cobaltstrike | 925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
Size

5.2MB
MD5

9242f298b0877d8187f24b0c1b70b837
SHA1

8604aa7c3a07e0ba71edcc0a7b48bdef3922f5e9
SHA256

925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1
SHA512

5dbce0df256f29d5659a1cb6afe5c307f08fa06b4cceb89e9f8c18dbb2f9ecb23031e45a60096906d28408802da8af3b6f202ae3f497785649e13fc35ac4cdeb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibf56utgpPFotBER/mQ32lUj

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c84-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-61.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c89-50.dat	cobalt_reflective_dll
behavioral2/files/0x0004000000022aaa-114.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023b44-128.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023b46-135.dat	cobalt_reflective_dll
behavioral2/files/0x000900000001e438-121.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001da0e-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-107.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3208-87-0x00007FF6E6010000-0x00007FF6E6361000-memory.dmp	xmrig
behavioral2/memory/4560-74-0x00007FF752590000-0x00007FF7528E1000-memory.dmp	xmrig
behavioral2/memory/2964-60-0x00007FF7708A0000-0x00007FF770BF1000-memory.dmp	xmrig
behavioral2/memory/3096-96-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	xmrig
behavioral2/memory/4020-57-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp	xmrig
behavioral2/memory/1216-101-0x00007FF7F0890000-0x00007FF7F0BE1000-memory.dmp	xmrig
behavioral2/memory/3224-133-0x00007FF670B70000-0x00007FF670EC1000-memory.dmp	xmrig
behavioral2/memory/228-131-0x00007FF6CF5E0000-0x00007FF6CF931000-memory.dmp	xmrig
behavioral2/memory/940-110-0x00007FF6B8A50000-0x00007FF6B8DA1000-memory.dmp	xmrig
behavioral2/memory/4020-137-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp	xmrig
behavioral2/memory/1324-140-0x00007FF771010000-0x00007FF771361000-memory.dmp	xmrig
behavioral2/memory/3660-139-0x00007FF6BC600000-0x00007FF6BC951000-memory.dmp	xmrig
behavioral2/memory/3540-147-0x00007FF7D4710000-0x00007FF7D4A61000-memory.dmp	xmrig
behavioral2/memory/2792-146-0x00007FF665850000-0x00007FF665BA1000-memory.dmp	xmrig
behavioral2/memory/1068-154-0x00007FF684D40000-0x00007FF685091000-memory.dmp	xmrig
behavioral2/memory/4380-152-0x00007FF6E2FF0000-0x00007FF6E3341000-memory.dmp	xmrig
behavioral2/memory/4600-156-0x00007FF7EE750000-0x00007FF7EEAA1000-memory.dmp	xmrig
behavioral2/memory/2132-158-0x00007FF626AB0000-0x00007FF626E01000-memory.dmp	xmrig
behavioral2/memory/1140-157-0x00007FF768BE0000-0x00007FF768F31000-memory.dmp	xmrig
behavioral2/memory/208-162-0x00007FF7501C0000-0x00007FF750511000-memory.dmp	xmrig
behavioral2/memory/1088-165-0x00007FF60F1F0000-0x00007FF60F541000-memory.dmp	xmrig
behavioral2/memory/1368-163-0x00007FF70ECD0000-0x00007FF70F021000-memory.dmp	xmrig
behavioral2/memory/1188-164-0x00007FF6A62B0000-0x00007FF6A6601000-memory.dmp	xmrig
behavioral2/memory/4020-166-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp	xmrig
behavioral2/memory/2964-218-0x00007FF7708A0000-0x00007FF770BF1000-memory.dmp	xmrig
behavioral2/memory/4560-220-0x00007FF752590000-0x00007FF7528E1000-memory.dmp	xmrig
behavioral2/memory/3208-222-0x00007FF6E6010000-0x00007FF6E6361000-memory.dmp	xmrig
behavioral2/memory/3096-224-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	xmrig
behavioral2/memory/1216-226-0x00007FF7F0890000-0x00007FF7F0BE1000-memory.dmp	xmrig
behavioral2/memory/940-228-0x00007FF6B8A50000-0x00007FF6B8DA1000-memory.dmp	xmrig
behavioral2/memory/228-239-0x00007FF6CF5E0000-0x00007FF6CF931000-memory.dmp	xmrig
behavioral2/memory/3224-241-0x00007FF670B70000-0x00007FF670EC1000-memory.dmp	xmrig
behavioral2/memory/3660-243-0x00007FF6BC600000-0x00007FF6BC951000-memory.dmp	xmrig
behavioral2/memory/1324-245-0x00007FF771010000-0x00007FF771361000-memory.dmp	xmrig
behavioral2/memory/4380-247-0x00007FF6E2FF0000-0x00007FF6E3341000-memory.dmp	xmrig
behavioral2/memory/2792-249-0x00007FF665850000-0x00007FF665BA1000-memory.dmp	xmrig
behavioral2/memory/1068-251-0x00007FF684D40000-0x00007FF685091000-memory.dmp	xmrig
behavioral2/memory/4600-255-0x00007FF7EE750000-0x00007FF7EEAA1000-memory.dmp	xmrig
behavioral2/memory/3540-254-0x00007FF7D4710000-0x00007FF7D4A61000-memory.dmp	xmrig
behavioral2/memory/1140-263-0x00007FF768BE0000-0x00007FF768F31000-memory.dmp	xmrig
behavioral2/memory/2132-265-0x00007FF626AB0000-0x00007FF626E01000-memory.dmp	xmrig
behavioral2/memory/1088-267-0x00007FF60F1F0000-0x00007FF60F541000-memory.dmp	xmrig
behavioral2/memory/208-269-0x00007FF7501C0000-0x00007FF750511000-memory.dmp	xmrig
behavioral2/memory/1368-271-0x00007FF70ECD0000-0x00007FF70F021000-memory.dmp	xmrig
behavioral2/memory/1188-273-0x00007FF6A62B0000-0x00007FF6A6601000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2964	zkwzGBi.exe
4560	wfikiwZ.exe
3208	eGzSSCy.exe
3096	LmSFZsF.exe
1216	GiiJnQo.exe
940	YZxTbNW.exe
228	wseWCqh.exe
3224	FycrEdB.exe
3660	srDibjU.exe
