cobaltstrike | 4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085

Analysis

max time kernel
113s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
Size

5.2MB
MD5

63ee7c224c23ae801f265044a6caccd0
SHA1

0efad28934e32c007e914773eac99417a6b637c9
SHA256

4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085
SHA512

2fa2efd4a67d1e4241d00707f9420597db5290b022f83bae8533d92f8bed8ea3862e4fadf8b8fba8dbf90504f82719a322a1a6f87b507a9bead63ff0f01ade68
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002346f-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-82.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-65.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234cf-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-130.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/5084-86-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	xmrig
behavioral2/memory/4464-80-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp	xmrig
behavioral2/memory/2488-75-0x00007FF7404B0000-0x00007FF740801000-memory.dmp	xmrig
behavioral2/memory/408-72-0x00007FF79E750000-0x00007FF79EAA1000-memory.dmp	xmrig
behavioral2/memory/2908-93-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp	xmrig
behavioral2/memory/2156-94-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp	xmrig
behavioral2/memory/1400-106-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp	xmrig
behavioral2/memory/4984-113-0x00007FF662830000-0x00007FF662B81000-memory.dmp	xmrig
behavioral2/memory/3880-126-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp	xmrig
behavioral2/memory/2308-121-0x00007FF74A130000-0x00007FF74A481000-memory.dmp	xmrig
behavioral2/memory/4324-120-0x00007FF692D60000-0x00007FF6930B1000-memory.dmp	xmrig
behavioral2/memory/4016-135-0x00007FF7A6F90000-0x00007FF7A72E1000-memory.dmp	xmrig
behavioral2/memory/1872-134-0x00007FF6E2330000-0x00007FF6E2681000-memory.dmp	xmrig
behavioral2/memory/1644-132-0x00007FF73A620000-0x00007FF73A971000-memory.dmp	xmrig
behavioral2/memory/1788-133-0x00007FF7F9670000-0x00007FF7F99C1000-memory.dmp	xmrig
behavioral2/memory/4796-137-0x00007FF704230000-0x00007FF704581000-memory.dmp	xmrig
behavioral2/memory/4612-136-0x00007FF7C1AE0000-0x00007FF7C1E31000-memory.dmp	xmrig
behavioral2/memory/2908-138-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp	xmrig
behavioral2/memory/4464-142-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp	xmrig
behavioral2/memory/4692-154-0x00007FF65E660000-0x00007FF65E9B1000-memory.dmp	xmrig
behavioral2/memory/4012-153-0x00007FF6BEFA0000-0x00007FF6BF2F1000-memory.dmp	xmrig
behavioral2/memory/2524-157-0x00007FF6040B0000-0x00007FF604401000-memory.dmp	xmrig
behavioral2/memory/3436-158-0x00007FF744780000-0x00007FF744AD1000-memory.dmp	xmrig
behavioral2/memory/756-159-0x00007FF6F8800000-0x00007FF6F8B51000-memory.dmp	xmrig
behavioral2/memory/3880-160-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp	xmrig
behavioral2/memory/2908-166-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp	xmrig
behavioral2/memory/2156-215-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp	xmrig
behavioral2/memory/1400-217-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp	xmrig
behavioral2/memory/4984-232-0x00007FF662830000-0x00007FF662B81000-memory.dmp	xmrig
behavioral2/memory/4324-234-0x00007FF692D60000-0x00007FF6930B1000-memory.dmp	xmrig
behavioral2/memory/1644-236-0x00007FF73A620000-0x00007FF73A971000-memory.dmp	xmrig
behavioral2/memory/2308-240-0x00007FF74A130000-0x00007FF74A481000-memory.dmp	xmrig
behavioral2/memory/408-239-0x00007FF79E750000-0x00007FF79EAA1000-memory.dmp	xmrig
behavioral2/memory/2488-248-0x00007FF7404B0000-0x00007FF740801000-memory.dmp	xmrig
behavioral2/memory/1872-244-0x00007FF6E2330000-0x00007FF6E2681000-memory.dmp	xmrig
behavioral2/memory/4016-243-0x00007FF7A6F90000-0x00007FF7A72E1000-memory.dmp	xmrig
behavioral2/memory/1788-246-0x00007FF7F9670000-0x00007FF7F99C1000-memory.dmp	xmrig
behavioral2/memory/4464-252-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp	xmrig
behavioral2/memory/5084-251-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	xmrig
behavioral2/memory/4012-254-0x00007FF6BEFA0000-0x00007FF6BF2F1000-memory.dmp	xmrig
behavioral2/memory/4692-256-0x00007FF65E660000-0x00007FF65E9B1000-memory.dmp	xmrig
behavioral2/memory/2524-263-0x00007FF6040B0000-0x00007FF604401000-memory.dmp	xmrig
behavioral2/memory/3436-265-0x00007FF744780000-0x00007FF744AD1000-memory.dmp	xmrig
behavioral2/memory/756-267-0x00007FF6F8800000-0x00007FF6F8B51000-memory.dmp	xmrig
behavioral2/memory/3880-269-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp	xmrig
behavioral2/memory/4612-271-0x00007FF7C1AE0000-0x00007FF7C1E31000-memory.dmp	xmrig
behavioral2/memory/4796-273-0x00007FF704230000-0x00007FF704581000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2156	XaBQetz.exe
1400	cWcfpoe.exe
4984	wbNaXOa.exe
4324	WbRfkGV.exe
1644	gozBxXl.exe
2308	FQmEUpl.exe
1788	yHIjQXK.exe
408	yeCNQtB.exe
