cobaltstrike | b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
Size

5.2MB
MD5

c36aa22473b61847cb7df4e770bebd8b
SHA1

4a283c6f22560295019bf67f199ac2d4f82d9aef
SHA256

b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f
SHA512

6425c39ae66fd9100ebe2a8bbd6efc702ff7ae3fed77064328cb3a393c04d5da1af73192f54ec4ff41b0102475dd5dde7703f38098a3c32e4ce8ad49368629fb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c4f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-9.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ca8-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-107.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023cb2-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-58.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4068-70-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp	xmrig
behavioral2/memory/3360-69-0x00007FF643200000-0x00007FF643551000-memory.dmp	xmrig
behavioral2/memory/3860-54-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp	xmrig
behavioral2/memory/3848-34-0x00007FF60A460000-0x00007FF60A7B1000-memory.dmp	xmrig
behavioral2/memory/3576-121-0x00007FF609390000-0x00007FF6096E1000-memory.dmp	xmrig
behavioral2/memory/1636-123-0x00007FF6BC420000-0x00007FF6BC771000-memory.dmp	xmrig
behavioral2/memory/4420-125-0x00007FF748F30000-0x00007FF749281000-memory.dmp	xmrig
behavioral2/memory/2520-127-0x00007FF70BFC0000-0x00007FF70C311000-memory.dmp	xmrig
behavioral2/memory/720-126-0x00007FF68C670000-0x00007FF68C9C1000-memory.dmp	xmrig
behavioral2/memory/1404-124-0x00007FF6A8800000-0x00007FF6A8B51000-memory.dmp	xmrig
behavioral2/memory/4592-128-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp	xmrig
behavioral2/memory/4400-122-0x00007FF66D9D0000-0x00007FF66DD21000-memory.dmp	xmrig
behavioral2/memory/4504-129-0x00007FF6B1470000-0x00007FF6B17C1000-memory.dmp	xmrig
behavioral2/memory/1212-130-0x00007FF608EC0000-0x00007FF609211000-memory.dmp	xmrig
behavioral2/memory/3860-131-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp	xmrig
behavioral2/memory/3684-136-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp	xmrig
behavioral2/memory/3220-138-0x00007FF7B03F0000-0x00007FF7B0741000-memory.dmp	xmrig
behavioral2/memory/2568-139-0x00007FF66C140000-0x00007FF66C491000-memory.dmp	xmrig
behavioral2/memory/2616-143-0x00007FF6894F0000-0x00007FF689841000-memory.dmp	xmrig
behavioral2/memory/916-144-0x00007FF6948F0000-0x00007FF694C41000-memory.dmp	xmrig
behavioral2/memory/640-142-0x00007FF61C4B0000-0x00007FF61C801000-memory.dmp	xmrig
behavioral2/memory/2448-140-0x00007FF6014B0000-0x00007FF601801000-memory.dmp	xmrig
behavioral2/memory/4784-141-0x00007FF633570000-0x00007FF6338C1000-memory.dmp	xmrig
behavioral2/memory/3860-155-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp	xmrig
behavioral2/memory/3360-210-0x00007FF643200000-0x00007FF643551000-memory.dmp	xmrig
behavioral2/memory/4068-212-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp	xmrig
behavioral2/memory/1212-214-0x00007FF608EC0000-0x00007FF609211000-memory.dmp	xmrig
behavioral2/memory/3684-218-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp	xmrig
behavioral2/memory/3848-217-0x00007FF60A460000-0x00007FF60A7B1000-memory.dmp	xmrig
behavioral2/memory/4784-221-0x00007FF633570000-0x00007FF6338C1000-memory.dmp	xmrig
behavioral2/memory/2448-222-0x00007FF6014B0000-0x00007FF601801000-memory.dmp	xmrig
behavioral2/memory/2568-233-0x00007FF66C140000-0x00007FF66C491000-memory.dmp	xmrig
behavioral2/memory/640-235-0x00007FF61C4B0000-0x00007FF61C801000-memory.dmp	xmrig
behavioral2/memory/2616-237-0x00007FF6894F0000-0x00007FF689841000-memory.dmp	xmrig
behavioral2/memory/916-239-0x00007FF6948F0000-0x00007FF694C41000-memory.dmp	xmrig
behavioral2/memory/3576-241-0x00007FF609390000-0x00007FF6096E1000-memory.dmp	xmrig
behavioral2/memory/3220-243-0x00007FF7B03F0000-0x00007FF7B0741000-memory.dmp	xmrig
behavioral2/memory/1636-249-0x00007FF6BC420000-0x00007FF6BC771000-memory.dmp	xmrig
behavioral2/memory/4420-254-0x00007FF748F30000-0x00007FF749281000-memory.dmp	xmrig
behavioral2/memory/1404-253-0x00007FF6A8800000-0x00007FF6A8B51000-memory.dmp	xmrig
behavioral2/memory/4400-250-0x00007FF66D9D0000-0x00007FF66DD21000-memory.dmp	xmrig
behavioral2/memory/4592-259-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp	xmrig
behavioral2/memory/720-262-0x00007FF68C670000-0x00007FF68C9C1000-memory.dmp	xmrig
behavioral2/memory/2520-261-0x00007FF70BFC0000-0x00007FF70C311000-memory.dmp	xmrig
behavioral2/memory/4504-257-0x00007FF6B1470000-0x00007FF6B17C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3360	YGaSvxQ.exe
4068	fEvqwNU.exe
1212	WdwJWIG.exe
3684	LIHZfiV.exe
3848	vngCPVF.exe
2568	XTIWyre.exe
2448	DXpdEUz.exe
4784	OMMxUKT.exe
640	aNJEZYk.exe
2616	JEjPolU.exe
916	przUlhL.exe
3576	IUwZlTc.exe
3220	ewPjntA.exe
4400	VIxoSnk.exe
1636	pKzqXnw.exe
1404	FDXBbiV.exe
4420	gMurfFY.exe
720	VIbtJMd.exe
2520	eYSLGcW.exe
4592	YbUPOmD.exe
