/memory/1972-223-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/3044-224-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2732-226-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2792-230-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/1996-228-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2668-232-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/2692-234-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2812-236-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2796-240-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2548-239-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/2984-244-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hdhFapB.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\CbeShJK.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\vzdKIdY.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\RUPFeZO.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\pBxHEyx.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\EnLJpbc.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\XdEnobC.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\uCbSCva.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\yEMNFXX.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\WHSZksR.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\MEYHWgO.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\jrllnNu.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\NqssMuu.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\ZlSUBgj.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\xBbcJBj.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\oKpyops.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\aDNHRBc.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\BCSLjxR.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\UWKhHDP.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\WyWvPiC.exe	9521afafbc8c536831db6bcd79afe2c6.exe
File created	C:\Windows\System\jFpxJFE.exe	9521afafbc8c536831db6bcd79afe2c6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2488	9521afafbc8c536831db6bcd79afe2c6.exe
Token: SeLockMemoryPrivilege	2488	9521afafbc8c536831db6bcd79afe2c6.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2060	2488	9521afafbc8c536831db6bcd79afe2c6.exe	32
PID 2488 wrote to memory of 2060	2488	9521afafbc8c536831db6bcd79afe2c6.exe	32
PID 2488 wrote to memory of 2060	2488	9521afafbc8c536831db6bcd79afe2c6.exe	32
PID 2488 wrote to memory of 1972	2488	9521afafbc8c536831db6bcd79afe2c6.exe	33
PID 2488 wrote to memory of 1972	2488	9521afafbc8c536831db6bcd79afe2c6.exe	33
PID 2488 wrote to memory of 1972	2488	9521afafbc8c536831db6bcd79afe2c6.exe	33
PID 2488 wrote to memory of 3044	2488	9521afafbc8c536831db6bcd79afe2c6.exe	34
PID 2488 wrote to memory of 3044	2488	9521afafbc8c536831db6bcd79afe2c6.exe	34
PID 2488 wrote to memory of 3044	2488	9521afafbc8c536831db6bcd79afe2c6.exe	34
PID 2488 wrote to memory of 1996	2488	9521afafbc8c536831db6bcd79afe2c6.exe	35
PID 2488 wrote to memory of 1996	2488	9521afafbc8c536831db6bcd79afe2c6.exe	35
PID 2488 wrote to memory of 1996	2488	9521afafbc8c536831db6bcd79afe2c6.exe	35
PID 2488 wrote to memory of 2732	2488	9521afafbc8c536831db6bcd79afe2c6.exe	36
PID 2488 wrote to memory of 2732	2488	9521afafbc8c536831db6bcd79afe2c6.exe	36
PID 2488 wrote to memory of 2732	2488	9521afafbc8c536831db6bcd79afe2c6.exe	36
PID 2488 wrote to memory of 2792	2488	9521afafbc8c536831db6bcd79afe2c6.exe	37
PID 2488 wrote to memory of 2792	2488	9521afafbc8c536831db6bcd79afe2c6.exe	37