1872	fOQcWFk.exe
2488	BRydYeJ.exe
4016	lgltOdT.exe
4464	DGeRnCf.exe
5084	wpFAVQC.exe
4692	hTPQjIP.exe
4012	YhAZHYy.exe
2524	xylGXcc.exe
3436	kDPucrt.exe
756	ACmaQZj.exe
3880	JmsNpvP.exe
4612	ICRpQez.exe
4796	AkLFbQh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2908-0-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp	upx
behavioral2/files/0x000900000002346f-4.dat	upx
behavioral2/memory/2156-6-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-9.dat	upx
behavioral2/files/0x00070000000234d2-10.dat	upx
behavioral2/memory/1400-12-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-23.dat	upx
behavioral2/memory/4984-19-0x00007FF662830000-0x00007FF662B81000-memory.dmp	upx
behavioral2/memory/4324-26-0x00007FF692D60000-0x00007FF6930B1000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-46.dat	upx
behavioral2/files/0x00070000000234d6-56.dat	upx
behavioral2/files/0x00070000000234d9-62.dat	upx
behavioral2/files/0x00070000000234da-70.dat	upx
behavioral2/files/0x00070000000234db-73.dat	upx
behavioral2/files/0x00070000000234dc-82.dat	upx
behavioral2/files/0x00070000000234dd-89.dat	upx
behavioral2/files/0x00070000000234de-90.dat	upx
behavioral2/memory/4692-88-0x00007FF65E660000-0x00007FF65E9B1000-memory.dmp	upx
behavioral2/memory/4012-87-0x00007FF6BEFA0000-0x00007FF6BF2F1000-memory.dmp	upx
behavioral2/memory/5084-86-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp	upx
behavioral2/memory/4464-80-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp	upx
behavioral2/memory/2488-75-0x00007FF7404B0000-0x00007FF740801000-memory.dmp	upx
behavioral2/memory/408-72-0x00007FF79E750000-0x00007FF79EAA1000-memory.dmp	upx
behavioral2/memory/4016-68-0x00007FF7A6F90000-0x00007FF7A72E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-65.dat	upx
behavioral2/memory/1872-61-0x00007FF6E2330000-0x00007FF6E2681000-memory.dmp	upx
behavioral2/memory/1788-54-0x00007FF7F9670000-0x00007FF7F99C1000-memory.dmp	upx
behavioral2/files/0x00080000000234cf-44.dat	upx
behavioral2/memory/2308-42-0x00007FF74A130000-0x00007FF74A481000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-39.dat	upx
behavioral2/memory/1644-35-0x00007FF73A620000-0x00007FF73A971000-memory.dmp	upx
behavioral2/memory/2908-93-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp	upx
behavioral2/memory/2156-94-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp	upx
behavioral2/files/0x00070000000234df-97.dat	upx
behavioral2/files/0x00070000000234e1-101.dat	upx
behavioral2/memory/1400-106-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-115.dat	upx
behavioral2/memory/4984-113-0x00007FF662830000-0x00007FF662B81000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-116.dat	upx
behavioral2/memory/3880-126-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp	upx
behavioral2/files/0x00070000000234e5-130.dat	upx
behavioral2/files/0x00070000000234e4-128.dat	upx
behavioral2/memory/2308-121-0x00007FF74A130000-0x00007FF74A481000-memory.dmp	upx
behavioral2/memory/4324-120-0x00007FF692D60000-0x00007FF6930B1000-memory.dmp	upx
behavioral2/memory/756-114-0x00007FF6F8800000-0x00007FF6F8B51000-memory.dmp	upx
behavioral2/memory/3436-110-0x00007FF744780000-0x00007FF744AD1000-memory.dmp	upx
behavioral2/memory/2524-100-0x00007FF6040B0000-0x00007FF604401000-memory.dmp	upx
behavioral2/memory/4016-135-0x00007FF7A6F90000-0x00007FF7A72E1000-memory.dmp	upx
behavioral2/memory/1872-134-0x00007FF6E2330000-0x00007FF6E2681000-memory.dmp	upx
behavioral2/memory/1644-132-0x00007FF73A620000-0x00007FF73A971000-memory.dmp	upx
behavioral2/memory/1788-133-0x00007FF7F9670000-0x00007FF7F99C1000-memory.dmp	upx
behavioral2/memory/4796-137-0x00007FF704230000-0x00007FF704581000-memory.dmp	upx
behavioral2/memory/4612-136-0x00007FF7C1AE0000-0x00007FF7C1E31000-memory.dmp	upx
behavioral2/memory/2908-138-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp	upx
behavioral2/memory/4464-142-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp	upx
behavioral2/memory/4692-154-0x00007FF65E660000-0x00007FF65E9B1000-memory.dmp	upx
behavioral2/memory/4012-153-0x00007FF6BEFA0000-0x00007FF6BF2F1000-memory.dmp	upx
behavioral2/memory/2524-157-0x00007FF6040B0000-0x00007FF604401000-memory.dmp	upx
behavioral2/memory/3436-158-0x00007FF744780000-0x00007FF744AD1000-memory.dmp	upx
behavioral2/memory/756-159-0x00007FF6F8800000-0x00007FF6F8B51000-memory.dmp	upx
behavioral2/memory/3880-160-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp	upx
behavioral2/memory/2908-166-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp	upx
behavioral2/memory/2156-215-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp	upx