4504	FtTXYAU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3860-0-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp	upx
behavioral2/files/0x000a000000023c4f-5.dat	upx
behavioral2/files/0x0007000000023cb5-9.dat	upx
behavioral2/files/0x000a000000023ca8-14.dat	upx
behavioral2/memory/4068-18-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb6-20.dat	upx
behavioral2/files/0x0007000000023cb7-29.dat	upx
behavioral2/files/0x0007000000023cb8-35.dat	upx
behavioral2/memory/2568-36-0x00007FF66C140000-0x00007FF66C491000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-43.dat	upx
behavioral2/files/0x0007000000023cba-49.dat	upx
behavioral2/memory/4784-48-0x00007FF633570000-0x00007FF6338C1000-memory.dmp	upx
behavioral2/memory/2448-42-0x00007FF6014B0000-0x00007FF601801000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-60.dat	upx
behavioral2/files/0x0007000000023cbf-71.dat	upx
behavioral2/files/0x0007000000023cc0-77.dat	upx
behavioral2/files/0x0007000000023cc2-94.dat	upx
behavioral2/files/0x0007000000023cc3-100.dat	upx
behavioral2/files/0x0007000000023cc5-112.dat	upx
behavioral2/files/0x0007000000023cc7-119.dat	upx
behavioral2/files/0x0007000000023cc6-115.dat	upx
behavioral2/files/0x0007000000023cc4-107.dat	upx
behavioral2/files/0x0009000000023cb2-92.dat	upx
behavioral2/files/0x0007000000023cc1-87.dat	upx
behavioral2/memory/916-76-0x00007FF6948F0000-0x00007FF694C41000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-74.dat	upx
behavioral2/memory/4068-70-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp	upx
behavioral2/memory/3360-69-0x00007FF643200000-0x00007FF643551000-memory.dmp	upx
behavioral2/memory/2616-63-0x00007FF6894F0000-0x00007FF689841000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-58.dat	upx
behavioral2/memory/640-57-0x00007FF61C4B0000-0x00007FF61C801000-memory.dmp	upx
behavioral2/memory/3860-54-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp	upx
behavioral2/memory/3848-34-0x00007FF60A460000-0x00007FF60A7B1000-memory.dmp	upx
behavioral2/memory/3684-31-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp	upx
behavioral2/memory/1212-23-0x00007FF608EC0000-0x00007FF609211000-memory.dmp	upx
behavioral2/memory/3360-8-0x00007FF643200000-0x00007FF643551000-memory.dmp	upx
behavioral2/memory/3576-121-0x00007FF609390000-0x00007FF6096E1000-memory.dmp	upx
behavioral2/memory/1636-123-0x00007FF6BC420000-0x00007FF6BC771000-memory.dmp	upx
behavioral2/memory/4420-125-0x00007FF748F30000-0x00007FF749281000-memory.dmp	upx
behavioral2/memory/2520-127-0x00007FF70BFC0000-0x00007FF70C311000-memory.dmp	upx
behavioral2/memory/720-126-0x00007FF68C670000-0x00007FF68C9C1000-memory.dmp	upx
behavioral2/memory/1404-124-0x00007FF6A8800000-0x00007FF6A8B51000-memory.dmp	upx
behavioral2/memory/4592-128-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp	upx
behavioral2/memory/4400-122-0x00007FF66D9D0000-0x00007FF66DD21000-memory.dmp	upx
behavioral2/memory/4504-129-0x00007FF6B1470000-0x00007FF6B17C1000-memory.dmp	upx
behavioral2/memory/1212-130-0x00007FF608EC0000-0x00007FF609211000-memory.dmp	upx
behavioral2/memory/3860-131-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp	upx
behavioral2/memory/3684-136-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp	upx
behavioral2/memory/3220-138-0x00007FF7B03F0000-0x00007FF7B0741000-memory.dmp	upx
behavioral2/memory/2568-139-0x00007FF66C140000-0x00007FF66C491000-memory.dmp	upx
behavioral2/memory/2616-143-0x00007FF6894F0000-0x00007FF689841000-memory.dmp	upx
behavioral2/memory/916-144-0x00007FF6948F0000-0x00007FF694C41000-memory.dmp	upx
behavioral2/memory/640-142-0x00007FF61C4B0000-0x00007FF61C801000-memory.dmp	upx
behavioral2/memory/2448-140-0x00007FF6014B0000-0x00007FF601801000-memory.dmp	upx
behavioral2/memory/4784-141-0x00007FF633570000-0x00007FF6338C1000-memory.dmp	upx
behavioral2/memory/3860-155-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp	upx
behavioral2/memory/3360-210-0x00007FF643200000-0x00007FF643551000-memory.dmp	upx
behavioral2/memory/4068-212-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp	upx
behavioral2/memory/1212-214-0x00007FF608EC0000-0x00007FF609211000-memory.dmp	upx
behavioral2/memory/3684-218-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp	upx
behavioral2/memory/3848-217-0x00007FF60A460000-0x00007FF60A7B1000-memory.dmp	upx
behavioral2/memory/4784-221-0x00007FF633570000-0x00007FF6338C1000-memory.dmp	upx
behavioral2/memory/2448-222-0x00007FF6014B0000-0x00007FF601801000-memory.dmp	upx
