cobaltstrike | 9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225

Analysis

max time kernel
110s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
Size

5.2MB
MD5

da360db17586266aa0c6efe336a251f0
SHA1

010090ffcbd80d2f7315fa4dc1f3d5e33a5385ef
SHA256

9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225
SHA512

b209793ea5227b2a792ef6d060d12687f000044940c6c8c1966114d40a001bed4c225c05731d0452ca17de91ae272d36e4e94d26b38214b23605bfcb425e12aa
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l1:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000d000000023b7f-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-37.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b88-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-126.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-91.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-79.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-41.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2640-68-0x00007FF793FB0000-0x00007FF794301000-memory.dmp	xmrig
behavioral2/memory/1372-131-0x00007FF655D80000-0x00007FF6560D1000-memory.dmp	xmrig
behavioral2/memory/4032-130-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp	xmrig
behavioral2/memory/4720-129-0x00007FF7D9440000-0x00007FF7D9791000-memory.dmp	xmrig
behavioral2/memory/1980-128-0x00007FF6881D0000-0x00007FF688521000-memory.dmp	xmrig
behavioral2/memory/3136-125-0x00007FF719440000-0x00007FF719791000-memory.dmp	xmrig
behavioral2/memory/2972-122-0x00007FF7B78C0000-0x00007FF7B7C11000-memory.dmp	xmrig
behavioral2/memory/4260-118-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp	xmrig
behavioral2/memory/3648-117-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp	xmrig
behavioral2/memory/4176-109-0x00007FF70AF60000-0x00007FF70B2B1000-memory.dmp	xmrig
behavioral2/memory/2196-83-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp	xmrig
behavioral2/memory/4868-35-0x00007FF7902C0000-0x00007FF790611000-memory.dmp	xmrig
behavioral2/memory/2640-132-0x00007FF793FB0000-0x00007FF794301000-memory.dmp	xmrig
behavioral2/memory/2976-138-0x00007FF756050000-0x00007FF7563A1000-memory.dmp	xmrig
behavioral2/memory/2596-147-0x00007FF63CBB0000-0x00007FF63CF01000-memory.dmp	xmrig
behavioral2/memory/2640-155-0x00007FF793FB0000-0x00007FF794301000-memory.dmp	xmrig
behavioral2/memory/5020-151-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	xmrig
behavioral2/memory/4644-149-0x00007FF67F2C0000-0x00007FF67F611000-memory.dmp	xmrig
behavioral2/memory/4092-145-0x00007FF613280000-0x00007FF6135D1000-memory.dmp	xmrig
behavioral2/memory/1988-144-0x00007FF739630000-0x00007FF739981000-memory.dmp	xmrig
behavioral2/memory/2604-143-0x00007FF7CC520000-0x00007FF7CC871000-memory.dmp	xmrig
behavioral2/memory/4028-142-0x00007FF7D4790000-0x00007FF7D4AE1000-memory.dmp	xmrig
behavioral2/memory/624-141-0x00007FF6E00F0000-0x00007FF6E0441000-memory.dmp	xmrig
behavioral2/memory/3288-139-0x00007FF615440000-0x00007FF615791000-memory.dmp	xmrig
behavioral2/memory/2196-204-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp	xmrig
behavioral2/memory/3648-214-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp	xmrig
behavioral2/memory/4032-216-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp	xmrig
behavioral2/memory/4260-218-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp	xmrig
behavioral2/memory/4868-220-0x00007FF7902C0000-0x00007FF790611000-memory.dmp	xmrig
behavioral2/memory/3288-228-0x00007FF615440000-0x00007FF615791000-memory.dmp	xmrig
behavioral2/memory/4028-235-0x00007FF7D4790000-0x00007FF7D4AE1000-memory.dmp	xmrig
behavioral2/memory/624-237-0x00007FF6E00F0000-0x00007FF6E0441000-memory.dmp	xmrig
behavioral2/memory/2976-227-0x00007FF756050000-0x00007FF7563A1000-memory.dmp	xmrig
behavioral2/memory/2604-239-0x00007FF7CC520000-0x00007FF7CC871000-memory.dmp	xmrig
behavioral2/memory/4092-241-0x00007FF613280000-0x00007FF6135D1000-memory.dmp	xmrig
behavioral2/memory/4644-251-0x00007FF67F2C0000-0x00007FF67F611000-memory.dmp	xmrig
behavioral2/memory/2596-254-0x00007FF63CBB0000-0x00007FF63CF01000-memory.dmp	xmrig
behavioral2/memory/1980-256-0x00007FF6881D0000-0x00007FF688521000-memory.dmp	xmrig
behavioral2/memory/1372-260-0x00007FF655D80000-0x00007FF6560D1000-memory.dmp	xmrig
behavioral2/memory/4720-259-0x00007FF7D9440000-0x00007FF7D9791000-memory.dmp	xmrig
behavioral2/memory/4176-253-0x00007FF70AF60000-0x00007FF70B2B1000-memory.dmp	xmrig
behavioral2/memory/2972-249-0x00007FF7B78C0000-0x00007FF7B7C11000-memory.dmp	xmrig
behavioral2/memory/3136-246-0x00007FF719440000-0x00007FF719791000-memory.dmp	xmrig
behavioral2/memory/5020-245-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	xmrig
behavioral2/memory/1988-266-0x00007FF739630000-0x00007FF739981000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2196	fDSvvus.exe
3648	BdwBUKf.exe
4032	pEZfKBC.exe
4260	bvKDGIa.exe
4868	iMrgifk.exe
2976	yrYkPIF.exe
3288	ZumixSg.exe
624	TNBrRRy.exe
4028	foVHukR.exe
2604	rkOWzYw.exe
1988	JmQosKA.exe
4092	nXAAhrq.exe
4176	HQOcPHk.exe
2596	JbCYkQm.exe
2972	vpvzjam.exe
4644	YKQOzno.exe
3136	zIkUKSs.exe
5020	rMtBtLU.exe
1980	RMbhiJF.exe
4720	XddAomG.exe
1372	MeZICAI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2640-0-0x00007FF793FB0000-0x00007FF794301000-memory.dmp	upx
behavioral2/files/0x000d000000023b7f-5.dat	upx
behavioral2/memory/2196-7-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-11.dat	upx
behavioral2/files/0x000a000000023b8b-12.dat	upx
behavioral2/memory/3648-15-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-23.dat	upx
behavioral2/memory/4260-33-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-37.dat	upx
behavioral2/memory/3288-38-0x00007FF615440000-0x00007FF615791000-memory.dmp	upx
behavioral2/memory/2976-47-0x00007FF756050000-0x00007FF7563A1000-memory.dmp	upx
behavioral2/files/0x000b000000023b88-57.dat	upx
behavioral2/memory/2604-62-0x00007FF7CC520000-0x00007FF7CC871000-memory.dmp	upx
behavioral2/memory/2640-68-0x00007FF793FB0000-0x00007FF794301000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-97.dat	upx
behavioral2/memory/5020-108-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-123.dat	upx
behavioral2/memory/1372-131-0x00007FF655D80000-0x00007FF6560D1000-memory.dmp	upx
behavioral2/memory/4032-130-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp	upx
behavioral2/memory/4720-129-0x00007FF7D9440000-0x00007FF7D9791000-memory.dmp	upx
behavioral2/memory/1980-128-0x00007FF6881D0000-0x00007FF688521000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-126.dat	upx
behavioral2/memory/3136-125-0x00007FF719440000-0x00007FF719791000-memory.dmp	upx
behavioral2/memory/2972-122-0x00007FF7B78C0000-0x00007FF7B7C11000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-119.dat	upx
behavioral2/memory/4260-118-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp	upx
behavioral2/memory/3648-117-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-112.dat	upx
behavioral2/files/0x000a000000023b99-110.dat	upx
behavioral2/memory/4176-109-0x00007FF70AF60000-0x00007FF70B2B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-99.dat	upx
behavioral2/memory/4644-96-0x00007FF67F2C0000-0x00007FF67F611000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-91.dat	upx
behavioral2/memory/2596-90-0x00007FF63CBB0000-0x00007FF63CF01000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-86.dat	upx
