cobaltstrike | 84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
Size

5.2MB
MD5

44f5c432cb782e1542a69a671e3a0e00
SHA1

5b127bc08376ecd7555268ea3364cb2db6f5c93b
SHA256

84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51
SHA512

9e045d501cd9599f4ccdb76ac544f8a737562af935d5e76014ebafe381cdc806a620e8ca831b947de0607ff87959d13e1fe6c447b6956d9a090f3bde7e19f368
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBib+56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023cc2-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd0-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd3-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd2-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd1-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccf-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-14.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cc3-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd5-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd6-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd7-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd8-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cd9-131.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4288-61-0x00007FF6658F0000-0x00007FF665C41000-memory.dmp	xmrig
behavioral2/memory/3312-79-0x00007FF743230000-0x00007FF743581000-memory.dmp	xmrig
behavioral2/memory/3568-85-0x00007FF660830000-0x00007FF660B81000-memory.dmp	xmrig
behavioral2/memory/1020-78-0x00007FF79FF30000-0x00007FF7A0281000-memory.dmp	xmrig
behavioral2/memory/4764-74-0x00007FF697FB0000-0x00007FF698301000-memory.dmp	xmrig
behavioral2/memory/4004-66-0x00007FF777E60000-0x00007FF7781B1000-memory.dmp	xmrig
behavioral2/memory/1644-59-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	xmrig
behavioral2/memory/992-54-0x00007FF6ADCD0000-0x00007FF6AE021000-memory.dmp	xmrig
behavioral2/memory/4248-115-0x00007FF6FE2C0000-0x00007FF6FE611000-memory.dmp	xmrig
behavioral2/memory/4268-127-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp	xmrig
behavioral2/memory/3228-135-0x00007FF6DC1E0000-0x00007FF6DC531000-memory.dmp	xmrig
behavioral2/memory/1012-130-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp	xmrig
behavioral2/memory/4756-129-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp	xmrig
behavioral2/memory/4172-120-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp	xmrig
behavioral2/memory/4392-110-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	xmrig
behavioral2/memory/2380-106-0x00007FF775CF0000-0x00007FF776041000-memory.dmp	xmrig
behavioral2/memory/2088-148-0x00007FF753BB0000-0x00007FF753F01000-memory.dmp	xmrig
behavioral2/memory/3992-149-0x00007FF6088A0000-0x00007FF608BF1000-memory.dmp	xmrig
behavioral2/memory/752-150-0x00007FF607F50000-0x00007FF6082A1000-memory.dmp	xmrig
behavioral2/memory/4496-156-0x00007FF660B30000-0x00007FF660E81000-memory.dmp	xmrig
behavioral2/memory/2196-157-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	xmrig
behavioral2/memory/384-155-0x00007FF7EA2E0000-0x00007FF7EA631000-memory.dmp	xmrig
behavioral2/memory/4392-151-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	xmrig
behavioral2/memory/4392-173-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	xmrig
behavioral2/memory/4172-217-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp	xmrig
behavioral2/memory/4268-219-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp	xmrig
behavioral2/memory/1644-221-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	xmrig
behavioral2/memory/1012-223-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp	xmrig
behavioral2/memory/4756-225-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp	xmrig
behavioral2/memory/992-227-0x00007FF6ADCD0000-0x00007FF6AE021000-memory.dmp	xmrig
behavioral2/memory/4004-231-0x00007FF777E60000-0x00007FF7781B1000-memory.dmp	xmrig
behavioral2/memory/4288-229-0x00007FF6658F0000-0x00007FF665C41000-memory.dmp	xmrig
behavioral2/memory/4764-233-0x00007FF697FB0000-0x00007FF698301000-memory.dmp	xmrig
behavioral2/memory/3568-236-0x00007FF660830000-0x00007FF660B81000-memory.dmp	xmrig
behavioral2/memory/1020-242-0x00007FF79FF30000-0x00007FF7A0281000-memory.dmp	xmrig
behavioral2/memory/3228-241-0x00007FF6DC1E0000-0x00007FF6DC531000-memory.dmp	xmrig
behavioral2/memory/3312-239-0x00007FF743230000-0x00007FF743581000-memory.dmp	xmrig
behavioral2/memory/2088-245-0x00007FF753BB0000-0x00007FF753F01000-memory.dmp	xmrig
behavioral2/memory/3992-246-0x00007FF6088A0000-0x00007FF608BF1000-memory.dmp	xmrig
behavioral2/memory/752-255-0x00007FF607F50000-0x00007FF6082A1000-memory.dmp	xmrig
behavioral2/memory/2380-257-0x00007FF775CF0000-0x00007FF776041000-memory.dmp	xmrig
behavioral2/memory/4248-259-0x00007FF6FE2C0000-0x00007FF6FE611000-memory.dmp	xmrig
behavioral2/memory/384-261-0x00007FF7EA2E0000-0x00007FF7EA631000-memory.dmp	xmrig
behavioral2/memory/4496-263-0x00007FF660B30000-0x00007FF660E81000-memory.dmp	xmrig
behavioral2/memory/2196-265-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4172	lgQssiz.exe