behavioral2/memory/2568-233-0x00007FF66C140000-0x00007FF66C491000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pKzqXnw.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\FtTXYAU.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\YGaSvxQ.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\DXpdEUz.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\OMMxUKT.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\aNJEZYk.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\przUlhL.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\FDXBbiV.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\VIbtJMd.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\eYSLGcW.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\XTIWyre.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\JEjPolU.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\VIxoSnk.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\gMurfFY.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\ewPjntA.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\YbUPOmD.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\fEvqwNU.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\WdwJWIG.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\LIHZfiV.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\vngCPVF.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
File created	C:\Windows\System\IUwZlTc.exe	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
Token: SeLockMemoryPrivilege	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 3360	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	84
PID 3860 wrote to memory of 3360	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	84
PID 3860 wrote to memory of 4068	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	85
PID 3860 wrote to memory of 4068	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	85
PID 3860 wrote to memory of 1212	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	87
PID 3860 wrote to memory of 1212	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	87
PID 3860 wrote to memory of 3684	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	88
PID 3860 wrote to memory of 3684	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	88
PID 3860 wrote to memory of 3848	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	89
PID 3860 wrote to memory of 3848	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	89
PID 3860 wrote to memory of 2568	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	90
PID 3860 wrote to memory of 2568	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	90
PID 3860 wrote to memory of 2448	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	91
PID 3860 wrote to memory of 2448	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	91
PID 3860 wrote to memory of 4784	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	92
PID 3860 wrote to memory of 4784	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	92
PID 3860 wrote to memory of 640	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	93
PID 3860 wrote to memory of 640	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	93
PID 3860 wrote to memory of 2616	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	95
PID 3860 wrote to memory of 2616	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	95
PID 3860 wrote to memory of 916	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	96
PID 3860 wrote to memory of 916	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	96
PID 3860 wrote to memory of 3576	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	97
PID 3860 wrote to memory of 3576	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	97
PID 3860 wrote to memory of 3220	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	98
PID 3860 wrote to memory of 3220	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	98
PID 3860 wrote to memory of 4400	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	99
PID 3860 wrote to memory of 4400	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	99
PID 3860 wrote to memory of 1636	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	100
PID 3860 wrote to memory of 1636	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	100
PID 3860 wrote to memory of 1404	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	101
PID 3860 wrote to memory of 1404	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	101
PID 3860 wrote to memory of 4420	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	102
PID 3860 wrote to memory of 4420	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	102
PID 3860 wrote to memory of 720	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	103
PID 3860 wrote to memory of 720	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	103
PID 3860 wrote to memory of 2520	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	104
PID 3860 wrote to memory of 2520	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	104
PID 3860 wrote to memory of 4592	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	105
PID 3860 wrote to memory of 4592	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	105
PID 3860 wrote to memory of 4504	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	106
PID 3860 wrote to memory of 4504	3860	b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe	106

