cobaltstrike | 9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
Size

5.2MB
MD5

fdaf05cc57378a304476792c6a48e0a0
SHA1

830b85b75f09fbdb7350bd377d67a6911331675c
SHA256

9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8
SHA512

7313ab3fa2981ae7fb09b543ef0227a08ff97ca3b7fdc5100f442fe727a83b33b082053a5aaae25b2fc55c7f7eb5695e8c38d43e85f94723412d932bfedd91ad
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibj56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233f2-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-14.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-23.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-104.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023449-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-20.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3844-115-0x00007FF65A300000-0x00007FF65A651000-memory.dmp	xmrig
behavioral2/memory/1920-90-0x00007FF6378A0000-0x00007FF637BF1000-memory.dmp	xmrig
behavioral2/memory/1032-88-0x00007FF65C3D0000-0x00007FF65C721000-memory.dmp	xmrig
behavioral2/memory/652-83-0x00007FF75D6D0000-0x00007FF75DA21000-memory.dmp	xmrig
behavioral2/memory/2568-67-0x00007FF659CB0000-0x00007FF65A001000-memory.dmp	xmrig
behavioral2/memory/1076-132-0x00007FF7B4870000-0x00007FF7B4BC1000-memory.dmp	xmrig
behavioral2/memory/4052-133-0x00007FF7F4960000-0x00007FF7F4CB1000-memory.dmp	xmrig
behavioral2/memory/4228-135-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp	xmrig
behavioral2/memory/1168-131-0x00007FF635C90000-0x00007FF635FE1000-memory.dmp	xmrig
behavioral2/memory/4604-136-0x00007FF637C30000-0x00007FF637F81000-memory.dmp	xmrig
behavioral2/memory/4136-134-0x00007FF7DCE30000-0x00007FF7DD181000-memory.dmp	xmrig
behavioral2/memory/4056-130-0x00007FF6111B0000-0x00007FF611501000-memory.dmp	xmrig
behavioral2/memory/2020-129-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp	xmrig
behavioral2/memory/4228-128-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp	xmrig
behavioral2/memory/4956-140-0x00007FF7908A0000-0x00007FF790BF1000-memory.dmp	xmrig
behavioral2/memory/4780-146-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	xmrig
behavioral2/memory/4068-150-0x00007FF628590000-0x00007FF6288E1000-memory.dmp	xmrig
behavioral2/memory/2508-149-0x00007FF74CC30000-0x00007FF74CF81000-memory.dmp	xmrig
behavioral2/memory/1292-148-0x00007FF6BCD60000-0x00007FF6BD0B1000-memory.dmp	xmrig
behavioral2/memory/2612-143-0x00007FF7432D0000-0x00007FF743621000-memory.dmp	xmrig
behavioral2/memory/1452-147-0x00007FF646BD0000-0x00007FF646F21000-memory.dmp	xmrig
behavioral2/memory/4008-144-0x00007FF606C90000-0x00007FF606FE1000-memory.dmp	xmrig
behavioral2/memory/2684-137-0x00007FF695980000-0x00007FF695CD1000-memory.dmp	xmrig
behavioral2/memory/4228-151-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp	xmrig
behavioral2/memory/2020-213-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp	xmrig
behavioral2/memory/4056-215-0x00007FF6111B0000-0x00007FF611501000-memory.dmp	xmrig
behavioral2/memory/1168-217-0x00007FF635C90000-0x00007FF635FE1000-memory.dmp	xmrig
behavioral2/memory/1076-222-0x00007FF7B4870000-0x00007FF7B4BC1000-memory.dmp	xmrig
behavioral2/memory/2568-220-0x00007FF659CB0000-0x00007FF65A001000-memory.dmp	xmrig
behavioral2/memory/4052-223-0x00007FF7F4960000-0x00007FF7F4CB1000-memory.dmp	xmrig
behavioral2/memory/4136-227-0x00007FF7DCE30000-0x00007FF7DD181000-memory.dmp	xmrig
behavioral2/memory/652-229-0x00007FF75D6D0000-0x00007FF75DA21000-memory.dmp	xmrig
behavioral2/memory/4956-238-0x00007FF7908A0000-0x00007FF790BF1000-memory.dmp	xmrig
behavioral2/memory/1032-240-0x00007FF65C3D0000-0x00007FF65C721000-memory.dmp	xmrig
behavioral2/memory/2684-236-0x00007FF695980000-0x00007FF695CD1000-memory.dmp	xmrig
behavioral2/memory/4604-228-0x00007FF637C30000-0x00007FF637F81000-memory.dmp	xmrig
behavioral2/memory/3844-250-0x00007FF65A300000-0x00007FF65A651000-memory.dmp	xmrig
behavioral2/memory/2612-251-0x00007FF7432D0000-0x00007FF743621000-memory.dmp	xmrig
behavioral2/memory/4780-252-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	xmrig
behavioral2/memory/2508-256-0x00007FF74CC30000-0x00007FF74CF81000-memory.dmp	xmrig
behavioral2/memory/1292-254-0x00007FF6BCD60000-0x00007FF6BD0B1000-memory.dmp	xmrig
behavioral2/memory/4008-248-0x00007FF606C90000-0x00007FF606FE1000-memory.dmp	xmrig
behavioral2/memory/1452-244-0x00007FF646BD0000-0x00007FF646F21000-memory.dmp	xmrig
behavioral2/memory/1920-243-0x00007FF6378A0000-0x00007FF637BF1000-memory.dmp	xmrig
behavioral2/memory/4068-259-0x00007FF628590000-0x00007FF6288E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2020	eLEoQVS.exe
4056	TiSFHBI.exe
1168	dwCIdha.exe
1076	ixSPPWb.exe
4052	uSiDACo.exe
4136	DBMxHqb.exe
4604	XJHuKiE.exe
2684	tGiZZgK.exe
2568	kcgpCeS.exe
652	uFanfhR.exe
4956	FgRFpnT.exe
1032	JEwhDHS.exe
1920	MYGZcFB.exe
2612	yzqNHoe.exe
4008	GZiHptR.exe
3844	fbeGqDI.exe
4780	XLicwAd.exe
1452	PoRJqJE.exe