behavioral2/memory/2196-83-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-79.dat	upx
behavioral2/memory/4092-78-0x00007FF613280000-0x00007FF6135D1000-memory.dmp	upx
behavioral2/memory/1988-73-0x00007FF739630000-0x00007FF739981000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-71.dat	upx
behavioral2/files/0x000a000000023b92-55.dat	upx
behavioral2/memory/4028-54-0x00007FF7D4790000-0x00007FF7D4AE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-50.dat	upx
behavioral2/memory/624-49-0x00007FF6E00F0000-0x00007FF6E0441000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-41.dat	upx
behavioral2/memory/4868-35-0x00007FF7902C0000-0x00007FF790611000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-28.dat	upx
behavioral2/memory/4032-18-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp	upx
behavioral2/memory/2640-132-0x00007FF793FB0000-0x00007FF794301000-memory.dmp	upx
behavioral2/memory/2976-138-0x00007FF756050000-0x00007FF7563A1000-memory.dmp	upx
behavioral2/memory/2596-147-0x00007FF63CBB0000-0x00007FF63CF01000-memory.dmp	upx
behavioral2/memory/2640-155-0x00007FF793FB0000-0x00007FF794301000-memory.dmp	upx
behavioral2/memory/5020-151-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	upx
behavioral2/memory/4644-149-0x00007FF67F2C0000-0x00007FF67F611000-memory.dmp	upx
behavioral2/memory/4092-145-0x00007FF613280000-0x00007FF6135D1000-memory.dmp	upx
behavioral2/memory/1988-144-0x00007FF739630000-0x00007FF739981000-memory.dmp	upx
behavioral2/memory/2604-143-0x00007FF7CC520000-0x00007FF7CC871000-memory.dmp	upx
behavioral2/memory/4028-142-0x00007FF7D4790000-0x00007FF7D4AE1000-memory.dmp	upx
behavioral2/memory/624-141-0x00007FF6E00F0000-0x00007FF6E0441000-memory.dmp	upx
behavioral2/memory/3288-139-0x00007FF615440000-0x00007FF615791000-memory.dmp	upx
behavioral2/memory/2196-204-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp	upx
behavioral2/memory/3648-214-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp	upx
behavioral2/memory/4032-216-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp	upx
behavioral2/memory/4260-218-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nXAAhrq.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\zIkUKSs.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\rMtBtLU.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\RMbhiJF.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\BdwBUKf.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\bvKDGIa.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\rkOWzYw.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\vpvzjam.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\YKQOzno.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\fDSvvus.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\ZumixSg.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\JmQosKA.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\HQOcPHk.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\JbCYkQm.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\MeZICAI.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\pEZfKBC.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\foVHukR.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\TNBrRRy.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\XddAomG.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\iMrgifk.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
File created	C:\Windows\System\yrYkPIF.exe	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
Token: SeLockMemoryPrivilege	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2196	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	84
PID 2640 wrote to memory of 2196	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	84
PID 2640 wrote to memory of 3648	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	85
PID 2640 wrote to memory of 3648	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	85
PID 2640 wrote to memory of 4032	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	86
PID 2640 wrote to memory of 4032	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	86
PID 2640 wrote to memory of 4260	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	87
PID 2640 wrote to memory of 4260	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	87
PID 2640 wrote to memory of 4868	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	88
PID 2640 wrote to memory of 4868	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	88
PID 2640 wrote to memory of 2976	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	89
PID 2640 wrote to memory of 2976	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	89
PID 2640 wrote to memory of 3288	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	90
PID 2640 wrote to memory of 3288	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	90
PID 2640 wrote to memory of 624	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	91
PID 2640 wrote to memory of 624	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	91
PID 2640 wrote to memory of 4028	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	92
PID 2640 wrote to memory of 4028	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	92
PID 2640 wrote to memory of 2604	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	93
PID 2640 wrote to memory of 2604	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	93
PID 2640 wrote to memory of 1988	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	94
PID 2640 wrote to memory of 1988	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	94
PID 2640 wrote to memory of 4092	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	95
PID 2640 wrote to memory of 4092	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	95
PID 2640 wrote to memory of 4176	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	96
PID 2640 wrote to memory of 4176	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	96
PID 2640 wrote to memory of 2596	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	97
PID 2640 wrote to memory of 2596	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	97
PID 2640 wrote to memory of 2972	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	98
PID 2640 wrote to memory of 2972	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	98
PID 2640 wrote to memory of 4644	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	99
PID 2640 wrote to memory of 4644	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	99
PID 2640 wrote to memory of 3136	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	100
PID 2640 wrote to memory of 3136	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	100
PID 2640 wrote to memory of 5020	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	101
PID 2640 wrote to memory of 5020	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	101
PID 2640 wrote to memory of 1980	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	102
PID 2640 wrote to memory of 1980	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	102
PID 2640 wrote to memory of 4720	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	103
PID 2640 wrote to memory of 4720	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	103
PID 2640 wrote to memory of 1372	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	104
PID 2640 wrote to memory of 1372	2640	9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe	104