C:\Users\Admin\AppData\Local\Temp\b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe
"C:\Users\Admin\AppData\Local\Temp\b78e1c8136deb6e4ce5a0adcb2ebde7c89a4276cd155d41b586fe919ee8ad67f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\System\YGaSvxQ.exe
  C:\Windows\System\YGaSvxQ.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\fEvqwNU.exe
  C:\Windows\System\fEvqwNU.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\WdwJWIG.exe
  C:\Windows\System\WdwJWIG.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\LIHZfiV.exe
  C:\Windows\System\LIHZfiV.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\vngCPVF.exe
  C:\Windows\System\vngCPVF.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\XTIWyre.exe
  C:\Windows\System\XTIWyre.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\DXpdEUz.exe
  C:\Windows\System\DXpdEUz.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\OMMxUKT.exe
  C:\Windows\System\OMMxUKT.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\aNJEZYk.exe
  C:\Windows\System\aNJEZYk.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\JEjPolU.exe
  C:\Windows\System\JEjPolU.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\przUlhL.exe
  C:\Windows\System\przUlhL.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\IUwZlTc.exe
  C:\Windows\System\IUwZlTc.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\ewPjntA.exe
  C:\Windows\System\ewPjntA.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\VIxoSnk.exe
  C:\Windows\System\VIxoSnk.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\pKzqXnw.exe
  C:\Windows\System\pKzqXnw.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\FDXBbiV.exe
  C:\Windows\System\FDXBbiV.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\gMurfFY.exe
  C:\Windows\System\gMurfFY.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\VIbtJMd.exe
  C:\Windows\System\VIbtJMd.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\eYSLGcW.exe
  C:\Windows\System\eYSLGcW.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\YbUPOmD.exe
  C:\Windows\System\YbUPOmD.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\FtTXYAU.exe
  C:\Windows\System\FtTXYAU.exe
  2⤵
  - Executes dropped EXE
  PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DXpdEUz.exe