1292	whBusBX.exe
2508	gupSynl.exe
4068	DbDHqBK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4228-0-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp	upx
behavioral2/files/0x00090000000233f2-5.dat	upx
behavioral2/memory/2020-10-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp	upx
behavioral2/files/0x000700000002344d-14.dat	upx
behavioral2/files/0x000700000002344e-23.dat	upx
behavioral2/files/0x000700000002344f-26.dat	upx
behavioral2/files/0x0007000000023452-42.dat	upx
behavioral2/files/0x0007000000023451-52.dat	upx
behavioral2/files/0x0007000000023455-54.dat	upx
behavioral2/files/0x0007000000023450-59.dat	upx
behavioral2/files/0x0007000000023454-70.dat	upx
behavioral2/memory/2612-76-0x00007FF7432D0000-0x00007FF743621000-memory.dmp	upx
behavioral2/files/0x0007000000023457-86.dat	upx
behavioral2/files/0x0007000000023458-93.dat	upx
behavioral2/files/0x0007000000023459-104.dat	upx
behavioral2/files/0x0008000000023449-113.dat	upx
behavioral2/files/0x000700000002345d-120.dat	upx
behavioral2/memory/1452-122-0x00007FF646BD0000-0x00007FF646F21000-memory.dmp	upx
behavioral2/files/0x000700000002345c-118.dat	upx
behavioral2/files/0x000700000002345b-116.dat	upx
behavioral2/memory/3844-115-0x00007FF65A300000-0x00007FF65A651000-memory.dmp	upx
behavioral2/files/0x000700000002345a-111.dat	upx
behavioral2/memory/2508-110-0x00007FF74CC30000-0x00007FF74CF81000-memory.dmp	upx
behavioral2/memory/1292-109-0x00007FF6BCD60000-0x00007FF6BD0B1000-memory.dmp	upx
behavioral2/memory/4780-108-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	upx
behavioral2/memory/4008-102-0x00007FF606C90000-0x00007FF606FE1000-memory.dmp	upx
behavioral2/memory/1920-90-0x00007FF6378A0000-0x00007FF637BF1000-memory.dmp	upx
behavioral2/memory/1032-88-0x00007FF65C3D0000-0x00007FF65C721000-memory.dmp	upx
behavioral2/memory/652-83-0x00007FF75D6D0000-0x00007FF75DA21000-memory.dmp	upx
behavioral2/files/0x0007000000023456-80.dat	upx
behavioral2/memory/4956-73-0x00007FF7908A0000-0x00007FF790BF1000-memory.dmp	upx
behavioral2/memory/2568-67-0x00007FF659CB0000-0x00007FF65A001000-memory.dmp	upx
behavioral2/memory/2684-58-0x00007FF695980000-0x00007FF695CD1000-memory.dmp	upx
behavioral2/memory/4136-55-0x00007FF7DCE30000-0x00007FF7DD181000-memory.dmp	upx
behavioral2/memory/4604-49-0x00007FF637C30000-0x00007FF637F81000-memory.dmp	upx
behavioral2/files/0x0007000000023453-47.dat	upx
behavioral2/memory/4052-37-0x00007FF7F4960000-0x00007FF7F4CB1000-memory.dmp	upx
behavioral2/memory/1076-36-0x00007FF7B4870000-0x00007FF7B4BC1000-memory.dmp	upx
behavioral2/files/0x000700000002344c-20.dat	upx
behavioral2/memory/1168-18-0x00007FF635C90000-0x00007FF635FE1000-memory.dmp	upx
behavioral2/memory/4056-15-0x00007FF6111B0000-0x00007FF611501000-memory.dmp	upx
behavioral2/files/0x000700000002345e-124.dat	upx
behavioral2/memory/4068-127-0x00007FF628590000-0x00007FF6288E1000-memory.dmp	upx
behavioral2/memory/1076-132-0x00007FF7B4870000-0x00007FF7B4BC1000-memory.dmp	upx
behavioral2/memory/4052-133-0x00007FF7F4960000-0x00007FF7F4CB1000-memory.dmp	upx
behavioral2/memory/4228-135-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp	upx
behavioral2/memory/1168-131-0x00007FF635C90000-0x00007FF635FE1000-memory.dmp	upx
behavioral2/memory/4604-136-0x00007FF637C30000-0x00007FF637F81000-memory.dmp	upx
behavioral2/memory/4136-134-0x00007FF7DCE30000-0x00007FF7DD181000-memory.dmp	upx
behavioral2/memory/4056-130-0x00007FF6111B0000-0x00007FF611501000-memory.dmp	upx
behavioral2/memory/2020-129-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp	upx
behavioral2/memory/4228-128-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp	upx
behavioral2/memory/4956-140-0x00007FF7908A0000-0x00007FF790BF1000-memory.dmp	upx
behavioral2/memory/4780-146-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp	upx
behavioral2/memory/4068-150-0x00007FF628590000-0x00007FF6288E1000-memory.dmp	upx
behavioral2/memory/2508-149-0x00007FF74CC30000-0x00007FF74CF81000-memory.dmp	upx
behavioral2/memory/1292-148-0x00007FF6BCD60000-0x00007FF6BD0B1000-memory.dmp	upx
behavioral2/memory/2612-143-0x00007FF7432D0000-0x00007FF743621000-memory.dmp	upx
behavioral2/memory/1452-147-0x00007FF646BD0000-0x00007FF646F21000-memory.dmp	upx
behavioral2/memory/4008-144-0x00007FF606C90000-0x00007FF606FE1000-memory.dmp	upx
behavioral2/memory/2684-137-0x00007FF695980000-0x00007FF695CD1000-memory.dmp	upx
behavioral2/memory/4228-151-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp	upx
behavioral2/memory/2020-213-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp	upx