behavioral2/memory/1400-217-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kDPucrt.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\JmsNpvP.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\ICRpQez.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\yeCNQtB.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\lgltOdT.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\gozBxXl.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\fOQcWFk.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\XaBQetz.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\WbRfkGV.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\FQmEUpl.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\yHIjQXK.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\BRydYeJ.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\wpFAVQC.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\hTPQjIP.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\cWcfpoe.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\wbNaXOa.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\xylGXcc.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\ACmaQZj.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\AkLFbQh.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\DGeRnCf.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
File created	C:\Windows\System\YhAZHYy.exe	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
Token: SeLockMemoryPrivilege	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2156	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	83
PID 2908 wrote to memory of 2156	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	83
PID 2908 wrote to memory of 1400	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	84
PID 2908 wrote to memory of 1400	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	84
PID 2908 wrote to memory of 4984	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	85
PID 2908 wrote to memory of 4984	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	85
PID 2908 wrote to memory of 4324	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	86
PID 2908 wrote to memory of 4324	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	86
PID 2908 wrote to memory of 1644	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	87
PID 2908 wrote to memory of 1644	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	87
PID 2908 wrote to memory of 2308	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	88
PID 2908 wrote to memory of 2308	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	88
PID 2908 wrote to memory of 1788	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	89
PID 2908 wrote to memory of 1788	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	89
PID 2908 wrote to memory of 408	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	90
PID 2908 wrote to memory of 408	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	90
PID 2908 wrote to memory of 1872	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	91
PID 2908 wrote to memory of 1872	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	91
PID 2908 wrote to memory of 2488	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	92
PID 2908 wrote to memory of 2488	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	92
PID 2908 wrote to memory of 4016	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	93
PID 2908 wrote to memory of 4016	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	93
PID 2908 wrote to memory of 4464	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	94
PID 2908 wrote to memory of 4464	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	94
PID 2908 wrote to memory of 5084	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	95
PID 2908 wrote to memory of 5084	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	95
PID 2908 wrote to memory of 4692	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	96
PID 2908 wrote to memory of 4692	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	96
PID 2908 wrote to memory of 4012	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	97
PID 2908 wrote to memory of 4012	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	97
PID 2908 wrote to memory of 2524	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	98
PID 2908 wrote to memory of 2524	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	98
PID 2908 wrote to memory of 3436	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	99
PID 2908 wrote to memory of 3436	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	99
PID 2908 wrote to memory of 756	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	100
PID 2908 wrote to memory of 756	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	100
PID 2908 wrote to memory of 3880	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	101
PID 2908 wrote to memory of 3880	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	101
PID 2908 wrote to memory of 4612	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	102
PID 2908 wrote to memory of 4612	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	102
PID 2908 wrote to memory of 4796	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	103
PID 2908 wrote to memory of 4796	2908	4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe	103