Filesize
5.2MB

MD5
1cc35dcface4ce3961f4837805795778

SHA1
a3ea7f651ec26bba272fca8e75da898cceead111

SHA256
136413d95bd986e5db97ea19ff07a5df6efcfa9adf2cc8530eb07280b2eb973e

SHA512
283df01694ae6f845cb31a085cacf14fdb1b8921aba8b7a5ea60da265c50aa4a45ec489e901b7b5a10a274ce7b7dc6b6f0c0bea2156f1dc0ae01625009e6f8e2

Download Submit
C:\Windows\System\FDXBbiV.exe

Filesize
5.2MB

MD5
c12bdc68c8c66833ba7f7b5f512c2035

SHA1
160cef9bdafedf60710402eab74e53ed691fa459

SHA256
4dff9ef39be62b51ccd58ef66d0fcd7e2c447b9a8944bedb0a3992cfb18295a5

SHA512
1434fff60d0834f1e5120ca2144074f0268c9074d7ff73dc23908f3a49114bdd4e8c57ec7a828f817d364a3238a3138805ee09935dee901352dc6eaf4c59d762

Download Submit
C:\Windows\System\FtTXYAU.exe

Filesize
5.2MB

MD5
5052b875851bb2a94bb619520ce08151

SHA1
47afb6a387bab18d77c670051dc7ef7414497072

SHA256
0988a2df1eea54bb20b7b65a02dd1425c26d920afb82fbbf23d768dbb8bb66f0

SHA512
4cf49354423e114b20eb88a80a8b733ff8fa896035a53a84f25e98c5209169a8861bcc02d00f2d93d253bfc9046e8d6c92cfed47640bcda248c6702ee1b52573

Download Submit
C:\Windows\System\IUwZlTc.exe

Filesize
5.2MB

MD5
c0ab675c01f3076d8a1fb72af6e89b9a

SHA1
f43f28b167ae80b53f6f7d722d410108ebc6381e

SHA256
122661468b078090999977cbeeb2e49114d3482ae05af7e482c5837d0807cfb4

SHA512
f626073242b6ef444678e7fe65b3efce375b87fff53a4f27fc3bcc6339eee7258afa7b4fd1a8aa43e3552c35a005bfd98a50e06a06c4a78ecd514e8e1107bca5

Download Submit
C:\Windows\System\JEjPolU.exe

Filesize
5.2MB

MD5
43d1be5d7c95a053902724e794733fc5

SHA1
068421183d3559bdc4150e601d292787320326d2

SHA256
d05039bf3b883d43d827c650e37774314d3d9edcba13b97043b40d4b093e669c

SHA512
8ab1d6ec9ed902972601af656569d8f5c61a9548afe90c3c3a2197e931d943a24810a018b756fce48eb450bd13573fe14489320e4bc33aa5b0d1049ae184ad13

Download Submit
C:\Windows\System\LIHZfiV.exe

Filesize
5.2MB

MD5
dd12ece011a5a81801e5fe7ad547455c

SHA1
db9eb2d51cffe0f7514ff12efb54a38e156b788a

SHA256
7975b81f33e0e96d639b8b9ec0d21f4df94bcbf9208caa28dbec1fa69c0bbb38

SHA512
7188602f4dd64e77d10ae34a809027327c0fb1a4005091185c3f82da977fabfaee02502e54cf081d654102b4ae30d5af159395ca1640b83e849d98a448c678f3

Download Submit
C:\Windows\System\OMMxUKT.exe

Filesize
5.2MB

MD5
9163eee1be6c8a57019c86f5cbb27541

SHA1
498b82fa18333d8efbd79895c85174f9ac1e06f6

SHA256
23b146a1a6c1dda1a596f7f5e2968355ac194ae54e6f675a9922d789473902f8

SHA512
0316e24568073b787fce94395bcea503cac58b0d79af78b69364c55002ac0ccd84d8170f03728824016efc0955277a612b0b8683a6a5efcfadb17a46551a7205

Download Submit
C:\Windows\System\VIbtJMd.exe

Filesize
5.2MB

MD5
3918dd32ead333da8fc546483a87b1ba

SHA1
686ee4391338ca548e7516341c5e789c0d703392

SHA256
85960c1e20c28290ae613e48d1d8a37aad47c21f14cffe04504b6792cee6392d

SHA512
fb85ebb4bc3ed9172d55d8ea108a2d39fc2142e6efe3edb2d6cc31048835207a37e43c800fffcd7f71b2602b9f426caf02a844444ccaf18421f1059927209852

Download Submit
C:\Windows\System\VIxoSnk.exe

Filesize
5.2MB

MD5
270be66adc19423532cf816da5f1a0a1

SHA1
78cd31597efe4f872ecba768e7635fbb75cd27c9

SHA256
e3460148fdb98de95dabcd84131bce9964fcff6f027000582eb7afd39df6565a

SHA512
4eb58c23967674490862f82925cd5df8ef853b34e0d2e9734a033a061577aab6d905b0b336a11e807353064eadd881d5a913ed3dfe707cb2beb771ee62ebb847