behavioral2/memory/4056-215-0x00007FF6111B0000-0x00007FF611501000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kcgpCeS.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\XLicwAd.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\whBusBX.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\gupSynl.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\dwCIdha.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\DBMxHqb.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\uFanfhR.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\MYGZcFB.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\yzqNHoe.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\GZiHptR.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\PoRJqJE.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\DbDHqBK.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\uSiDACo.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\JEwhDHS.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\fbeGqDI.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\eLEoQVS.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\ixSPPWb.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\XJHuKiE.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\tGiZZgK.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\FgRFpnT.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
File created	C:\Windows\System\TiSFHBI.exe	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
Token: SeLockMemoryPrivilege	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 2020	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	83
PID 4228 wrote to memory of 2020	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	83
PID 4228 wrote to memory of 4056	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	84
PID 4228 wrote to memory of 4056	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	84
PID 4228 wrote to memory of 1168	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	85
PID 4228 wrote to memory of 1168	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	85
PID 4228 wrote to memory of 1076	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	86
PID 4228 wrote to memory of 1076	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	86
PID 4228 wrote to memory of 4052	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	87
PID 4228 wrote to memory of 4052	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	87
PID 4228 wrote to memory of 4136	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	88
PID 4228 wrote to memory of 4136	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	88
PID 4228 wrote to memory of 4604	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	89
PID 4228 wrote to memory of 4604	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	89
PID 4228 wrote to memory of 2684	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	90
PID 4228 wrote to memory of 2684	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	90
PID 4228 wrote to memory of 2568	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	91
PID 4228 wrote to memory of 2568	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	91
PID 4228 wrote to memory of 652	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	92
PID 4228 wrote to memory of 652	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	92
PID 4228 wrote to memory of 4956	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	93
PID 4228 wrote to memory of 4956	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	93
PID 4228 wrote to memory of 1032	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	94
PID 4228 wrote to memory of 1032	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	94
PID 4228 wrote to memory of 1920	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	95
PID 4228 wrote to memory of 1920	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	95
PID 4228 wrote to memory of 2612	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	96
PID 4228 wrote to memory of 2612	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	96
PID 4228 wrote to memory of 4008	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	97
PID 4228 wrote to memory of 4008	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	97
PID 4228 wrote to memory of 3844	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	98
PID 4228 wrote to memory of 3844	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	98
PID 4228 wrote to memory of 4780	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	99
PID 4228 wrote to memory of 4780	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	99
PID 4228 wrote to memory of 1452	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	100
PID 4228 wrote to memory of 1452	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	100
PID 4228 wrote to memory of 1292	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	101
PID 4228 wrote to memory of 1292	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	101
PID 4228 wrote to memory of 2508	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	102
PID 4228 wrote to memory of 2508	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	102
PID 4228 wrote to memory of 4068	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	103
PID 4228 wrote to memory of 4068	4228	9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe	103

