cobaltstrike | 7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
Size

5.2MB
MD5

3e05a842ddfcf9113ab0d1b2fdecc7c8
SHA1

22b64c5520a1d286fe97e535291535aedea8ba98
SHA256

7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4
SHA512

4f3b4f1e66d3e42381d9662c35fcc45e8b08395434df9e10637bdaa749ec220d5ac8f94c4bb1b49987795b07566eb7a461f3f88e5bd4e1ca143388280107c204
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023564-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002356b-13.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023567-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002356c-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002356d-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002356f-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002356e-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023572-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023571-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023573-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023570-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023568-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023576-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023575-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023578-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023579-102.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002357c-126.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002357b-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002357a-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023577-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002357d-143.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/2400-46-0x00007FF744690000-0x00007FF7449E1000-memory.dmp	xmrig
behavioral2/memory/4076-68-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp	xmrig
behavioral2/memory/4792-95-0x00007FF71EDD0000-0x00007FF71F121000-memory.dmp	xmrig
behavioral2/memory/2724-117-0x00007FF66ACD0000-0x00007FF66B021000-memory.dmp	xmrig
behavioral2/memory/4824-108-0x00007FF71D030000-0x00007FF71D381000-memory.dmp	xmrig
behavioral2/memory/2216-93-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp	xmrig
behavioral2/memory/4628-84-0x00007FF7D1690000-0x00007FF7D19E1000-memory.dmp	xmrig
behavioral2/memory/1008-81-0x00007FF672CA0000-0x00007FF672FF1000-memory.dmp	xmrig
behavioral2/memory/4500-78-0x00007FF67E520000-0x00007FF67E871000-memory.dmp	xmrig
behavioral2/memory/5012-77-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp	xmrig
behavioral2/memory/2128-138-0x00007FF794460000-0x00007FF7947B1000-memory.dmp	xmrig
behavioral2/memory/4640-141-0x00007FF791870000-0x00007FF791BC1000-memory.dmp	xmrig
behavioral2/memory/4868-140-0x00007FF6A7AB0000-0x00007FF6A7E01000-memory.dmp	xmrig
behavioral2/memory/4644-139-0x00007FF680E40000-0x00007FF681191000-memory.dmp	xmrig
behavioral2/memory/3244-151-0x00007FF79FC90000-0x00007FF79FFE1000-memory.dmp	xmrig
behavioral2/memory/1596-154-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	xmrig
behavioral2/memory/2352-155-0x00007FF7A65A0000-0x00007FF7A68F1000-memory.dmp	xmrig
behavioral2/memory/1864-153-0x00007FF670010000-0x00007FF670361000-memory.dmp	xmrig
behavioral2/memory/2884-152-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp	xmrig
behavioral2/memory/2548-150-0x00007FF617250000-0x00007FF6175A1000-memory.dmp	xmrig
behavioral2/memory/1964-148-0x00007FF703580000-0x00007FF7038D1000-memory.dmp	xmrig
behavioral2/memory/4076-156-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp	xmrig
behavioral2/memory/4688-168-0x00007FF6D8C70000-0x00007FF6D8FC1000-memory.dmp	xmrig
behavioral2/memory/5012-208-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp	xmrig
behavioral2/memory/4500-210-0x00007FF67E520000-0x00007FF67E871000-memory.dmp	xmrig
behavioral2/memory/4628-219-0x00007FF7D1690000-0x00007FF7D19E1000-memory.dmp	xmrig
behavioral2/memory/4792-218-0x00007FF71EDD0000-0x00007FF71F121000-memory.dmp	xmrig
behavioral2/memory/2724-222-0x00007FF66ACD0000-0x00007FF66B021000-memory.dmp	xmrig
behavioral2/memory/4824-225-0x00007FF71D030000-0x00007FF71D381000-memory.dmp	xmrig
behavioral2/memory/2400-224-0x00007FF744690000-0x00007FF7449E1000-memory.dmp	xmrig
behavioral2/memory/2128-231-0x00007FF794460000-0x00007FF7947B1000-memory.dmp	xmrig
behavioral2/memory/4644-233-0x00007FF680E40000-0x00007FF681191000-memory.dmp	xmrig
behavioral2/memory/4868-230-0x00007FF6A7AB0000-0x00007FF6A7E01000-memory.dmp	xmrig
behavioral2/memory/4640-227-0x00007FF791870000-0x00007FF791BC1000-memory.dmp	xmrig
behavioral2/memory/1008-245-0x00007FF672CA0000-0x00007FF672FF1000-memory.dmp	xmrig
behavioral2/memory/1964-247-0x00007FF703580000-0x00007FF7038D1000-memory.dmp	xmrig
behavioral2/memory/2216-249-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp	xmrig
behavioral2/memory/2548-252-0x00007FF617250000-0x00007FF6175A1000-memory.dmp	xmrig
behavioral2/memory/3244-254-0x00007FF79FC90000-0x00007FF79FFE1000-memory.dmp	xmrig
behavioral2/memory/2884-256-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp	xmrig
behavioral2/memory/1864-258-0x00007FF670010000-0x00007FF670361000-memory.dmp	xmrig
behavioral2/memory/1596-261-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	xmrig