Download Submit
C:\Windows\System\WdwJWIG.exe

Filesize
5.2MB

MD5
640a9194d24a4fc7b23554cd17add562

SHA1
a94f4925942558f5b76fca91867bb5656c5cd1ea

SHA256
cc7d8c99788a745660dffa8dd4e9d68975e2c0ab411b3455379355d052796d4b

SHA512
8732c817595dde0b93009e32abf43244f9f44146d38521b14a8a082bc52abc44c5adaf737beccb84de37ab40025accb5f3872c2127bc957ddd0845a0befd0093

Download Submit
C:\Windows\System\XTIWyre.exe

Filesize
5.2MB

MD5
bcecd584b1c0672df328e2f3186c3e8a

SHA1
7cf2b291aacb497304478d4bf15f0b59245ec6e7

SHA256
51cb97e525ccc3140bda87483636e4184dfff75e0ee32f1aa09811855739c649

SHA512
58047d5f0e69924f84823bdb7edf3c07c499b890eb987a2705d0ac72a7806d4ea6bf3477ce061c088b78df503b7631e5ed2ee795e5892dbc2b8012edd54dfec3

Download Submit
C:\Windows\System\YGaSvxQ.exe

Filesize
5.2MB

MD5
92ae0e2efc773c6d86c24781e305c0c1

SHA1
a5558e0b13e4ec7780fe9f4285a6f67180451602

SHA256
5e65451c54f21f8eb8b8d1cc377b0a486f0da5417caaab23f03ef09af43da8c9

SHA512
ed12bd66e238a38869a0b0042f4c79baf536e74952e3635f69408d8fd21a94174aa153755bbfaac96aef90f718a3ee049a1c3c2b9d43717a5e5aeba158ac82fc

Download Submit
C:\Windows\System\YbUPOmD.exe

Filesize
5.2MB

MD5
21d3664f5edffec247d4cdb3592f344b

SHA1
5db6a96011a0404e4704a59aa07773d55737d457

SHA256
409bed8b6403dfb9a8eca89c1e70e13a2eb1687d7fdef9af1eab5b7299b7d2b8

SHA512
b4d2f43e15aa548c5f6da10eefca7fc399132bc52fda79dc9376993225b2e60add8b7cb3c23cb9fd2cb32c32d5db12aae98cef29e3561ac0bd1cfd8d936a19b1

Download Submit
C:\Windows\System\aNJEZYk.exe

Filesize
5.2MB

MD5
e9ae7ba3868c5fb1df08aa6a9cd1ad95

SHA1
3c17305913a973a9065286b058505cdc0608211b

SHA256
11c6f687d838639705021db5e87c9b667282f3570ac92f6760334a1567c27165

SHA512
a872c2e97c5fcf519451ae5e9f3a8f9dc850f3fa4fb08c02493fbc741e86fcb035528ff8d3aa0716521b85ec14eff9bf5a402e9bc534b20b7ae65e48f176b902

Download Submit
C:\Windows\System\eYSLGcW.exe

Filesize
5.2MB

MD5
c4eec8e3f7eea11bec92b0616af4f90d

SHA1
5333116e13d74af175d6439d4a1ef6377a0224df

SHA256
465a412568b79620309bef4ecf44703ebd6989a703a838fb2f090def73c95212

SHA512
c542b7e5408aceeb427d7fbe45442aaeeaed80bf3eb7a7c81ffb8b7d149842eef04a6b6e11f21fc5d461629761b52ff1fe95699bca0703f75b2afce727feb892

Download Submit
C:\Windows\System\ewPjntA.exe

Filesize
5.2MB

MD5
936f4b8a0a7d4730ce71fbd7d9f295ff

SHA1
5e3779a323556612fcd740e5fcce2a5afab481f2

SHA256
64f4e98e11f46100b9082f3a08c18f38147aef2ce83cc7b890d1b362a0fa1edd

SHA512
6ba5e0175d45c5eae80527293376984e884b70b88197d4abf89ea8b8612019bb2f5ef7119e1d95e388643fcc6795e57b8a12a6162587bf4f7456e5a836128d0e

Download Submit
C:\Windows\System\fEvqwNU.exe

Filesize
5.2MB

MD5
d0c094b7a9478796bb3c964f3f33ada4

SHA1
4a6cf33ce1b5dca4cd8adef0917fecd326025c11

SHA256
b87c92aac044e69c8fb4b4c6ea69dd03423099d242d0a0329d79fa4a6bf9664d

SHA512
6f845c4ccdf071b53b4ad7f89f26528a73972bd9b3ccfb38eea6fc825eb52b9864536f0d4f3a7908a460dae4c96616a25fbac15e6aa9f6ee26c34f9b5c3e9fc6

