cobaltstrike | 99de3177122a9b0e28fda2a60cf71e499e14e759ffb9110bf836a2ef91193e8b

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
Size

5.2MB
MD5

bbc6d2a38b9270a5bf717a1f8ac1ede7
SHA1

b059695e582180f919f49bd01610121996c2c5b3
SHA256

99de3177122a9b0e28fda2a60cf71e499e14e759ffb9110bf836a2ef91193e8b
SHA512

c518695793e79c8e59e47d84cac525abc1e49553268462b61e20deab79872fc232615ae023ad5a90bf06fc77bcd4c324baeeadd127878c52c16062e3e4fc62cd
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0003000000022ab1-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-9.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023475-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-24.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023476-121.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-38.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1320-127-0x00007FF748970000-0x00007FF748CC1000-memory.dmp	xmrig
behavioral2/memory/3660-126-0x00007FF7814C0000-0x00007FF781811000-memory.dmp	xmrig
behavioral2/memory/1460-125-0x00007FF7E4D20000-0x00007FF7E5071000-memory.dmp	xmrig
behavioral2/memory/4752-118-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp	xmrig
behavioral2/memory/3892-117-0x00007FF7122E0000-0x00007FF712631000-memory.dmp	xmrig
behavioral2/memory/2596-112-0x00007FF6AE250000-0x00007FF6AE5A1000-memory.dmp	xmrig
behavioral2/memory/4840-81-0x00007FF705C30000-0x00007FF705F81000-memory.dmp	xmrig
behavioral2/memory/4956-20-0x00007FF724220000-0x00007FF724571000-memory.dmp	xmrig
behavioral2/memory/1476-128-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp	xmrig
behavioral2/memory/3744-135-0x00007FF6433F0000-0x00007FF643741000-memory.dmp	xmrig
behavioral2/memory/440-132-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp	xmrig
behavioral2/memory/1476-129-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp	xmrig
behavioral2/memory/2716-137-0x00007FF715B30000-0x00007FF715E81000-memory.dmp	xmrig
behavioral2/memory/920-140-0x00007FF6E0AC0000-0x00007FF6E0E11000-memory.dmp	xmrig
behavioral2/memory/3156-138-0x00007FF6A31E0000-0x00007FF6A3531000-memory.dmp	xmrig
behavioral2/memory/4072-136-0x00007FF7A9D20000-0x00007FF7AA071000-memory.dmp	xmrig
behavioral2/memory/2044-134-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp	xmrig
behavioral2/memory/1720-133-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp	xmrig
behavioral2/memory/2396-139-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp	xmrig
behavioral2/memory/916-147-0x00007FF7F8070000-0x00007FF7F83C1000-memory.dmp	xmrig
behavioral2/memory/4892-144-0x00007FF744450000-0x00007FF7447A1000-memory.dmp	xmrig
behavioral2/memory/2832-141-0x00007FF61A080000-0x00007FF61A3D1000-memory.dmp	xmrig
behavioral2/memory/4664-145-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp	xmrig
behavioral2/memory/1476-152-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp	xmrig
behavioral2/memory/4956-218-0x00007FF724220000-0x00007FF724571000-memory.dmp	xmrig
behavioral2/memory/2396-216-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp	xmrig
behavioral2/memory/440-220-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp	xmrig
behavioral2/memory/1720-222-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp	xmrig
behavioral2/memory/2044-224-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp	xmrig
behavioral2/memory/3744-226-0x00007FF6433F0000-0x00007FF643741000-memory.dmp	xmrig
behavioral2/memory/4072-228-0x00007FF7A9D20000-0x00007FF7AA071000-memory.dmp	xmrig
behavioral2/memory/920-230-0x00007FF6E0AC0000-0x00007FF6E0E11000-memory.dmp	xmrig
behavioral2/memory/2716-232-0x00007FF715B30000-0x00007FF715E81000-memory.dmp	xmrig
behavioral2/memory/3156-234-0x00007FF6A31E0000-0x00007FF6A3531000-memory.dmp	xmrig
behavioral2/memory/4840-236-0x00007FF705C30000-0x00007FF705F81000-memory.dmp	xmrig
behavioral2/memory/2596-241-0x00007FF6AE250000-0x00007FF6AE5A1000-memory.dmp	xmrig
behavioral2/memory/4892-243-0x00007FF744450000-0x00007FF7447A1000-memory.dmp	xmrig
behavioral2/memory/4664-252-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp	xmrig
behavioral2/memory/3660-259-0x00007FF7814C0000-0x00007FF781811000-memory.dmp	xmrig
behavioral2/memory/1460-258-0x00007FF7E4D20000-0x00007FF7E5071000-memory.dmp	xmrig
behavioral2/memory/1320-256-0x00007FF748970000-0x00007FF748CC1000-memory.dmp	xmrig
behavioral2/memory/3892-253-0x00007FF7122E0000-0x00007FF712631000-memory.dmp	xmrig
behavioral2/memory/2832-250-0x00007FF61A080000-0x00007FF61A3D1000-memory.dmp	xmrig
behavioral2/memory/916-248-0x00007FF7F8070000-0x00007FF7F83C1000-memory.dmp	xmrig
behavioral2/memory/4752-246-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2396	NCPjAjI.exe
4956	yPhqoxq.exe
440	QOZkUZN.exe
1720	HpWJECc.exe
2044	oKIfyaF.exe
3744	ESTOauI.exe
4072	UqikMJL.exe
920	SliXsms.exe
2716	NbwDISW.exe
3156	JTPZACA.exe
2832	IXCAJQk.exe
4840	WeMrkug.exe
2596	gyacYgJ.exe
4892	gyioOvO.exe
3892	kXHQYiv.exe
4664	OarLxoN.exe