4268	piCLAvw.exe
4756	nEOIqwC.exe
1012	NAzVYJx.exe
992	HhdsnMy.exe
1644	qvUMzNy.exe
4004	zCJSuNq.exe
4764	TgyuOZz.exe
4288	AXjPNGN.exe
1020	hjcwbDc.exe
3228	BczGStz.exe
3312	blCsesL.exe
3568	nFfJxeu.exe
2088	GVPwslG.exe
3992	LDLsvAz.exe
752	StAsDoO.exe
2380	KivGimw.exe
4248	CBoaWrI.exe
384	widVoRA.exe
4496	qZMooiR.exe
2196	TfwTXAV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4392-0-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	upx
behavioral2/files/0x0008000000023cc2-4.dat	upx
behavioral2/memory/4172-8-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-23.dat	upx
behavioral2/files/0x0007000000023cc8-36.dat	upx
behavioral2/files/0x0007000000023ccd-43.dat	upx
behavioral2/files/0x0007000000023cce-55.dat	upx
behavioral2/memory/4288-61-0x00007FF6658F0000-0x00007FF665C41000-memory.dmp	upx
behavioral2/files/0x0007000000023cd0-69.dat	upx
behavioral2/memory/3312-79-0x00007FF743230000-0x00007FF743581000-memory.dmp	upx
behavioral2/memory/2088-84-0x00007FF753BB0000-0x00007FF753F01000-memory.dmp	upx
behavioral2/files/0x0007000000023cd3-88.dat	upx
behavioral2/memory/3992-89-0x00007FF6088A0000-0x00007FF608BF1000-memory.dmp	upx
behavioral2/memory/3568-85-0x00007FF660830000-0x00007FF660B81000-memory.dmp	upx
behavioral2/files/0x0007000000023cd2-82.dat	upx
behavioral2/memory/1020-78-0x00007FF79FF30000-0x00007FF7A0281000-memory.dmp	upx
behavioral2/files/0x0007000000023cd1-76.dat	upx
behavioral2/memory/4764-74-0x00007FF697FB0000-0x00007FF698301000-memory.dmp	upx
behavioral2/files/0x0007000000023ccf-67.dat	upx
behavioral2/memory/4004-66-0x00007FF777E60000-0x00007FF7781B1000-memory.dmp	upx
behavioral2/memory/3228-63-0x00007FF6DC1E0000-0x00007FF6DC531000-memory.dmp	upx
behavioral2/memory/1644-59-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-57.dat	upx
behavioral2/memory/992-54-0x00007FF6ADCD0000-0x00007FF6AE021000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-49.dat	upx
behavioral2/files/0x0007000000023cc9-44.dat	upx
behavioral2/memory/1012-42-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp	upx
behavioral2/memory/4756-32-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-27.dat	upx
behavioral2/files/0x0007000000023cc6-14.dat	upx
behavioral2/memory/4268-20-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp	upx
behavioral2/files/0x0008000000023cc3-94.dat	upx
behavioral2/files/0x0007000000023cd5-100.dat	upx
behavioral2/files/0x0007000000023cd6-107.dat	upx
behavioral2/files/0x0007000000023cd7-113.dat	upx
behavioral2/files/0x0007000000023cd8-117.dat	upx
behavioral2/memory/4248-115-0x00007FF6FE2C0000-0x00007FF6FE611000-memory.dmp	upx
behavioral2/memory/384-121-0x00007FF7EA2E0000-0x00007FF7EA631000-memory.dmp	upx
behavioral2/memory/4496-126-0x00007FF660B30000-0x00007FF660E81000-memory.dmp	upx
behavioral2/memory/4268-127-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp	upx
behavioral2/files/0x0007000000023cd9-131.dat	upx
behavioral2/memory/3228-135-0x00007FF6DC1E0000-0x00007FF6DC531000-memory.dmp	upx
behavioral2/memory/2196-133-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	upx
behavioral2/memory/1012-130-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp	upx
behavioral2/memory/4756-129-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp	upx
behavioral2/memory/4172-120-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp	upx
behavioral2/memory/4392-110-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	upx
behavioral2/memory/2380-106-0x00007FF775CF0000-0x00007FF776041000-memory.dmp	upx
behavioral2/memory/752-97-0x00007FF607F50000-0x00007FF6082A1000-memory.dmp	upx
behavioral2/memory/2088-148-0x00007FF753BB0000-0x00007FF753F01000-memory.dmp	upx
behavioral2/memory/3992-149-0x00007FF6088A0000-0x00007FF608BF1000-memory.dmp	upx
behavioral2/memory/752-150-0x00007FF607F50000-0x00007FF6082A1000-memory.dmp	upx
behavioral2/memory/4496-156-0x00007FF660B30000-0x00007FF660E81000-memory.dmp	upx
behavioral2/memory/2196-157-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp	upx
behavioral2/memory/384-155-0x00007FF7EA2E0000-0x00007FF7EA631000-memory.dmp	upx
behavioral2/memory/4392-151-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	upx
behavioral2/memory/4392-173-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp	upx
behavioral2/memory/4172-217-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp	upx
behavioral2/memory/4268-219-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp	upx
behavioral2/memory/1644-221-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	upx
behavioral2/memory/1012-223-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp	upx
behavioral2/memory/4756-225-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp	upx
behavioral2/memory/992-227-0x00007FF6ADCD0000-0x00007FF6AE021000-memory.dmp	upx
