cobaltstrike | 6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
Size

5.2MB
MD5

7daf63d1938b313710e668cd9830ab90
SHA1

66e653dc24239e2a0df3b2a8bfdf6da0d7ef23fe
SHA256

6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553
SHA512

31f9af62e46d3cd1b93c84afd0cce16d0aa6c0a1ec4aabdf981eb39864a84cb106eb47dbb822a478e87f3de05a24ca424f0a3486d3ad9d3bae30166dac0f3083
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibd56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023ca6-7.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca1-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-33.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca2-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-66.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4904-80-0x00007FF7CB740000-0x00007FF7CBA91000-memory.dmp	xmrig
behavioral2/memory/4996-81-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp	xmrig
behavioral2/memory/4004-74-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp	xmrig
behavioral2/memory/3680-122-0x00007FF60C910000-0x00007FF60CC61000-memory.dmp	xmrig
behavioral2/memory/3392-123-0x00007FF7ECE80000-0x00007FF7ED1D1000-memory.dmp	xmrig
behavioral2/memory/4172-125-0x00007FF65FD00000-0x00007FF660051000-memory.dmp	xmrig
behavioral2/memory/3360-124-0x00007FF626790000-0x00007FF626AE1000-memory.dmp	xmrig
behavioral2/memory/1684-126-0x00007FF6848F0000-0x00007FF684C41000-memory.dmp	xmrig
behavioral2/memory/1124-127-0x00007FF6B8100000-0x00007FF6B8451000-memory.dmp	xmrig
behavioral2/memory/768-128-0x00007FF7A1F10000-0x00007FF7A2261000-memory.dmp	xmrig
behavioral2/memory/4660-130-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	xmrig
behavioral2/memory/3476-129-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp	xmrig
behavioral2/memory/4600-131-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	xmrig
behavioral2/memory/4004-132-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp	xmrig
behavioral2/memory/2916-136-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp	xmrig
behavioral2/memory/1756-137-0x00007FF764840000-0x00007FF764B91000-memory.dmp	xmrig
behavioral2/memory/3764-141-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	xmrig
behavioral2/memory/2976-143-0x00007FF7C5DC0000-0x00007FF7C6111000-memory.dmp	xmrig
behavioral2/memory/2828-142-0x00007FF7EE790000-0x00007FF7EEAE1000-memory.dmp	xmrig
behavioral2/memory/3808-140-0x00007FF62AB30000-0x00007FF62AE81000-memory.dmp	xmrig
behavioral2/memory/1764-139-0x00007FF65C630000-0x00007FF65C981000-memory.dmp	xmrig
behavioral2/memory/2788-138-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp	xmrig
behavioral2/memory/2228-145-0x00007FF6F7D90000-0x00007FF6F80E1000-memory.dmp	xmrig
behavioral2/memory/4004-154-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp	xmrig
behavioral2/memory/4996-211-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp	xmrig
behavioral2/memory/3476-213-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp	xmrig
behavioral2/memory/4660-215-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	xmrig
behavioral2/memory/2916-217-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp	xmrig
behavioral2/memory/1756-219-0x00007FF764840000-0x00007FF764B91000-memory.dmp	xmrig
behavioral2/memory/2788-221-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp	xmrig
behavioral2/memory/1764-223-0x00007FF65C630000-0x00007FF65C981000-memory.dmp	xmrig
behavioral2/memory/3764-229-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	xmrig
behavioral2/memory/2828-227-0x00007FF7EE790000-0x00007FF7EEAE1000-memory.dmp	xmrig
behavioral2/memory/3808-226-0x00007FF62AB30000-0x00007FF62AE81000-memory.dmp	xmrig
behavioral2/memory/2976-233-0x00007FF7C5DC0000-0x00007FF7C6111000-memory.dmp	xmrig
behavioral2/memory/4904-243-0x00007FF7CB740000-0x00007FF7CBA91000-memory.dmp	xmrig
behavioral2/memory/2228-245-0x00007FF6F7D90000-0x00007FF6F80E1000-memory.dmp	xmrig
behavioral2/memory/3680-247-0x00007FF60C910000-0x00007FF60CC61000-memory.dmp	xmrig
behavioral2/memory/4600-249-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	xmrig
behavioral2/memory/3392-251-0x00007FF7ECE80000-0x00007FF7ED1D1000-memory.dmp	xmrig
behavioral2/memory/3360-257-0x00007FF626790000-0x00007FF626AE1000-memory.dmp	xmrig
behavioral2/memory/4172-256-0x00007FF65FD00000-0x00007FF660051000-memory.dmp	xmrig
behavioral2/memory/768-261-0x00007FF7A1F10000-0x00007FF7A2261000-memory.dmp	xmrig
behavioral2/memory/1684-259-0x00007FF6848F0000-0x00007FF684C41000-memory.dmp	xmrig
behavioral2/memory/1124-254-0x00007FF6B8100000-0x00007FF6B8451000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4996	NPmZMiX.exe
3476	URnYKuD.exe
4660	AAFcIiJ.exe
2916	WGHrDPU.exe
1756	OTqvsFp.exe
2788	mAkCghM.exe
1764	OcAFoZW.exe
3764	JwvtTtV.exe
2828	eEaOlkF.exe
3808	sfmiDFQ.exe
2976	xxSYkjy.exe
4904	umXVUxA.exe
2228	JRfAhur.exe
4600	rTQUuYB.exe
3680	EezzxEg.exe
3392	ExXqeMu.exe