1324	iJaTIHr.exe
4380	TDTYWYz.exe
2792	gsUAwLI.exe
1068	WyRdFKq.exe
3540	JkCmQDJ.exe
4600	CnyXuoz.exe
1140	tVXqcqW.exe
2132	wyWflDF.exe
1088	zfJBuJF.exe
208	nkkTjRk.exe
1368	UmsJKEb.exe
1188	oTLDvuu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4020-0-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp	upx
behavioral2/files/0x0009000000023c84-4.dat	upx
behavioral2/memory/2964-8-0x00007FF7708A0000-0x00007FF770BF1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-10.dat	upx
behavioral2/files/0x0007000000023c8d-19.dat	upx
behavioral2/files/0x0007000000023c8e-27.dat	upx
behavioral2/files/0x0007000000023c8f-29.dat	upx
behavioral2/files/0x0007000000023c90-36.dat	upx
behavioral2/memory/940-35-0x00007FF6B8A50000-0x00007FF6B8DA1000-memory.dmp	upx
behavioral2/memory/1216-30-0x00007FF7F0890000-0x00007FF7F0BE1000-memory.dmp	upx
behavioral2/memory/3096-24-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	upx
behavioral2/memory/3208-16-0x00007FF6E6010000-0x00007FF6E6361000-memory.dmp	upx
behavioral2/memory/4560-12-0x00007FF752590000-0x00007FF7528E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-41.dat	upx
behavioral2/memory/228-44-0x00007FF6CF5E0000-0x00007FF6CF931000-memory.dmp	upx
behavioral2/files/0x0007000000023c94-56.dat	upx
behavioral2/memory/3660-58-0x00007FF6BC600000-0x00007FF6BC951000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-70.dat	upx
behavioral2/files/0x0007000000023c95-68.dat	upx
behavioral2/files/0x0007000000023c97-77.dat	upx
behavioral2/files/0x0007000000023c98-92.dat	upx
behavioral2/files/0x0007000000023c99-94.dat	upx
behavioral2/memory/4600-89-0x00007FF7EE750000-0x00007FF7EEAA1000-memory.dmp	upx
behavioral2/memory/1068-88-0x00007FF684D40000-0x00007FF685091000-memory.dmp	upx
behavioral2/memory/3208-87-0x00007FF6E6010000-0x00007FF6E6361000-memory.dmp	upx
behavioral2/memory/3540-86-0x00007FF7D4710000-0x00007FF7D4A61000-memory.dmp	upx
behavioral2/memory/2792-82-0x00007FF665850000-0x00007FF665BA1000-memory.dmp	upx
behavioral2/memory/4380-76-0x00007FF6E2FF0000-0x00007FF6E3341000-memory.dmp	upx
behavioral2/memory/4560-74-0x00007FF752590000-0x00007FF7528E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-61.dat	upx
behavioral2/memory/2964-60-0x00007FF7708A0000-0x00007FF770BF1000-memory.dmp	upx
behavioral2/memory/1324-59-0x00007FF771010000-0x00007FF771361000-memory.dmp	upx
behavioral2/memory/3096-96-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	upx
behavioral2/memory/4020-57-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp	upx
behavioral2/memory/3224-52-0x00007FF670B70000-0x00007FF670EC1000-memory.dmp	upx
behavioral2/files/0x0008000000023c89-50.dat	upx
behavioral2/memory/1216-101-0x00007FF7F0890000-0x00007FF7F0BE1000-memory.dmp	upx
behavioral2/memory/1140-104-0x00007FF768BE0000-0x00007FF768F31000-memory.dmp	upx
behavioral2/files/0x0004000000022aaa-114.dat	upx
behavioral2/memory/2132-118-0x00007FF626AB0000-0x00007FF626E01000-memory.dmp	upx
behavioral2/files/0x000e000000023b44-128.dat	upx
behavioral2/memory/1188-134-0x00007FF6A62B0000-0x00007FF6A6601000-memory.dmp	upx
behavioral2/files/0x000d000000023b46-135.dat	upx
behavioral2/memory/3224-133-0x00007FF670B70000-0x00007FF670EC1000-memory.dmp	upx
behavioral2/memory/228-131-0x00007FF6CF5E0000-0x00007FF6CF931000-memory.dmp	upx
behavioral2/memory/1368-130-0x00007FF70ECD0000-0x00007FF70F021000-memory.dmp	upx
behavioral2/memory/208-127-0x00007FF7501C0000-0x00007FF750511000-memory.dmp	upx
behavioral2/memory/1088-124-0x00007FF60F1F0000-0x00007FF60F541000-memory.dmp	upx
behavioral2/files/0x000900000001e438-121.dat	upx
behavioral2/files/0x000600000001da0e-115.dat	upx
behavioral2/memory/940-110-0x00007FF6B8A50000-0x00007FF6B8DA1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-107.dat	upx
behavioral2/memory/4020-137-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp	upx
behavioral2/memory/1324-140-0x00007FF771010000-0x00007FF771361000-memory.dmp	upx
behavioral2/memory/3660-139-0x00007FF6BC600000-0x00007FF6BC951000-memory.dmp	upx
behavioral2/memory/3540-147-0x00007FF7D4710000-0x00007FF7D4A61000-memory.dmp	upx
behavioral2/memory/2792-146-0x00007FF665850000-0x00007FF665BA1000-memory.dmp	upx
behavioral2/memory/1068-154-0x00007FF684D40000-0x00007FF685091000-memory.dmp	upx
behavioral2/memory/4380-152-0x00007FF6E2FF0000-0x00007FF6E3341000-memory.dmp	upx
behavioral2/memory/4600-156-0x00007FF7EE750000-0x00007FF7EEAA1000-memory.dmp	upx
behavioral2/memory/2132-158-0x00007FF626AB0000-0x00007FF626E01000-memory.dmp	upx
behavioral2/memory/1140-157-0x00007FF768BE0000-0x00007FF768F31000-memory.dmp	upx
behavioral2/memory/208-162-0x00007FF7501C0000-0x00007FF750511000-memory.dmp	upx