PID 2488 wrote to memory of 2792	2488	9521afafbc8c536831db6bcd79afe2c6.exe	37
PID 2488 wrote to memory of 2692	2488	9521afafbc8c536831db6bcd79afe2c6.exe	38
PID 2488 wrote to memory of 2692	2488	9521afafbc8c536831db6bcd79afe2c6.exe	38
PID 2488 wrote to memory of 2692	2488	9521afafbc8c536831db6bcd79afe2c6.exe	38
PID 2488 wrote to memory of 2668	2488	9521afafbc8c536831db6bcd79afe2c6.exe	39
PID 2488 wrote to memory of 2668	2488	9521afafbc8c536831db6bcd79afe2c6.exe	39
PID 2488 wrote to memory of 2668	2488	9521afafbc8c536831db6bcd79afe2c6.exe	39
PID 2488 wrote to memory of 2812	2488	9521afafbc8c536831db6bcd79afe2c6.exe	40
PID 2488 wrote to memory of 2812	2488	9521afafbc8c536831db6bcd79afe2c6.exe	40
PID 2488 wrote to memory of 2812	2488	9521afafbc8c536831db6bcd79afe2c6.exe	40
PID 2488 wrote to memory of 2796	2488	9521afafbc8c536831db6bcd79afe2c6.exe	41
PID 2488 wrote to memory of 2796	2488	9521afafbc8c536831db6bcd79afe2c6.exe	41
PID 2488 wrote to memory of 2796	2488	9521afafbc8c536831db6bcd79afe2c6.exe	41
PID 2488 wrote to memory of 2648	2488	9521afafbc8c536831db6bcd79afe2c6.exe	42
PID 2488 wrote to memory of 2648	2488	9521afafbc8c536831db6bcd79afe2c6.exe	42
PID 2488 wrote to memory of 2648	2488	9521afafbc8c536831db6bcd79afe2c6.exe	42
PID 2488 wrote to memory of 2548	2488	9521afafbc8c536831db6bcd79afe2c6.exe	43
PID 2488 wrote to memory of 2548	2488	9521afafbc8c536831db6bcd79afe2c6.exe	43
PID 2488 wrote to memory of 2548	2488	9521afafbc8c536831db6bcd79afe2c6.exe	43
PID 2488 wrote to memory of 2600	2488	9521afafbc8c536831db6bcd79afe2c6.exe	44
PID 2488 wrote to memory of 2600	2488	9521afafbc8c536831db6bcd79afe2c6.exe	44
PID 2488 wrote to memory of 2600	2488	9521afafbc8c536831db6bcd79afe2c6.exe	44
PID 2488 wrote to memory of 2984	2488	9521afafbc8c536831db6bcd79afe2c6.exe	45
PID 2488 wrote to memory of 2984	2488	9521afafbc8c536831db6bcd79afe2c6.exe	45
PID 2488 wrote to memory of 2984	2488	9521afafbc8c536831db6bcd79afe2c6.exe	45
PID 2488 wrote to memory of 1960	2488	9521afafbc8c536831db6bcd79afe2c6.exe	46
PID 2488 wrote to memory of 1960	2488	9521afafbc8c536831db6bcd79afe2c6.exe	46
PID 2488 wrote to memory of 1960	2488	9521afafbc8c536831db6bcd79afe2c6.exe	46
PID 2488 wrote to memory of 1676	2488	9521afafbc8c536831db6bcd79afe2c6.exe	47
PID 2488 wrote to memory of 1676	2488	9521afafbc8c536831db6bcd79afe2c6.exe	47
PID 2488 wrote to memory of 1676	2488	9521afafbc8c536831db6bcd79afe2c6.exe	47
PID 2488 wrote to memory of 1112	2488	9521afafbc8c536831db6bcd79afe2c6.exe	48
PID 2488 wrote to memory of 1112	2488	9521afafbc8c536831db6bcd79afe2c6.exe	48
PID 2488 wrote to memory of 1112	2488	9521afafbc8c536831db6bcd79afe2c6.exe	48
PID 2488 wrote to memory of 1252	2488	9521afafbc8c536831db6bcd79afe2c6.exe	49
PID 2488 wrote to memory of 1252	2488	9521afafbc8c536831db6bcd79afe2c6.exe	49
PID 2488 wrote to memory of 1252	2488	9521afafbc8c536831db6bcd79afe2c6.exe	49
PID 2488 wrote to memory of 2852	2488	9521afafbc8c536831db6bcd79afe2c6.exe	50
PID 2488 wrote to memory of 2852	2488	9521afafbc8c536831db6bcd79afe2c6.exe	50
PID 2488 wrote to memory of 2852	2488	9521afafbc8c536831db6bcd79afe2c6.exe	50
PID 2488 wrote to memory of 1880	2488	9521afafbc8c536831db6bcd79afe2c6.exe	51
PID 2488 wrote to memory of 1880	2488	9521afafbc8c536831db6bcd79afe2c6.exe	51
PID 2488 wrote to memory of 1880	2488	9521afafbc8c536831db6bcd79afe2c6.exe	51
PID 2488 wrote to memory of 988	2488	9521afafbc8c536831db6bcd79afe2c6.exe	52
PID 2488 wrote to memory of 988	2488	9521afafbc8c536831db6bcd79afe2c6.exe	52
PID 2488 wrote to memory of 988	2488	9521afafbc8c536831db6bcd79afe2c6.exe	52