C:\Users\Admin\AppData\Local\Temp\9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe
"C:\Users\Admin\AppData\Local\Temp\9e6c7020d5fc2955ccea3e5ca320d1da4b3d1c9f984a8690d382251b95a4d225N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System\fDSvvus.exe
  C:\Windows\System\fDSvvus.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\BdwBUKf.exe
  C:\Windows\System\BdwBUKf.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\pEZfKBC.exe
  C:\Windows\System\pEZfKBC.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\bvKDGIa.exe
  C:\Windows\System\bvKDGIa.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\iMrgifk.exe
  C:\Windows\System\iMrgifk.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\yrYkPIF.exe
  C:\Windows\System\yrYkPIF.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\ZumixSg.exe
  C:\Windows\System\ZumixSg.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\TNBrRRy.exe
  C:\Windows\System\TNBrRRy.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\foVHukR.exe
  C:\Windows\System\foVHukR.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\rkOWzYw.exe
  C:\Windows\System\rkOWzYw.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\JmQosKA.exe
  C:\Windows\System\JmQosKA.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\nXAAhrq.exe
  C:\Windows\System\nXAAhrq.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\HQOcPHk.exe
  C:\Windows\System\HQOcPHk.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\JbCYkQm.exe
  C:\Windows\System\JbCYkQm.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\vpvzjam.exe
  C:\Windows\System\vpvzjam.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\YKQOzno.exe
  C:\Windows\System\YKQOzno.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\zIkUKSs.exe
  C:\Windows\System\zIkUKSs.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\rMtBtLU.exe
  C:\Windows\System\rMtBtLU.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\RMbhiJF.exe
  C:\Windows\System\RMbhiJF.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\XddAomG.exe
  C:\Windows\System\XddAomG.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\MeZICAI.exe
  C:\Windows\System\MeZICAI.exe
  2⤵
  - Executes dropped EXE
  PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BdwBUKf.exe

