cobaltstrike | bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72f

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
Size

5.2MB
MD5

f8b9b9dc0f6b26654807d70aed0997e0
SHA1

2046011142672eddcabd8a864064200d3e14bbda
SHA256

bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72f
SHA512

4ad81edc614a6bdd58f43a3c0098cbcdd5c0d13221cf3a53c9d58a811a9fdf814d5eb834476b5d88b9af76d69d6e044ec51520d5d0e0875aee32b63c21794aff
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c83-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c84-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c95-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c94-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-74.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/460-61-0x00007FF6641F0000-0x00007FF664541000-memory.dmp	xmrig
behavioral2/memory/4880-68-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp	xmrig
behavioral2/memory/4668-54-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp	xmrig
behavioral2/memory/4596-124-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp	xmrig
behavioral2/memory/4604-125-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp	xmrig
behavioral2/memory/3200-127-0x00007FF772CF0000-0x00007FF773041000-memory.dmp	xmrig
behavioral2/memory/3936-128-0x00007FF7EC440000-0x00007FF7EC791000-memory.dmp	xmrig
behavioral2/memory/2716-126-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp	xmrig
behavioral2/memory/4668-121-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp	xmrig
behavioral2/memory/2580-129-0x00007FF70CD70000-0x00007FF70D0C1000-memory.dmp	xmrig
behavioral2/memory/1892-130-0x00007FF6D6C30000-0x00007FF6D6F81000-memory.dmp	xmrig
behavioral2/memory/2980-131-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp	xmrig
behavioral2/memory/4428-132-0x00007FF630200000-0x00007FF630551000-memory.dmp	xmrig
behavioral2/memory/324-134-0x00007FF705980000-0x00007FF705CD1000-memory.dmp	xmrig
behavioral2/memory/824-133-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp	xmrig
behavioral2/memory/3712-136-0x00007FF74B850000-0x00007FF74BBA1000-memory.dmp	xmrig
behavioral2/memory/532-137-0x00007FF605D80000-0x00007FF6060D1000-memory.dmp	xmrig
behavioral2/memory/3444-139-0x00007FF631F80000-0x00007FF6322D1000-memory.dmp	xmrig
behavioral2/memory/1536-138-0x00007FF7CDEC0000-0x00007FF7CE211000-memory.dmp	xmrig
behavioral2/memory/1128-135-0x00007FF7DD450000-0x00007FF7DD7A1000-memory.dmp	xmrig
behavioral2/memory/4060-142-0x00007FF6348A0000-0x00007FF634BF1000-memory.dmp	xmrig
behavioral2/memory/4392-149-0x00007FF6806B0000-0x00007FF680A01000-memory.dmp	xmrig
behavioral2/memory/4504-150-0x00007FF74D5F0000-0x00007FF74D941000-memory.dmp	xmrig
behavioral2/memory/4668-151-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp	xmrig
behavioral2/memory/460-199-0x00007FF6641F0000-0x00007FF664541000-memory.dmp	xmrig
behavioral2/memory/4880-205-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp	xmrig
behavioral2/memory/4596-207-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp	xmrig
behavioral2/memory/4604-209-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp	xmrig
behavioral2/memory/2716-211-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp	xmrig
behavioral2/memory/3200-214-0x00007FF772CF0000-0x00007FF773041000-memory.dmp	xmrig
behavioral2/memory/824-222-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp	xmrig
behavioral2/memory/324-224-0x00007FF705980000-0x00007FF705CD1000-memory.dmp	xmrig
behavioral2/memory/532-226-0x00007FF605D80000-0x00007FF6060D1000-memory.dmp	xmrig
behavioral2/memory/3712-228-0x00007FF74B850000-0x00007FF74BBA1000-memory.dmp	xmrig
behavioral2/memory/1536-240-0x00007FF7CDEC0000-0x00007FF7CE211000-memory.dmp	xmrig
behavioral2/memory/3936-242-0x00007FF7EC440000-0x00007FF7EC791000-memory.dmp	xmrig
behavioral2/memory/2580-246-0x00007FF70CD70000-0x00007FF70D0C1000-memory.dmp	xmrig
behavioral2/memory/2980-248-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp	xmrig
behavioral2/memory/1892-244-0x00007FF6D6C30000-0x00007FF6D6F81000-memory.dmp	xmrig
behavioral2/memory/3444-237-0x00007FF631F80000-0x00007FF6322D1000-memory.dmp	xmrig
behavioral2/memory/4392-250-0x00007FF6806B0000-0x00007FF680A01000-memory.dmp	xmrig
behavioral2/memory/4428-252-0x00007FF630200000-0x00007FF630551000-memory.dmp	xmrig
behavioral2/memory/4060-256-0x00007FF6348A0000-0x00007FF634BF1000-memory.dmp	xmrig
behavioral2/memory/4504-257-0x00007FF74D5F0000-0x00007FF74D941000-memory.dmp	xmrig
behavioral2/memory/1128-254-0x00007FF7DD450000-0x00007FF7DD7A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
460	Lxmkgad.exe
4880	yeBLTWK.exe
4596	KtPcjjZ.exe
4604	vSCxBVu.exe
2716	ynaBybA.exe
3200	hHRLJZN.exe
824	PJyTpyX.exe
324	rTmgXUo.exe
3712	cMIflTF.exe
532	ywIbRmj.exe
1536	WfvIdfR.exe
3444	WxcZPEb.exe
3936	mReDPTL.exe
2580	nVNmoCi.exe
1892	LtBvGzc.exe
2980	HaoWVFo.exe
4428	vBHPFjr.exe
1128	YUvgKoC.exe