3360	Yvhjpol.exe
4172	MoFTToa.exe
1684	niRYmFu.exe
1124	LUtEASw.exe
768	Rjihrhi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4004-0-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-7.dat	upx
behavioral2/files/0x0008000000023ca1-9.dat	upx
behavioral2/files/0x0007000000023ca5-17.dat	upx
behavioral2/files/0x0007000000023ca9-30.dat	upx
behavioral2/files/0x0007000000023cab-53.dat	upx
behavioral2/memory/2828-58-0x00007FF7EE790000-0x00007FF7EEAE1000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-59.dat	upx
behavioral2/files/0x0007000000023cac-56.dat	upx
behavioral2/memory/3808-55-0x00007FF62AB30000-0x00007FF62AE81000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-52.dat	upx
behavioral2/memory/3764-49-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	upx
behavioral2/memory/1764-48-0x00007FF65C630000-0x00007FF65C981000-memory.dmp	upx
behavioral2/memory/2788-43-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-41.dat	upx
behavioral2/memory/1756-38-0x00007FF764840000-0x00007FF764B91000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-33.dat	upx
behavioral2/memory/2916-26-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp	upx
behavioral2/memory/4660-16-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	upx
behavioral2/memory/3476-15-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp	upx
behavioral2/memory/4996-8-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp	upx
behavioral2/memory/2976-70-0x00007FF7C5DC0000-0x00007FF7C6111000-memory.dmp	upx
behavioral2/files/0x0008000000023ca2-76.dat	upx
behavioral2/files/0x0007000000023cb1-86.dat	upx
behavioral2/files/0x0007000000023cb3-90.dat	upx
behavioral2/files/0x0007000000023cb4-93.dat	upx
behavioral2/files/0x0007000000023cb5-96.dat	upx
behavioral2/files/0x0007000000023cb6-99.dat	upx
behavioral2/files/0x0007000000023cb2-106.dat	upx
behavioral2/files/0x0007000000023cb8-120.dat	upx
behavioral2/memory/2228-113-0x00007FF6F7D90000-0x00007FF6F80E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-104.dat	upx
behavioral2/files/0x0007000000023cb0-82.dat	upx
behavioral2/memory/4904-80-0x00007FF7CB740000-0x00007FF7CBA91000-memory.dmp	upx
behavioral2/memory/4996-81-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp	upx
behavioral2/memory/4004-74-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-66.dat	upx
behavioral2/memory/3680-122-0x00007FF60C910000-0x00007FF60CC61000-memory.dmp	upx
behavioral2/memory/3392-123-0x00007FF7ECE80000-0x00007FF7ED1D1000-memory.dmp	upx
behavioral2/memory/4172-125-0x00007FF65FD00000-0x00007FF660051000-memory.dmp	upx
behavioral2/memory/3360-124-0x00007FF626790000-0x00007FF626AE1000-memory.dmp	upx
behavioral2/memory/1684-126-0x00007FF6848F0000-0x00007FF684C41000-memory.dmp	upx
behavioral2/memory/1124-127-0x00007FF6B8100000-0x00007FF6B8451000-memory.dmp	upx
behavioral2/memory/768-128-0x00007FF7A1F10000-0x00007FF7A2261000-memory.dmp	upx
behavioral2/memory/4660-130-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	upx
behavioral2/memory/3476-129-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp	upx
behavioral2/memory/4600-131-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp	upx
behavioral2/memory/4004-132-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp	upx
behavioral2/memory/2916-136-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp	upx
behavioral2/memory/1756-137-0x00007FF764840000-0x00007FF764B91000-memory.dmp	upx
behavioral2/memory/3764-141-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	upx
behavioral2/memory/2976-143-0x00007FF7C5DC0000-0x00007FF7C6111000-memory.dmp	upx
behavioral2/memory/2828-142-0x00007FF7EE790000-0x00007FF7EEAE1000-memory.dmp	upx
behavioral2/memory/3808-140-0x00007FF62AB30000-0x00007FF62AE81000-memory.dmp	upx
behavioral2/memory/1764-139-0x00007FF65C630000-0x00007FF65C981000-memory.dmp	upx
behavioral2/memory/2788-138-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp	upx
behavioral2/memory/2228-145-0x00007FF6F7D90000-0x00007FF6F80E1000-memory.dmp	upx
behavioral2/memory/4004-154-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp	upx
behavioral2/memory/4996-211-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp	upx
behavioral2/memory/3476-213-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp	upx
behavioral2/memory/4660-215-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	upx
behavioral2/memory/2916-217-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp	upx
behavioral2/memory/1756-219-0x00007FF764840000-0x00007FF764B91000-memory.dmp	upx