behavioral2/memory/1088-165-0x00007FF60F1F0000-0x00007FF60F541000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\eGzSSCy.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\LmSFZsF.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\YZxTbNW.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\wseWCqh.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\FycrEdB.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\TDTYWYz.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\CnyXuoz.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\nkkTjRk.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\zkwzGBi.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\srDibjU.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\gsUAwLI.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\wyWflDF.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\GiiJnQo.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\JkCmQDJ.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\zfJBuJF.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\oTLDvuu.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\wfikiwZ.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\iJaTIHr.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\WyRdFKq.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\tVXqcqW.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
File created	C:\Windows\System\UmsJKEb.exe	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
Token: SeLockMemoryPrivilege	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2964	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	85
PID 4020 wrote to memory of 2964	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	85
PID 4020 wrote to memory of 4560	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	86
PID 4020 wrote to memory of 4560	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	86
PID 4020 wrote to memory of 3208	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	87
PID 4020 wrote to memory of 3208	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	87
PID 4020 wrote to memory of 3096	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	88
PID 4020 wrote to memory of 3096	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	88
PID 4020 wrote to memory of 1216	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	89
PID 4020 wrote to memory of 1216	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	89
PID 4020 wrote to memory of 940	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	90
PID 4020 wrote to memory of 940	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	90
PID 4020 wrote to memory of 228	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	91
PID 4020 wrote to memory of 228	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	91
PID 4020 wrote to memory of 3224	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	92
PID 4020 wrote to memory of 3224	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	92
PID 4020 wrote to memory of 3660	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	93
PID 4020 wrote to memory of 3660	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	93
PID 4020 wrote to memory of 1324	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	94
PID 4020 wrote to memory of 1324	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	94
PID 4020 wrote to memory of 4380	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	95
PID 4020 wrote to memory of 4380	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	95
PID 4020 wrote to memory of 2792	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	96
PID 4020 wrote to memory of 2792	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	96
PID 4020 wrote to memory of 1068	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	98
PID 4020 wrote to memory of 1068	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	98
PID 4020 wrote to memory of 3540	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	99
PID 4020 wrote to memory of 3540	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	99
PID 4020 wrote to memory of 4600	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	100
PID 4020 wrote to memory of 4600	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	100
PID 4020 wrote to memory of 1140	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	103
PID 4020 wrote to memory of 1140	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	103
PID 4020 wrote to memory of 2132	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	104
PID 4020 wrote to memory of 2132	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	104
PID 4020 wrote to memory of 1088	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	105
PID 4020 wrote to memory of 1088	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	105
PID 4020 wrote to memory of 208	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	106
PID 4020 wrote to memory of 208	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	106
PID 4020 wrote to memory of 1368	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	107
PID 4020 wrote to memory of 1368	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	107
PID 4020 wrote to memory of 1188	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	108
PID 4020 wrote to memory of 1188	4020	925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe	108