C:\Users\Admin\AppData\Local\Temp\4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe
"C:\Users\Admin\AppData\Local\Temp\4df1b78d2f9b7881fbbf70e54b38301a1664f09d6d5fe9942ac8ae76fb0b5085N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System\XaBQetz.exe
  C:\Windows\System\XaBQetz.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\cWcfpoe.exe
  C:\Windows\System\cWcfpoe.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\wbNaXOa.exe
  C:\Windows\System\wbNaXOa.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\WbRfkGV.exe
  C:\Windows\System\WbRfkGV.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\gozBxXl.exe
  C:\Windows\System\gozBxXl.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\FQmEUpl.exe
  C:\Windows\System\FQmEUpl.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\yHIjQXK.exe
  C:\Windows\System\yHIjQXK.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\yeCNQtB.exe
  C:\Windows\System\yeCNQtB.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\fOQcWFk.exe
  C:\Windows\System\fOQcWFk.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\BRydYeJ.exe
  C:\Windows\System\BRydYeJ.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\lgltOdT.exe
  C:\Windows\System\lgltOdT.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\DGeRnCf.exe
  C:\Windows\System\DGeRnCf.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\wpFAVQC.exe
  C:\Windows\System\wpFAVQC.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\hTPQjIP.exe
  C:\Windows\System\hTPQjIP.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\YhAZHYy.exe
  C:\Windows\System\YhAZHYy.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\xylGXcc.exe
  C:\Windows\System\xylGXcc.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\kDPucrt.exe
  C:\Windows\System\kDPucrt.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\ACmaQZj.exe
  C:\Windows\System\ACmaQZj.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\JmsNpvP.exe
  C:\Windows\System\JmsNpvP.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\ICRpQez.exe
  C:\Windows\System\ICRpQez.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\AkLFbQh.exe
  C:\Windows\System\AkLFbQh.exe
  2⤵
  - Executes dropped EXE
  PID:4796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ACmaQZj.exe