behavioral2/memory/2788-221-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AAFcIiJ.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\eEaOlkF.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\ExXqeMu.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\niRYmFu.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\Rjihrhi.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\URnYKuD.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\WGHrDPU.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\mAkCghM.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\sfmiDFQ.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\umXVUxA.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\rTQUuYB.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\MoFTToa.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\NPmZMiX.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\JwvtTtV.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\JRfAhur.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\Yvhjpol.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\LUtEASw.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\OcAFoZW.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\xxSYkjy.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\EezzxEg.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
File created	C:\Windows\System\OTqvsFp.exe	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
Token: SeLockMemoryPrivilege	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4996	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	84
PID 4004 wrote to memory of 4996	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	84
PID 4004 wrote to memory of 3476	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	85
PID 4004 wrote to memory of 3476	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	85
PID 4004 wrote to memory of 4660	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	86
PID 4004 wrote to memory of 4660	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	86
PID 4004 wrote to memory of 2916	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	87
PID 4004 wrote to memory of 2916	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	87
PID 4004 wrote to memory of 1756	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	88
PID 4004 wrote to memory of 1756	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	88
PID 4004 wrote to memory of 2788	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	89
PID 4004 wrote to memory of 2788	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	89
PID 4004 wrote to memory of 1764	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	90
PID 4004 wrote to memory of 1764	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	90
PID 4004 wrote to memory of 3808	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	91
PID 4004 wrote to memory of 3808	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	91
PID 4004 wrote to memory of 3764	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	92
PID 4004 wrote to memory of 3764	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	92
PID 4004 wrote to memory of 2828	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	93
PID 4004 wrote to memory of 2828	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	93
PID 4004 wrote to memory of 2976	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	94
PID 4004 wrote to memory of 2976	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	94
PID 4004 wrote to memory of 4904	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	95
PID 4004 wrote to memory of 4904	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	95
PID 4004 wrote to memory of 2228	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	96
PID 4004 wrote to memory of 2228	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	96
PID 4004 wrote to memory of 4600	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	97
PID 4004 wrote to memory of 4600	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	97
PID 4004 wrote to memory of 3680	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	98
PID 4004 wrote to memory of 3680	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	98
PID 4004 wrote to memory of 3392	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	99
PID 4004 wrote to memory of 3392	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	99
PID 4004 wrote to memory of 3360	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	100
PID 4004 wrote to memory of 3360	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	100
PID 4004 wrote to memory of 4172	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	101
PID 4004 wrote to memory of 4172	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	101
PID 4004 wrote to memory of 1684	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	102
PID 4004 wrote to memory of 1684	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	102
PID 4004 wrote to memory of 1124	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	103
PID 4004 wrote to memory of 1124	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	103
PID 4004 wrote to memory of 768	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	104
PID 4004 wrote to memory of 768	4004	6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe	104