916	TJEpcGG.exe
4752	ARuMbmW.exe
1320	ClpcQzY.exe
1460	iQaWezO.exe
3660	efprkRP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1476-0-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp	upx
behavioral2/files/0x0003000000022ab1-4.dat	upx
behavioral2/files/0x0007000000023479-9.dat	upx
behavioral2/files/0x0008000000023475-11.dat	upx
behavioral2/files/0x000700000002347a-24.dat	upx
behavioral2/memory/440-25-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp	upx
behavioral2/memory/4072-36-0x00007FF7A9D20000-0x00007FF7AA071000-memory.dmp	upx
behavioral2/files/0x000700000002347e-52.dat	upx
behavioral2/files/0x0007000000023481-59.dat	upx
behavioral2/files/0x000700000002347f-73.dat	upx
behavioral2/files/0x0007000000023486-84.dat	upx
behavioral2/files/0x0007000000023483-92.dat	upx
behavioral2/files/0x0007000000023487-113.dat	upx
behavioral2/files/0x0008000000023476-121.dat	upx
behavioral2/memory/1320-127-0x00007FF748970000-0x00007FF748CC1000-memory.dmp	upx
behavioral2/memory/3660-126-0x00007FF7814C0000-0x00007FF781811000-memory.dmp	upx
behavioral2/memory/1460-125-0x00007FF7E4D20000-0x00007FF7E5071000-memory.dmp	upx
behavioral2/files/0x000700000002348a-123.dat	upx
behavioral2/files/0x0007000000023489-119.dat	upx
behavioral2/memory/4752-118-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp	upx
behavioral2/memory/3892-117-0x00007FF7122E0000-0x00007FF712631000-memory.dmp	upx
behavioral2/files/0x0007000000023488-115.dat	upx
behavioral2/memory/2596-112-0x00007FF6AE250000-0x00007FF6AE5A1000-memory.dmp	upx
behavioral2/memory/2832-111-0x00007FF61A080000-0x00007FF61A3D1000-memory.dmp	upx
behavioral2/files/0x0007000000023485-105.dat	upx
behavioral2/memory/916-103-0x00007FF7F8070000-0x00007FF7F83C1000-memory.dmp	upx
behavioral2/files/0x0007000000023484-94.dat	upx
behavioral2/memory/4664-89-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp	upx
behavioral2/memory/4892-88-0x00007FF744450000-0x00007FF7447A1000-memory.dmp	upx
behavioral2/memory/4840-81-0x00007FF705C30000-0x00007FF705F81000-memory.dmp	upx
behavioral2/memory/3156-71-0x00007FF6A31E0000-0x00007FF6A3531000-memory.dmp	upx
behavioral2/memory/2716-69-0x00007FF715B30000-0x00007FF715E81000-memory.dmp	upx
behavioral2/files/0x0007000000023482-64.dat	upx
behavioral2/files/0x0007000000023480-62.dat	upx
behavioral2/memory/920-56-0x00007FF6E0AC0000-0x00007FF6E0E11000-memory.dmp	upx
behavioral2/files/0x000700000002347d-47.dat	upx
behavioral2/files/0x000700000002347c-41.dat	upx
behavioral2/files/0x000700000002347b-38.dat	upx
behavioral2/memory/2044-34-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp	upx
behavioral2/memory/3744-31-0x00007FF6433F0000-0x00007FF643741000-memory.dmp	upx
behavioral2/memory/1720-30-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp	upx
behavioral2/memory/4956-20-0x00007FF724220000-0x00007FF724571000-memory.dmp	upx
behavioral2/memory/2396-6-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp	upx
behavioral2/memory/1476-128-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp	upx
behavioral2/memory/3744-135-0x00007FF6433F0000-0x00007FF643741000-memory.dmp	upx
behavioral2/memory/440-132-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp	upx
behavioral2/memory/1476-129-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp	upx
behavioral2/memory/2716-137-0x00007FF715B30000-0x00007FF715E81000-memory.dmp	upx
behavioral2/memory/920-140-0x00007FF6E0AC0000-0x00007FF6E0E11000-memory.dmp	upx
behavioral2/memory/3156-138-0x00007FF6A31E0000-0x00007FF6A3531000-memory.dmp	upx
behavioral2/memory/4072-136-0x00007FF7A9D20000-0x00007FF7AA071000-memory.dmp	upx
behavioral2/memory/2044-134-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp	upx
behavioral2/memory/1720-133-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp	upx
behavioral2/memory/2396-139-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp	upx
behavioral2/memory/916-147-0x00007FF7F8070000-0x00007FF7F83C1000-memory.dmp	upx
behavioral2/memory/4892-144-0x00007FF744450000-0x00007FF7447A1000-memory.dmp	upx
behavioral2/memory/2832-141-0x00007FF61A080000-0x00007FF61A3D1000-memory.dmp	upx
behavioral2/memory/4664-145-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp	upx
behavioral2/memory/1476-152-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp	upx
behavioral2/memory/4956-218-0x00007FF724220000-0x00007FF724571000-memory.dmp	upx
behavioral2/memory/2396-216-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp	upx
behavioral2/memory/440-220-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp	upx
behavioral2/memory/1720-222-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp	upx