C:\Users\Admin\AppData\Local\Temp\925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe
"C:\Users\Admin\AppData\Local\Temp\925c0800d4a0337693d90fe11c96655c8629434ee6b5136863040263531062a1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\System\zkwzGBi.exe
  C:\Windows\System\zkwzGBi.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\wfikiwZ.exe
  C:\Windows\System\wfikiwZ.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\eGzSSCy.exe
  C:\Windows\System\eGzSSCy.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\LmSFZsF.exe
  C:\Windows\System\LmSFZsF.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\GiiJnQo.exe
  C:\Windows\System\GiiJnQo.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\YZxTbNW.exe
  C:\Windows\System\YZxTbNW.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\wseWCqh.exe
  C:\Windows\System\wseWCqh.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\FycrEdB.exe
  C:\Windows\System\FycrEdB.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\srDibjU.exe
  C:\Windows\System\srDibjU.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\iJaTIHr.exe
  C:\Windows\System\iJaTIHr.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\TDTYWYz.exe
  C:\Windows\System\TDTYWYz.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\gsUAwLI.exe
  C:\Windows\System\gsUAwLI.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\WyRdFKq.exe
  C:\Windows\System\WyRdFKq.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\JkCmQDJ.exe
  C:\Windows\System\JkCmQDJ.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\CnyXuoz.exe
  C:\Windows\System\CnyXuoz.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\tVXqcqW.exe
  C:\Windows\System\tVXqcqW.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\wyWflDF.exe
  C:\Windows\System\wyWflDF.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\zfJBuJF.exe
  C:\Windows\System\zfJBuJF.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\nkkTjRk.exe
  C:\Windows\System\nkkTjRk.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\UmsJKEb.exe
  C:\Windows\System\UmsJKEb.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\oTLDvuu.exe
  C:\Windows\System\oTLDvuu.exe
  2⤵
  - Executes dropped EXE
  PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CnyXuoz.exe