behavioral2/memory/4004-231-0x00007FF777E60000-0x00007FF7781B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GVPwslG.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\KivGimw.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\CBoaWrI.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\TfwTXAV.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\NAzVYJx.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\TgyuOZz.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\blCsesL.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\LDLsvAz.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\HhdsnMy.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\qvUMzNy.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\nFfJxeu.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\BczGStz.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\StAsDoO.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\qZMooiR.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\piCLAvw.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\nEOIqwC.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\AXjPNGN.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\widVoRA.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\lgQssiz.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\zCJSuNq.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
File created	C:\Windows\System\hjcwbDc.exe	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
Token: SeLockMemoryPrivilege	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4172	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	84
PID 4392 wrote to memory of 4172	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	84
PID 4392 wrote to memory of 4268	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	85
PID 4392 wrote to memory of 4268	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	85
PID 4392 wrote to memory of 4756	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	86
PID 4392 wrote to memory of 4756	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	86
PID 4392 wrote to memory of 1012	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	87
PID 4392 wrote to memory of 1012	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	87
PID 4392 wrote to memory of 992	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	88
PID 4392 wrote to memory of 992	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	88
PID 4392 wrote to memory of 1644	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	89
PID 4392 wrote to memory of 1644	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	89
PID 4392 wrote to memory of 4004	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	90
PID 4392 wrote to memory of 4004	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	90
PID 4392 wrote to memory of 4764	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	91
PID 4392 wrote to memory of 4764	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	91
PID 4392 wrote to memory of 4288	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	92
PID 4392 wrote to memory of 4288	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	92
PID 4392 wrote to memory of 1020	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	93
PID 4392 wrote to memory of 1020	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	93
PID 4392 wrote to memory of 3228	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	94
PID 4392 wrote to memory of 3228	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	94
PID 4392 wrote to memory of 3312	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	95
PID 4392 wrote to memory of 3312	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	95
PID 4392 wrote to memory of 3568	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	96
PID 4392 wrote to memory of 3568	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	96
PID 4392 wrote to memory of 2088	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	97
PID 4392 wrote to memory of 2088	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	97
PID 4392 wrote to memory of 3992	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	98
PID 4392 wrote to memory of 3992	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	98
PID 4392 wrote to memory of 752	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	99
PID 4392 wrote to memory of 752	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	99
PID 4392 wrote to memory of 2380	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	100
PID 4392 wrote to memory of 2380	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	100
PID 4392 wrote to memory of 4248	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	101
PID 4392 wrote to memory of 4248	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	101
PID 4392 wrote to memory of 384	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	102
PID 4392 wrote to memory of 384	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	102
PID 4392 wrote to memory of 4496	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	103
PID 4392 wrote to memory of 4496	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	103
PID 4392 wrote to memory of 2196	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	104
PID 4392 wrote to memory of 2196	4392	84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe	104