behavioral2/memory/2352-262-0x00007FF7A65A0000-0x00007FF7A68F1000-memory.dmp	xmrig
behavioral2/memory/4688-265-0x00007FF6D8C70000-0x00007FF6D8FC1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5012	QdSneIb.exe
4500	yOxYmsT.exe
4628	ndDhquI.exe
4792	RIVqAIT.exe
4824	CpcYQHI.exe
2724	iVvkmGl.exe
2400	OZpzCSc.exe
4644	KfgcakY.exe
2128	EYGGNQO.exe
4868	JxCAcof.exe
4640	ADBzwbS.exe
1008	ovBusSZ.exe
1964	VgacKLT.exe
2216	GNZPAlp.exe
2548	ILpAjQV.exe
3244	rnhTnFt.exe
2884	cQSweQQ.exe
1864	YzayKNe.exe
1596	MKTpJdm.exe
2352	btCgvdk.exe
4688	DisiVRI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4076-0-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp	upx
behavioral2/files/0x0009000000023564-5.dat	upx
behavioral2/memory/5012-6-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp	upx
behavioral2/files/0x000700000002356b-13.dat	upx
behavioral2/files/0x0008000000023567-16.dat	upx
behavioral2/files/0x000700000002356c-27.dat	upx
behavioral2/files/0x000700000002356d-29.dat	upx
behavioral2/memory/4628-24-0x00007FF7D1690000-0x00007FF7D19E1000-memory.dmp	upx
behavioral2/memory/4500-15-0x00007FF67E520000-0x00007FF67E871000-memory.dmp	upx
behavioral2/files/0x000700000002356f-41.dat	upx
behavioral2/files/0x000700000002356e-49.dat	upx
behavioral2/files/0x0007000000023572-53.dat	upx
behavioral2/files/0x0007000000023571-59.dat	upx
behavioral2/files/0x0007000000023573-66.dat	upx
behavioral2/memory/4640-63-0x00007FF791870000-0x00007FF791BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023570-61.dat	upx
behavioral2/memory/4868-58-0x00007FF6A7AB0000-0x00007FF6A7E01000-memory.dmp	upx
behavioral2/memory/2128-55-0x00007FF794460000-0x00007FF7947B1000-memory.dmp	upx
behavioral2/memory/4644-54-0x00007FF680E40000-0x00007FF681191000-memory.dmp	upx
behavioral2/memory/2400-46-0x00007FF744690000-0x00007FF7449E1000-memory.dmp	upx
behavioral2/memory/2724-43-0x00007FF66ACD0000-0x00007FF66B021000-memory.dmp	upx
behavioral2/memory/4824-35-0x00007FF71D030000-0x00007FF71D381000-memory.dmp	upx
behavioral2/memory/4792-28-0x00007FF71EDD0000-0x00007FF71F121000-memory.dmp	upx
behavioral2/memory/4076-68-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp	upx
behavioral2/files/0x0008000000023568-72.dat	upx
behavioral2/files/0x0007000000023576-83.dat	upx
behavioral2/files/0x0007000000023575-86.dat	upx
behavioral2/memory/1964-92-0x00007FF703580000-0x00007FF7038D1000-memory.dmp	upx
behavioral2/memory/4792-95-0x00007FF71EDD0000-0x00007FF71F121000-memory.dmp	upx
behavioral2/files/0x0007000000023578-99.dat	upx
behavioral2/files/0x0007000000023579-102.dat	upx
behavioral2/memory/2724-117-0x00007FF66ACD0000-0x00007FF66B021000-memory.dmp	upx
behavioral2/memory/1864-120-0x00007FF670010000-0x00007FF670361000-memory.dmp	upx
behavioral2/files/0x000700000002357c-126.dat	upx
behavioral2/files/0x000700000002357b-125.dat	upx
behavioral2/files/0x000700000002357a-123.dat	upx
behavioral2/memory/2352-119-0x00007FF7A65A0000-0x00007FF7A68F1000-memory.dmp	upx
behavioral2/memory/1596-118-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	upx
behavioral2/memory/2884-116-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp	upx
behavioral2/memory/3244-109-0x00007FF79FC90000-0x00007FF79FFE1000-memory.dmp	upx
behavioral2/memory/4824-108-0x00007FF71D030000-0x00007FF71D381000-memory.dmp	upx
behavioral2/memory/2548-98-0x00007FF617250000-0x00007FF6175A1000-memory.dmp	upx
behavioral2/memory/2216-93-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp	upx
behavioral2/files/0x0007000000023577-94.dat	upx
behavioral2/memory/4628-84-0x00007FF7D1690000-0x00007FF7D19E1000-memory.dmp	upx
behavioral2/memory/1008-81-0x00007FF672CA0000-0x00007FF672FF1000-memory.dmp	upx
behavioral2/memory/4500-78-0x00007FF67E520000-0x00007FF67E871000-memory.dmp	upx
behavioral2/memory/5012-77-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp	upx
behavioral2/memory/2128-138-0x00007FF794460000-0x00007FF7947B1000-memory.dmp	upx
behavioral2/memory/4640-141-0x00007FF791870000-0x00007FF791BC1000-memory.dmp	upx
behavioral2/memory/4868-140-0x00007FF6A7AB0000-0x00007FF6A7E01000-memory.dmp	upx
behavioral2/memory/4644-139-0x00007FF680E40000-0x00007FF681191000-memory.dmp	upx
behavioral2/files/0x000700000002357d-143.dat	upx
behavioral2/memory/4688-146-0x00007FF6D8C70000-0x00007FF6D8FC1000-memory.dmp	upx
behavioral2/memory/3244-151-0x00007FF79FC90000-0x00007FF79FFE1000-memory.dmp	upx
behavioral2/memory/1596-154-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	upx
behavioral2/memory/2352-155-0x00007FF7A65A0000-0x00007FF7A68F1000-memory.dmp	upx
behavioral2/memory/1864-153-0x00007FF670010000-0x00007FF670361000-memory.dmp	upx
behavioral2/memory/2884-152-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp	upx
behavioral2/memory/2548-150-0x00007FF617250000-0x00007FF6175A1000-memory.dmp	upx
behavioral2/memory/1964-148-0x00007FF703580000-0x00007FF7038D1000-memory.dmp	upx
behavioral2/memory/4076-156-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp	upx
behavioral2/memory/4688-168-0x00007FF6D8C70000-0x00007FF6D8FC1000-memory.dmp	upx