Download Submit
C:\Windows\System\gMurfFY.exe

Filesize
5.2MB

MD5
8881ed5a0b36e05c6ada4b64e0638f0b

SHA1
9a3e9820841f5bfc7edaf7a028a6d5671299652e

SHA256
089b325a13e5d1e826e9f5ebc52250f0fa755bf2da8c8ed73f9b292266cc93ea

SHA512
8d14461bc00e081e236a5769d25af7d4fcb6defbf9e30205ca7f775f29d14688919fcd0f4023d91064bad20c7aa3d8159444b5c68c737c4c27c6f68bda031d12

Download Submit
C:\Windows\System\pKzqXnw.exe

Filesize
5.2MB

MD5
defee4ed4fb14182d7d1eb769bab7b87

SHA1
60aa42e641e2e8c7a1f08b4f59001daf52543ba7

SHA256
acf0066b525b57a3c1e0cd2aecf83c84be225f802568f139b9109cd1da9b7c19

SHA512
f60099b30e65c2edbc6bccc5c68433ae0a0d4faaac5824b17ddfe451ce55d94d7950682388ee24ab451a8954c3f362224b8fba04048adc366c554d4fc09223d7

Download Submit
C:\Windows\System\przUlhL.exe

Filesize
5.2MB

MD5
0ec7f878fa2666d772e2c98485cec40a

SHA1
63d2b90c40af54fe6a678473ff98125fa454bcf7

SHA256
96a4905ead9c192aae255423edc63a17b5e5cc41a283daefefc21ab177395747

SHA512
65e30a097c72fb1c3b49811a28cbe1b61b20703f797b89ec2607adadebd336365234203f7bb5f1cf0f6df567ae7905c0204920b875a87353cb0444a656f953f4

Download Submit
C:\Windows\System\vngCPVF.exe

Filesize
5.2MB

MD5
2589ddc241fc8602367febd0eb516a46

SHA1
3923d4cedcc8e9502b606a546f0e6564be043516

SHA256
f25329ab44be8f9abcd7f1902322c6de48356dc13f224a42b79dce2f98d73d27

SHA512
3c2259d164fcab9d0356a8433ca9c0b28e9978a425ce86fbd24531f8e4a62a9a941dcef383f54731ac99061b3df5ecd0ad6d2ce9d59d3d2af366e7789ebabcdd

Download Submit
memory/640-142-0x00007FF61C4B0000-0x00007FF61C801000-memory.dmp

Filesize
3.3MB

Download
memory/640-235-0x00007FF61C4B0000-0x00007FF61C801000-memory.dmp

Filesize
3.3MB

Download
memory/640-57-0x00007FF61C4B0000-0x00007FF61C801000-memory.dmp

Filesize
3.3MB

Download
memory/720-262-0x00007FF68C670000-0x00007FF68C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/720-126-0x00007FF68C670000-0x00007FF68C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/916-239-0x00007FF6948F0000-0x00007FF694C41000-memory.dmp