C:\Users\Admin\AppData\Local\Temp\84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe
"C:\Users\Admin\AppData\Local\Temp\84a292a3e46a3449f47af6afa0a4bd4b0d1292ac1b8fa1977a5631be25ce2f51N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\System\lgQssiz.exe
  C:\Windows\System\lgQssiz.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\piCLAvw.exe
  C:\Windows\System\piCLAvw.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\nEOIqwC.exe
  C:\Windows\System\nEOIqwC.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\NAzVYJx.exe
  C:\Windows\System\NAzVYJx.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\HhdsnMy.exe
  C:\Windows\System\HhdsnMy.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\qvUMzNy.exe
  C:\Windows\System\qvUMzNy.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\zCJSuNq.exe
  C:\Windows\System\zCJSuNq.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\TgyuOZz.exe
  C:\Windows\System\TgyuOZz.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\AXjPNGN.exe
  C:\Windows\System\AXjPNGN.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\hjcwbDc.exe
  C:\Windows\System\hjcwbDc.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\BczGStz.exe
  C:\Windows\System\BczGStz.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\blCsesL.exe
  C:\Windows\System\blCsesL.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\nFfJxeu.exe
  C:\Windows\System\nFfJxeu.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\GVPwslG.exe
  C:\Windows\System\GVPwslG.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\LDLsvAz.exe
  C:\Windows\System\LDLsvAz.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\StAsDoO.exe
  C:\Windows\System\StAsDoO.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\KivGimw.exe
  C:\Windows\System\KivGimw.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\CBoaWrI.exe
  C:\Windows\System\CBoaWrI.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\widVoRA.exe
  C:\Windows\System\widVoRA.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\qZMooiR.exe
  C:\Windows\System\qZMooiR.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\TfwTXAV.exe
  C:\Windows\System\TfwTXAV.exe
  2⤵
  - Executes dropped EXE
  PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AXjPNGN.exe