C:\Users\Admin\AppData\Local\Temp\9521afafbc8c536831db6bcd79afe2c6.exe
"C:\Users\Admin\AppData\Local\Temp\9521afafbc8c536831db6bcd79afe2c6.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\System\aDNHRBc.exe
  C:\Windows\System\aDNHRBc.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\hdhFapB.exe
  C:\Windows\System\hdhFapB.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\XdEnobC.exe
  C:\Windows\System\XdEnobC.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\uCbSCva.exe
  C:\Windows\System\uCbSCva.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\yEMNFXX.exe
  C:\Windows\System\yEMNFXX.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\BCSLjxR.exe
  C:\Windows\System\BCSLjxR.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\UWKhHDP.exe
  C:\Windows\System\UWKhHDP.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\WHSZksR.exe
  C:\Windows\System\WHSZksR.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\jrllnNu.exe
  C:\Windows\System\jrllnNu.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\MEYHWgO.exe
  C:\Windows\System\MEYHWgO.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\WyWvPiC.exe
  C:\Windows\System\WyWvPiC.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\CbeShJK.exe
  C:\Windows\System\CbeShJK.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\NqssMuu.exe
  C:\Windows\System\NqssMuu.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\vzdKIdY.exe
  C:\Windows\System\vzdKIdY.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\EnLJpbc.exe
  C:\Windows\System\EnLJpbc.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\jFpxJFE.exe
  C:\Windows\System\jFpxJFE.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\ZlSUBgj.exe
  C:\Windows\System\ZlSUBgj.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\xBbcJBj.exe
  C:\Windows\System\xBbcJBj.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\RUPFeZO.exe
  C:\Windows\System\RUPFeZO.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\pBxHEyx.exe
  C:\Windows\System\pBxHEyx.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\oKpyops.exe
  C:\Windows\System\oKpyops.exe
  2⤵
  - Executes dropped EXE
  PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CbeShJK.exe