4060	ossvVUp.exe
4504	bJXlomH.exe
4392	ZimMqVt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4668-0-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp	upx
behavioral2/files/0x0008000000023c83-5.dat	upx
behavioral2/memory/460-7-0x00007FF6641F0000-0x00007FF664541000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-10.dat	upx
behavioral2/files/0x0007000000023c87-11.dat	upx
behavioral2/memory/4596-18-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp	upx
behavioral2/memory/4880-12-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp	upx
behavioral2/files/0x0008000000023c84-23.dat	upx
behavioral2/files/0x0007000000023c8a-27.dat	upx
behavioral2/memory/2716-30-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp	upx
behavioral2/memory/4604-26-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-34.dat	upx
behavioral2/memory/3200-37-0x00007FF772CF0000-0x00007FF773041000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-41.dat	upx
behavioral2/files/0x0007000000023c8d-45.dat	upx
behavioral2/files/0x0007000000023c8e-55.dat	upx
behavioral2/files/0x0007000000023c8f-60.dat	upx
behavioral2/memory/460-61-0x00007FF6641F0000-0x00007FF664541000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-67.dat	upx
behavioral2/files/0x0007000000023c92-79.dat	upx
behavioral2/files/0x0007000000023c95-94.dat	upx
behavioral2/files/0x0007000000023c96-99.dat	upx
behavioral2/files/0x0007000000023c97-104.dat	upx
behavioral2/files/0x0007000000023c99-114.dat	upx
behavioral2/files/0x0007000000023c9a-118.dat	upx
behavioral2/files/0x0007000000023c98-109.dat	upx
behavioral2/files/0x0007000000023c94-89.dat	upx
behavioral2/files/0x0007000000023c93-84.dat	upx
behavioral2/files/0x0007000000023c91-74.dat	upx
behavioral2/memory/4880-68-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp	upx
behavioral2/memory/532-62-0x00007FF605D80000-0x00007FF6060D1000-memory.dmp	upx
behavioral2/memory/3712-59-0x00007FF74B850000-0x00007FF74BBA1000-memory.dmp	upx
behavioral2/memory/4668-54-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp	upx
behavioral2/memory/324-46-0x00007FF705980000-0x00007FF705CD1000-memory.dmp	upx
behavioral2/memory/824-42-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp	upx
behavioral2/memory/4596-124-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp	upx
behavioral2/memory/4604-125-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp	upx
behavioral2/memory/3200-127-0x00007FF772CF0000-0x00007FF773041000-memory.dmp	upx
behavioral2/memory/3936-128-0x00007FF7EC440000-0x00007FF7EC791000-memory.dmp	upx
behavioral2/memory/2716-126-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp	upx
behavioral2/memory/4668-121-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp	upx
behavioral2/memory/1536-120-0x00007FF7CDEC0000-0x00007FF7CE211000-memory.dmp	upx
behavioral2/memory/2580-129-0x00007FF70CD70000-0x00007FF70D0C1000-memory.dmp	upx
behavioral2/memory/1892-130-0x00007FF6D6C30000-0x00007FF6D6F81000-memory.dmp	upx
behavioral2/memory/2980-131-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp	upx
behavioral2/memory/4428-132-0x00007FF630200000-0x00007FF630551000-memory.dmp	upx
behavioral2/memory/324-134-0x00007FF705980000-0x00007FF705CD1000-memory.dmp	upx
behavioral2/memory/824-133-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp	upx
behavioral2/memory/3712-136-0x00007FF74B850000-0x00007FF74BBA1000-memory.dmp	upx
behavioral2/memory/532-137-0x00007FF605D80000-0x00007FF6060D1000-memory.dmp	upx
behavioral2/memory/3444-139-0x00007FF631F80000-0x00007FF6322D1000-memory.dmp	upx
behavioral2/memory/1536-138-0x00007FF7CDEC0000-0x00007FF7CE211000-memory.dmp	upx
behavioral2/memory/1128-135-0x00007FF7DD450000-0x00007FF7DD7A1000-memory.dmp	upx
behavioral2/memory/4060-142-0x00007FF6348A0000-0x00007FF634BF1000-memory.dmp	upx
behavioral2/memory/4392-149-0x00007FF6806B0000-0x00007FF680A01000-memory.dmp	upx
behavioral2/memory/4504-150-0x00007FF74D5F0000-0x00007FF74D941000-memory.dmp	upx
behavioral2/memory/4668-151-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp	upx
behavioral2/memory/460-199-0x00007FF6641F0000-0x00007FF664541000-memory.dmp	upx
behavioral2/memory/4880-205-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp	upx
behavioral2/memory/4596-207-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp	upx
behavioral2/memory/4604-209-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp	upx
behavioral2/memory/2716-211-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp	upx
behavioral2/memory/3200-214-0x00007FF772CF0000-0x00007FF773041000-memory.dmp	upx