C:\Users\Admin\AppData\Local\Temp\9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe
"C:\Users\Admin\AppData\Local\Temp\9c1a72af49e9dd1e8a11d4ef308ca87dec053a20dc268448c369981cb203b4d8N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\System\eLEoQVS.exe
  C:\Windows\System\eLEoQVS.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\TiSFHBI.exe
  C:\Windows\System\TiSFHBI.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\dwCIdha.exe
  C:\Windows\System\dwCIdha.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\ixSPPWb.exe
  C:\Windows\System\ixSPPWb.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\uSiDACo.exe
  C:\Windows\System\uSiDACo.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\DBMxHqb.exe
  C:\Windows\System\DBMxHqb.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\XJHuKiE.exe
  C:\Windows\System\XJHuKiE.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\tGiZZgK.exe
  C:\Windows\System\tGiZZgK.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\kcgpCeS.exe
  C:\Windows\System\kcgpCeS.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\uFanfhR.exe
  C:\Windows\System\uFanfhR.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\FgRFpnT.exe
  C:\Windows\System\FgRFpnT.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\JEwhDHS.exe
  C:\Windows\System\JEwhDHS.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\MYGZcFB.exe
  C:\Windows\System\MYGZcFB.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\yzqNHoe.exe
  C:\Windows\System\yzqNHoe.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\GZiHptR.exe
  C:\Windows\System\GZiHptR.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\fbeGqDI.exe
  C:\Windows\System\fbeGqDI.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\XLicwAd.exe
  C:\Windows\System\XLicwAd.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\PoRJqJE.exe
  C:\Windows\System\PoRJqJE.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\whBusBX.exe
  C:\Windows\System\whBusBX.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\gupSynl.exe
  C:\Windows\System\gupSynl.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\DbDHqBK.exe
  C:\Windows\System\DbDHqBK.exe
  2⤵
  - Executes dropped EXE
  PID:4068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DBMxHqb.exe