Filesize
5.2MB

MD5
577ea72410b41e40105d2a54a5811fb8

SHA1
ff7e66a05b263d009f64a259fd559bd8ed5b4b69

SHA256
626f8ee50440b62b9588167d4c122103aa346ea34765ad2e8c7ac22833b359cd

SHA512
755656327c84b42fb6aee0e1ca8f3ab19758f8ddd6a205955326b74a9f14f9440eff23718fc245bf10a8d8e6405df2cc3b253f0337b010b4feb21425f2655358

Download Submit
C:\Windows\System\BczGStz.exe

Filesize
5.2MB

MD5
9e887b58d6af3066659cdc45989cd2c7

SHA1
677465e2d173bdb3fe4e9aee58f33d01c7ccb091

SHA256
ee22ac96d460ff267f0b9dee956ae9690177cd0ae96e47eb83f99d007d13f5ce

SHA512
cd1df5ea735cc1f6b8f0959c1a7af2daaeb0e83ffa0ab332b10777caf9c6a61f11bd63218f8d429c471135dccdd4c65bdc42f07081842500ace135835de0813a

Download Submit
C:\Windows\System\CBoaWrI.exe

Filesize
5.2MB

MD5
88b52833bbdaf30a5e392e3174720813

SHA1
1c498f43f188727cd007db55616a78d4bd2b4526

SHA256
cec1860ced4e2d723ed8819ad47cbf31a8e1f854aae5dea1d53ba2092f6bf1cb

SHA512
dbf15be89f51f887894eb40c935a38dd0147d00bc8ef2f1139509de7bd49420a1054ac10d2dcadf000eda04d5e9c658ecf3a6debc74071da8b81eed8825ed77b

Download Submit
C:\Windows\System\GVPwslG.exe

Filesize
5.2MB

MD5
6039de182719a4884071d9ddeb632d2f

SHA1
b055d0da6dc5f69751b126640648fd631c2b374e

SHA256
56d24c087f7f990b952568af45e38001615011f9b07842de1a1f8b6dd0bdd4c7

SHA512
72e493640e00bb4ed7f5d913f6a301493f47b49e30c9bceaacbe8d030ea36edbabfec6401d63480177d14729fa4208ba454489abade3044c3e07a7f466da3d04

Download Submit
C:\Windows\System\HhdsnMy.exe

Filesize
5.2MB

MD5
5190da7245afc986f9a4f548b3154859

SHA1
7123ed9d912547ee7ce3187716e3e08720df594c

SHA256
31ca4b4e3629438bb37a1c96d33a11d3c4502a3239fefa332cb71231026c17bf

SHA512
8b613b1d31a1acd9cc1c8a105d8e872d7e6d19ce746d6038f944eb1eb98d828463869fdf66e35467c7b5607a095dd8fc2b10a243e88e882b8b78ca726be4ff98

Download Submit
C:\Windows\System\KivGimw.exe

Filesize
5.2MB

MD5
995b72c88f85e954db780c27d3a30fb0

SHA1
4416121f910146ee907ce76b1f2dc064a1c555f0

SHA256
e8772a8022cdb0b199ca65deddf6e7f2de42d72acfe4ca0ddb47483a1fb5968c

SHA512
931c4a2e0460c0d10d1eea6656163bb4376145d246e1498eb85fe1b0f31b1f53fa90eb399078c8ff63bd2f0513308f1363a69673f811d927cf7072e6f5aa60fd

Download Submit
C:\Windows\System\LDLsvAz.exe

Filesize
5.2MB

MD5
f131b3fb3b1ca57d837c78f2673e13d8

SHA1
6c4b4e6e888160fdd21ccf21000bee7bfdd02362

SHA256
f9eeb9d15cdf5a73bd1c086bc149947c8982a138d663a84e636898c7e271839a

SHA512
0d3795a600479d91429cade92f288395b2050b8019548e4313dec029d81c0375611b7b38d19cee9f8e54a097c37b9fe3077586c8e9ed32f1edf551a19998c6ad

Download Submit
C:\Windows\System\NAzVYJx.exe

Filesize
5.2MB

MD5
c4e68b18e92e41ad97ab727ccb8494a3

SHA1
b636e4a4a2fa90479c20f549512736d8392a32d6

SHA256
7dbbe4495c1cc932b64b3ce07f008610bf2ea12ce50eca40dad950e22d9548d8

SHA512
d1c6f0257156ff1140595e035820ed6bbe5221640705fa15c9121d96701afe2ab3bbe1e40645db44baf3deba2ebb4ad7f491b2a63e524e8d3bbde34e30f2a478

Download Submit
C:\Windows\System\StAsDoO.exe

Filesize
5.2MB

MD5
58160925b18f386fe2e3929c6512107f

SHA1
34dcb300e844f2a9172c723f9476039ac64e21dd

SHA256
268111feceb5d4542f57313cfe1cff9b81ffda352ce275f8e241a43ffca9678a

SHA512
9c60cf1b436be100a979659a21ade6b93974eeb48defd812b31e09fdce39990538c714bdd763b4018e9f0a5e1287e043afa5bd160c148223d42f168c3ed475eb

Download Submit
C:\Windows\System\TfwTXAV.exe

Filesize
5.2MB

MD5
cc7edf6c8d560b18b205fe2e461be1d5

SHA1
bf5b5092768841d34e938759d899bc305cfff33a

SHA256
b4f5cedfcceeed78ab305c39675b32b41b47ee748ff15b1cd1fb8aa0238b0579

SHA512
d42a365e8fe45cb46dd3717b647fdf5223e9416ca9337b0dfbb79ae244618fc7af463d3f45d14d30d3e8328b3ae271a4078333d1e0b150b79402111be6867eb7