Filesize
5.2MB

MD5
1f11ee1033756a9ff8ec0f840fc4b34e

SHA1
af959d1a18c419617daccbfacd73b1c964a3dc67

SHA256
a722dbe54a9f795bcabbd9ded9fe944e47eec19ec200e42aaad1fd9c43d4ed2e

SHA512
89ffab5d850171bfe65099e3b8637adbfe6f9d969fb5336e9a3950ffb7e56a7b74045dbc9ddc6a63d409aeb1c36ccc164563c58afe81c0042d1c766801557a5f

Download Submit
C:\Windows\System\HQOcPHk.exe

Filesize
5.2MB

MD5
02e965426f3f43d0e2646f0803030bf4

SHA1
7c0862c161aa9e6ef98563bb1ee3329a20832869

SHA256
4ad1ebd2dfe1a3c1da87568f9acb9921267f5c315241c04193c9f2fec517717e

SHA512
cedff7a5d2e0428953abc765276b0883365abde363f52e9ee08ede35d5fb6ea2019e3cb0bbb0f2cf3329e014fe0537cb7e696224a2922a1744e87d840b51fc6a

Download Submit
C:\Windows\System\JbCYkQm.exe

Filesize
5.2MB

MD5
ba83424fe351bad4d8b937c35dbefe41

SHA1
9f8cc318cce936885d082401191fd28f4d578460

SHA256
afd881378685e7a9e4f91941371fec5f2fb5a7e7254e9af85a4620d97ffdab20

SHA512
f31f533a2bb3bbb31ffc71687cbb6f3a4e492d36973c52037b2e205c7d366b2f6b2aea5f3daf8d4a860da23ac8e7e5783a7ab554192e132f45781b86c80da53c