Filesize
5.2MB

MD5
3a4eb400c4bd3ec453b32011a7747a5a

SHA1
fe6bd60279f9ca488995ee34c74797654289eada

SHA256
2dc838ce97edfa12eb34d65a885bed2cee71dfeee10c6f0455b954b6e2a0bb2b

SHA512
78ece17bfe7388e3c63fbec7a02d7ac94f973113d54951467d52e6b63c1a2a62ec700d22e7ea29bbc55cda220e1339a97b6ea1d8647df2b299802dbdfec0e0ec

Download Submit
C:\Windows\System\DbDHqBK.exe

Filesize
5.2MB

MD5
84ca8e78b738701831e1381bedd72b92

SHA1
abc38bf2ba4041631a3e803a593d914b072329d1

SHA256
5cc703b38f345e82b575cf484a29dd85ae4c79693b78cd813a38f21decdd5901

SHA512
a94fd4a3e964a7599f177afd68e5b8f3924ee89d0d6ce67dc86adf35c01cb334706ee7fa4167b2472c52381a347fd5d171c6b103d8082e1e427dc56c8856be3b

Download Submit
C:\Windows\System\FgRFpnT.exe

Filesize
5.2MB

MD5
908abf063e4d29026dfeb73d27b7e9c8

SHA1
09a87e07368905747562161f2d0003e04649528c

SHA256
3fed20ed6c587d72f8220d9ad3600350d1a6acab2e55c40710103176caf29402

SHA512
6a2b4d993e4fd7c0876daa394e604b5101f1495f647a14d58be7a4266dcac50755603c44748325069a251e40b544b16fee34a2c09750c82a0aee82432ab022df

Download Submit
C:\Windows\System\GZiHptR.exe

Filesize
5.2MB

MD5
79056656ddd5b8059acfb2d269988e47

SHA1
efbff4867c8f460d9854d2db7816d8c43f0fe343

SHA256
2eb614ecf51a0b97611b4409986470d8a340f129bbaef400cc7b8f1b84ff05e8

SHA512
b7deaebbfd6858c675a61b70e51aa2bd239810a71224e17232e548f51498c440d31e98c0b150105e8e078ed89c64f18267864a3209834933922be288fecc45fc

Download Submit
C:\Windows\System\JEwhDHS.exe

Filesize
5.2MB

MD5
d74bf49571eea73c73d191ca7fec6fa8

SHA1
acb76729c5bc6dee17f10b91c3ac238cddd79773

SHA256
b48615b405119eac75498d68b4a2d2f63ce00d9c70e7ecf904198d2966581a0e

SHA512
9120d9cbfb97e863f8feda456e189d8e78dcbd15491e1dd1befc7c5a124448f89244a9a85bbcb3d3a4a71f345fc2979898a392f99711b1e7048dcbcb4aa627d1

Download Submit
C:\Windows\System\MYGZcFB.exe

Filesize
5.2MB

MD5
bd9c06c3587afa02eb1eb7eaec6dfdd8

SHA1
d7ea8d36e3513c74230ddf6baacac3da19e0f708

SHA256
0d847a387fd71dfd72a14e63aa785810e0b6c939eae7a7db0c22feb75e1b6e4c

SHA512
c8c66024a88e6247f493211afd9ac8bd860325a5567301e32985712c198d57c7606a014ba5c4fdb6242242c0dc70d45681b7c4e18728a52aa38e34a9fc95c143

Download Submit
C:\Windows\System\PoRJqJE.exe

Filesize
5.2MB

MD5
92ea9077abdf6ca131ce575d9bb0e566

SHA1
dba358b6382e065b0d10f58f962fa9a71930a1b7

SHA256
6106a3e1f835522200e8411f7488c055610f6ff31949e748d5437765754d1278

SHA512
95a84f6ab80db465de69ee59d0c2887f7c4b5ccb1f335f9af83126660ca713ddc740966691cabc0c8848968c1f23d0bf087e732f78f3c29f05e3eab142a2d993

Download Submit
C:\Windows\System\TiSFHBI.exe

Filesize
5.2MB

MD5
c7afef836f53a044c7b9249123707add

SHA1
82e1662e0ec27b4b8f393cb462c204224db4a9f2

SHA256
76a8eaeb101d438e2d595450d5f46b8795b84b57e975409f3eb16ce559e6dfb5

SHA512
d4a0426e69936214eedd0497edea96c364e0d24763f82a2ed48a22a655283a6d8f8c51a3755a4d2f4c4d6200cc19b5e356707c2b5d318441400747af5927d58f