Filesize
5.2MB

MD5
bc1dcb6596d84280fedab65071fd7e33

SHA1
80a956091a8be7d65759aa513489f3f9fd06e17b

SHA256
ca4a805aff0554b8f3d7e7e49bd584ff508eae53bc1fb274ff18f7237e987bc8

SHA512
ddddd4e6e679c1f49f3d17657c9acc6ebfaee116101b296e00225e59ac7dfd237ec3525d729c8c004623972638ea23bd50b3ace5fa543af3398ce0c206f6a6c6

Download Submit
C:\Windows\System\FycrEdB.exe

Filesize
5.2MB

MD5
806d515d5d4f9a4224768a82b79b2933

SHA1
eaca288e376cd2c49220d26e08e9dcb3848b3447

SHA256
0e5d26d40561db390d814d56ac9bdcc728999bbc463f5224a56feeaf262f39c8

SHA512
7fff1fb2301aeab9008182067ca4a61bb759f7f2db0210a0426d40b9522fe42d738b6e87edbfd8325a8cb739becfc556e9ac3634776a3889af6fe0c9b1e531a5

Download Submit
C:\Windows\System\GiiJnQo.exe

Filesize
5.2MB

MD5
abaebb0ebe0ce8721af1e1cc4f7d8739

SHA1
cd0cb83706873f6e1ee33bbb409039920a686bd8

SHA256
552d8961c37723af39c965c111e2e469f788d970b50273d6d9008f0182169333

SHA512
b3e7957d54accd37d8fce330f28415a1de96159f197bc63b805d865c1af1c9b1388f63001cfb991080da641da10cbf32e0cec23f81d389d684404b8d3494f26d

Download Submit
C:\Windows\System\JkCmQDJ.exe

Filesize
5.2MB

MD5
ae5a77b6b21246908fc2abdaa238dacf

SHA1
a71e6fe1b29c7d71c97d6016e795d3ddc623ffd6

SHA256
323ba584e2efcbb5dccb2269ee3693193ac08a9bebad54c111a4cabe06ef11d1

SHA512
bdabe11ce598508fedd06facd9879d61a2df389b7e46e0ccb0b5831410911405cc9bbd1bc121c19cf155735599a08ccf44c5d840488514db3921e8fd1fd29a8a

Download Submit
C:\Windows\System\LmSFZsF.exe

Filesize
5.2MB

MD5
1336a405e3cc25a027c0214526c8a64e

SHA1
6c0cd143e7a1d726b5eb00f5d6ef905d44ca1944

SHA256
1b26b3ca2e671b792617646c1dcb942347fc90c2aa2e96fb60765af94afdf3b5

SHA512
4fbd290f5edaa318bf1e0b44c7ea5e461bd4229a6c891e0186f21a64922ea3ac4a8ad31100978a2250126f67ae8a591978ad0034a61a6da5e0d14d84ce4427ad

Download Submit
C:\Windows\System\TDTYWYz.exe

Filesize
5.2MB

MD5
f29a7758c7d58408ef644e64a8105a4c

SHA1
8f9c84482438d31a2ccba73eeade6c9c57201886

SHA256
bbe9adb0a2b38392c0c67561b42024511067cbbea51cdca5a289d7fe54eb8fb6

SHA512
21a028314689af1a5b49d7649686923b97cfebdfabed6f864ce4df5b5c74b10583a51e4170ba8c28a786779c08f987e0152303193c9dfb3b00819ff0f629b153

Download Submit
C:\Windows\System\UmsJKEb.exe

Filesize
5.2MB

MD5
c0915484f7103b0b22d14fe6b58b5ce1

SHA1
b530a5933d0019392c442b95bd2f762e00737d0d

SHA256
08e484ff1b0457dc7f9592278c60529f413eceff2927a62bc7ba8ab1aa5d4cde

SHA512
25ac1c53582a9a0192c131f061863f969499201d9e62d49e14f17ef5715ad6b547b85eaad187171e84793800838eaeda04325b01a6fc1ba850296c0932af0537

Download Submit
C:\Windows\System\WyRdFKq.exe

Filesize
5.2MB

MD5
679ec3285fe81c3678a639e859892263

SHA1
6f9afc6fbce32305b1964b925736f7610f03aab0

SHA256
d55890f03fc6fc27356d18a7e1a821fcc34b12fdc633f570b4ddd83a52fb98b4

SHA512
4e9074409022aab8b7581cffa4293496b5a3b0302df815e6eb418432771b929e0d274c5186a73a66c3ff051c0f61ac5c126f210249466075097c5002586e1505

Download Submit
C:\Windows\System\YZxTbNW.exe

Filesize
5.2MB

MD5
b96bbe8d9b754a01c6d76e4eefb14d29

SHA1
dc6c8f28b9f04348ebd5623c71c767dd95439776

SHA256
7a07b5276442c34db174e811dc35f8301c2f943f746959ca82322073a5922219

SHA512
fbb96f4b1796bf0d32e38069e436e8b71f4a55bfc544bc2ec442179d90b2241ce4d3239bc811bb74bbf0d3903a1484bfb083e8c5c1d684c637c53e6147b44f9e

Download Submit
C:\Windows\System\eGzSSCy.exe

Filesize
5.2MB

MD5
7f440d014591e5c17d1c8e474308af47

SHA1
3aa3d55e262bdf8ba70f23e81070ed72384d7ca0

SHA256
f095a5a84df17a607a5d47dccb29924d6ce942cc53e871e197040cdcadd26403

SHA512
a014ea44b308759a1b8d2f634dc57b8f7e9fc385e950ecb5618265bbb450180d79a92d1911e87f497d1410d7e3e29af919f4a1b12d6ddca299fd4ded7dea8204