behavioral2/memory/2044-224-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WeMrkug.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\gyacYgJ.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\UqikMJL.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\NbwDISW.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\JTPZACA.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\gyioOvO.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\TJEpcGG.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\ARuMbmW.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\NCPjAjI.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\QOZkUZN.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\OarLxoN.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\kXHQYiv.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\ESTOauI.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\IXCAJQk.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\oKIfyaF.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\SliXsms.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\iQaWezO.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\ClpcQzY.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\efprkRP.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\yPhqoxq.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
File created	C:\Windows\System\HpWJECc.exe	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
Token: SeLockMemoryPrivilege	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2396	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	86
PID 1476 wrote to memory of 2396	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	86
PID 1476 wrote to memory of 4956	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	87
PID 1476 wrote to memory of 4956	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	87
PID 1476 wrote to memory of 440	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	88
PID 1476 wrote to memory of 440	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	88
PID 1476 wrote to memory of 1720	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	89
PID 1476 wrote to memory of 1720	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	89
PID 1476 wrote to memory of 2044	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	90
PID 1476 wrote to memory of 2044	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	90
PID 1476 wrote to memory of 3744	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	91
PID 1476 wrote to memory of 3744	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	91
PID 1476 wrote to memory of 4072	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	92
PID 1476 wrote to memory of 4072	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	92
PID 1476 wrote to memory of 2716	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	93
PID 1476 wrote to memory of 2716	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	93
PID 1476 wrote to memory of 3156	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	94
PID 1476 wrote to memory of 3156	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	94
PID 1476 wrote to memory of 920	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	95
PID 1476 wrote to memory of 920	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	95
PID 1476 wrote to memory of 2832	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	96
PID 1476 wrote to memory of 2832	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	96
PID 1476 wrote to memory of 4840	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	97
PID 1476 wrote to memory of 4840	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	97
PID 1476 wrote to memory of 2596	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	98
PID 1476 wrote to memory of 2596	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	98
PID 1476 wrote to memory of 4892	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	99
PID 1476 wrote to memory of 4892	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	99
PID 1476 wrote to memory of 4664	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	100
PID 1476 wrote to memory of 4664	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	100
PID 1476 wrote to memory of 3892	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	101
PID 1476 wrote to memory of 3892	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	101
PID 1476 wrote to memory of 916	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	102
PID 1476 wrote to memory of 916	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	102
PID 1476 wrote to memory of 1460	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	103
PID 1476 wrote to memory of 1460	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	103
PID 1476 wrote to memory of 4752	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	104
PID 1476 wrote to memory of 4752	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	104
PID 1476 wrote to memory of 1320	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	105
PID 1476 wrote to memory of 1320	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	105
PID 1476 wrote to memory of 3660	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	106
PID 1476 wrote to memory of 3660	1476	bbc6d2a38b9270a5bf717a1f8ac1ede7.exe	106