behavioral2/memory/824-222-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cMIflTF.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\WxcZPEb.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\YUvgKoC.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\ZimMqVt.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\Lxmkgad.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\yeBLTWK.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\KtPcjjZ.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\ynaBybA.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\HaoWVFo.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\vBHPFjr.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\vSCxBVu.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\hHRLJZN.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\mReDPTL.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\nVNmoCi.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\PJyTpyX.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\ossvVUp.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\bJXlomH.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\rTmgXUo.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\ywIbRmj.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\WfvIdfR.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
File created	C:\Windows\System\LtBvGzc.exe	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
Token: SeLockMemoryPrivilege	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 460	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	84
PID 4668 wrote to memory of 460	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	84
PID 4668 wrote to memory of 4880	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	85
PID 4668 wrote to memory of 4880	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	85
PID 4668 wrote to memory of 4596	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	86
PID 4668 wrote to memory of 4596	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	86
PID 4668 wrote to memory of 4604	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	87
PID 4668 wrote to memory of 4604	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	87
PID 4668 wrote to memory of 2716	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	88
PID 4668 wrote to memory of 2716	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	88
PID 4668 wrote to memory of 3200	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	89
PID 4668 wrote to memory of 3200	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	89
PID 4668 wrote to memory of 824	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	92
PID 4668 wrote to memory of 824	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	92
PID 4668 wrote to memory of 324	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	94
PID 4668 wrote to memory of 324	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	94
PID 4668 wrote to memory of 3712	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	95
PID 4668 wrote to memory of 3712	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	95
PID 4668 wrote to memory of 532	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	96
PID 4668 wrote to memory of 532	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	96
PID 4668 wrote to memory of 1536	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	97
PID 4668 wrote to memory of 1536	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	97
PID 4668 wrote to memory of 3444	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	98
PID 4668 wrote to memory of 3444	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	98
PID 4668 wrote to memory of 3936	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	99
PID 4668 wrote to memory of 3936	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	99
PID 4668 wrote to memory of 2580	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	100
PID 4668 wrote to memory of 2580	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	100
PID 4668 wrote to memory of 1892	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	101
PID 4668 wrote to memory of 1892	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	101
PID 4668 wrote to memory of 2980	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	102
PID 4668 wrote to memory of 2980	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	102
PID 4668 wrote to memory of 4428	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	103
PID 4668 wrote to memory of 4428	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	103
PID 4668 wrote to memory of 1128	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	104
PID 4668 wrote to memory of 1128	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	104
PID 4668 wrote to memory of 4060	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	105
PID 4668 wrote to memory of 4060	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	105
PID 4668 wrote to memory of 4504	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	106
PID 4668 wrote to memory of 4504	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	106
PID 4668 wrote to memory of 4392	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	107
PID 4668 wrote to memory of 4392	4668	bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe	107