behavioral2/memory/5012-208-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iVvkmGl.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\JxCAcof.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\ovBusSZ.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\ILpAjQV.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\cQSweQQ.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\YzayKNe.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\DisiVRI.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\MKTpJdm.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\QdSneIb.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\yOxYmsT.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\ndDhquI.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\RIVqAIT.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\OZpzCSc.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\EYGGNQO.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\GNZPAlp.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\KfgcakY.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\CpcYQHI.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\ADBzwbS.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\VgacKLT.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\rnhTnFt.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
File created	C:\Windows\System\btCgvdk.exe	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
Token: SeLockMemoryPrivilege	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 5012	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	92
PID 4076 wrote to memory of 5012	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	92
PID 4076 wrote to memory of 4500	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	93
PID 4076 wrote to memory of 4500	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	93
PID 4076 wrote to memory of 4628	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	94
PID 4076 wrote to memory of 4628	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	94
PID 4076 wrote to memory of 4824	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	95
PID 4076 wrote to memory of 4824	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	95
PID 4076 wrote to memory of 4792	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	96
PID 4076 wrote to memory of 4792	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	96
PID 4076 wrote to memory of 2724	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	97
PID 4076 wrote to memory of 2724	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	97
PID 4076 wrote to memory of 2400	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	98
PID 4076 wrote to memory of 2400	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	98
PID 4076 wrote to memory of 2128	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	99
PID 4076 wrote to memory of 2128	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	99
PID 4076 wrote to memory of 4644	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	100
PID 4076 wrote to memory of 4644	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	100
PID 4076 wrote to memory of 4868	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	101
PID 4076 wrote to memory of 4868	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	101
PID 4076 wrote to memory of 4640	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	102
PID 4076 wrote to memory of 4640	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	102
PID 4076 wrote to memory of 1008	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	104
PID 4076 wrote to memory of 1008	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	104
PID 4076 wrote to memory of 1964	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	105
PID 4076 wrote to memory of 1964	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	105
PID 4076 wrote to memory of 2216	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	106
PID 4076 wrote to memory of 2216	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	106
PID 4076 wrote to memory of 2548	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	107
PID 4076 wrote to memory of 2548	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	107
PID 4076 wrote to memory of 3244	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	108
PID 4076 wrote to memory of 3244	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	108
PID 4076 wrote to memory of 2884	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	109
PID 4076 wrote to memory of 2884	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	109
PID 4076 wrote to memory of 1864	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	110
PID 4076 wrote to memory of 1864	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	110
PID 4076 wrote to memory of 1596	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	111
PID 4076 wrote to memory of 1596	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	111
PID 4076 wrote to memory of 2352	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	112
PID 4076 wrote to memory of 2352	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	112
PID 4076 wrote to memory of 4688	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	113
PID 4076 wrote to memory of 4688	4076	7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe	113