C:\Users\Admin\AppData\Local\Temp\bbc6d2a38b9270a5bf717a1f8ac1ede7.exe
"C:\Users\Admin\AppData\Local\Temp\bbc6d2a38b9270a5bf717a1f8ac1ede7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\System\NCPjAjI.exe
  C:\Windows\System\NCPjAjI.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\yPhqoxq.exe
  C:\Windows\System\yPhqoxq.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\QOZkUZN.exe
  C:\Windows\System\QOZkUZN.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\HpWJECc.exe
  C:\Windows\System\HpWJECc.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\oKIfyaF.exe
  C:\Windows\System\oKIfyaF.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\ESTOauI.exe
  C:\Windows\System\ESTOauI.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\UqikMJL.exe
  C:\Windows\System\UqikMJL.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\NbwDISW.exe
  C:\Windows\System\NbwDISW.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\JTPZACA.exe
  C:\Windows\System\JTPZACA.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\SliXsms.exe
  C:\Windows\System\SliXsms.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\IXCAJQk.exe
  C:\Windows\System\IXCAJQk.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\WeMrkug.exe
  C:\Windows\System\WeMrkug.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\gyacYgJ.exe
  C:\Windows\System\gyacYgJ.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\gyioOvO.exe
  C:\Windows\System\gyioOvO.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\OarLxoN.exe
  C:\Windows\System\OarLxoN.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\kXHQYiv.exe
  C:\Windows\System\kXHQYiv.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\TJEpcGG.exe
  C:\Windows\System\TJEpcGG.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\iQaWezO.exe
  C:\Windows\System\iQaWezO.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\ARuMbmW.exe
  C:\Windows\System\ARuMbmW.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\ClpcQzY.exe
  C:\Windows\System\ClpcQzY.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\efprkRP.exe
  C:\Windows\System\efprkRP.exe
  2⤵
  - Executes dropped EXE
  PID:3660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ARuMbmW.exe