C:\Users\Admin\AppData\Local\Temp\bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe
"C:\Users\Admin\AppData\Local\Temp\bfb58ff0ec65fe992ba67b412999b1b0f975fbc1d8557fd5e500afc669e0e72fN.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\System\Lxmkgad.exe
  C:\Windows\System\Lxmkgad.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\yeBLTWK.exe
  C:\Windows\System\yeBLTWK.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\KtPcjjZ.exe
  C:\Windows\System\KtPcjjZ.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\vSCxBVu.exe
  C:\Windows\System\vSCxBVu.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\ynaBybA.exe
  C:\Windows\System\ynaBybA.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\hHRLJZN.exe
  C:\Windows\System\hHRLJZN.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\PJyTpyX.exe
  C:\Windows\System\PJyTpyX.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\rTmgXUo.exe
  C:\Windows\System\rTmgXUo.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\cMIflTF.exe
  C:\Windows\System\cMIflTF.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\ywIbRmj.exe
  C:\Windows\System\ywIbRmj.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\WfvIdfR.exe
  C:\Windows\System\WfvIdfR.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\WxcZPEb.exe
  C:\Windows\System\WxcZPEb.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\mReDPTL.exe
  C:\Windows\System\mReDPTL.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\nVNmoCi.exe
  C:\Windows\System\nVNmoCi.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\LtBvGzc.exe
  C:\Windows\System\LtBvGzc.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\HaoWVFo.exe
  C:\Windows\System\HaoWVFo.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\vBHPFjr.exe
  C:\Windows\System\vBHPFjr.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\YUvgKoC.exe
  C:\Windows\System\YUvgKoC.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\ossvVUp.exe
  C:\Windows\System\ossvVUp.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\bJXlomH.exe
  C:\Windows\System\bJXlomH.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\ZimMqVt.exe
  C:\Windows\System\ZimMqVt.exe
  2⤵
  - Executes dropped EXE
  PID:4392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HaoWVFo.exe