Download Submit
C:\Windows\System\JmQosKA.exe

Filesize
5.2MB

MD5
d3cc9e8200690af0f3079aa672b8d5db

SHA1
d6d5e137e890eeb1c4fca6dc09c9232a453ca4d0

SHA256
73617c75f6c17a8f0731035231256f17b4f8740284801fba17ccc50fd07c4713

SHA512
ab9b601dc7df0546e8f9bd1096d03adc5f474f2cc7020c619f8d3468ea4ad627d7c56bce6a692b2d89629df146f852f3169cca76acc42fa59f5cc8d679c96e5e

Download Submit
C:\Windows\System\MeZICAI.exe

Filesize
5.2MB

MD5
1bcf80abd91711ecf0acdd1533062009

SHA1
329bf515dd2533fc9b9a26609529d7b609d1bf6d

SHA256
852046e7cd69caf08de63148326b479108d60c1db74333025ca68a9767839bfa

SHA512
410dd2c4afd4dcca56a568610f09be849793654b5d5996f6f66df0c0d9a594ad2def1ee244a31dafeddd8e4c4cb5ff5c2b69e40eb4b16b1805471e379e798ad9

Download Submit
C:\Windows\System\RMbhiJF.exe

Filesize
5.2MB

MD5
b2fb4febd87926a2a6bb240f28cc6022

SHA1
b30ecb4f75b9d69f6da810f98b34b72463c4684f

SHA256
9e8125f0e2e5a5d8fcc1775e1d6a0fbdbeb9e14dad5b69bc3e0b2642278e79dc

SHA512
792916f157ad26af61388e63ae6ede11bedb70506284d6d3b1ac21f6140b34b47ad41af9b6feab8e013b0e59ce1228ce8ca5b0bf449da455fd0ae36cdd94741c

Download Submit
C:\Windows\System\TNBrRRy.exe

Filesize
5.2MB

MD5
f112f385d51b4815e65568fbeaf74d45

SHA1
3b42f3efbe0a9e4efc13ffb2ef268b5c6553928d

SHA256
a14af274377bb6cf86e83130291634e593676340947dd9ed65c5dbb65ad56c13

SHA512
13169dcaf459a860e8c33f9151bcfb970460e1de7e50601d2a4c24d55f32f2ee784a5b4881efc51278565be43b38b52aacbd1c6f24afc8f81a02c855db330d26

Download Submit
C:\Windows\System\XddAomG.exe

Filesize
5.2MB

MD5
7604d646af59d358c9ca3ced9c10128d

SHA1
a7494b25b62c04380c5e8e854705ef27bdf97a11

SHA256
bc5f8376c865c5358c3b2349dd14cbca692a0fc4f1787bccc544062ee2e0db20

SHA512
f4de0a3df2cfab492e46073c7038512761629e538d3440609219fd6f0d12d533acf4eb3d9116461f03b4af5cb545ead3e24f12ea3101f4357a00dbaba9306295

Download Submit
C:\Windows\System\YKQOzno.exe

Filesize
5.2MB

MD5
ef35ad393b72b62174f2838d00d15108

SHA1
63e7d0623f1084388085d77e37330797e650b899

SHA256
b6dc14e2d90b50698a968aa324a9dbdbd9a8f73c2bfd1bda4a5f9d082bef9499

SHA512
e9ebf45514b224fbc5494fb3f49fcc99797f659ce2b68ff693ec00f20dc4a82ca86720e7d752f8edbd6fb0e30f7e386c440329cf895c0bab0831fa3c6da4f467

Download Submit
C:\Windows\System\ZumixSg.exe

Filesize
5.2MB

MD5
83b0956d6065d6893afbdfe90232a632

SHA1
db3cd5cac066805d388dd8e5759b648e692ce181

SHA256
6c187c08433c19f857514b10156dbf4383a1f9ad1c67b9daffb7216cb86c5270

SHA512
3a168cd62d62367a8b510b4ce7420c5d655d53bf60696b5962fff8eba9f88cfbc4c2f06ce24de2a855acef3621199ea054f4bde3c0be14ed2cdb3a08e1ae8d10