Filesize
5.2MB

MD5
e8b5426194771115355ca71ca539558d

SHA1
7aa0af921ef06a8b543ae9fb96cbc1d0bc9bafae

SHA256
41f4b6508bee66990f1d0324ca0334b352d13183835e4b0288f8c7a758dc9120

SHA512
d7a983f8f15ad4a9ba86081cad07a71aefef39ff4b840dddf7ab4d35ef2b29868c95df7e66c110c71715d5c63c1847473274d5f9dfb1543f61932e4948637138

Download Submit
C:\Windows\System\ClpcQzY.exe

Filesize
5.2MB

MD5
eac6fc0fc176483b1ebb7736ecfeaac3

SHA1
23c7a426ba85d84f7558764ab95df7d9195f9a43

SHA256
cb7e75c7edf4c1924693db43f3d7d59c4f10ddb2b2359a7d9a52d21c35d8ab2e

SHA512
5b37b476d12e76b5203443c896fb4d6557bc153654f7c16b95c158f024afb94c074b0614633d41370a72087e6ba5958367cc8e62a294bd43ed6c59f4169d5ed7

Download Submit
C:\Windows\System\ESTOauI.exe

Filesize
5.2MB

MD5
f0215edbe53cae537ac974c4bd31af52

SHA1
8e67249c2fb6d9f3ecbe3231704d51e69b575e91

SHA256
e705259c88753fbdee758ab0adaa4736487069c3ad8cdb2ebcf1fadcd5dd5eca

SHA512
0d08984fc52abc03fc9b39762a338045acd1e918ac5c4ca288b389286761fcda8568ebdc04216acec8ca0e2a7c4c6b6e6cd330dec5461bc74814c25e427f14e5

Download Submit
C:\Windows\System\HpWJECc.exe

Filesize
5.2MB

MD5
e348dd456f7a79ebf2da2c1eabaefa06

SHA1
9534e68529e2eb24070dac3cd6520faf84bf0a28

SHA256
cff4982cdeb68785c253ebee64fb8ff5d1a8aa915ce8208a48885848c577cf9d

SHA512
5ee4427b8515ae50c9afedcfb01a843ff3eac618e2ac0a2e55e9da66085756cf8e6b5971868e69d00cc5311cfa47b071dcd3429da37b79507e0c8dcf3b84d409

Download Submit
C:\Windows\System\IXCAJQk.exe

Filesize
5.2MB

MD5
ddc2b1abef0a3de23e8e72b06b968ccd

SHA1
faf75ac6b1e286a0e85a46ebee92c599465cf8ce

SHA256
b105fd61eac637538479fbc4f429ff81e391e2c517582d5ec7058f95b7e3dcb4

SHA512
3044ca7f14325ba2688c4f4583f48f340b3c00fde8a12af372c8aaa45f971838d31bd0454b5dc520ff9d0673c9ccfb9883d23e7b494f399886ef003937409ff4

Download Submit
C:\Windows\System\JTPZACA.exe

Filesize
5.2MB

MD5
9441a179ec2991012c0ccfb5ca26018c

SHA1
6b532e698f5d280d8beeccf7c51d0fca65af2c36

SHA256
fab372425f7ff8ef8149c1560000cdfb6ae51ab7efd6e22c083ace3ae680f0c6

SHA512
b531b6ee50b13e9e3cbf359ded8d579d972239c9ce1bee0636e355cf99629522f03f0db3900c8e2f0d1436d791b29fdf0fe94e9e083f190078ec98761d67dbfc

Download Submit
C:\Windows\System\NCPjAjI.exe

Filesize
5.2MB

MD5
c57e130c1b2eafea790473b618e4d159

SHA1
4ad5f1fb1f68faf83c07a74601c53d1b052d5ac1

SHA256
6e9a4475f0bd34a761999aeba961cbc595065233fd77d532595788d2469d36d3

SHA512
eb2a51cbfb0c0d9e252c86a205e05fb84ec2b29332546aaf9115fbd00c2a87a70ae1feff24c34ca9116d7cb21fa1a50db2fcf5fecd25c6f9ef0ea4814ea93966

Download Submit
C:\Windows\System\NbwDISW.exe

Filesize
5.2MB

MD5
d5e8c00440fe22bab2b69fc312ac249f

SHA1
24c81d1e3163015e2f96dd37b185a0a99a2b890a

SHA256
b435b6ea498897e171d9db16b0bc757386bc746bb333bca3ba9644db346b51d3

SHA512
a0b9d7bd690395e0b6a6a37303e28c1a16dec0a9da86c0fa25c88ea980f57f80d0a69a64349173e2f01ad1816134a8e644edfe31da2b446cdad2096a106518ec

Download Submit
C:\Windows\System\OarLxoN.exe

Filesize
5.2MB

MD5
a6111ea6cff7da6f02e0a8722d2e6c92

SHA1
f1ac39902c4807f0b895c40f9e13e902c7ea742d

SHA256
82c08bfad9d9bb045fec38561a2c3c46628fb7aa5adde6e8aa4d80f4eab8a300

SHA512
f494c55f086c8a594cfe6e3571533cd38817487159db4c8474cc5e071148d7b5b843702bed0ccf8898a28e702f06a50b8fc532aeb6c686b03f72dc00c16aa3ff