C:\Users\Admin\AppData\Local\Temp\7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe
"C:\Users\Admin\AppData\Local\Temp\7e63146cf5cafd8edad8b1c3152ecbee0359f9143972a243b98ce60fb66a77d4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\System\QdSneIb.exe
  C:\Windows\System\QdSneIb.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\yOxYmsT.exe
  C:\Windows\System\yOxYmsT.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\ndDhquI.exe
  C:\Windows\System\ndDhquI.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\CpcYQHI.exe
  C:\Windows\System\CpcYQHI.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\RIVqAIT.exe
  C:\Windows\System\RIVqAIT.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\iVvkmGl.exe
  C:\Windows\System\iVvkmGl.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\OZpzCSc.exe
  C:\Windows\System\OZpzCSc.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\EYGGNQO.exe
  C:\Windows\System\EYGGNQO.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\KfgcakY.exe
  C:\Windows\System\KfgcakY.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\JxCAcof.exe
  C:\Windows\System\JxCAcof.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\ADBzwbS.exe
  C:\Windows\System\ADBzwbS.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\ovBusSZ.exe
  C:\Windows\System\ovBusSZ.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\VgacKLT.exe
  C:\Windows\System\VgacKLT.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\GNZPAlp.exe
  C:\Windows\System\GNZPAlp.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\ILpAjQV.exe
  C:\Windows\System\ILpAjQV.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\rnhTnFt.exe
  C:\Windows\System\rnhTnFt.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\cQSweQQ.exe
  C:\Windows\System\cQSweQQ.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\YzayKNe.exe
  C:\Windows\System\YzayKNe.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\MKTpJdm.exe
  C:\Windows\System\MKTpJdm.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\btCgvdk.exe
  C:\Windows\System\btCgvdk.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\DisiVRI.exe
  C:\Windows\System\DisiVRI.exe
  2⤵
  - Executes dropped EXE
  PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:4988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ADBzwbS.exe