Download Submit
C:\Windows\System\bvKDGIa.exe

Filesize
5.2MB

MD5
7ca3bfd4da21fe8e1e5d135b4130d5c2

SHA1
2215609bf300a40c5814f04e3afdac87b9fbda78

SHA256
8364c0dd421f89b305d6639e527b0b4a2ae68b4714ed52775e9d3699a6dbbecb

SHA512
91c752e2cc9a4b97e71466bf6ee4519a9bf490b2d020d1b3175796f291d11e6a1fcd5b66cef03f6af64d0c7e11a4f92121778be8a9993f38c3c9ff57cb39df75

Download Submit
C:\Windows\System\fDSvvus.exe

Filesize
5.2MB

MD5
8a2e4a6835f60d1d1b6a710c9bd9531c

SHA1
2a19d05f7af8db8d7a1f4efdaba7918ee292d71c

SHA256
8804735dca5c6f36ee7d0d4a4cb3578c9fb17960bb1ec8d1c4e623092a163d21

SHA512
d79c6875cb7182b85c5e18892385d825f4968960c0aabcb7a9523fa0f19b2546d8de93da6e01034cfdeb1d942c4eeec1db5ee4fd3b343bc0fca8445038c07a25

Download Submit
C:\Windows\System\foVHukR.exe

Filesize
5.2MB

MD5
3b64ae1a46c0e0aa42b39366955541c5

SHA1
52a2fae6c0eb8ae6eb9986deebcfd0900b85e513

SHA256
c0ef69197eb1f9974e1cf9d5c9df5d349d63804f0d518bd59d3ca8cb92117051

SHA512
4af1946622cf681da33c6c65bea5a76afa7a33d3f65b4e223a1c2b35bc2474cf4ec6f9507da34e2fbb5672014fa522e05ca3e577dc63fa522279e464c4a142da

Download Submit
C:\Windows\System\iMrgifk.exe

Filesize
5.2MB

MD5
6ad20b1c9c5e5e93a97a0150d61a91a5

SHA1
e4452b9acbb5b05881ccafdab11c26265c8e8c60

SHA256
5d4c5b77f124302d93e1d8da0bbdcbacc65d409c25fe3ca136fbdac9573e3db8

SHA512
9fd08b8c05705c3614f55c9d5bb70bfddb1e4bdd6234a1a6a4b7d36d5ef40400e411e5e35e000764fe418eb9cd977b9dc7b0f3afdeeb7275a227b54a1c35b776

Download Submit
C:\Windows\System\nXAAhrq.exe

Filesize
5.2MB

MD5
683dc488e77894e8e318aea219bb5043

SHA1
9d640e97d92dae7555f7b680db7d25d916dd7785

SHA256
df22fbfdbf05e94d646289cdd98c88043c309b9ea2d630f468a01197385cc283

SHA512
8a3b3af7ef6e4aac25f7820a77dfa6c99f4c8490549afa061bb19812079de47060e4cba2c401a3d4d4f7fb8b3975cf0240295245c9a0275fc67df9cece82acda

Download Submit
C:\Windows\System\pEZfKBC.exe

Filesize
5.2MB

MD5
ecc5c98c295be2375961bc93e6eb2596

SHA1
64695d0f276a09dc6be8b4d061cbe11a4848fa29

SHA256
229e0ceacc926da285825d8671dbd6b41a63817956b2029f94ba91044d0c4ec7

SHA512
1a9660daf0df1f8f771f084bfa0984eecb55a8643130cec77beb2f43a3cbf38b9e6d379d15296a81b26222affc97b5aee653d4e37b04164d606255b78c7578a3

Download Submit
C:\Windows\System\rMtBtLU.exe

Filesize
5.2MB

MD5
2b70be5996a8e82bb3711759e53fb860

SHA1
dba2fe5d3051d78bed615ef8c14a82fbd7a2ead0

SHA256
524a97ae9dcab9935195638c8a38229d7ac6331295ab2d848b9ef8904a37e393

SHA512
90e51b443d9d6b5e5870d7cf1d908bc89d8dd34c67319f8507e58d9f13885f91c50500648db852c8d56ee6c65431df1204df2a501cb532afec6ebdacfad09a9e