Download Submit
C:\Windows\System\QOZkUZN.exe

Filesize
5.2MB

MD5
c9131bafec2cf1b8c89cc8a2c5aaa1f3

SHA1
bba36a2398fa1661fa6babe3ac78e83a039f07ff

SHA256
72f0041d4be3131f1b9b7bb6a0b23d176b860d2c2858ba241897da6ec4b5e02b

SHA512
2cd6a7068bc8f351e94c55e3a4f85b96e95c24f22f6e0ad9e8a9d0ae1bf18ddae40fb0d856b44da729d110c90c71124db104dd3a910e1277b6d963656fc6265c

Download Submit
C:\Windows\System\SliXsms.exe

Filesize
5.2MB

MD5
d7ad09d1543f59fb86cb29da2068f0b5

SHA1
d2eecfcfe5ad9f0bb886a3ad5e5e395a1009ddb1

SHA256
a0a1ba6f312ce53b97235f7edab021ffdc0d5b48a5d3b2520495515caac7acb5

SHA512
6379ab05cc8a9e6b7ccf15cc428abeb3b9b399be84c8ed1498aa69d55b7b84bdf5f5405e9b2c061d340f6b31587671c0184df5c805f3f4b3bc55de1aee7cd728

Download Submit
C:\Windows\System\TJEpcGG.exe

Filesize
5.2MB

MD5
e20d27477ec02426219ccb07fdf2513b

SHA1
0c352800a48add6912f23b71ee27dc448bf56ed9

SHA256
272bedb3171b675846790b812205e385fba422889648caa451c7c587dd692749

SHA512
78e687e072990465c1317498260bca6df5e52da0cfc3aeb98aac44be972ac73f7f0530604a356845395fd9da33453f8069099a976eaf0454d4faf9e79340ed1e

Download Submit
C:\Windows\System\UqikMJL.exe

Filesize
5.2MB

MD5
36bf759273d3f46e2974c8084ed4334b

SHA1
16bb9985978d73566837f92c60dcd31529013526

SHA256
d87536ab24eeb6fe99931f42ca039f1376d11fa4f1c27c379d2dc636d22cc3d2

SHA512
f72da4589ece5a47c380d2620ad77cdd0bbd7f6650dd77c9b40a0c2fd72b343a273301409484f43b3dfb9196b6d4250f32b07a909e5d304cfcd6c1fa2ba78c0b

Download Submit
C:\Windows\System\WeMrkug.exe

Filesize
5.2MB

MD5
1e631eeedbe5654f7281471c532ccf65

SHA1
48078f73d92a4ecd490648384bc5cf9e4dd2b781

SHA256
f50e4f940e477d65ce48e4d531ec57d79e2d7f64953e13029b673c2f24f2f2a8

SHA512
2f1cb50343888442f2eda94407f4147e6fcd9f092c48ab79fd914bfc07d78d3b84526806557d2027bd598e51caa5ce57e525d8a5b6ac23f573b3769c8b5cc6e9

Download Submit
C:\Windows\System\efprkRP.exe

Filesize
5.2MB

MD5
ba52ff01eb088201ac2f753b8f50b610

SHA1
b367cb3ad41357a11c8678bb4975bc45a08252ca

SHA256
3aa2208862b01d02ab81ca8e57dfd6aba2b3df03fcca81014a8913f7e089dc21

SHA512
1d43a482868b1d9ebb9e9bec537b7ce5c3b6fcdf08fd4de6c7c943fa31aad2090c0dad6767dfb7c01b78e1e53811eaef88c2df7069d2ae65c4e96810f58643a5

Download Submit
C:\Windows\System\gyacYgJ.exe

Filesize
5.2MB

MD5
156534dd7caea9631da4508f4a3ab86b

SHA1
68df870c4b255973755a6baaebb1de29c3423b56

SHA256
ef2bcf56666cdd54058029775a8ecaa278d9642e192b33ae8ca3f7b385fb3b92

SHA512
505ac03312f4f76527a34d01c107eec9942fc6f3aea3bd3b56abb8e941c9058ffeed373045c17eaef272ec4cb43c62eafbec2d83dd5510e6f9fd18a842beabe6