Filesize
5.2MB

MD5
3181f052a6b75b59388c2ed7ba79ae26

SHA1
3f443545d182c25e129d1ec1c94fa21d68298027

SHA256
fc0963f0d74e7fe2c98f34ead29f013e63c02def2e322c49fa73ab4ad450fbf8

SHA512
d4c4dc60584acfbcf830fe4f75f5fc2da1a8575931009c94e8195121f84b167f31607ee138d63012faa4a084e59aff57b0d6a3154dbe932e922ed4178f19fb27

Download Submit
C:\Windows\System\AkLFbQh.exe

Filesize
5.2MB

MD5
1f9915e2aba8dbaba608b486a9312b09

SHA1
bfe2ce04b88a915bb4769201ec1ef8f3a04027ac

SHA256
135a920e9ea61013a75dc07738588fb2af241e12e5b1e7e1edc97378939924e9

SHA512
9186f8ff243661b7ed4d395f22dea7a5b20e89f80c4cc8db49dc6c8a9e0db99538ce53a749d1567925fb4882db2deaeab2730a36f2e3bfe8f6f4f2b6975f8614

Download Submit
C:\Windows\System\BRydYeJ.exe

Filesize
5.2MB

MD5
2762d0c332e323fbdfc0bf22da94d01a

SHA1
5d77ce80ddc1ea7b4ba9a58aae1e4d41788c8188

SHA256
3422394043a5f598bc9a09d2b2802afd91cd875d62e5a84ee67fd0814e1d9191

SHA512
27a2b3f1c205a6c6d1e604dc82315ed42a59f5cda13ebd481ed293eea32331357f66ff9fb3c07fad16574c4f8c80850b04a4f6e28d1c65aad35008df617f810c

Download Submit
C:\Windows\System\DGeRnCf.exe

Filesize
5.2MB

MD5
9f8568ae64f8f0dd6e4120145b8f41c4

SHA1
d661d7c0ab2e3a391773ec5b3af4f12ade953e2b

SHA256
52e507f6c54a41eb34d4d19ad5955ab0c70ce3ed9249dcde00140512a986a9c8

SHA512
72b3f53376e5efe425b6fce9f1fec37ec778b9ab438250a0fa7c69766fada1bd3b404b7d95f076e95ed828d175a8346d16f75803fc4b04f6bd3333d4cafe986c

Download Submit
C:\Windows\System\FQmEUpl.exe

Filesize
5.2MB

MD5
f69646b0865bca8bccb6a14aea48e1e6

SHA1
bbb742f9493d08bb6d96e0920eb0319250312945

SHA256
b25c8ca495e39295a3ff6e9d1f99d06f0483075631583211c7b3ca3d7915c5fd

SHA512
f3dfcdaa7d541fff7229e6c67ee1ead40b117ba25683d7aa20319d8b381acf9bbbf362fe0d3fd136647d91e03f0c492f8f576c3555b323983445d04970c38f32

Download Submit
C:\Windows\System\ICRpQez.exe

Filesize
5.2MB

MD5
1453f099abdd1c7db1483437293b85f1

SHA1
d446b9f82a3a9b840d9938d9a562a5f882d1266b

SHA256
c1887cdc65206c26822ce818f48573a0464b14ff11354ee7344f7d3e02f512c5

SHA512
736c501346c47624f3b7eec7920bd8e65d86c376e6ccdba353b0147511187e90158e0b4d47a4271dcce0f9f5ac7f45d9c7fb650bb91b4069c64cda9974a24b08

Download Submit
C:\Windows\System\JmsNpvP.exe

Filesize
5.2MB

MD5
f1310e8b31cdd8e01807c33b37533340

SHA1
b0fc446023a9fae0f178dfa2da09006681f786e8

SHA256
25ff3a6d354e965ee6cc59655531e7b67c47de47a52336d0269a201c27b2b213

SHA512
6a6fdb324dd77fb427a5c77bddff4745a750c2db663663d51ec1e63fa04a3a28669f57ac18f6cc928fd83cce108b7cb5c14bb4acc2f85619bb3ca929f11e30f6

Download Submit
C:\Windows\System\WbRfkGV.exe

Filesize
5.2MB

MD5
b4c1e3f1e1fcd871783ef0c74dee9436

SHA1
196f37b0dbf0b4ae9f31ca2e61786171bb272b85

SHA256
709feb5e05626b0ecc9472ed66e5e865d725a873c2e066f8e61289be3be85a51

SHA512
dcacd90de7290f180fb23d8e5c715c81738c2c9f8d3b7786726949c16c73befc80004c11821044cc488e34df87ceac88679d65007add38419f3d193294a1cbb5

Download Submit
C:\Windows\System\XaBQetz.exe

Filesize
5.2MB

MD5
e1e61d45c4738f30c16442cc234d90de

SHA1
de5d250d480ea9ed76ed3faaf82e2a4b7dadcc63

SHA256
df6a75033a88d061a53bc1eb34c0f6e63064a959344b8f6a3a7daff14c26f283

SHA512
e2f4f3500102124e92c40a2a4f3f9cf7cc93faf086042c44176c01f3ed8a4091d2ed48a4faa96badf6dd800357398ec3ed546a0e1302c487ea1553b307c267f0

Download Submit
C:\Windows\System\YhAZHYy.exe

Filesize
5.2MB

MD5
ce65965bac57b4e3cd178bf4f0d9ff4a

SHA1
e65b48ec5b985e7058a35656f00f0d8e9df19eb4

SHA256
819e975d984456cb550be16911ca5d09e5cfb72bf1d0744bfaf5ba377ee21eb4

SHA512
c2a14c34461e0a6bce1c1d27de3b57c4297946190c89ed1f19e302b6f182015e862f301273ca8c9235c3edd39ed391902393d03ed24b8e7063f12caaace891fa