Download Submit
C:\Windows\System\XJHuKiE.exe

Filesize
5.2MB

MD5
f6545e9cb569efb3b1baf173eaab5e64

SHA1
bcb88731924db54c1fb3b5e56f8e25c331eb6537

SHA256
3714a5e8461917d1245f0c2ac14ca5423aad685f5e127fe12caa5822f72a48c9

SHA512
fd0889b9b2919c3840dcb936f40ef5dd807d8f4355b86273640045a4a3bd3a683e69f8316ff2b5a463f3f00b9c4e5e75728b9782bb7e0929a87af7354fff5394

Download Submit
C:\Windows\System\XLicwAd.exe

Filesize
5.2MB

MD5
32ef670089fe8a87e67f5e465a9fa471

SHA1
16b1b3a8003b54442a7dbcceb12cf8274047c584

SHA256
0b991bc52b221fcc901a8d02c80b47bea15db6fe73c7647ed303f9e04b9ce704

SHA512
82d1109b4c6b64c2af6cac90b965bc02803abba2db2f8917384fca7b575dff20478b613836a74269640643c87db079fc2ff2fe558f2a8d11bb013bc35b31de37

Download Submit
C:\Windows\System\dwCIdha.exe

Filesize
5.2MB

MD5
729c7d5e3dde7a1c3c2122eaef2fceb7

SHA1
89fd79875c96629f9c8ed084d982d146b4a16f1f

SHA256
7fc297d5ad032e900a5f6eb07e77f375b52059019b162d8c15d5e5779eba8477

SHA512
b62655db4afd5896584a624f76bf82cfbcbe374bee76f0485e9260f02b9157fd44b2e9d33e76c5e6e3ac519f446b5a1853bb1424dd879294052aaee0ddb11bfa

Download Submit
C:\Windows\System\eLEoQVS.exe

Filesize
5.2MB

MD5
5b29ea7036612274a55c5032f47db135

SHA1
d0c5587c2c0955115f14ecd7d1294cfe1ceb673a

SHA256
7531f59aa2ee6984ca58b69c5cbd486292fed800f432c8fac59403aa5f3068ee

SHA512
5b4ac40b18f8376b6d0a571054a6eabb1a054263d4d66b48099dff0e457fbca0e0885348ad9ee06ed46fcc8faf137de89fbc9f9876e4369272f1eccf45edd289

Download Submit
C:\Windows\System\fbeGqDI.exe

Filesize
5.2MB

MD5
5ecc728cde0547dad7703d0f8323eef0

SHA1
ced9d9b69755bf35d1b41dc30d857b8458baf94a

SHA256
607bf24834f39bf8eda9f20c261f119c06b0837ef958499799b8a13f461a50ed

SHA512
3a0d06d2398d6d703c136839f8526abb5295ac81ad84fa2711e7abf9b8116bef5c1362fac4c5cde7bb96a96e254afc4074dc6fca024dd79b54f65d3dd75e2bb9

Download Submit
C:\Windows\System\gupSynl.exe

Filesize
5.2MB

MD5
faffa3efa16710493914a1fd92c454f6

SHA1
e5e561505bfd3957893a3a9cec141fb45f2eff2f

SHA256
b5e912ae7bd08c1764930cfa2756fa9bcf5dc07294467c7305172d8d1390c8c3

SHA512
e0b04054ebaeaf271d21718876e29eb79562c0ae918ec652d78f3d96ff69c018f7f843c594b64fc228b1d51cd602bf4cbeff02274ccc5dd557c49e151d8205b4

Download Submit
C:\Windows\System\ixSPPWb.exe

Filesize
5.2MB

MD5
287ee8e94ae40ad046052c833e2bf4a2

SHA1
e4a813e1c433edc67be1064f5db90af1ebf44b9d

SHA256
7c71e191612f57b5f22c915a5a6476bfb3e42fd05141192e3ce9ec27c5e19f04

SHA512
079e90683cbeb66efe2eb2df81c98949b23f4d0d95dcdaa432b657eb824bc7dd34deb7096f3cb9b4082807392c06f4d79469d22dca8d422275a6e1ded172d103

Download Submit
C:\Windows\System\kcgpCeS.exe

Filesize
5.2MB

MD5
4cf703909b35cbd22f4ab24eb08b9b38

SHA1
67fa881eee57541a145e3b12f133c38ed1642e7e

SHA256
412d8e062db9269a70622fcc1fb808ed4260064bbb9120258980b91923a3b637

SHA512
d73c0b4a4cfb0b9666537d96c81785862ad1c22252748c74d1d73e47b023ac9c302dd85ec39854feebb55c53c54e6d67e9b9c565c4a2d0767dc403f0497a5299