Filesize
5.2MB

MD5
3cc930c20c56576e2eaa026e70cb53a3

SHA1
d20b052cd8322f4ca38bdc53e702d3e8c37c968e

SHA256
1de247456cf2f74309fcc6941a105c015ebfa9e058df2721f26fcb019b069e11

SHA512
38550d91a21b111b25e694a5ca46f2cae0fe8d4c6db71a61bda2c0763854c546f7a94a36e7cf15643f8525dce80145dffaf2d1d7c774cb7217c9ec114940267d

Download Submit
C:\Windows\System\KtPcjjZ.exe

Filesize
5.2MB

MD5
15da8e02277e87ab99df0a22f5c3e6d9

SHA1
04d0047f45da1dd65f000f3f37c66d13ab84415b

SHA256
bdc7fed8abc43624b7a669cc2ead4dacc9d513b60443070608805e19e2d594e8

SHA512
01c26ef628e22bb130624d3fe5b57486dcb5a820f059012ecf692c9c04eb263630363720c72a370c183a8f0d9776b7012452900f59322002a9c2de79d1c6f773

Download Submit
C:\Windows\System\LtBvGzc.exe

Filesize
5.2MB

MD5
a245c33d229aea1017c8087513ed6bdc

SHA1
b423a5753c35aaa6dab9823d9656456572af1039

SHA256
962411cbe7af8ed8567d405adb12d4948017c1382ade476007daa2cc2fd3fc3f

SHA512
3628e139adfc68bcd765e030d1940c32091f2a57a34fbc3175c4c26becc33fc33b7b7a6bd9f938350c8d104bed9d98f90101f942b935267dc57016060ca1e239

Download Submit
C:\Windows\System\Lxmkgad.exe

Filesize
5.2MB

MD5
d50d38d321321eac48d347fd0abc5fb8

SHA1
afaf6fb639456776681eac811438e229eda6daf2

SHA256
885f0c669a65770a65ec2acdd72fec1bc7221a3ef2a92e89a5542ef577a15369

SHA512
6f3ee283ba00defd965c14f1ff6f965a30e2edd4d36ae0785326f73cec1ddc9836d0a27180c49740b392845a2abb31cdec0d4776e10bab60e12a8e5705f58f5f

Download Submit
C:\Windows\System\PJyTpyX.exe

Filesize
5.2MB

MD5
1f59871ccda2e2400c6f126e467bbcb3

SHA1
3547b9e99681606e3556667a1da5e1070dfb2953

SHA256
05433ef1c4b9820cf7853ed1c967a07d0922e286f932e2468177fdb20979a212

SHA512
676eb8ab9a58efd4673242e2b9a9be5258df8c098b38ceef54aaebf80da7693b23f3e5bda9c4867c6f7a0c1a838589460e444e0356e57245e9461d02eef1f12e

Download Submit
C:\Windows\System\WfvIdfR.exe

Filesize
5.2MB

MD5
05cd0f1c2c0e18e0e96133f9caa4a51d

SHA1
6080002dbff792b4ad9a89ebab40eeb2de0e2e01

SHA256
6a395f47b9210de39b8e00c0124254ab743349a92c96872e82684f01cc92e8f9

SHA512
8fdef0f9048f606b19935d71e8bb45923a545c09b12b483fc931f9e8c9e26941158b9a6bb00cc92c9e699afb49143f7b962190037069a704f01d87d51046fc82

Download Submit
C:\Windows\System\WxcZPEb.exe

Filesize
5.2MB

MD5
0593c1ba0666eedfffff0aaa79731e53

SHA1
32cdfe0cac3dfa426f336d074eecf9e781993c8d

SHA256
4daed041326b56a75228cb09004118ce45e8d75657a16c9ed21d4c6001cdda89

SHA512
f9033f078278e699a5c529670e55cb378b4a93e9da60bbaaef8a5e6bc25f8e29dfbb9456478d74dea9bf08a792cc7d43ba129132b28a40823aeffe32b65df550

Download Submit
C:\Windows\System\YUvgKoC.exe

Filesize
5.2MB

MD5
d9b49fcc43a16cbba0fb73a0f3b37b2a

SHA1
978eba58137a4f2f431bc9efec4320b37b6a032a

SHA256
03820f96c1ccea415fd8bea36be5ed73f6b1b42235cef73c62680874483f3604

SHA512
2ddcc85ecb8a49cf6e13b35af69b981d975c7778196895721a13abc2a81099035e7051e050a9a6a3c79b480cab9a8c5bfad81c2d2ae21243f2d66f649745dfff

Download Submit
C:\Windows\System\ZimMqVt.exe

Filesize
5.2MB

MD5
5055cc497800472e0d0445e7324e8886

SHA1
692e6e7c30c00356430ff61d6f5e9c5576458204

SHA256
7828b5c4b07191bc1214998f77105a12c9324a5ed0d9061be96b9bd8ad9a7218

SHA512
567619a40584e80b41a03ffedc369b921a370c9cc8cf1ab6aa59b2af5a67aa948a44eb36252445b56dd515be89517b56fdffd078631db4f1e8f5b66d3cfa3cf5