Download Submit
C:\Windows\System\TgyuOZz.exe

Filesize
5.2MB

MD5
69134967cff008e5eaa08ac31a5b5f88

SHA1
9fd61ad2677e11fc4497cf7f3eba2466bac137d3

SHA256
7797ef1250db0818108085bf3553ebf2e477a201e988ef54b6e63c1ca3fb6788

SHA512
a8abd895bc0b9d20c8cb7d2f89ad8e3436a29d54e37574eaffec5df03e668146e50f297bf297d890af5b435270e058857e6603cb8a62c2019c0ec986a36299b8

Download Submit
C:\Windows\System\blCsesL.exe

Filesize
5.2MB

MD5
fcac5b0cfe180ad4817bb6390e41ed53

SHA1
11422469b3108c00bb9b2a38f0f2629302bf3c52

SHA256
162698f51e101675e0d14abe9a76ee2151f34fff56a86e7bfab096f753b9ad59

SHA512
37d2ac15b9dffcd7617a7a65d1c306da8f64ea0f2d65226228b78aad83800d3e5b046ad0f7823ab58231ec7072e02d4c1463f547d47b2aee0a8d6c5e161ef7ee

Download Submit
C:\Windows\System\hjcwbDc.exe

Filesize
5.2MB

MD5
2d0d5f82f9c5e5113e444e084d4049d5

SHA1
a1e5834f7ad4e51dad66bafd6c8158155dea8cd3

SHA256
99dc8192a15d30b358165ccaa2e7332fe8123a2f89df9e66dfdacaef2cf7eb01

SHA512
d9f89fdb29b4f290aed780c61b6dfd259684f5376a9219374f4a9ddbd84cbb96a591589f5209800bfd0c0821d6543f12ab1d28c187a575ef14c0625a52264513

Download Submit
C:\Windows\System\lgQssiz.exe

Filesize
5.2MB

MD5
baf44a27a70d3ade813470901e117fca

SHA1
1544a1fa9a29570f66dd1681798cad04f2d3f916

SHA256
bc8dd54f43406475b0f2fc9785aeb454a4c3b634afb15d702b9bea00a16c3d53

SHA512
6d416a1c1e5a18e7e6b60bbebcca4adca75663c8e1f36512d1cb7dbafaa0ed49915c88c7bda50b530f486e4a5ed6126932a5e1056a4a90973ada06bfd3d52454

Download Submit
C:\Windows\System\nEOIqwC.exe

Filesize
5.2MB

MD5
e45f671964ff8026c531d819925c8c56

SHA1
1d9050ffede4a199a85017451a02984374fd2462

SHA256
b01291213ecf7022515605135f0eccf6858f5cbe4c357b9b3c0b7390a80780f6

SHA512
19382417a36dfece0390fa558d564cf1d8e4eab8c95e25fd0b736a3b7c78242181007e15dfd1237850fbbe3bf39c7c2413dc34594dd5e9a243568c192de76dd2

Download Submit
C:\Windows\System\nFfJxeu.exe

Filesize
5.2MB

MD5
b0cee374c4036b1c17dcf6ce814c67a0

SHA1
8bd4a4b57fa2edffc6ac666cb2463a0b8aee9d81

SHA256
49ef213e06a5f79d42489172af8d1260535037d6b3be223aed289225febb0bdc

SHA512
8c216a44ad1868c434873987918095f920657e462dae61639af0329302cfd6f0f1458d00cdb38dcb2dbb5bc7b81a07e6d191cad99c2efa431d208b5dd19a8b32

Download Submit
C:\Windows\System\piCLAvw.exe

Filesize
5.2MB

MD5
0080148d0bb3160999e219104bc35940

SHA1
d915ba46453a2e86c10b1a02f95a4bae6c516349

SHA256
5cb0b4fe4b75c936a9dc960bbc0fd7c02b90c056fd985768e4b402ab47b2fcad

SHA512
40a9d6535ac3e139daa8c7b7d0be97641247521b505c80840de32a0a8f79a003bb3c917953329c08afcbc3ef905bcde16cefed7115fb884c63612b5aa64b7828