Download Submit
C:\Windows\System\tGiZZgK.exe

Filesize
5.2MB

MD5
f63b4873c438bd540e02208035e2bfdc

SHA1
24702ccd9bc972228651ac4f502d8a82d6f0d0f4

SHA256
74cfbd5f97299ab13cd2d1b7d8b89cc35be20c7761ad008833c865b55c76d263

SHA512
46d2b70fa9b90201116592a1bbf84b8c69fa5ae3ef57510758b2491c03e582171df7ee6a604d02ea85be874423577f9e00f2151e4cb7a4c12e917a6fb1869347

Download Submit
C:\Windows\System\uFanfhR.exe

Filesize
5.2MB

MD5
2aa076af419a299dabb9585c60911ec3

SHA1
f4783b8e4b13730eb8dac7811c450bd056cc2700

SHA256
3380b55d8a744f2e1b27178acbb6a2211fbf5c12bef0ed6b2b94f1437268efbd

SHA512
ca385c4f28b59f4c3926ff45c746e1cd07e6987d296bed4a9f57d4643729a73667b1c51211dae91d4120c094f7b57001a9c9151db6973d4d40d838ad5cd12e9b

Download Submit
C:\Windows\System\uSiDACo.exe

Filesize
5.2MB

MD5
ba44113fb21956d956ce5fd549e4a26f

SHA1
4fa3378ae8495def239370f2ce7f8d5efebc3638

SHA256
a53b81280f9deccd9235f19d8da12987209492092d3b792910eeb10cc857bc3c

SHA512
3d9d7529bffc8ea8fc3e717eb34d2c6ae7344869f5241747743cfde24a2e08d0adfb880a09dbc229fce836f99ee4d1d1d98fa77f33052e0bc2d01795b3e7f42d

Download Submit
C:\Windows\System\whBusBX.exe

Filesize
5.2MB

MD5
0918c88afea2bedaa9bdac7d53563455

SHA1
6479a660771b66faec4f907c991c3e733d6a38d9

SHA256
65b6bd418304a56d3ea17c526b889611db15aa039f8417901e8e590bc7192ce6

SHA512
3da01d1cd1f1f478f6e751e67d670e03dd4c9d9450bc6fd5045a6eca0f78cd41a44d829acb517a8c043f2037481cda8af7be4b2e62db6de50b5c87f41b5b6459

Download Submit
C:\Windows\System\yzqNHoe.exe

Filesize
5.2MB

MD5
a033803bcf00449614278771874cffef

SHA1
4632ec7e492f3989831f472679c5344939c87e06

SHA256
655c4fe8d7fdb366a8d910d4c21fea956b14e4648db7a96773f9bf5c7c7ce031

SHA512
8f3f824ed758984381576d967318a4468ca9eb7fac76a4d75b00c97c27e8a6a5235416a7a7b3ebf51083da9b41a6ed4b1856904a546c0615a96a5c070106297d

Download Submit
memory/652-83-0x00007FF75D6D0000-0x00007FF75DA21000-memory.dmp

Filesize
3.3MB

Download
memory/652-229-0x00007FF75D6D0000-0x00007FF75DA21000-memory.dmp

Filesize
3.3MB

Download
memory/1032-88-0x00007FF65C3D0000-0x00007FF65C721000-memory.dmp

Filesize
3.3MB

Download
memory/1032-240-0x00007FF65C3D0000-0x00007FF65C721000-memory.dmp

Filesize
3.3MB

Download
memory/1076-222-0x00007FF7B4870000-0x00007FF7B4BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-132-0x00007FF7B4870000-0x00007FF7B4BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-36-0x00007FF7B4870000-0x00007FF7B4BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-18-0x00007FF635C90000-0x00007FF635FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-131-0x00007FF635C90000-0x00007FF635FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-217-0x00007FF635C90000-0x00007FF635FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-148-0x00007FF6BCD60000-0x00007FF6BD0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-109-0x00007FF6BCD60000-0x00007FF6BD0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1292-254-0x00007FF6BCD60000-0x00007FF6BD0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-244-0x00007FF646BD0000-0x00007FF646F21000-memory.dmp