Download Submit
C:\Windows\System\bJXlomH.exe

Filesize
5.2MB

MD5
3fb377463c1af962ad81a942bd545c68

SHA1
d86434ef3cff712bfb92e55892bdd575a2acf27f

SHA256
6b6d8b6d00505e456764c018fdae501e5bd0d614272115be93b8c2ec40eedab6

SHA512
00dcc3ae18ad2b7c8369a1de347be5fc695157c3a16ade87d35d3acac4e30af3e0a49afab8240e32ab41a491d03c0d00de1809cfaaba599ea16239ad010d7b28

Download Submit
C:\Windows\System\cMIflTF.exe

Filesize
5.2MB

MD5
1eb8b338e00686fedba2180656653b45

SHA1
6235565b9777e4a67472d7950786a6183c192b14

SHA256
1efe9492669c81e63f924cd58e4e6471974978a92cbcfd3fb987aaca0797c230

SHA512
78edc6f3e68afbfa3774b53f6ff0085ec269e84e86bc9262816bce3edba6b7ba693671e60296b48b0ded9eaae29877ccb6fdc2d24ffcefc87cbc3d78d0ba03ac

Download Submit
C:\Windows\System\hHRLJZN.exe

Filesize
5.2MB

MD5
be2d538f189a1e15194da29c8e1582c5

SHA1
4804c03420e6443cf7c43537f88e631751fff245

SHA256
0ae6e62fc714741d7d76e99ec0f3ed4e4003546077d4cb12bf61b7ad8791dc4f

SHA512
718c0184b64fa6bda569852a883081c32962666cac62a6b72055e1aae66ca603d3923371ded8583b34ca670db0f8184a0e1064945263a05a0a3098a3f545ea34

Download Submit
C:\Windows\System\mReDPTL.exe

Filesize
5.2MB

MD5
9453b72c3470608edbc798c730923030

SHA1
36b58c2b4134b9677c34c185a06281a19170b8f7

SHA256
967faf6e5e6f873ad8c47a1e25fb725aa29bce530dca40e53c13a8cc0ba7ba0b

SHA512
54eb982fc0158a0c61c3a3b9b0e0264a9c7a2a455049c601c30eb9ec35af46843b5d4447d13de76702458eb0d689403b974ece918ec7b240b9911b93c1acd7cc

Download Submit
C:\Windows\System\nVNmoCi.exe

Filesize
5.2MB

MD5
f85de22a7aa4a965970ee318f66fac9a

SHA1
fbe888b3c65a9c111f1f0c31fe51a79fc8953964

SHA256
4b1538b8f65a9f0e5770f62d79b00859951e4817f22d49c313d7bf4a7908a9cf

SHA512
33567416821b84078a4bc620b500f6c3b274d6f634dd4a391fc2d72a106caf61bc22ab2e2c984a9c4722abd1bc5d0c494457b9b33339bfa5ef229e6529084a77

Download Submit
C:\Windows\System\ossvVUp.exe

Filesize
5.2MB

MD5
a29711f17e7ece9f86b2287b43a53a80

SHA1
990ef8a3ffbb24652c316047dd588c47d765c21b

SHA256
10670e8942682976a264be2c420718aea9e3f0ebc8f8a3651d7d237ba8a46288

SHA512
03ac71a2a5e0c317c41782ec789e366a131bd1cb7337a4ca7e5104d67c15cd8b58cbcb4674f5442fcdfa62f0eb244a3b7f9b3fda4942e888a4f359175172338b

Download Submit
C:\Windows\System\rTmgXUo.exe

Filesize
5.2MB

MD5
eefa506c2b79ff503a7d7ff214033532

SHA1
533d8c8eacfd0cf7964e1f31588d2b39504aa2cc

SHA256
2f8039380de3202a1c9fa0a0208037d0363621796c97c8fc928ceb623e1bc292

SHA512
c2428235f5fd567207dd0ab6bb2442e71e7f7c2cb9b2e1addc15a32f528da88dda0c6c9d3936a5be352c95fd24d1d04588fde9b27a1b973001a893ae4ad8e58d