Download Submit
C:\Windows\System\cWcfpoe.exe

Filesize
5.2MB

MD5
2e721fe539afa51b0b805bc37a68839e

SHA1
eeebf8ecba33cf1a286d68877da99b61513b6ce9

SHA256
588e2b1ef18235d65b7285b6a109f00ed78334bc629faff09ba14d6dd71e97e6

SHA512
7ba9301f7916d9eed1867386810998aa02c9fcd9add49679d879e074aa4679ee49a33bf750a69c1a3ddfc82cc149fbc71a4a9dae283e2674b13f5bf212474fe9

Download Submit
C:\Windows\System\fOQcWFk.exe

Filesize
5.2MB

MD5
de101758190ee28008dd7607b1d5c442

SHA1
65457cfcc5438016788d1fe44941ffc5737c50f3

SHA256
ef01d48d5dd20ea2a42c661c877d9c9b17e2fc3ca39703a67ccb9f8a168e8164

SHA512
d482b7dd0637d49c37cf567b870f5b212121166b4cb6cbceb9a48180b6a82bd165221e5500b79b51e3c2e03313ad2e71d09ff0ae8e8eca1fa9a3a0afd5853db7

Download Submit
C:\Windows\System\gozBxXl.exe

Filesize
5.2MB

MD5
a5f3acd7a3330a0191e4c5dfa453d0f4

SHA1
5a73cc8666042bd965800e78c8d9298b44029286

SHA256
c01be0b0da2c60e59051b3fdd286d106165cd4294a1793b089ad503b94a7ffd8

SHA512
3a0263536118b95e8a57d5701115cbf13d877a5207d8b7fc01cd170bb3a439ad9e6a15ef6f9b45026fa9c31994d6e0a9398b6231686a5e12306e33be118c9ca1

Download Submit
C:\Windows\System\hTPQjIP.exe

Filesize
5.2MB

MD5
d9e5f5c4d7cea83156333335f5a2e13e

SHA1
bb84ac8b36d93e90d6fcdf994447ea1fcabb3a15

SHA256
effeb0862bd540e4fb6948c403a28793de002f2611053332248676d0a0dc285e

SHA512
bee7cffc899e6b74a1f7c91a6a288cd597d7790821cc52e04bc03a52ad5ae55559724f3d263c897097687bdbd10a341269e328896e338c7fb18ee97d736fe765

Download Submit
C:\Windows\System\kDPucrt.exe

Filesize
5.2MB

MD5
1ea576e206efd8d0af9bd76af0d8c8ef

SHA1
02d1ddbb4bf585d7c3051a3d488c3126e6f4793e

SHA256
38ca2a5c4cb1aa7069b720fd4f06c4f8523f36c6947c9d24f3b343cc9b4ed2e7

SHA512
a37abe64320fc2ad615460b23e1501ae3bab21137f8279d97748a4c2e3943c7bb1220161fe0590099b654f44441ba97a8be1f2a9a74c225c3bedda94bf018cae

Download Submit
C:\Windows\System\lgltOdT.exe

Filesize
5.2MB

MD5
79d84272ae8d14cb12e918476bdaad8a

SHA1
b9a09152c4097994a6fd1c540bb820b4e82425ac

SHA256
449968c6e609583a64b66f02663e02c3f64349351f5f790ed9c524a9225959ee

SHA512
752e3c018d46531decf6e66857a2a7e842780dc920ec627d06c0bb6273b04da21b84a5e441bcb30362dec58e4223a4fac77868ec729e23eb8270ff78fc84928a

Download Submit
C:\Windows\System\wbNaXOa.exe

Filesize
5.2MB

MD5
2a8bb04e42f3088044c2080aad8e4bd7

SHA1
efa2021a128e01ee27f1a3af055b5d801b970f96

SHA256
8cc6fed985f8b8c0f824a495386dc95463c6e6c77f95fb4e8517d1afa67bdbeb

SHA512
45a3f73f67a5fada338ee5cc5e14f366b9ec1c69b98e2223f5f8feb46e326dc3c561f32163c658bb96799ba78dcc93e30c11808895759e20630d7ae928d84cef