C:\Users\Admin\AppData\Local\Temp\6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe
"C:\Users\Admin\AppData\Local\Temp\6c0b175ec4029304472e651cfda86561a871fc91f7941c0d729ea57f57a13553N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\System\NPmZMiX.exe
  C:\Windows\System\NPmZMiX.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\URnYKuD.exe
  C:\Windows\System\URnYKuD.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\AAFcIiJ.exe
  C:\Windows\System\AAFcIiJ.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\WGHrDPU.exe
  C:\Windows\System\WGHrDPU.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\OTqvsFp.exe
  C:\Windows\System\OTqvsFp.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\mAkCghM.exe
  C:\Windows\System\mAkCghM.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\OcAFoZW.exe
  C:\Windows\System\OcAFoZW.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\sfmiDFQ.exe
  C:\Windows\System\sfmiDFQ.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\JwvtTtV.exe
  C:\Windows\System\JwvtTtV.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\eEaOlkF.exe
  C:\Windows\System\eEaOlkF.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\xxSYkjy.exe
  C:\Windows\System\xxSYkjy.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\umXVUxA.exe
  C:\Windows\System\umXVUxA.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\JRfAhur.exe
  C:\Windows\System\JRfAhur.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\rTQUuYB.exe
  C:\Windows\System\rTQUuYB.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\EezzxEg.exe
  C:\Windows\System\EezzxEg.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\ExXqeMu.exe
  C:\Windows\System\ExXqeMu.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\Yvhjpol.exe
  C:\Windows\System\Yvhjpol.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\MoFTToa.exe
  C:\Windows\System\MoFTToa.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\niRYmFu.exe
  C:\Windows\System\niRYmFu.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\LUtEASw.exe
  C:\Windows\System\LUtEASw.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\Rjihrhi.exe
  C:\Windows\System\Rjihrhi.exe
  2⤵
  - Executes dropped EXE
  PID:768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AAFcIiJ.exe