Download Submit
C:\Windows\System\vBHPFjr.exe

Filesize
5.2MB

MD5
68b462bde695526fddc6422b29ff0da3

SHA1
2cf1f64ed16a450da91fb5e27cb5aba9c24b981d

SHA256
db3552a4ea6f999bd9da0df8ab0f9a35e76741fff84ba8af6ae2b56f0312c768

SHA512
3fa4550c42d6a1f4361f1c185901a721c8d6e334e5151043757d59fa4eab0ef3c3eb47ad6849b2c6004083cc12b289a760de997ac11d7ef94e86758c46f5ad93

Download Submit
C:\Windows\System\vSCxBVu.exe

Filesize
5.2MB

MD5
e08945fe60eb296ed2b6f1ac696e70bb

SHA1
aa56c0357aa0a04f9c9f3b8d6fcdc58a3a402387

SHA256
693771ac7bafb747f1f338593afe4c751499865844d6627a0926858ea7a48a40

SHA512
8d839077d8b9aa5e0b24e6f3e9b2188a97e4f43e637429737a3d0f32f68e38197a381bea166e74be476dd34411e12029b673165dfedc4dd4a3055b455ccbe753

Download Submit
C:\Windows\System\yeBLTWK.exe

Filesize
5.2MB

MD5
007f3d09d2ba1cb0a696e402a25ac677

SHA1
156295923377e5487ce8476b1a48b7e29cf9adf3

SHA256
8ae87bf1bf181839b1fe93877abd26384d7b84259ea0230915eb067f31271930

SHA512
b637ceebce1f97243e87ae6c1b7acee5bc674e8eae1552f55bfdb238548821ddd2fd433e7a29809fa6b9e484b9c861f4c201c689d03ff4d34b47465a49bef7ea

Download Submit
C:\Windows\System\ynaBybA.exe

Filesize
5.2MB

MD5
50efb596cceec43c9d01685980cdbd6c

SHA1
62ed826386ab88cd316f7ffc251f5f4c8f37449d

SHA256
ba9787f957ba425925ebb06f4de31ea012bbe14668067f6a7c3171c4be4fbf5f

SHA512
70c548c9535ec90cfede6defa22d689b558b2795b6482968cdcf1e562e69227df1c96beefe80e7ea6f9c736dbd7dcd7e8ed2d4026e32c954c70cc8b0825c5181

Download Submit
C:\Windows\System\ywIbRmj.exe

Filesize
5.2MB

MD5
02445c40fe47f393ee53b2240eec04b4

SHA1
d67b22ca1b8d70abe67f18351a5834d02dd9c517

SHA256
1c07d30d4d79ce89a83b1f439255646ab8cac3333f175264aa4ddd6da1919798

SHA512
c0cdfb91714baed8ceaf0221fd5a5c334ac79389bb35e20ad8e85b427ea08d9f62e69378e050b2406c40a76c66135c3d3f758882ac4f82615a6e4f8fa0880e4f

Download Submit
memory/324-224-0x00007FF705980000-0x00007FF705CD1000-memory.dmp

Filesize
3.3MB

Download
memory/324-46-0x00007FF705980000-0x00007FF705CD1000-memory.dmp

Filesize
3.3MB

Download
memory/324-134-0x00007FF705980000-0x00007FF705CD1000-memory.dmp

Filesize
3.3MB

Download
memory/460-7-0x00007FF6641F0000-0x00007FF664541000-memory.dmp

Filesize
3.3MB

Download
memory/460-61-0x00007FF6641F0000-0x00007FF664541000-memory.dmp

Filesize
3.3MB

Download
memory/460-199-0x00007FF6641F0000-0x00007FF664541000-memory.dmp

Filesize
3.3MB

Download
memory/532-137-0x00007FF605D80000-0x00007FF6060D1000-memory.dmp

Filesize
3.3MB

Download
memory/532-62-0x00007FF605D80000-0x00007FF6060D1000-memory.dmp

Filesize
3.3MB

Download
memory/532-226-0x00007FF605D80000-0x00007FF6060D1000-memory.dmp

Filesize
3.3MB

Download
memory/824-133-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp

Filesize
3.3MB

Download
memory/824-222-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp

Filesize
3.3MB

Download
memory/824-42-0x00007FF63BA90000-0x00007FF63BDE1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-135-0x00007FF7DD450000-0x00007FF7DD7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-254-0x00007FF7DD450000-0x00007FF7DD7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1536-120-0x00007FF7CDEC0000-0x00007FF7CE211000-memory.dmp