Filesize
3.3MB

Download
memory/1452-122-0x00007FF646BD0000-0x00007FF646F21000-memory.dmp

Filesize
3.3MB

Download
memory/1452-147-0x00007FF646BD0000-0x00007FF646F21000-memory.dmp

Filesize
3.3MB

Download
memory/1920-90-0x00007FF6378A0000-0x00007FF637BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-243-0x00007FF6378A0000-0x00007FF637BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-213-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp

Filesize
3.3MB

Download
memory/2020-10-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp

Filesize
3.3MB

Download
memory/2020-129-0x00007FF7837F0000-0x00007FF783B41000-memory.dmp

Filesize
3.3MB

Download
memory/2508-149-0x00007FF74CC30000-0x00007FF74CF81000-memory.dmp

Filesize
3.3MB

Download
memory/2508-110-0x00007FF74CC30000-0x00007FF74CF81000-memory.dmp

Filesize
3.3MB

Download
memory/2508-256-0x00007FF74CC30000-0x00007FF74CF81000-memory.dmp

Filesize
3.3MB

Download
memory/2568-220-0x00007FF659CB0000-0x00007FF65A001000-memory.dmp

Filesize
3.3MB

Download
memory/2568-67-0x00007FF659CB0000-0x00007FF65A001000-memory.dmp

Filesize
3.3MB

Download
memory/2612-76-0x00007FF7432D0000-0x00007FF743621000-memory.dmp

Filesize
3.3MB

Download
memory/2612-143-0x00007FF7432D0000-0x00007FF743621000-memory.dmp

Filesize
3.3MB

Download
memory/2612-251-0x00007FF7432D0000-0x00007FF743621000-memory.dmp

Filesize
3.3MB

Download
memory/2684-236-0x00007FF695980000-0x00007FF695CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-137-0x00007FF695980000-0x00007FF695CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-58-0x00007FF695980000-0x00007FF695CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3844-250-0x00007FF65A300000-0x00007FF65A651000-memory.dmp

Filesize
3.3MB

Download
memory/3844-115-0x00007FF65A300000-0x00007FF65A651000-memory.dmp

Filesize
3.3MB

Download
memory/4008-102-0x00007FF606C90000-0x00007FF606FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-144-0x00007FF606C90000-0x00007FF606FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-248-0x00007FF606C90000-0x00007FF606FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4052-37-0x00007FF7F4960000-0x00007FF7F4CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4052-223-0x00007FF7F4960000-0x00007FF7F4CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4052-133-0x00007FF7F4960000-0x00007FF7F4CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-15-0x00007FF6111B0000-0x00007FF611501000-memory.dmp

Filesize
3.3MB

Download
memory/4056-215-0x00007FF6111B0000-0x00007FF611501000-memory.dmp

Filesize
3.3MB

Download
memory/4056-130-0x00007FF6111B0000-0x00007FF611501000-memory.dmp

Filesize
3.3MB

Download
memory/4068-259-0x00007FF628590000-0x00007FF6288E1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-127-0x00007FF628590000-0x00007FF6288E1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-150-0x00007FF628590000-0x00007FF6288E1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-227-0x00007FF7DCE30000-0x00007FF7DD181000-memory.dmp

Filesize
3.3MB

Download
memory/4136-134-0x00007FF7DCE30000-0x00007FF7DD181000-memory.dmp

Filesize
3.3MB

Download
memory/4136-55-0x00007FF7DCE30000-0x00007FF7DD181000-memory.dmp

Filesize
3.3MB

Download
memory/4228-1-0x000001CCAEB80000-0x000001CCAEB90000-memory.dmp

Filesize
64KB

Download
memory/4228-128-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-151-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-135-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4228-0-0x00007FF63BB50000-0x00007FF63BEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-136-0x00007FF637C30000-0x00007FF637F81000-memory.dmp

Filesize
3.3MB

Download
memory/4604-228-0x00007FF637C30000-0x00007FF637F81000-memory.dmp

Filesize
3.3MB

Download
memory/4604-49-0x00007FF637C30000-0x00007FF637F81000-memory.dmp

Filesize
3.3MB

Download
memory/4780-252-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-108-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-146-0x00007FF628C80000-0x00007FF628FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-238-0x00007FF7908A0000-0x00007FF790BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-73-0x00007FF7908A0000-0x00007FF790BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-140-0x00007FF7908A0000-0x00007FF790BF1000-memory.dmp

Filesize
3.3MB

Download