Download Submit
C:\Windows\System\qZMooiR.exe

Filesize
5.2MB

MD5
6e9b4619cd16d2a9a2bc5c4c91ecbdb6

SHA1
9de9c1d5290d267014e088ed6b5d98b70dec67a3

SHA256
76a1e2e017d6db4b5c599e4c04783e14bb5304c3d69f5c5e5bc26a3db1ed377a

SHA512
6edfa5d124bddea95c007fc6e0a36973c255ccf40c8dc71fe441bd4385ffeac2d04ef32991f15c8633a12e9ce3164a1d809b8bff9fa6e0b35a54a298d7e6ff26

Download Submit
C:\Windows\System\qvUMzNy.exe

Filesize
5.2MB

MD5
86c4a21c5a3f0e23997952362a537ad4

SHA1
147d87aff788f6d9a97cfbd42c868d81d332a598

SHA256
3ac0f70d63cedf4f1b06e339ed3fa292d43a8039cc578bb040c17182d3432101

SHA512
636a718e068ac961ad84cc4ac13e064806a17ca2d5fef78cbe4674a68f4eed2a757c2ed609df70e20220ac54475d61a8926f08cfa4f9e7c45ac3553945674b48

Download Submit
C:\Windows\System\widVoRA.exe

Filesize
5.2MB

MD5
eed91e8428ca0596622c8af5e91b29c1

SHA1
5215f7412fe5d01b91787dd51275b7b018d85c9f

SHA256
1579099532456fdc1186f732d4b6254d66c82fe84ebc664972b206b9957d3b07

SHA512
05dfc46c4dae851946154d2524318a1c6df4a22a822b2a93c237390ec912843695ae1af0ee44a79ee0e89d95eff95a0fca7831943b7488438414a52338fa7a4e

Download Submit
C:\Windows\System\zCJSuNq.exe

Filesize
5.2MB

MD5
66924520446258bab9b9ed5483d21dc0

SHA1
f11b5911c6032faf5fca411a7fa0ab6d3fdad362

SHA256
3e45f4f0038332354a907ec9e4b14007c68f0e7461a762b428d6c73004a68c8e

SHA512
e46f0d87d2128c6b807c835f5ccd89e62bab6cddd3781774c3873b2016a35970e356133340c1e87221c336d793342a177abc4a19eb0f2944733ac3eb5fa6f7ff

Download Submit
memory/384-155-0x00007FF7EA2E0000-0x00007FF7EA631000-memory.dmp

Filesize
3.3MB

Download
memory/384-121-0x00007FF7EA2E0000-0x00007FF7EA631000-memory.dmp

Filesize
3.3MB

Download
memory/384-261-0x00007FF7EA2E0000-0x00007FF7EA631000-memory.dmp

Filesize
3.3MB

Download
memory/752-97-0x00007FF607F50000-0x00007FF6082A1000-memory.dmp

Filesize
3.3MB

Download
memory/752-150-0x00007FF607F50000-0x00007FF6082A1000-memory.dmp

Filesize
3.3MB

Download
memory/752-255-0x00007FF607F50000-0x00007FF6082A1000-memory.dmp

Filesize
3.3MB

Download
memory/992-54-0x00007FF6ADCD0000-0x00007FF6AE021000-memory.dmp

Filesize
3.3MB

Download
memory/992-227-0x00007FF6ADCD0000-0x00007FF6AE021000-memory.dmp

Filesize
3.3MB

Download
memory/1012-42-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp

Filesize
3.3MB

Download
memory/1012-130-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp

Filesize
3.3MB

Download
memory/1012-223-0x00007FF6EFA30000-0x00007FF6EFD81000-memory.dmp

Filesize
3.3MB

Download
memory/1020-242-0x00007FF79FF30000-0x00007FF7A0281000-memory.dmp

Filesize
3.3MB

Download
memory/1020-78-0x00007FF79FF30000-0x00007FF7A0281000-memory.dmp

Filesize
3.3MB

Download
memory/1644-59-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-221-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-148-0x00007FF753BB0000-0x00007FF753F01000-memory.dmp