Download Submit
C:\Windows\System\rkOWzYw.exe

Filesize
5.2MB

MD5
5c4327933a23c8182e5ccddcbb9f6e9e

SHA1
a01a78f8579434405ac452e77568a392656e284e

SHA256
add271519684019242ee1e9c9e8fa2d9cbff8b06f239bc0c9c650d28808353bc

SHA512
6eb7345c4e0a8aaa25462dedf3a8213b5b0aee53a8476bd6d6497ca6e670ec65fe0bdd2dcebd4fe93253c7e3057845af3081292a6292931d6ab6af2a68ae7ed7

Download Submit
C:\Windows\System\vpvzjam.exe

Filesize
5.2MB

MD5
fe2f89b00ae79078337dcfc8dc3cbfd0

SHA1
5fc4f0319a0da0edf6fefec5e78e99cb9de3c865

SHA256
d94ecd8fa9c3ee678a8ab1e7036a7066f31c27191c3d2e64205821ba8f77142a

SHA512
bf41a83fb6c72158a79238e406bc8dfe6cf75e72fb4be8f2d4f13395c669a9b07f77cba8841845a6f086397c53b4e0902283c306ee9c9b1c50f6cfcc1cdf721b

Download Submit
C:\Windows\System\yrYkPIF.exe

Filesize
5.2MB

MD5
90645bfebf2b20d07c164a9e8eeec398

SHA1
c3ea91e5473026f86e86215e16ff0e5acac83a4d

SHA256
6185519cb43d7f4ef50e497b471b600d21d8be9dc2382b08f1d85db6e61eb794

SHA512
3ab811c4a94e37b6f7ffbf87fc2a6e6370b2208c2cc67011c9896592b4002979030ac4307e218ff8532d7c5371e5b9cd52be62f05d61b6a15436e6c8c7176f53

Download Submit
C:\Windows\System\zIkUKSs.exe

Filesize
5.2MB

MD5
9e2d3091d15d8b20f198594baf0b9b8c

SHA1
c7f3663a78beb8d6159a358f3458b0edc49cf10e

SHA256
13a37b7a14a6bba33ee852cb3b188230caf0cb08ba72107e0f13e03aa2071af8

SHA512
77b2efe4ec74d20de6de0b4c5474180e3134a3e43774f341b38a19e7f792a7728228a024b71f78966b9729462a95d65b1463f81e93e65abca125606a45400ece

Download Submit
memory/624-49-0x00007FF6E00F0000-0x00007FF6E0441000-memory.dmp

Filesize
3.3MB

Download
memory/624-141-0x00007FF6E00F0000-0x00007FF6E0441000-memory.dmp

Filesize
3.3MB

Download
memory/624-237-0x00007FF6E00F0000-0x00007FF6E0441000-memory.dmp

Filesize
3.3MB

Download
memory/1372-131-0x00007FF655D80000-0x00007FF6560D1000-memory.dmp

Filesize
3.3MB

Download
memory/1372-260-0x00007FF655D80000-0x00007FF6560D1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-128-0x00007FF6881D0000-0x00007FF688521000-memory.dmp

Filesize
3.3MB

Download
memory/1980-256-0x00007FF6881D0000-0x00007FF688521000-memory.dmp

Filesize
3.3MB

Download
memory/1988-144-0x00007FF739630000-0x00007FF739981000-memory.dmp

Filesize
3.3MB

Download
memory/1988-73-0x00007FF739630000-0x00007FF739981000-memory.dmp

Filesize
3.3MB

Download
memory/1988-266-0x00007FF739630000-0x00007FF739981000-memory.dmp

Filesize
3.3MB

Download
memory/2196-204-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-7-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-83-0x00007FF72B050000-0x00007FF72B3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-147-0x00007FF63CBB0000-0x00007FF63CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2596-254-0x00007FF63CBB0000-0x00007FF63CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2596-90-0x00007FF63CBB0000-0x00007FF63CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2604-143-0x00007FF7CC520000-0x00007FF7CC871000-memory.dmp