Filesize
3.3MB

Download
memory/1536-240-0x00007FF7CDEC0000-0x00007FF7CE211000-memory.dmp

Filesize
3.3MB

Download
memory/1536-138-0x00007FF7CDEC0000-0x00007FF7CE211000-memory.dmp

Filesize
3.3MB

Download
memory/1892-244-0x00007FF6D6C30000-0x00007FF6D6F81000-memory.dmp

Filesize
3.3MB

Download
memory/1892-130-0x00007FF6D6C30000-0x00007FF6D6F81000-memory.dmp

Filesize
3.3MB

Download
memory/2580-129-0x00007FF70CD70000-0x00007FF70D0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-246-0x00007FF70CD70000-0x00007FF70D0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-126-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-30-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-211-0x00007FF73A870000-0x00007FF73ABC1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-131-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp

Filesize
3.3MB

Download
memory/2980-248-0x00007FF7FE200000-0x00007FF7FE551000-memory.dmp

Filesize
3.3MB

Download
memory/3200-214-0x00007FF772CF0000-0x00007FF773041000-memory.dmp

Filesize
3.3MB

Download
memory/3200-127-0x00007FF772CF0000-0x00007FF773041000-memory.dmp

Filesize
3.3MB

Download
memory/3200-37-0x00007FF772CF0000-0x00007FF773041000-memory.dmp

Filesize
3.3MB

Download
memory/3444-237-0x00007FF631F80000-0x00007FF6322D1000-memory.dmp

Filesize
3.3MB

Download
memory/3444-139-0x00007FF631F80000-0x00007FF6322D1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-228-0x00007FF74B850000-0x00007FF74BBA1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-59-0x00007FF74B850000-0x00007FF74BBA1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-136-0x00007FF74B850000-0x00007FF74BBA1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-128-0x00007FF7EC440000-0x00007FF7EC791000-memory.dmp

Filesize
3.3MB

Download
memory/3936-242-0x00007FF7EC440000-0x00007FF7EC791000-memory.dmp

Filesize
3.3MB

Download
memory/4060-256-0x00007FF6348A0000-0x00007FF634BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-142-0x00007FF6348A0000-0x00007FF634BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-149-0x00007FF6806B0000-0x00007FF680A01000-memory.dmp

Filesize
3.3MB

Download
memory/4392-250-0x00007FF6806B0000-0x00007FF680A01000-memory.dmp

Filesize
3.3MB

Download
memory/4428-252-0x00007FF630200000-0x00007FF630551000-memory.dmp

Filesize
3.3MB

Download
memory/4428-132-0x00007FF630200000-0x00007FF630551000-memory.dmp

Filesize
3.3MB

Download
memory/4504-257-0x00007FF74D5F0000-0x00007FF74D941000-memory.dmp

Filesize
3.3MB

Download
memory/4504-150-0x00007FF74D5F0000-0x00007FF74D941000-memory.dmp

Filesize
3.3MB

Download
memory/4596-207-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-18-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-124-0x00007FF6BB350000-0x00007FF6BB6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-125-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-26-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-209-0x00007FF754D90000-0x00007FF7550E1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-54-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-0-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-121-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-151-0x00007FF6E4080000-0x00007FF6E43D1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-1-0x000001F9284D0000-0x000001F9284E0000-memory.dmp

Filesize
64KB

Download
memory/4880-68-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp

Filesize
3.3MB

Download
memory/4880-12-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp

Filesize
3.3MB

Download
memory/4880-205-0x00007FF6C12F0000-0x00007FF6C1641000-memory.dmp

Filesize
3.3MB

Download