Download Submit
C:\Windows\System\gsUAwLI.exe

Filesize
5.2MB

MD5
02d352fa437148a970391636afe3a74f

SHA1
3fd750e98b991b34b318aca8979df1e719cd40fb

SHA256
903a48a2ddc0d85f6ee430a7f1930060b090539990de967830ba1fb929a3d137

SHA512
b180419fa2b2b7e32c683ce9164ed00214cadc9917a0094ee231cecf85747f425ded681582f1bf0a3dab1cc31d7e646b8b92554b0acd8f3ed51695650b414af7

Download Submit
C:\Windows\System\iJaTIHr.exe

Filesize
5.2MB

MD5
7a30f5c6b7e900c29d602de66a4bba5d

SHA1
3c1f241d2d81b343ccab29f555f3af0eddca2a1f

SHA256
a312efed99da933ad3d44c553c11f69fe90d5e98b59d44439c37434b00938e31

SHA512
a3a148a22a5fcbc026e34e50d89fcb4694b4ac9f818412bf8407300eeaa46eab70cda5d37cbfb6ac53f0934976ba081a872ae5c5b0f8c9e7499a866430f58423

Download Submit
C:\Windows\System\nkkTjRk.exe

Filesize
5.2MB

MD5
e5f481d9e41e5169998af83d26bad487

SHA1
b94aed69d66b4def38724cb1efd2ffd9d9d0f5b6

SHA256
86edc5b93df16939fb016f7f95e4e8d811a8d5fc40f6a016120c79d2d6f50ac0

SHA512
b3fa7eb2087b281cfbacffc1c6fcda88824578881154d9f73974c6ad59401d1afb9b8086aa5332de01e073a8109840d9f5bd79e6e415e90226196093f369badf

Download Submit
C:\Windows\System\oTLDvuu.exe

Filesize
5.2MB

MD5
500d8bb7151311e4a5e7cd0290b945ad

SHA1
3b52451b12b81b6566aba81d9b0d4978d53385c8

SHA256
203efbcad86b3b9cb0afa415dc58a4f420d2ad5186020c449de0f319854ad72f

SHA512
7aaf399bdbdadfeae876a441f82ced6e810fc2e3fc9f2224e77f7d96d9fe289113dcf45299a595725a86d12453cbb996e78b00fb945b02bcd560a0ec69306a9e

Download Submit
C:\Windows\System\srDibjU.exe

Filesize
5.2MB

MD5
bbc7909150c541b78a26106ab5daecb0

SHA1
8a537473b6a9528e84189d57464bb8a799349960

SHA256
85b675bcbf40726badc0c0bf8488539ac693f5b5072089f382e4b0764756fe8a

SHA512
d9855f0ee7f2b486d2881748a5f34d840394e081a1e28debbcf5713f0decec073bfd3370cd71c9fa0303c23224d39ed4add4cd27426e1536cf62596ff4112441

Download Submit
C:\Windows\System\tVXqcqW.exe

Filesize
5.2MB

MD5
df13b6f7bd5b0b93cdc476a470179ebc

SHA1
9d4d7b1d2b4bd1107a6c6d861a7fedd405b347a5

SHA256
e99033dc21b4c548e2e0149c3f646f8b7c139b1a84d1656cbf140a4ffe65501e

SHA512
19b78f1b3b3b1a5e14a969a8bc9288aef8ad46f4643175a75f49c90183424c7e4722283c9ec2f364f9a6b5eb5f8c52bdab9f7cd74f15ca5ffb48c21cfdf42ea4

Download Submit
C:\Windows\System\wfikiwZ.exe

Filesize
5.2MB

MD5
fcd5efa5275aa6d5b524d9a5359beb27

SHA1
f0fc1617443b988164c903df40becb99296a74e5

SHA256
802cd5775d9a54dc69347468b26b1afb6caa6cb503dbac55d31c3bd1ae1e3877

SHA512
0ba7b0f533667f7e6d9eca080fd4fdfa5e6ab48d31a197745d69c193fa4d1336c8465f81a8f48cab247f931d3ac18d76a48f75b2bf25f405a87a7d75af0db93e

Download Submit
C:\Windows\System\wseWCqh.exe

Filesize
5.2MB

MD5
5356c7ab555fc2bc1035a0fa4ab48630

SHA1
efb18f35374b1aaa07eb2e97d3288c0a652dc07f

SHA256
114e78c7ddb011138ea7b944a2a0d6fdc058d4bcfac607384983b1e4853007fb

SHA512
9fbae64de8cbb9c16d84cdf601700acb3e9b26bfe2e1095e4112bf1f2301899d42783b0480b4952e32e32d90869c6b6a99490da1ddb77d8a50d8d9675cad3010