Filesize
5.2MB

MD5
4cd6386aae2e2ee510e299a2fa43a563

SHA1
62172f7f0a8e280e21b5fba44563ad67358b3203

SHA256
44cada1c3759d966d625f6789ffcb46d9869df246fbd57cac695e86df5b8b70a

SHA512
d2d21d2eaacfe1cd3149022407bfa03daf8377b9fb419897278cd4d1ca91e76d3f50acf7d0555293232a80ccb7913902b8a00bc80587d6119675e1005de34b36

Download Submit
C:\Windows\System\EezzxEg.exe

Filesize
5.2MB

MD5
b5b66243779b8cf9441e2f88ef1c052c

SHA1
c4198a4f0b7c0e74018f77ccfa182234c8980466

SHA256
2d06012fec35a36f6185ef06b103746a3195f53967b540ba901f0b9a32ea0493

SHA512
b410a3b3ee3822cb0bcb5b39605680ddbefb3082ad07a69b41e77a91bc57fa0c049f199bb90804cbbc9f70609849a42599d46b5faf89b39b5fff8aab2d96178e

Download Submit
C:\Windows\System\ExXqeMu.exe

Filesize
5.2MB

MD5
38ac68c306b8bd7c281ab411ebf8a81a

SHA1
13744e4a2fe16479e6a960c57739538e2674b640

SHA256
d0231f00f86f0969e1be8feb39940ee58eba79d1200b62f8e12e927924b60255

SHA512
6b9ae740c8fe3aaa0b1b18be0482bcd358753dd404384a97e7839daef5c7979f8a63cda1fca05ba440eb78c42abbd734878c87d0810cc9b4a69b2c894451a3c7

Download Submit
C:\Windows\System\JRfAhur.exe

Filesize
5.2MB

MD5
9343c67700f8883d2c2a663dcd4fe0a9

SHA1
262cccb19a8dd42a65d0e9db63645a52d6cf5ebf

SHA256
910cfed3258bb56ac4fe18abccc85761fbd124a18f6555ab274bf5e684a7a2cc

SHA512
8ec03b98349b3bd65c149f03e064a3b3a5d540e5fd5f219ac75992299ee4adff4ffecfd8e21cd82252e4f014a191a9d732acfbf88ea99e098abdef7b645d4fa7

Download Submit
C:\Windows\System\JwvtTtV.exe

Filesize
5.2MB

MD5
7938a6beb619c33c2777525457f03215

SHA1
964cf93ee01f42431f9369ae6d202549f8405266

SHA256
d3bfec4cb15bd04caee59c9126dc3477627de278a8c18a1886246af5023e52ff

SHA512
c10946d211b4bfe0c28af74227e637c25cac52d36a9e206b660ac36f89ceaa82ac691614cd2eb9350e18b2b6236d3e8a7e3e8048f77fe1d931a1dbad9e6fe8e8

Download Submit
C:\Windows\System\LUtEASw.exe

Filesize
5.2MB

MD5
b0f42d1216447962da512a6a517ea323

SHA1
6fea9cf06d9582bc3e594b0dc7f5d2d68b1bf6be

SHA256
4ee2b71494d89b875b2587d00786165ffcc2c6f02428880057cc70d21118decd

SHA512
c2e9f754f44409098b171b6652a60f5b149c9e2c9727c73fa16b93bacd0775891dd5585b1c209bb6b798df10ad97734c351585f39c90ca69cc320703983d6702

Download Submit
C:\Windows\System\MoFTToa.exe

Filesize
5.2MB

MD5
88714deb58235a1a18159a485826b858

SHA1
f75a5cb58391680f204ebb35e9db6b891ab98cc8

SHA256
db105f60b86ff7ce47ee92f86daf4ec2c6804953c437392bd898af018361cc8c

SHA512
d8164181a9b18d151d20978316e480d08c848887e4d374305a142f94746079b680cb0946b07c103b5eef7bf79eeb85ec291614eb20e5d915f4d13650727721ae

Download Submit
C:\Windows\System\NPmZMiX.exe

Filesize
5.2MB

MD5
1e31325768b3e80ad3204ab8861495ee

SHA1
c56145e01571e0d879194dbcb1d3a1155b5c1afb

SHA256
4cefd7f98917dfd16ce9a10fcf5a54ce4aaf4202993fe45c1231436460c1e2e2

SHA512
68e75335bf5f96cada19b84ff872e002a97b95fa06915a9bcf2722f09c519f22806d47742c2e1ebd8525e3efba7e50a7ece9fc013535a929749e94eb75500998

Download Submit
C:\Windows\System\OTqvsFp.exe

Filesize
5.2MB

MD5
401ac30ca19ef6373432ad2a2d242ee7

SHA1
96f21281c1b34676a270dded989d839a1457df1f

SHA256
a8b26f5ba0598281c242ffad0daf2ef5675c73b134d7dae9530a6291457ee3ae

SHA512
4deecff9746aaa6dd64d040210d46fa14fe9afcaf0b021e25d22ec1497d2224774dbb88910ace135238e34bf781e7dda89fad579f5077bc38fb193c6127dc15f