Download Submit
C:\Windows\System\wpFAVQC.exe

Filesize
5.2MB

MD5
a6b05fa96be23f37127dfacee90dd0b1

SHA1
fa2d1c39237218114afd27dcf22870032b86531a

SHA256
ebfb0194c71ebbea6b80cad5b412acbed06440ad8846549381c299b5339e555c

SHA512
cfad1c5502bf82fda5e597af69a7f9a8ab82cde96a10f0123ea34ce6d9b2555a6230ec6e33d8f16655ad2da19e44f551c06fea5300413f78f8d10193c6af5be5

Download Submit
C:\Windows\System\xylGXcc.exe

Filesize
5.2MB

MD5
f9edc0b987be48340edf1fcaa2f27091

SHA1
64d22d0b87376f8bc69dae8ee0ea1b9b16ef9a22

SHA256
059f897dd5bc3004d211f82c84016071a0cd46bc3f1b06d43cc46cb5254e1cc7

SHA512
b695d94419348f0471d410310f8d8a1f11bb10333343874f6fbc68399267b2d38ade54c9317ea12f40fed7facca7900f482a0bccaf1ed3145f03ffb00faf59e1

Download Submit
C:\Windows\System\yHIjQXK.exe

Filesize
5.2MB

MD5
a96725af7cb4158b45d804a6f039070d

SHA1
62ea14c0848ee023d0ff07b2513bae62dc00e16f

SHA256
7127df6ada2ff9d8f6a56718566add0058a344795c23721e231384e3e743daa4

SHA512
7f898253aa29a4e2556e85a50567c4898b1025ca2c504d7bc085314363d8ba3d320ba614c3ca6c685ff0cd925b0a449fce33f453a1eb2e14f927211ba1516de4

Download Submit
C:\Windows\System\yeCNQtB.exe

Filesize
5.2MB

MD5
195de24caff7d7b2c2a04edabd9184f1

SHA1
01d1258c764eb48271cdad94d251389edd9363e8

SHA256
fb9a256249f7c4f72c0b00acbb61d6e3bd63e09001bfbcbedc289502f88686f7

SHA512
3917a8d2d37ebc663f3787af32e89b8f2687e3fb95e421c16102b8394413fa3dbab2aa919277c51576feebf020bd301c16dc73ffef5ec61ffbb491e1a2e36a0f

Download Submit
memory/408-72-0x00007FF79E750000-0x00007FF79EAA1000-memory.dmp

Filesize
3.3MB

Download
memory/408-239-0x00007FF79E750000-0x00007FF79EAA1000-memory.dmp

Filesize
3.3MB

Download
memory/756-159-0x00007FF6F8800000-0x00007FF6F8B51000-memory.dmp

Filesize
3.3MB

Download
memory/756-114-0x00007FF6F8800000-0x00007FF6F8B51000-memory.dmp

Filesize
3.3MB

Download
memory/756-267-0x00007FF6F8800000-0x00007FF6F8B51000-memory.dmp

Filesize
3.3MB

Download
memory/1400-217-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp

Filesize
3.3MB

Download
memory/1400-106-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp

Filesize
3.3MB

Download
memory/1400-12-0x00007FF6CB7F0000-0x00007FF6CBB41000-memory.dmp

Filesize
3.3MB

Download
memory/1644-236-0x00007FF73A620000-0x00007FF73A971000-memory.dmp

Filesize
3.3MB

Download
memory/1644-35-0x00007FF73A620000-0x00007FF73A971000-memory.dmp

Filesize
3.3MB

Download
memory/1644-132-0x00007FF73A620000-0x00007FF73A971000-memory.dmp

Filesize
3.3MB

Download
memory/1788-54-0x00007FF7F9670000-0x00007FF7F99C1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-133-0x00007FF7F9670000-0x00007FF7F99C1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-246-0x00007FF7F9670000-0x00007FF7F99C1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-61-0x00007FF6E2330000-0x00007FF6E2681000-memory.dmp