Download Submit
C:\Windows\System\gyioOvO.exe

Filesize
5.2MB

MD5
6da71d97da3aa6b746eceb9f95cd219d

SHA1
3f26a5a51dfdb1cb3ff20a6ceebdc46c9a27d133

SHA256
18125308ad4bc2be31511c26036c0192c078b488d8ff5201807d04150425e380

SHA512
0ff3623d26a4290f975146377a6c2575d183782d86716964f90d515ddac4a2d129f1e173276be1a94079a3d542f9eb368ccaf3a348fb4e3481443bea38088b33

Download Submit
C:\Windows\System\iQaWezO.exe

Filesize
5.2MB

MD5
1692d2930524584d1eff37f0bf4c9f75

SHA1
e0b34814e775522376927f1360f22318f0df3786

SHA256
93491fa35aebcdb55e3558e8ba974d1f6f999f1420c2fcb7ac0f8e78607551ce

SHA512
c66d6f0fa75e4a75a3148ab0a8c0d9a22db23470c1bd50ded407fafec2fdb6b56cc48e26680ce3702b3398c8997d24c587c00ef5f219c527ac0d506317ed61a4

Download Submit
C:\Windows\System\kXHQYiv.exe

Filesize
5.2MB

MD5
48b988cdceb7fac333d113fa429db354

SHA1
b505a1d83bfd5856639ce4e45199a959d5596957

SHA256
bfe489724ab81219628b7f381ebae98a7e2f88bce164d9dbd4d79acfb53dfcb4

SHA512
acbef336a1154034b7c7f9038b6cf1f8976f78081ed1aa6cc71f9408a8dba8d0d1910dc4f02f38e15a0f5a17aa585a39e4b3d37fbfeff24ea4e5dc6681cee509

Download Submit
C:\Windows\System\oKIfyaF.exe

Filesize
5.2MB

MD5
8bf350d71b787885a0a7dbcbd2926f5c

SHA1
67aca8f2813bd1bba5f64be3cf75534921b56faf

SHA256
f445399d33289cff76b37b022895382e1a6bfe3fdfa439c3ba376f56cfa17061

SHA512
f6b7ef5177920d1b19a1cf4dc6ef4c4c279fcdfcef1fddd51eebf1ddf0a4aee1a09b8870fcd75a76c83136d130fdc4adecf9e199989201a8713d5e24f8c23884

Download Submit
C:\Windows\System\yPhqoxq.exe

Filesize
5.2MB

MD5
12b181ac8025b8fb4d2e275561daf68a

SHA1
ee7d159002dfcb4feefb7887e3045ff19e8a5e5b

SHA256
f0b281aff513affe60f6670f0e74aa9f62b19d47a1cf67161d15c6aaef71a876

SHA512
1d4ffcc2359e0cd0cea440bb529cffd7fe5a19a1ea67d0e4d28d39d911635a97af807722c3e317ee2cd801fcd4c95dcb4a383f3e1330f71ce5f9b995d735d08a

Download Submit
memory/440-132-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp

Filesize
3.3MB

Download
memory/440-25-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp

Filesize
3.3MB

Download
memory/440-220-0x00007FF6F7010000-0x00007FF6F7361000-memory.dmp

Filesize
3.3MB

Download
memory/916-147-0x00007FF7F8070000-0x00007FF7F83C1000-memory.dmp

Filesize
3.3MB

Download
memory/916-248-0x00007FF7F8070000-0x00007FF7F83C1000-memory.dmp

Filesize
3.3MB

Download
memory/916-103-0x00007FF7F8070000-0x00007FF7F83C1000-memory.dmp

Filesize
3.3MB

Download
memory/920-230-0x00007FF6E0AC0000-0x00007FF6E0E11000-memory.dmp

Filesize
3.3MB

Download
memory/920-140-0x00007FF6E0AC0000-0x00007FF6E0E11000-memory.dmp

Filesize
3.3MB

Download
memory/920-56-0x00007FF6E0AC0000-0x00007FF6E0E11000-memory.dmp

Filesize
3.3MB

Download
memory/1320-256-0x00007FF748970000-0x00007FF748CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-127-0x00007FF748970000-0x00007FF748CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-258-0x00007FF7E4D20000-0x00007FF7E5071000-memory.dmp