Download Submit
C:\Windows\System\OcAFoZW.exe

Filesize
5.2MB

MD5
e14107a1a862ad146cfa27df0e7f90e9

SHA1
d9749fc919d1d62f11bc7037cd30de07eb69dbf6

SHA256
fd598754183d031050e01c33b34d3207768d40c82559ad31657a68dbfe0aa47c

SHA512
a114b53443d1756593df945be918f5fa89fb327db102390c1cf44f0fa841f9ab64fd4fabc3f31850b877a9e8017c1deda97f287d86bcdf04fcc790522b994821

Download Submit
C:\Windows\System\Rjihrhi.exe

Filesize
5.2MB

MD5
dcf3bd96a6650de290a018b534c537d6

SHA1
bfcb516d84269364b6c1156b7f9c29ad0117655a

SHA256
ea7c51a4f93a5681222da36338a4bff1719624b6b6612f9941725eb7a7d71c04

SHA512
e22ab08641f956bf159b7427cba8f6cd3e3b4c59114a8568f8b268f4c9a5e724345dbdbf2919c4ed1ae1d9166b7a6691ba0e3455da0a0d51c4c69719f2f658e0

Download Submit
C:\Windows\System\URnYKuD.exe

Filesize
5.2MB

MD5
f8a93a94eb3e4a2bd5266b25e777c8f6

SHA1
b6f4fce7d164fe0292331eb06e5d2c8f1fc0cdd5

SHA256
b6dc5bf9336ea8eb811fa6a4387714c031e7050498bd9427eda0089e473ac39a

SHA512
2e54ced64f3c6b2fb5b157fd7a187205ede912f2385e67fca3ca40424f6bff65565a119050c9116591bef618fedf67f184ae2efba5d81736c463a89a2b63fac4

Download Submit
C:\Windows\System\WGHrDPU.exe

Filesize
5.2MB

MD5
e6859a7f16f77695dc733f88b838c97c

SHA1
5195778eabd27e3f984c4832b84ceb594a7345bf

SHA256
6da4433a2aabc08cfa9dc330c39201a8e2bb6af0f60be636f773e429bf124d3e

SHA512
63278922a6ff0b466f7646fdf141a51e237819ff5275f15ed6837cf2a6df62b90436d06b9dc1fb5081bf1fb4c6ddbf3648da7ad76b6836964a5acd063832ce17

Download Submit
C:\Windows\System\Yvhjpol.exe

Filesize
5.2MB

MD5
b95defd49ecabd3415b74b0a4cc6fd61

SHA1
0e1edaf4d4771bdc9bf6ead496c333c74f25ac4f

SHA256
eaee1d977aaa8809ab40215ce38c2abeef487d55f5c62187ddad901e84898317

SHA512
66d2fdd1b115cab4bba257cc58d86a78286b052d6ae439ae097e2dfdaf8c22e87f2cdacecf013cfad66444572d072b7c7ad8b78f1b2286c44e9c0388a28ab5a2

Download Submit
C:\Windows\System\eEaOlkF.exe

Filesize
5.2MB

MD5
b945cfb1a8808d17708c5108a3690c85

SHA1
c5812bb145a9fef456a8f509efbca53bff76aa35

SHA256
e848c2b7cf607af4387fb099096025e1dce3678d2335568a420be1d64fc8d193

SHA512
b6a621a37a83b2631831cbd95d380e823f147047e6a0a3e825341deba34e105fa0a6d023a5110bc091a11dc03d7aaa9251349e9d9ccdf5282022353989b05cbc

Download Submit
C:\Windows\System\mAkCghM.exe

Filesize
5.2MB

MD5
c03015f9de7c91a3855cad795be79fe6

SHA1
43af235bbbbd611e21f0931d04ba5cddd769eaaa

SHA256
50c050de6ceed46ebbdde01f634ea9ab8cdc3bd68e4bfb286ec6a98d868e663f

SHA512
5f8825e3a6c3260b5f8aa899e16c51f49d4b5f490b2c6ff5fa3cf11b90266c28a1d0773ab431fcfffeaaf48e42adc9c1bf7af99c290b666b5b8dc9424185ade7