Filesize
5.2MB

MD5
218e318c33e739a9116043f5d6dca5fd

SHA1
01453a6dea62e3236ba5090fb814b360939d3680

SHA256
d9f99372d44681d90fc89ba51b3566dbb1258a1e5afc09c7e2cd76f02a0f1170

SHA512
74ad40415c0f257c58e94b1eac4cac9aa1073badabc667d706423cb5065cf6f876c6d8f08b417e3ae2efd351af59f6ab36f922d1cc5bbf6074e261b74dd439f7

Download Submit
C:\Windows\System\CpcYQHI.exe

Filesize
5.2MB

MD5
7ac8155528a36bb8e00f873f34c436c7

SHA1
d26b1979511d4b213961f82a4f1748f4bce672fa

SHA256
749d64fe111b4f105ab240be40b564a2fdb5b65abe6163fcc43756c9260ad791

SHA512
84784eef5dbe5e92e626538f60c29ac5cde39faba5813bebbc0fbae134fee23a8cc2958b7103e8da9c4b76f8decafd6d28c063fe5a26bb5207ac94aaa24ee870

Download Submit
C:\Windows\System\DisiVRI.exe

Filesize
5.2MB

MD5
fb80883b091f8e4747903c018e589d7b

SHA1
75acc094681ddf197b2df69a6d7f3e4067535ff0

SHA256
f81091fd079451a6474d8fae2520fdeb839816d7a174bff2109dc56e0efd21a9

SHA512
7c31d7e468e5b1856011d8e38a1592db2ad992af2e3e81349372700df657c03459aa0ddc6040b61be976fd0de72cec61985f07b851528375eea0bb3550cc1c90

Download Submit
C:\Windows\System\EYGGNQO.exe

Filesize
5.2MB

MD5
d3dbdfe6730db2e01ee0066e801d1a74

SHA1
285486666526c94de76cbea46505703ab92b635b

SHA256
c0f5ca1009099be47c89c39118a9d611ce95c42e363686c99fffa17fba6a93ac

SHA512
d9216e864e2f0157904f1bd686e08f45bc8566f330eb695e50ebb02a837ac97cf5eb33a4f7ee8bd9affb748431d06de2a951da4a6ae6c30b7e0b41f2a50d29e8

Download Submit
C:\Windows\System\GNZPAlp.exe

Filesize
5.2MB

MD5
cc968985d523ff5ca57a591b1c319204

SHA1
ed86467ea1f6eca55fc243d47b3bc38047c1356d

SHA256
d15711fabbebefb988ab1ced8609a9558aed2497bad6cd9a9d68d2b0941f4d13

SHA512
a2b8743b653ef9a0fb4130d67b493c0eb8894cf3cdcd41c0eb83eb185d31077685496768fe15be2ac6d3405bde02692697ae3baf1ff88584a029d8132b0ad2c5

Download Submit
C:\Windows\System\ILpAjQV.exe

Filesize
5.2MB

MD5
c54dad8f5931a497b3350eb9e8182739

SHA1
f8699f114632e3b01d5e50dbbfdbde65f44aab8a

SHA256
4fb638cb684bddbfc8266697fad557e30900638d418b960a5b9bfefbe559df8d

SHA512
5eb0b8dc6de98570df41c5d67031614143355d427653332a02460fe74ef16131cb29c4333b66b8ad5f930f72d92a6249506bb11716ccc28f6e76c02a154b0415

Download Submit
C:\Windows\System\JxCAcof.exe

Filesize
5.2MB

MD5
f1faa6d5d710deea1c0c92346a014012

SHA1
5d46e0a3b87561bf3ffb1c276b8711496d555992

SHA256
9bb74610c946b095f6f9b6020f10008caf35e3cf2368da4e73ace3eb5c9142ac

SHA512
04abb9b45742e69caf88e0e07c3a5a2b73ae94a5079c3d0c83b83e3b2b648f32645e94dd605c10dc4b64cde78d4873a05c2ee69be315d444f63b2a6978517b46

Download Submit
C:\Windows\System\KfgcakY.exe

Filesize
5.2MB

MD5
8fce45dc0b11778f98b46024a887420e

SHA1
562d1b2c213cafcff63b41ade2d81a8a6a74a251

SHA256
55a8e52db7b807b7198da6fe6bbce519bffdb5b53fee708c42f30ad78979c8c7

SHA512
6d4405bc2f3227fe7a3ea6521160b96f24f25e36e5f52a62a48731d20378a7b9615f95e57f8c7ffd380c2aaac420c251ebeaa2514fe8e66c445898a165f940b2

Download Submit
C:\Windows\System\MKTpJdm.exe

Filesize
5.2MB

MD5
9f278cacafe04d8100ed3ea8aff6432d

SHA1
533e79cd48e9da175dfebc368c9e15db3b00c1b8

SHA256
7dab8acc87eeba6177ef7afc9c92240b7c198811912a82a6d4613d69d67e894f

SHA512
a374078049c6a79e6da62662d35408dc48aa3ed5fb16d5ca90d584e1c5d2836389bc82d0b27d6310787fd1f875cc173e0f93487d7d3f76ff47428a173ab180ae