Filesize
3.3MB

Download
memory/1460-125-0x00007FF7E4D20000-0x00007FF7E5071000-memory.dmp

Filesize
3.3MB

Download
memory/1476-0-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp

Filesize
3.3MB

Download
memory/1476-152-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp

Filesize
3.3MB

Download
memory/1476-128-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp

Filesize
3.3MB

Download
memory/1476-129-0x00007FF6B9310000-0x00007FF6B9661000-memory.dmp

Filesize
3.3MB

Download
memory/1476-1-0x000002D933100000-0x000002D933110000-memory.dmp

Filesize
64KB

Download
memory/1720-133-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp

Filesize
3.3MB

Download
memory/1720-30-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp

Filesize
3.3MB

Download
memory/1720-222-0x00007FF7BB300000-0x00007FF7BB651000-memory.dmp

Filesize
3.3MB

Download
memory/2044-134-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-34-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-224-0x00007FF63BF70000-0x00007FF63C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-216-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp

Filesize
3.3MB

Download
memory/2396-6-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp

Filesize
3.3MB

Download
memory/2396-139-0x00007FF7F1FC0000-0x00007FF7F2311000-memory.dmp

Filesize
3.3MB

Download
memory/2596-112-0x00007FF6AE250000-0x00007FF6AE5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-241-0x00007FF6AE250000-0x00007FF6AE5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-69-0x00007FF715B30000-0x00007FF715E81000-memory.dmp

Filesize
3.3MB

Download
memory/2716-137-0x00007FF715B30000-0x00007FF715E81000-memory.dmp

Filesize
3.3MB

Download
memory/2716-232-0x00007FF715B30000-0x00007FF715E81000-memory.dmp

Filesize
3.3MB

Download
memory/2832-250-0x00007FF61A080000-0x00007FF61A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-111-0x00007FF61A080000-0x00007FF61A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-141-0x00007FF61A080000-0x00007FF61A3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3156-234-0x00007FF6A31E0000-0x00007FF6A3531000-memory.dmp

Filesize
3.3MB

Download
memory/3156-71-0x00007FF6A31E0000-0x00007FF6A3531000-memory.dmp

Filesize
3.3MB

Download
memory/3156-138-0x00007FF6A31E0000-0x00007FF6A3531000-memory.dmp

Filesize
3.3MB

Download
memory/3660-126-0x00007FF7814C0000-0x00007FF781811000-memory.dmp

Filesize
3.3MB

Download
memory/3660-259-0x00007FF7814C0000-0x00007FF781811000-memory.dmp

Filesize
3.3MB

Download
memory/3744-135-0x00007FF6433F0000-0x00007FF643741000-memory.dmp

Filesize
3.3MB

Download
memory/3744-31-0x00007FF6433F0000-0x00007FF643741000-memory.dmp

Filesize
3.3MB

Download
memory/3744-226-0x00007FF6433F0000-0x00007FF643741000-memory.dmp

Filesize
3.3MB

Download
memory/3892-253-0x00007FF7122E0000-0x00007FF712631000-memory.dmp

Filesize
3.3MB

Download
memory/3892-117-0x00007FF7122E0000-0x00007FF712631000-memory.dmp

Filesize
3.3MB

Download
memory/4072-136-0x00007FF7A9D20000-0x00007FF7AA071000-memory.dmp

Filesize
3.3MB

Download
memory/4072-228-0x00007FF7A9D20000-0x00007FF7AA071000-memory.dmp

Filesize
3.3MB

Download
memory/4072-36-0x00007FF7A9D20000-0x00007FF7AA071000-memory.dmp

Filesize
3.3MB

Download
memory/4664-89-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-252-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-145-0x00007FF66BC80000-0x00007FF66BFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-118-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-246-0x00007FF690B80000-0x00007FF690ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-236-0x00007FF705C30000-0x00007FF705F81000-memory.dmp

Filesize
3.3MB

Download
memory/4840-81-0x00007FF705C30000-0x00007FF705F81000-memory.dmp

Filesize
3.3MB

Download
memory/4892-88-0x00007FF744450000-0x00007FF7447A1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-243-0x00007FF744450000-0x00007FF7447A1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-144-0x00007FF744450000-0x00007FF7447A1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-218-0x00007FF724220000-0x00007FF724571000-memory.dmp

Filesize
3.3MB

Download
memory/4956-20-0x00007FF724220000-0x00007FF724571000-memory.dmp

Filesize
3.3MB

Download