Download Submit
C:\Windows\System\niRYmFu.exe

Filesize
5.2MB

MD5
f1b085da2f16492c58dd313de055f6f5

SHA1
257cc7efc453bf4d7a341bbd33fdb91371634714

SHA256
a90ba1550131510ac116c6d7c797fef53bdf8fd8012449ecc52db24f37c188d5

SHA512
edea28cff06add34a65ec259885270b372f33c6bf4438dd1561f5e213583879144aa9f07c10cb0a9164cce349cf679b171dd56d1ce3567c1ea7d40dab7c6db80

Download Submit
C:\Windows\System\rTQUuYB.exe

Filesize
5.2MB

MD5
e992d2ecf58ae29eb3625e58298fb948

SHA1
4ff293dda3b4f0e714e3fe9c22cb9be654bbeb8b

SHA256
96fe9b20b56448812637a05b5f8b0aeea8837ad32f84072181678b4bbe8efb22

SHA512
730bff04d662bc85cc7a1681ecc8217ac7dbcec2a15585feef6949834a98aef5ba888b15593cf2ce334fe442cb3097d47fbe4343f620ff38ebec274743897576

Download Submit
C:\Windows\System\sfmiDFQ.exe

Filesize
5.2MB

MD5
7754ebca7faa617fc8fd8f0a34ff3597

SHA1
f26cdfb50ae65929050cec8b805ef641838d8348

SHA256
842466cd7f165f1d4d2c0093ce41ee7edbd554a2d39d791dc9f7fab7e1da939a

SHA512
86449e746539e113d0850690721f530e92ec5a9a914af55d93177ca70f5f3f56ac37e9ff82e34df36191190333553cdc574fe0ee9c68034b6d824eddcb760ced

Download Submit
C:\Windows\System\umXVUxA.exe

Filesize
5.2MB

MD5
45c0bccf78bc68df1a90cd52e03123e1

SHA1
3faa102523ef261313ea3bf795e24a5fd88b6d7d

SHA256
986e45b52387c6938d9bb117031fbb4994eaf2d2b98b4297b70a83d8b8eec218

SHA512
b6e4d3b90a62ad6fbbf451c8b40f85674dbce581e771394c595e5a1989c8162a8bb2e9023c2434fa349a7c5de65f5b6b6126b3e26c1b01632666dfcfae25bd04

Download Submit
C:\Windows\System\xxSYkjy.exe

Filesize
5.2MB

MD5
2515980a4788dd5e0ab87f9eefa2308a

SHA1
faf1425a92ff81084efc146759676501f1fb5379

SHA256
3f79843500498621d830863eb20a2c6f3fd9f6a8e50ad7c1939b1dfc081824fc

SHA512
1e9f6a6cdd2c3ef8b48cf98aa6073b1ea76aaed108ccf89159d59e6b7ba1487be77f67e4558c2fb9387daeab83cce7a785fea844529ff1bcb2a647b5b9830e36