Filesize
5.2MB

MD5
bcb818a8fc7c46040406509956408864

SHA1
19f3b33dd4366ee925e66dbd6a6a3d119ed66811

SHA256
9367eb69fade612fdaa8652cdf9e875a4c3989379b3850eec6e6f1bbedcab126

SHA512
df76acddc574b9944f903eef9fd1a8b08b42e51133138aa746be6f1683c7648e185d8c25c22cbbd353c5b8fcfb80ec1660f0a2352c4622ed4913bb6e422a7f47

Download Submit
C:\Windows\system\EnLJpbc.exe

Filesize
5.2MB

MD5
2b776de7e6dffd10216fce73f000899a

SHA1
af3642a51d34d9f4e56a0ee60852e5ffd2b837ea

SHA256
915db500ae61a5cef1220ef84469b30c31111de807f090d2e66f1bb85de2818f

SHA512
81f672e046be106a435badb97db67d619366d9c6ef07ec207393d081f4aa8c6d927cd311930d0bef2afae23aae1e19aadfd1a6892bc9c0a516af19a091e11205

Download Submit
C:\Windows\system\MEYHWgO.exe

Filesize
5.2MB

MD5
1dc57e69d68ad3446af5b3996400fbc5

SHA1
9a55fbec1404fcf1ba9ffd8ad0aa0425123e6ff9

SHA256
d777a49087bc7a5248e774c52e26f5d1df090a238980c3bbaa6d06dcbf2969a5

SHA512
b5dee95ac512a67300cf73e6e315c8d01cc7800dd9d9c3c85f5da0c08e91b5c6f084ab2955e62f31b6ec97e69cade6cdf400198685eb1e000e7f30c1b55a5826

Download Submit
C:\Windows\system\NqssMuu.exe

Filesize
5.2MB

MD5
517d4a64914153e6f4e4f2e41a6729e0

SHA1
c90a71e7c95f8712a82b85ffacb3089f90b21f03

SHA256
561e8f68a01cef9144b8ec4b3c4498dcf8239d84beef84cff537694c9c435efc

SHA512
516124128d8f177e841098c07a2869273184a7d51aec9927065f6e779c1889da9b7ce6b3d5fd8022b9c0677ceb061d21a6745dbe9a50abb1ce735e661d4cdd9d

Download Submit
C:\Windows\system\RUPFeZO.exe

Filesize
5.2MB

MD5
c6ecd9fcafb7e767317f6abab447c057

SHA1
e6c441846fd0cb4bb30aa56766ea1dee87567564

SHA256
d5fc87e65171d9ca124211e48e52971be44fdbe5dd224fc62630498d4e2ba431

SHA512
768587fcfb3a693802b9f757aadabe0b6d99bbbedcbf50f38efc7d88ed09685a775e255ca1394b24133d6e5c935594f8a4b817d8ca4a8686c39d77f64e05c5b7

Download Submit
C:\Windows\system\WHSZksR.exe

Filesize
5.2MB

MD5
31c1f530386bff065936672fce60e9e2

SHA1
a88a18f65bcff0fb1a3b1ced9e6ec387b8679d50

SHA256
ad14b9dd47b10b47552dd434d3e7ae3a1b30494df61ce3ace8367557147a3121

SHA512
bf26ca9bffd1ac28c741fa1cd228a0931fa63b0e4f1bd432f8cf2392d01beccea8d99a7d39e0890246458477f1b5531e94d95d8fdc6c5efeb674b01fbb2aaf40

Download Submit
C:\Windows\system\WyWvPiC.exe

Filesize
5.2MB

MD5
f31dcf1db83b3f8bd4b1043637f434fc

SHA1
172bc11caac79ba4dbc297113245982a9f75ab71

SHA256
946a52cc5cb5fb0ea77cc8bac24693d5d18ad281562f8aafd169325f311b220e

SHA512
8bf4fbf4da50399db1888b31d96b2ac1198c92d9aaa4fa3adebd9a933a679f24e583baafbc376215b19548d085a20a0f9c6a03db8b03d081895ece0d02e014e4

Download Submit
C:\Windows\system\XdEnobC.exe

Filesize
5.2MB

MD5
333e428cbe3344a92e9a476857936042

SHA1
2207a66e58e6f09397100e1c7a75871c47357a2a

SHA256
7bd0c9b61d65e7046dcc1490ea7791fbbe14f27d31c6f6db2eaf2e91d7fe28c5

SHA512
16c543c733bd15ffdbbfa9094c5e38e5c687e6d0d57c293279c200e8a0dd4d703553b8de14f5611869ce25a1a8d00a2c9e9f314a111ab932abb873a0a93fdb35

Download Submit
C:\Windows\system\aDNHRBc.exe

Filesize
5.2MB

MD5
9b94ef067179fdd3159a7cb0b7bf62e0

SHA1
210dc5a17a94f37f5551611de3ae57d8d7f6b84c

SHA256
5d80c770a191190f2e05d2cacbcd8bf5943080c501404257b4f5dc63a0ee79aa

SHA512
1b02e90953615d8abead190b85487f593f37f79acb6bab401c59f027d12df2afbf7e29c40bdf60d9135bd020aee339a4ef4a577df94b57ddbdec5d082b37ed1a