Download Submit
C:\Windows\System\OZpzCSc.exe

Filesize
5.2MB

MD5
3436b490ce5d73b0ddb8410eb09222be

SHA1
c3edc56bd3677c7425e156d577401a359b05f0c6

SHA256
d22654c05a9243685ef871e99e182b7324ae89b238193dc030c9c79647139a37

SHA512
5fccb901182bd55ba4216876afdd7bd4410977ea8146689247c8e4d20ff1c47a610477ac14e972a39c86ab7e9f4afe1a739fcb51a0af3b13abcaedaaacd76b80

Download Submit
C:\Windows\System\QdSneIb.exe

Filesize
5.2MB

MD5
cbe1ea1524502afa04555b00d3b90417

SHA1
45b36fdeeb8b071b5e34ae336ef940b04a7a4d62

SHA256
d73efeeff89a41e38cad05d0c355e32baef05c2f0cac1b034fa2b0c3586c5f07

SHA512
e814bbd30527fe481261bfa80c5417934c9fbddcd2021caf5f213d7714c4fa79fa8191e467db06afe83657dc4b00acfb908ef9086a05345e2cb9f9c1b13cea9e

Download Submit
C:\Windows\System\RIVqAIT.exe

Filesize
5.2MB

MD5
a64a72b8ddb9f7058d4152edc6d00621

SHA1
b234b29573257e8d272ceceb2a94d46ce114a793

SHA256
1db7f3b83c7648b790010b5f18139b36086977695b5ba525696ffcd990b49fab

SHA512
3d9a9452a00ac7a28169f2796f735deb06f9e8b2e1b7c6eb937c788ddba584f601711c81529d3c1c7ae0245e60ebe19eef00577ad2fd919e80b61d752f199f60

Download Submit
C:\Windows\System\VgacKLT.exe

Filesize
5.2MB

MD5
5d2faace828d71b4d5d17b694ecf1326

SHA1
833d6212b5a85289ced20acbbc49a9cead37f35b

SHA256
8ff047110a62d5b886f90d8c95269d221bdf4b9fb9e69655fff96397946614d9

SHA512
33a176a4b0d958f87b2b430e553e04049abb9c1a80af88f2f43b8f2888eb19511dcb86c20b0020ebad00d39ab10ad089dc71c28820475bc31fbbd5f5b3327b5c

Download Submit
C:\Windows\System\YzayKNe.exe

Filesize
5.2MB

MD5
9c97aebf0789b37e4d48e720889f9d43

SHA1
8edddfd361103d2e7fff43dec458c28b694f94c6

SHA256
702e4d6a45e0d7b103d49fae0efa8e187c793f3bce692ca3ff515d8d1e3ace54

SHA512
572a47e0214c0a18b6a912721a471978b68557dd00e2d2a6a3a799460fa5bdea86ad9cc3e23459cc79822e1c7b757a7c69de984f4b14ed2178b9fde83a3993e0

Download Submit
C:\Windows\System\btCgvdk.exe

Filesize
5.2MB

MD5
80ece3ac2af57be6cef7b954b93ca0e9

SHA1
37a6a602174fa111fc9fb22bf9aea7678d2b845e

SHA256
d3aa8cfc488d002ecd049c955fab91de6a3ae58e4ca35e20160c701697088291

SHA512
79a5cc40937697ae6120401f6d337bbd7a9ec95bd555ac50ca9f0b4519660ef5c931489664a977241f80cfe17bd7f55b8612e12e4be51e70d22a27f760b14aca

Download Submit
C:\Windows\System\cQSweQQ.exe

Filesize
5.2MB

MD5
f78d9537a69071ed0a9be1bc748f157b

SHA1
00dfbb8fef9ff96fc3e51186619e8f2ec80bb6fa

SHA256
6b5d473a702d18153e6c6e57a93d8abb14193090b998e454bb4193f8ab6df399

SHA512
c3e21ad1754f9c8df67063801e67dc2b3c5a3f35172bcba7c3233451809a1467f59c946536c770c8113499a99243b2c79b68772d43a3985c3c11a74d023514f9