Filesize
3.3MB

Download
memory/2088-84-0x00007FF753BB0000-0x00007FF753F01000-memory.dmp

Filesize
3.3MB

Download
memory/2088-245-0x00007FF753BB0000-0x00007FF753F01000-memory.dmp

Filesize
3.3MB

Download
memory/2196-133-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-265-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-157-0x00007FF63E260000-0x00007FF63E5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-106-0x00007FF775CF0000-0x00007FF776041000-memory.dmp

Filesize
3.3MB

Download
memory/2380-257-0x00007FF775CF0000-0x00007FF776041000-memory.dmp

Filesize
3.3MB

Download
memory/3228-63-0x00007FF6DC1E0000-0x00007FF6DC531000-memory.dmp

Filesize
3.3MB

Download
memory/3228-135-0x00007FF6DC1E0000-0x00007FF6DC531000-memory.dmp

Filesize
3.3MB

Download
memory/3228-241-0x00007FF6DC1E0000-0x00007FF6DC531000-memory.dmp

Filesize
3.3MB

Download
memory/3312-79-0x00007FF743230000-0x00007FF743581000-memory.dmp

Filesize
3.3MB

Download
memory/3312-239-0x00007FF743230000-0x00007FF743581000-memory.dmp

Filesize
3.3MB

Download
memory/3568-236-0x00007FF660830000-0x00007FF660B81000-memory.dmp

Filesize
3.3MB

Download
memory/3568-85-0x00007FF660830000-0x00007FF660B81000-memory.dmp

Filesize
3.3MB

Download
memory/3992-246-0x00007FF6088A0000-0x00007FF608BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3992-149-0x00007FF6088A0000-0x00007FF608BF1000-memory.dmp

Filesize
3.3MB

Download
memory/3992-89-0x00007FF6088A0000-0x00007FF608BF1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-231-0x00007FF777E60000-0x00007FF7781B1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-66-0x00007FF777E60000-0x00007FF7781B1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-120-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-8-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-217-0x00007FF6BDB50000-0x00007FF6BDEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4248-115-0x00007FF6FE2C0000-0x00007FF6FE611000-memory.dmp

Filesize
3.3MB

Download
memory/4248-259-0x00007FF6FE2C0000-0x00007FF6FE611000-memory.dmp

Filesize
3.3MB

Download
memory/4268-219-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp

Filesize
3.3MB

Download
memory/4268-127-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp

Filesize
3.3MB

Download
memory/4268-20-0x00007FF6E6FB0000-0x00007FF6E7301000-memory.dmp

Filesize
3.3MB

Download
memory/4288-229-0x00007FF6658F0000-0x00007FF665C41000-memory.dmp

Filesize
3.3MB

Download
memory/4288-61-0x00007FF6658F0000-0x00007FF665C41000-memory.dmp

Filesize
3.3MB

Download
memory/4392-0-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp

Filesize
3.3MB

Download
memory/4392-173-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp

Filesize
3.3MB

Download
memory/4392-1-0x0000025C797E0000-0x0000025C797F0000-memory.dmp

Filesize
64KB

Download
memory/4392-151-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp

Filesize
3.3MB

Download
memory/4392-110-0x00007FF7B29C0000-0x00007FF7B2D11000-memory.dmp

Filesize
3.3MB

Download
memory/4496-156-0x00007FF660B30000-0x00007FF660E81000-memory.dmp

Filesize
3.3MB

Download
memory/4496-126-0x00007FF660B30000-0x00007FF660E81000-memory.dmp

Filesize
3.3MB

Download
memory/4496-263-0x00007FF660B30000-0x00007FF660E81000-memory.dmp

Filesize
3.3MB

Download
memory/4756-32-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp

Filesize
3.3MB

Download
memory/4756-129-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp

Filesize
3.3MB

Download
memory/4756-225-0x00007FF70AB10000-0x00007FF70AE61000-memory.dmp

Filesize
3.3MB

Download
memory/4764-74-0x00007FF697FB0000-0x00007FF698301000-memory.dmp

Filesize
3.3MB

Download
memory/4764-233-0x00007FF697FB0000-0x00007FF698301000-memory.dmp

Filesize
3.3MB

Download