Download Submit
C:\Windows\system\hdhFapB.exe

Filesize
5.2MB

MD5
aa84e3793f9558d1cf8d4b3ab9e21bd8

SHA1
8d795b807b8054e144c46b11778febb50e372db2

SHA256
4c68c76cdd422a967191795cd1b0b50cd03ad765b593ed0c5930f02092e2a8b5

SHA512
b8eb86e6f5603e69d2d10dc7e2f0a949f70ce55b7238dc852d179f1c37d98311829c75780c52b785accf407ad4cc3d4f51841d00cc591eecd796ecd085e02713

Download Submit
C:\Windows\system\jFpxJFE.exe

Filesize
5.2MB

MD5
595bd721de34236160ef71fca94dbfb8

SHA1
f57cc0b5524a0242ef10f0f8ef5aa1311559be1e

SHA256
a407c66999ab068090eee52a01cb150235f4e37f0885bba1dc9e940f7a8c40d4

SHA512
772f3fa28235282d6cd98516c745af574187fc309ed75865fa02577ea175ab80f4e7b0dca61c0550e56a2153889ccdca50fd1d6570133eba258db7962f12dd94

Download Submit
C:\Windows\system\oKpyops.exe

Filesize
5.2MB

MD5
2990e82d98ffd3f089c80e676cc98a61

SHA1
5570ae282edc175e8e36e17a3a730f2e39957181

SHA256
b204821098ff514e4a58e88b1b993b0ce98baac8304eb2579a1e6ee466c1ed0f

SHA512
b954d06242370191510220236fc42c338f57c289fa2f89a347c59b8b9afbab6b5778d918ae65596887e9cd9d61a55e773de8e1e84dfdf31b75ee83e7f1821848

Download Submit
C:\Windows\system\xBbcJBj.exe

Filesize
5.2MB

MD5
3484cfaa8a8d0fd6cb1e6e472b1c4ea2

SHA1
d3231090ea11109a9c98ac3e47431750b613d429

SHA256
dd613d224bad1acf8f4a1da89c8a0c16f9322574db0ac6fe1d22f88338b2c011

SHA512
6e32f9342db2194f6e80e2f870666576ada96bfa0f534d6e712ea0028f9adacec2c82d876500e91e291d8ce4800736c4838b410d59fd8692fcf61fe99da76200

Download Submit
C:\Windows\system\yEMNFXX.exe

Filesize
5.2MB

MD5
95c1fcbf242d94a8833c5de28e494ed8

SHA1
375568ac75143ed3c9bdcb5a339c963f580b1378

SHA256
6f94ef87febc0e230372d9cb1b17b900e36beb18a8c99a0a589cec20ef7b0280

SHA512
08b4b3291ab31f0943cf481e068453fe1a84264cdebc66710f63705b46535982d895113c08c9734aa8f1dfef6017569d9530c100184e3deb582e085046a51bbe

Download Submit
\Windows\system\BCSLjxR.exe

Filesize
5.2MB

MD5
d2013f597b76359de7b229c0b44bbc03

SHA1
28c8b99912d1f02c05491b56b7ddd2bdcc669f94

SHA256
1f738b3edc4b3c14254be5e99731236daf7ddc4a2a0c6911dcda91f8c0985752

SHA512
fa52538d8343f4719a30fbd1e807b4e400e12cf774f8180b36a53c38774c5751338533fd614360303413d2291447b45e84da0dcb78cd5a70a488fe67a7dd1e5e

Download Submit
\Windows\system\UWKhHDP.exe

Filesize
5.2MB

MD5
dc1f857eea2874563ca9458c70bfd8ec

SHA1
8852e6fdf101a2e6abc9b3911c15b8031ee28669

SHA256
c7f9c57846ec07fcea78939cf711ce642ff506445876ffbbdf159f5059c2ddb9

SHA512
48c68bdc341236074c2aebd5c91b68ab81651abb05c4e49c977fd5914d23e91d08ed21b490d7d295094866e1823f1355cc424d828a3c38558663eb81b23b2684