Download Submit
C:\Windows\System\iVvkmGl.exe

Filesize
5.2MB

MD5
f9c34aca8aa8036fe3d810fc89b3b963

SHA1
66994c3a75bee814fcd3bfc439e2830577a0f14e

SHA256
d2f583dc4da5cc621795cd46ec17b281d693def844fc8d6de899129c24e994a2

SHA512
1b81a84f37272ab9ca1554fe9c3cc7ff24f7d2312c547e1b330c33ad09d376b0a3133a162105352dacc020ce3520bafa585017103a027adc361530a9c21d2850

Download Submit
C:\Windows\System\ndDhquI.exe

Filesize
5.2MB

MD5
97a4e50dc7ad04bc1b53ca7b419cc62d

SHA1
a64ed3fadcb607bfd9d1b1ada419e7948b20d5d1

SHA256
3ca41db72217ba4c6ab17722aea1e2f3b46f939d9646f91faefcb5ddd92de19e

SHA512
2b928d9bc0d8578de08ec3a5600a1b92f7e4d3ce6a14cfc4b93e803f3d1a55d459f692df0c0097fa73e9abe3cefc165c5c4f8fa8a7e8523f91f7a71129409605

Download Submit
C:\Windows\System\ovBusSZ.exe

Filesize
5.2MB

MD5
0c146d7f37a77b80e214b3cdaf5d0a4e

SHA1
a89ca41cf406d5f69adcab1171d64aff0d7fb3fc

SHA256
de6349bcf99daf1118e24acaecf1c9c59b7fba7dc3a2f8bf478262cbfb223332

SHA512
f470797e3c86ce1899d0934d5dddbc236d08527c0316fa5450cd0013502acf0fda869741bcf327f5ea43484a0b97cb2fb41e468a974695dfcffda5856faed663

Download Submit
C:\Windows\System\rnhTnFt.exe

Filesize
5.2MB

MD5
b95af6f3363810f2e85d62fab42533c2

SHA1
ba826f5bcea8d6b3d0325f52d90feeca70512a04

SHA256
06135048e93801d537a13d9aae6b745e952461ce86c6a247f2c1e711b927fa1c

SHA512
d74f37c0c0f275c1f99805e79de7304226e235598ca645f03e87187b60040ebd0b2669fac07b664e43feee8735c9eb983c277ddb0dcab43c6d0924d4c6e43b79

Download Submit
C:\Windows\System\yOxYmsT.exe

Filesize
5.2MB

MD5
4b1e10ecaffb1d404420873fa4c401df

SHA1
0bf77295a08326be1c2836d0698f06af9e713c46

SHA256
4968f1883906fc349d2143a054d4d715b4fc96e3a059c57a1bd4332eef590933

SHA512
1bde51d6d3b22c06b3c8fc1986be41808bc4d663b305a791b72611f265e71c2d478ddefa75265c28fcabc86bcd1773c554c45f21f752276b93ce999560c9e213

Download Submit
memory/1008-245-0x00007FF672CA0000-0x00007FF672FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-81-0x00007FF672CA0000-0x00007FF672FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-118-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-261-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-154-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-120-0x00007FF670010000-0x00007FF670361000-memory.dmp

Filesize
3.3MB

Download
memory/1864-153-0x00007FF670010000-0x00007FF670361000-memory.dmp

Filesize
3.3MB

Download
memory/1864-258-0x00007FF670010000-0x00007FF670361000-memory.dmp

Filesize
3.3MB

Download
memory/1964-247-0x00007FF703580000-0x00007FF7038D1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-148-0x00007FF703580000-0x00007FF7038D1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-92-0x00007FF703580000-0x00007FF7038D1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-231-0x00007FF794460000-0x00007FF7947B1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-55-0x00007FF794460000-0x00007FF7947B1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-138-0x00007FF794460000-0x00007FF7947B1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-93-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp

Filesize
3.3MB

Download
memory/2216-249-0x00007FF72E720000-0x00007FF72EA71000-memory.dmp

Filesize
3.3MB

Download
memory/2352-262-0x00007FF7A65A0000-0x00007FF7A68F1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-155-0x00007FF7A65A0000-0x00007FF7A68F1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-119-0x00007FF7A65A0000-0x00007FF7A68F1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-224-0x00007FF744690000-0x00007FF7449E1000-memory.dmp