Download Submit
memory/768-261-0x00007FF7A1F10000-0x00007FF7A2261000-memory.dmp

Filesize
3.3MB

Download
memory/768-128-0x00007FF7A1F10000-0x00007FF7A2261000-memory.dmp

Filesize
3.3MB

Download
memory/1124-254-0x00007FF6B8100000-0x00007FF6B8451000-memory.dmp

Filesize
3.3MB

Download
memory/1124-127-0x00007FF6B8100000-0x00007FF6B8451000-memory.dmp

Filesize
3.3MB

Download
memory/1684-126-0x00007FF6848F0000-0x00007FF684C41000-memory.dmp

Filesize
3.3MB

Download
memory/1684-259-0x00007FF6848F0000-0x00007FF684C41000-memory.dmp

Filesize
3.3MB

Download
memory/1756-137-0x00007FF764840000-0x00007FF764B91000-memory.dmp

Filesize
3.3MB

Download
memory/1756-38-0x00007FF764840000-0x00007FF764B91000-memory.dmp

Filesize
3.3MB

Download
memory/1756-219-0x00007FF764840000-0x00007FF764B91000-memory.dmp

Filesize
3.3MB

Download
memory/1764-48-0x00007FF65C630000-0x00007FF65C981000-memory.dmp

Filesize
3.3MB

Download
memory/1764-223-0x00007FF65C630000-0x00007FF65C981000-memory.dmp

Filesize
3.3MB

Download
memory/1764-139-0x00007FF65C630000-0x00007FF65C981000-memory.dmp

Filesize
3.3MB

Download
memory/2228-145-0x00007FF6F7D90000-0x00007FF6F80E1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-113-0x00007FF6F7D90000-0x00007FF6F80E1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-245-0x00007FF6F7D90000-0x00007FF6F80E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-138-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-221-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-43-0x00007FF61ED90000-0x00007FF61F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-142-0x00007FF7EE790000-0x00007FF7EEAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-227-0x00007FF7EE790000-0x00007FF7EEAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-58-0x00007FF7EE790000-0x00007FF7EEAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-26-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp

Filesize
3.3MB

Download
memory/2916-217-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp

Filesize
3.3MB

Download
memory/2916-136-0x00007FF7FCC00000-0x00007FF7FCF51000-memory.dmp

Filesize
3.3MB

Download
memory/2976-70-0x00007FF7C5DC0000-0x00007FF7C6111000-memory.dmp

Filesize
3.3MB

Download
memory/2976-233-0x00007FF7C5DC0000-0x00007FF7C6111000-memory.dmp

Filesize
3.3MB

Download
memory/2976-143-0x00007FF7C5DC0000-0x00007FF7C6111000-memory.dmp

Filesize
3.3MB

Download
memory/3360-124-0x00007FF626790000-0x00007FF626AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3360-257-0x00007FF626790000-0x00007FF626AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-123-0x00007FF7ECE80000-0x00007FF7ED1D1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-251-0x00007FF7ECE80000-0x00007FF7ED1D1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-129-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp

Filesize
3.3MB

Download
memory/3476-213-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp

Filesize
3.3MB

Download
memory/3476-15-0x00007FF69C6C0000-0x00007FF69CA11000-memory.dmp

Filesize
3.3MB

Download
memory/3680-122-0x00007FF60C910000-0x00007FF60CC61000-memory.dmp

Filesize
3.3MB

Download
memory/3680-247-0x00007FF60C910000-0x00007FF60CC61000-memory.dmp

Filesize
3.3MB

Download
memory/3764-141-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-49-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-229-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp

Filesize
3.3MB

Download
memory/3808-55-0x00007FF62AB30000-0x00007FF62AE81000-memory.dmp

Filesize
3.3MB

Download
memory/3808-226-0x00007FF62AB30000-0x00007FF62AE81000-memory.dmp

Filesize
3.3MB

Download
memory/3808-140-0x00007FF62AB30000-0x00007FF62AE81000-memory.dmp

Filesize
3.3MB

Download
memory/4004-132-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-154-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-0-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-74-0x00007FF7F4E50000-0x00007FF7F51A1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-1-0x0000017E937B0000-0x0000017E937C0000-memory.dmp

Filesize
64KB

Download
memory/4172-125-0x00007FF65FD00000-0x00007FF660051000-memory.dmp

Filesize
3.3MB

Download
memory/4172-256-0x00007FF65FD00000-0x00007FF660051000-memory.dmp

Filesize
3.3MB

Download
memory/4600-131-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp

Filesize
3.3MB

Download
memory/4600-249-0x00007FF7BC540000-0x00007FF7BC891000-memory.dmp

Filesize
3.3MB

Download
memory/4660-16-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp

Filesize
3.3MB

Download
memory/4660-215-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp

Filesize
3.3MB

Download
memory/4660-130-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp

Filesize
3.3MB

Download
memory/4904-243-0x00007FF7CB740000-0x00007FF7CBA91000-memory.dmp

Filesize
3.3MB

Download
memory/4904-80-0x00007FF7CB740000-0x00007FF7CBA91000-memory.dmp

Filesize
3.3MB

Download
memory/4996-211-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp

Filesize
3.3MB

Download
memory/4996-81-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp

Filesize
3.3MB

Download
memory/4996-8-0x00007FF7ACCB0000-0x00007FF7AD001000-memory.dmp

Filesize
3.3MB

Download