Download Submit
C:\Windows\System\wyWflDF.exe

Filesize
5.2MB

MD5
96374a09c0f7041eb2f8310985f9f85d

SHA1
5b72880c3ed0e425357ba6e80597649b17c4117f

SHA256
5ff24c505b41aa402f573ac00524faee7f4b1bbbb7a4794f19af6b1714782e66

SHA512
42f374769c3d36a3e1f69d2e9ac7e284b141d4dfcf48a47e8cd3f7be4b7ee2db7027a8dc6973db8e3d00cf84f831bb1529ccb99953c6a811909b5a6596025061

Download Submit
C:\Windows\System\zfJBuJF.exe

Filesize
5.2MB

MD5
7080631cad97858715552a7c2b877163

SHA1
79ba391c8526b0447fbaedaf901ca799e10f98a8

SHA256
a9d69368eb797811851462cd522d2e67c2edd628e52aefa2e18fee744cd8201e

SHA512
2852a21fa4bd5b0760535a865065f89165d6c21daa9ae7ed5b6a857a64075cde8038e7fc61368471c011ea8d1c5c67de75e032d88d5d9c6b3fe27775674fefd2

Download Submit
C:\Windows\System\zkwzGBi.exe

Filesize
5.2MB

MD5
2999f695ffca60a056250c1c9253f5fe

SHA1
1ac963c7065918f6af79edbe90e156fe862c5ff7

SHA256
aa4694aacf61f63364cc6d4a890e94cc2dd5427488ffcf09328696aed3c4cc75

SHA512
7b0fa19a961681105134127a2fd41d42a2cbdd741e00536ac4e995a666c9436fb13faccb7c45cceb89e28fbc329764a42f896b66f586ee4abae1f14327d3f6ad

Download Submit
memory/208-127-0x00007FF7501C0000-0x00007FF750511000-memory.dmp

Filesize
3.3MB

Download
memory/208-162-0x00007FF7501C0000-0x00007FF750511000-memory.dmp

Filesize
3.3MB

Download
memory/208-269-0x00007FF7501C0000-0x00007FF750511000-memory.dmp

Filesize
3.3MB

Download
memory/228-131-0x00007FF6CF5E0000-0x00007FF6CF931000-memory.dmp

Filesize
3.3MB

Download
memory/228-44-0x00007FF6CF5E0000-0x00007FF6CF931000-memory.dmp

Filesize
3.3MB

Download
memory/228-239-0x00007FF6CF5E0000-0x00007FF6CF931000-memory.dmp

Filesize
3.3MB

Download
memory/940-228-0x00007FF6B8A50000-0x00007FF6B8DA1000-memory.dmp

Filesize
3.3MB

Download
memory/940-110-0x00007FF6B8A50000-0x00007FF6B8DA1000-memory.dmp

Filesize
3.3MB

Download
memory/940-35-0x00007FF6B8A50000-0x00007FF6B8DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-251-0x00007FF684D40000-0x00007FF685091000-memory.dmp

Filesize
3.3MB

Download
memory/1068-88-0x00007FF684D40000-0x00007FF685091000-memory.dmp

Filesize
3.3MB

Download
memory/1068-154-0x00007FF684D40000-0x00007FF685091000-memory.dmp

Filesize
3.3MB

Download
memory/1088-165-0x00007FF60F1F0000-0x00007FF60F541000-memory.dmp

Filesize
3.3MB

Download
memory/1088-267-0x00007FF60F1F0000-0x00007FF60F541000-memory.dmp

Filesize
3.3MB

Download
memory/1088-124-0x00007FF60F1F0000-0x00007FF60F541000-memory.dmp

Filesize
3.3MB

Download
memory/1140-157-0x00007FF768BE0000-0x00007FF768F31000-memory.dmp

Filesize
3.3MB

Download
memory/1140-263-0x00007FF768BE0000-0x00007FF768F31000-memory.dmp

Filesize
3.3MB

Download
memory/1140-104-0x00007FF768BE0000-0x00007FF768F31000-memory.dmp

Filesize
3.3MB

Download
memory/1188-134-0x00007FF6A62B0000-0x00007FF6A6601000-memory.dmp

Filesize
3.3MB

Download
memory/1188-164-0x00007FF6A62B0000-0x00007FF6A6601000-memory.dmp

Filesize
3.3MB

Download
memory/1188-273-0x00007FF6A62B0000-0x00007FF6A6601000-memory.dmp

Filesize
3.3MB

Download
memory/1216-226-0x00007FF7F0890000-0x00007FF7F0BE1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-101-0x00007FF7F0890000-0x00007FF7F0BE1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-30-0x00007FF7F0890000-0x00007FF7F0BE1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-59-0x00007FF771010000-0x00007FF771361000-memory.dmp