Filesize
3.3MB

Download
memory/2400-46-0x00007FF744690000-0x00007FF7449E1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-252-0x00007FF617250000-0x00007FF6175A1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-98-0x00007FF617250000-0x00007FF6175A1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-150-0x00007FF617250000-0x00007FF6175A1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-43-0x00007FF66ACD0000-0x00007FF66B021000-memory.dmp

Filesize
3.3MB

Download
memory/2724-222-0x00007FF66ACD0000-0x00007FF66B021000-memory.dmp

Filesize
3.3MB

Download
memory/2724-117-0x00007FF66ACD0000-0x00007FF66B021000-memory.dmp

Filesize
3.3MB

Download
memory/2884-116-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp

Filesize
3.3MB

Download
memory/2884-152-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp

Filesize
3.3MB

Download
memory/2884-256-0x00007FF61CCB0000-0x00007FF61D001000-memory.dmp

Filesize
3.3MB

Download
memory/3244-151-0x00007FF79FC90000-0x00007FF79FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-109-0x00007FF79FC90000-0x00007FF79FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/3244-254-0x00007FF79FC90000-0x00007FF79FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4076-0-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp

Filesize
3.3MB

Download
memory/4076-156-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp

Filesize
3.3MB

Download
memory/4076-1-0x0000028313B70000-0x0000028313B80000-memory.dmp

Filesize
64KB

Download
memory/4076-68-0x00007FF6D22F0000-0x00007FF6D2641000-memory.dmp

Filesize
3.3MB

Download
memory/4500-210-0x00007FF67E520000-0x00007FF67E871000-memory.dmp

Filesize
3.3MB

Download
memory/4500-15-0x00007FF67E520000-0x00007FF67E871000-memory.dmp

Filesize
3.3MB

Download
memory/4500-78-0x00007FF67E520000-0x00007FF67E871000-memory.dmp

Filesize
3.3MB

Download
memory/4628-24-0x00007FF7D1690000-0x00007FF7D19E1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-219-0x00007FF7D1690000-0x00007FF7D19E1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-84-0x00007FF7D1690000-0x00007FF7D19E1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-227-0x00007FF791870000-0x00007FF791BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-141-0x00007FF791870000-0x00007FF791BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-63-0x00007FF791870000-0x00007FF791BC1000-memory.dmp

Filesize
3.3MB

Download
memory/4644-54-0x00007FF680E40000-0x00007FF681191000-memory.dmp

Filesize
3.3MB

Download
memory/4644-139-0x00007FF680E40000-0x00007FF681191000-memory.dmp

Filesize
3.3MB

Download
memory/4644-233-0x00007FF680E40000-0x00007FF681191000-memory.dmp

Filesize
3.3MB

Download
memory/4688-146-0x00007FF6D8C70000-0x00007FF6D8FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-168-0x00007FF6D8C70000-0x00007FF6D8FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-265-0x00007FF6D8C70000-0x00007FF6D8FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-218-0x00007FF71EDD0000-0x00007FF71F121000-memory.dmp

Filesize
3.3MB

Download
memory/4792-28-0x00007FF71EDD0000-0x00007FF71F121000-memory.dmp

Filesize
3.3MB

Download
memory/4792-95-0x00007FF71EDD0000-0x00007FF71F121000-memory.dmp

Filesize
3.3MB

Download
memory/4824-35-0x00007FF71D030000-0x00007FF71D381000-memory.dmp

Filesize
3.3MB

Download
memory/4824-225-0x00007FF71D030000-0x00007FF71D381000-memory.dmp

Filesize
3.3MB

Download
memory/4824-108-0x00007FF71D030000-0x00007FF71D381000-memory.dmp

Filesize
3.3MB

Download
memory/4868-230-0x00007FF6A7AB0000-0x00007FF6A7E01000-memory.dmp

Filesize
3.3MB

Download
memory/4868-58-0x00007FF6A7AB0000-0x00007FF6A7E01000-memory.dmp

Filesize
3.3MB

Download
memory/4868-140-0x00007FF6A7AB0000-0x00007FF6A7E01000-memory.dmp

Filesize
3.3MB

Download
memory/5012-208-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-6-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-77-0x00007FF76D650000-0x00007FF76D9A1000-memory.dmp

Filesize
3.3MB

Download