Filesize
3.3MB

Download
memory/916-76-0x00007FF6948F0000-0x00007FF694C41000-memory.dmp

Filesize
3.3MB

Download
memory/916-144-0x00007FF6948F0000-0x00007FF694C41000-memory.dmp

Filesize
3.3MB

Download
memory/1212-214-0x00007FF608EC0000-0x00007FF609211000-memory.dmp

Filesize
3.3MB

Download
memory/1212-130-0x00007FF608EC0000-0x00007FF609211000-memory.dmp

Filesize
3.3MB

Download
memory/1212-23-0x00007FF608EC0000-0x00007FF609211000-memory.dmp

Filesize
3.3MB

Download
memory/1404-253-0x00007FF6A8800000-0x00007FF6A8B51000-memory.dmp

Filesize
3.3MB

Download
memory/1404-124-0x00007FF6A8800000-0x00007FF6A8B51000-memory.dmp

Filesize
3.3MB

Download
memory/1636-249-0x00007FF6BC420000-0x00007FF6BC771000-memory.dmp

Filesize
3.3MB

Download
memory/1636-123-0x00007FF6BC420000-0x00007FF6BC771000-memory.dmp

Filesize
3.3MB

Download
memory/2448-140-0x00007FF6014B0000-0x00007FF601801000-memory.dmp

Filesize
3.3MB

Download
memory/2448-42-0x00007FF6014B0000-0x00007FF601801000-memory.dmp

Filesize
3.3MB

Download
memory/2448-222-0x00007FF6014B0000-0x00007FF601801000-memory.dmp

Filesize
3.3MB

Download
memory/2520-261-0x00007FF70BFC0000-0x00007FF70C311000-memory.dmp

Filesize
3.3MB

Download
memory/2520-127-0x00007FF70BFC0000-0x00007FF70C311000-memory.dmp

Filesize
3.3MB

Download
memory/2568-139-0x00007FF66C140000-0x00007FF66C491000-memory.dmp

Filesize
3.3MB

Download
memory/2568-233-0x00007FF66C140000-0x00007FF66C491000-memory.dmp

Filesize
3.3MB

Download
memory/2568-36-0x00007FF66C140000-0x00007FF66C491000-memory.dmp

Filesize
3.3MB

Download
memory/2616-143-0x00007FF6894F0000-0x00007FF689841000-memory.dmp

Filesize
3.3MB

Download
memory/2616-63-0x00007FF6894F0000-0x00007FF689841000-memory.dmp

Filesize
3.3MB

Download
memory/2616-237-0x00007FF6894F0000-0x00007FF689841000-memory.dmp

Filesize
3.3MB

Download
memory/3220-243-0x00007FF7B03F0000-0x00007FF7B0741000-memory.dmp

Filesize
3.3MB

Download
memory/3220-138-0x00007FF7B03F0000-0x00007FF7B0741000-memory.dmp

Filesize
3.3MB

Download
memory/3360-69-0x00007FF643200000-0x00007FF643551000-memory.dmp

Filesize
3.3MB

Download
memory/3360-210-0x00007FF643200000-0x00007FF643551000-memory.dmp

Filesize
3.3MB

Download
memory/3360-8-0x00007FF643200000-0x00007FF643551000-memory.dmp

Filesize
3.3MB

Download
memory/3576-121-0x00007FF609390000-0x00007FF6096E1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-241-0x00007FF609390000-0x00007FF6096E1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-136-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-31-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-218-0x00007FF60AE60000-0x00007FF60B1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-34-0x00007FF60A460000-0x00007FF60A7B1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-217-0x00007FF60A460000-0x00007FF60A7B1000-memory.dmp

Filesize
3.3MB

Download
memory/3860-155-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp

Filesize
3.3MB

Download
memory/3860-54-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp

Filesize
3.3MB

Download
memory/3860-1-0x000001CD50BA0000-0x000001CD50BB0000-memory.dmp

Filesize
64KB

Download
memory/3860-0-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp

Filesize
3.3MB

Download
memory/3860-131-0x00007FF6BD000000-0x00007FF6BD351000-memory.dmp

Filesize
3.3MB

Download
memory/4068-212-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-18-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-70-0x00007FF757C60000-0x00007FF757FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-122-0x00007FF66D9D0000-0x00007FF66DD21000-memory.dmp

Filesize
3.3MB

Download
memory/4400-250-0x00007FF66D9D0000-0x00007FF66DD21000-memory.dmp

Filesize
3.3MB

Download
memory/4420-125-0x00007FF748F30000-0x00007FF749281000-memory.dmp

Filesize
3.3MB

Download
memory/4420-254-0x00007FF748F30000-0x00007FF749281000-memory.dmp

Filesize
3.3MB

Download
memory/4504-129-0x00007FF6B1470000-0x00007FF6B17C1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-257-0x00007FF6B1470000-0x00007FF6B17C1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-128-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp

Filesize
3.3MB

Download
memory/4592-259-0x00007FF7E1A40000-0x00007FF7E1D91000-memory.dmp

Filesize
3.3MB

Download
memory/4784-221-0x00007FF633570000-0x00007FF6338C1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-48-0x00007FF633570000-0x00007FF6338C1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-141-0x00007FF633570000-0x00007FF6338C1000-memory.dmp

Filesize
3.3MB

Download