Download Submit
\Windows\system\ZlSUBgj.exe

Filesize
5.2MB

MD5
8917e5f6f08f33dd1ad9237536f2ec8c

SHA1
f2981e09374fb7258058d8db3f91e4a7b384683e

SHA256
f8a10f0ad39df136b51f4d4106f32a3e265f12985317f5ee1f9f9d51c55d022e

SHA512
03193ba27cdcbf191bf5d80504b608570e22923824bda9031f5f410fbd2d4e10be59d43832ab2f64ea21e69012eb8f520b2f8ac2c7d6ee874606a185855936d0

Download Submit
\Windows\system\jrllnNu.exe

Filesize
5.2MB

MD5
2b6dae2ea753410b01732e036ddaa1d8

SHA1
afa069c6ba7a4e5cdf9461f7e5be6162585f8557

SHA256
b7ddec2a4428a14e6302bd92c4680f9bcc1413a8684d8dd7655c09c8480dd59e

SHA512
28c9d695ae1851b5ba4e9bcc9ff6368a74bc5a376a3eab4613f8c1d3d8d2ff7284ef8f0aa7e5368362aba7297b3636644c76806c34c7e278e6bac055024d6c13

Download Submit
\Windows\system\pBxHEyx.exe

Filesize
5.2MB

MD5
dc9396e984dd4ad16017414bc2d94e94

SHA1
b55114bc66618942777c0aae0fbfb5c95205eaf2

SHA256
d00a7f5b336f01c2e88a00b3a8c3ee7da47c7b706692db693652fcc029109d6c

SHA512
671f2af5604a8a196c56ebdb62f28a4f2de2a640a8d81e3d21477f1c371a6a42f30be63388165d64a4256e50b45a60a6971f99aca2241e0152f01ef5a3f51587

Download Submit
\Windows\system\uCbSCva.exe

Filesize
5.2MB

MD5
ad01ade3040ad58033bb3f8b4e941924

SHA1
f0e23602f28b57acd7392cf0f051c885d97d915a

SHA256
545ffbf108e94d5cb5820581cd8c1d6c363450ee25f384db42f4d4906da6fcd1

SHA512
9f60b62dc3fadc4c336f27b389957db8f25f9de8ae3eb1532060b82a669e4d66b3692b3f072efeffbcce6c429726165f0a400d4756ab9365fd4aadff206be455

Download Submit
\Windows\system\vzdKIdY.exe

Filesize
5.2MB

MD5
f80a0be563bc1f565697d1c41e349d2b

SHA1
941c5cf97ab77f88dcb861a923070d0bbd8d849a

SHA256
725ca8b6d839ab4b62e75ceded1fc5d7f0ffeccbf8e4ff9058a81645a1831211

SHA512
56c305b9437a7a50ac3c78c45b3d3d8fa6955aed618a62dda52e0a18eac36cdcd90d1c6f2f5fe522103787a6995f53bbd993e6e833a40763740e9642051cfbe7

Download Submit
memory/988-152-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1112-148-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/1252-149-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/1676-147-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-151-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/1960-146-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/1972-223-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-17-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-228-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/1996-100-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2060-220-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2060-70-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2488-0-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2488-122-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2488-52-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-49-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2488-153-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2488-116-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-124-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2488-125-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2488-93-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2488-41-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2488-7-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2488-128-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2488-130-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2488-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2488-131-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2548-127-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2548-239-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2600-144-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2648-142-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2668-232-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-55-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-234-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2692-117-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2732-226-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2732-112-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2792-230-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2792-48-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2796-123-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2796-240-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2812-56-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-236-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-150-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2984-126-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-244-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-224-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-22-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-129-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download