Filesize
3.3MB

Download
memory/1324-140-0x00007FF771010000-0x00007FF771361000-memory.dmp

Filesize
3.3MB

Download
memory/1324-245-0x00007FF771010000-0x00007FF771361000-memory.dmp

Filesize
3.3MB

Download
memory/1368-163-0x00007FF70ECD0000-0x00007FF70F021000-memory.dmp

Filesize
3.3MB

Download
memory/1368-271-0x00007FF70ECD0000-0x00007FF70F021000-memory.dmp

Filesize
3.3MB

Download
memory/1368-130-0x00007FF70ECD0000-0x00007FF70F021000-memory.dmp

Filesize
3.3MB

Download
memory/2132-118-0x00007FF626AB0000-0x00007FF626E01000-memory.dmp

Filesize
3.3MB

Download
memory/2132-265-0x00007FF626AB0000-0x00007FF626E01000-memory.dmp

Filesize
3.3MB

Download
memory/2132-158-0x00007FF626AB0000-0x00007FF626E01000-memory.dmp

Filesize
3.3MB

Download
memory/2792-146-0x00007FF665850000-0x00007FF665BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-249-0x00007FF665850000-0x00007FF665BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-82-0x00007FF665850000-0x00007FF665BA1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-60-0x00007FF7708A0000-0x00007FF770BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-218-0x00007FF7708A0000-0x00007FF770BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-8-0x00007FF7708A0000-0x00007FF770BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-224-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-96-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-24-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-222-0x00007FF6E6010000-0x00007FF6E6361000-memory.dmp

Filesize
3.3MB

Download
memory/3208-16-0x00007FF6E6010000-0x00007FF6E6361000-memory.dmp

Filesize
3.3MB

Download
memory/3208-87-0x00007FF6E6010000-0x00007FF6E6361000-memory.dmp

Filesize
3.3MB

Download
memory/3224-52-0x00007FF670B70000-0x00007FF670EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-241-0x00007FF670B70000-0x00007FF670EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3224-133-0x00007FF670B70000-0x00007FF670EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3540-254-0x00007FF7D4710000-0x00007FF7D4A61000-memory.dmp

Filesize
3.3MB

Download
memory/3540-147-0x00007FF7D4710000-0x00007FF7D4A61000-memory.dmp

Filesize
3.3MB

Download
memory/3540-86-0x00007FF7D4710000-0x00007FF7D4A61000-memory.dmp

Filesize
3.3MB

Download
memory/3660-139-0x00007FF6BC600000-0x00007FF6BC951000-memory.dmp

Filesize
3.3MB

Download
memory/3660-58-0x00007FF6BC600000-0x00007FF6BC951000-memory.dmp

Filesize
3.3MB

Download
memory/3660-243-0x00007FF6BC600000-0x00007FF6BC951000-memory.dmp

Filesize
3.3MB

Download
memory/4020-166-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-57-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-1-0x000002BED3BA0000-0x000002BED3BB0000-memory.dmp

Filesize
64KB

Download
memory/4020-137-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-0-0x00007FF7BA290000-0x00007FF7BA5E1000-memory.dmp

Filesize
3.3MB

Download
memory/4380-247-0x00007FF6E2FF0000-0x00007FF6E3341000-memory.dmp

Filesize
3.3MB

Download
memory/4380-76-0x00007FF6E2FF0000-0x00007FF6E3341000-memory.dmp

Filesize
3.3MB

Download
memory/4380-152-0x00007FF6E2FF0000-0x00007FF6E3341000-memory.dmp

Filesize
3.3MB

Download
memory/4560-220-0x00007FF752590000-0x00007FF7528E1000-memory.dmp

Filesize
3.3MB

Download
memory/4560-12-0x00007FF752590000-0x00007FF7528E1000-memory.dmp

Filesize
3.3MB

Download
memory/4560-74-0x00007FF752590000-0x00007FF7528E1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-255-0x00007FF7EE750000-0x00007FF7EEAA1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-89-0x00007FF7EE750000-0x00007FF7EEAA1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-156-0x00007FF7EE750000-0x00007FF7EEAA1000-memory.dmp

Filesize
3.3MB

Download