Filesize
3.3MB

Download
memory/1872-134-0x00007FF6E2330000-0x00007FF6E2681000-memory.dmp

Filesize
3.3MB

Download
memory/1872-244-0x00007FF6E2330000-0x00007FF6E2681000-memory.dmp

Filesize
3.3MB

Download
memory/2156-215-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp

Filesize
3.3MB

Download
memory/2156-94-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp

Filesize
3.3MB

Download
memory/2156-6-0x00007FF77BEF0000-0x00007FF77C241000-memory.dmp

Filesize
3.3MB

Download
memory/2308-42-0x00007FF74A130000-0x00007FF74A481000-memory.dmp

Filesize
3.3MB

Download
memory/2308-240-0x00007FF74A130000-0x00007FF74A481000-memory.dmp

Filesize
3.3MB

Download
memory/2308-121-0x00007FF74A130000-0x00007FF74A481000-memory.dmp

Filesize
3.3MB

Download
memory/2488-248-0x00007FF7404B0000-0x00007FF740801000-memory.dmp

Filesize
3.3MB

Download
memory/2488-75-0x00007FF7404B0000-0x00007FF740801000-memory.dmp

Filesize
3.3MB

Download
memory/2524-100-0x00007FF6040B0000-0x00007FF604401000-memory.dmp

Filesize
3.3MB

Download
memory/2524-263-0x00007FF6040B0000-0x00007FF604401000-memory.dmp

Filesize
3.3MB

Download
memory/2524-157-0x00007FF6040B0000-0x00007FF604401000-memory.dmp

Filesize
3.3MB

Download
memory/2908-93-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-1-0x00000206405B0000-0x00000206405C0000-memory.dmp

Filesize
64KB

Download
memory/2908-0-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-138-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp

Filesize
3.3MB

Download
memory/2908-166-0x00007FF7C2F70000-0x00007FF7C32C1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-265-0x00007FF744780000-0x00007FF744AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-110-0x00007FF744780000-0x00007FF744AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3436-158-0x00007FF744780000-0x00007FF744AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3880-160-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp

Filesize
3.3MB

Download
memory/3880-126-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp

Filesize
3.3MB

Download
memory/3880-269-0x00007FF667EA0000-0x00007FF6681F1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-254-0x00007FF6BEFA0000-0x00007FF6BF2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-153-0x00007FF6BEFA0000-0x00007FF6BF2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-87-0x00007FF6BEFA0000-0x00007FF6BF2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-68-0x00007FF7A6F90000-0x00007FF7A72E1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-135-0x00007FF7A6F90000-0x00007FF7A72E1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-243-0x00007FF7A6F90000-0x00007FF7A72E1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-234-0x00007FF692D60000-0x00007FF6930B1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-26-0x00007FF692D60000-0x00007FF6930B1000-memory.dmp

Filesize
3.3MB

Download
memory/4324-120-0x00007FF692D60000-0x00007FF6930B1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-80-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp

Filesize
3.3MB

Download
memory/4464-252-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp

Filesize
3.3MB

Download
memory/4464-142-0x00007FF6CCA40000-0x00007FF6CCD91000-memory.dmp

Filesize
3.3MB

Download
memory/4612-136-0x00007FF7C1AE0000-0x00007FF7C1E31000-memory.dmp

Filesize
3.3MB

Download
memory/4612-271-0x00007FF7C1AE0000-0x00007FF7C1E31000-memory.dmp

Filesize
3.3MB

Download
memory/4692-154-0x00007FF65E660000-0x00007FF65E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-256-0x00007FF65E660000-0x00007FF65E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-88-0x00007FF65E660000-0x00007FF65E9B1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-273-0x00007FF704230000-0x00007FF704581000-memory.dmp

Filesize
3.3MB

Download
memory/4796-137-0x00007FF704230000-0x00007FF704581000-memory.dmp

Filesize
3.3MB

Download
memory/4984-232-0x00007FF662830000-0x00007FF662B81000-memory.dmp

Filesize
3.3MB

Download
memory/4984-113-0x00007FF662830000-0x00007FF662B81000-memory.dmp

Filesize
3.3MB

Download
memory/4984-19-0x00007FF662830000-0x00007FF662B81000-memory.dmp

Filesize
3.3MB

Download
memory/5084-251-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-86-0x00007FF6F6A90000-0x00007FF6F6DE1000-memory.dmp

Filesize
3.3MB

Download