Filesize
3.3MB

Download
memory/2604-62-0x00007FF7CC520000-0x00007FF7CC871000-memory.dmp

Filesize
3.3MB

Download
memory/2604-239-0x00007FF7CC520000-0x00007FF7CC871000-memory.dmp

Filesize
3.3MB

Download
memory/2640-155-0x00007FF793FB0000-0x00007FF794301000-memory.dmp

Filesize
3.3MB

Download
memory/2640-0-0x00007FF793FB0000-0x00007FF794301000-memory.dmp

Filesize
3.3MB

Download
memory/2640-132-0x00007FF793FB0000-0x00007FF794301000-memory.dmp

Filesize
3.3MB

Download
memory/2640-68-0x00007FF793FB0000-0x00007FF794301000-memory.dmp

Filesize
3.3MB

Download
memory/2640-1-0x000001F09D010000-0x000001F09D020000-memory.dmp

Filesize
64KB

Download
memory/2972-249-0x00007FF7B78C0000-0x00007FF7B7C11000-memory.dmp

Filesize
3.3MB

Download
memory/2972-122-0x00007FF7B78C0000-0x00007FF7B7C11000-memory.dmp

Filesize
3.3MB

Download
memory/2976-227-0x00007FF756050000-0x00007FF7563A1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-138-0x00007FF756050000-0x00007FF7563A1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-47-0x00007FF756050000-0x00007FF7563A1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-125-0x00007FF719440000-0x00007FF719791000-memory.dmp

Filesize
3.3MB

Download
memory/3136-246-0x00007FF719440000-0x00007FF719791000-memory.dmp

Filesize
3.3MB

Download
memory/3288-228-0x00007FF615440000-0x00007FF615791000-memory.dmp

Filesize
3.3MB

Download
memory/3288-38-0x00007FF615440000-0x00007FF615791000-memory.dmp

Filesize
3.3MB

Download
memory/3288-139-0x00007FF615440000-0x00007FF615791000-memory.dmp

Filesize
3.3MB

Download
memory/3648-15-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-214-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-117-0x00007FF6D3670000-0x00007FF6D39C1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-235-0x00007FF7D4790000-0x00007FF7D4AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-142-0x00007FF7D4790000-0x00007FF7D4AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-54-0x00007FF7D4790000-0x00007FF7D4AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4032-216-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp

Filesize
3.3MB

Download
memory/4032-18-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp

Filesize
3.3MB

Download
memory/4032-130-0x00007FF6B90B0000-0x00007FF6B9401000-memory.dmp

Filesize
3.3MB

Download
memory/4092-241-0x00007FF613280000-0x00007FF6135D1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-145-0x00007FF613280000-0x00007FF6135D1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-78-0x00007FF613280000-0x00007FF6135D1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-109-0x00007FF70AF60000-0x00007FF70B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-253-0x00007FF70AF60000-0x00007FF70B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-218-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-33-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4260-118-0x00007FF77C1A0000-0x00007FF77C4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4644-251-0x00007FF67F2C0000-0x00007FF67F611000-memory.dmp

Filesize
3.3MB

Download
memory/4644-96-0x00007FF67F2C0000-0x00007FF67F611000-memory.dmp

Filesize
3.3MB

Download
memory/4644-149-0x00007FF67F2C0000-0x00007FF67F611000-memory.dmp

Filesize
3.3MB

Download
memory/4720-129-0x00007FF7D9440000-0x00007FF7D9791000-memory.dmp

Filesize
3.3MB

Download
memory/4720-259-0x00007FF7D9440000-0x00007FF7D9791000-memory.dmp

Filesize
3.3MB

Download
memory/4868-35-0x00007FF7902C0000-0x00007FF790611000-memory.dmp

Filesize
3.3MB

Download
memory/4868-220-0x00007FF7902C0000-0x00007FF790611000-memory.dmp

Filesize
3.3MB

Download
memory/5020-108-0x00007FF626FD0000-0x00007FF627321000-memory.dmp

Filesize
3.3MB

Download
memory/5020-151-0x00007FF626FD0000-0x00007FF627321000-memory.dmp

Filesize
3.3MB

Download
memory/5020-245-0x00007FF626FD0000-0x00007FF627321000-memory.dmp

Filesize
3.3MB

Download