cobaltstrike | 68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
Size

5.2MB
MD5

63be4bb8d339b8fa420874457468b200
SHA1

0bd72110c1f0bb300674e510d2b75ef4744370ac
SHA256

68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5
SHA512

4e5e1dfaf4a1dd1898f0b831991d93013e1ccf8d67b129123b8e84894561dfc3b5f874a3b71a4503df6a492ab8f9985e1124d934b2e198e42580f2349e7ecc69
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\SdIKoDP.exe	cobalt_reflective_dll
C:\Windows\System\fGLkcgD.exe	cobalt_reflective_dll
C:\Windows\System\kUefigO.exe	cobalt_reflective_dll
C:\Windows\System\KtFEPji.exe	cobalt_reflective_dll
C:\Windows\System\XKbKsTg.exe	cobalt_reflective_dll
C:\Windows\System\WWRRQUZ.exe	cobalt_reflective_dll
C:\Windows\System\VIHggJD.exe	cobalt_reflective_dll
C:\Windows\System\ydvceRG.exe	cobalt_reflective_dll
C:\Windows\System\irvrdqI.exe	cobalt_reflective_dll
C:\Windows\System\NHOkfrl.exe	cobalt_reflective_dll
C:\Windows\System\fyivnAC.exe	cobalt_reflective_dll
C:\Windows\System\NMyBBLt.exe	cobalt_reflective_dll
C:\Windows\System\uXwWqFj.exe	cobalt_reflective_dll
C:\Windows\System\zbVmqoH.exe	cobalt_reflective_dll
C:\Windows\System\vvLJmYy.exe	cobalt_reflective_dll
C:\Windows\System\ZHXAIpw.exe	cobalt_reflective_dll
C:\Windows\System\AfdTyGr.exe	cobalt_reflective_dll
C:\Windows\System\GZgCqhL.exe	cobalt_reflective_dll
C:\Windows\System\HYJBVOn.exe	cobalt_reflective_dll
C:\Windows\System\XeOHfMq.exe	cobalt_reflective_dll
C:\Windows\System\UyBpDoV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1428-26-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp	xmrig
behavioral2/memory/2904-33-0x00007FF738CF0000-0x00007FF739041000-memory.dmp	xmrig
behavioral2/memory/3784-40-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp	xmrig
behavioral2/memory/4640-52-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp	xmrig
behavioral2/memory/2460-56-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp	xmrig
behavioral2/memory/64-75-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp	xmrig
behavioral2/memory/5012-84-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp	xmrig
behavioral2/memory/2904-108-0x00007FF738CF0000-0x00007FF739041000-memory.dmp	xmrig
behavioral2/memory/2472-109-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp	xmrig
behavioral2/memory/660-93-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp	xmrig
behavioral2/memory/868-86-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp	xmrig
behavioral2/memory/2532-78-0x00007FF618690000-0x00007FF6189E1000-memory.dmp	xmrig
behavioral2/memory/4560-76-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp	xmrig
behavioral2/memory/216-69-0x00007FF622DF0000-0x00007FF623141000-memory.dmp	xmrig
behavioral2/memory/220-61-0x00007FF7351F0000-0x00007FF735541000-memory.dmp	xmrig
behavioral2/memory/2852-128-0x00007FF6110F0000-0x00007FF611441000-memory.dmp	xmrig
behavioral2/memory/4708-139-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp	xmrig
behavioral2/memory/2244-141-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp	xmrig
behavioral2/memory/4640-135-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp	xmrig
behavioral2/memory/1864-134-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp	xmrig
behavioral2/memory/676-145-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp	xmrig
behavioral2/memory/2692-150-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp	xmrig
behavioral2/memory/1048-153-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp	xmrig
behavioral2/memory/1912-152-0x00007FF669D00000-0x00007FF66A051000-memory.dmp	xmrig
behavioral2/memory/220-156-0x00007FF7351F0000-0x00007FF735541000-memory.dmp	xmrig
behavioral2/memory/216-203-0x00007FF622DF0000-0x00007FF623141000-memory.dmp	xmrig
behavioral2/memory/4560-205-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp	xmrig
behavioral2/memory/5012-207-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp	xmrig
behavioral2/memory/1428-215-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp	xmrig
behavioral2/memory/2904-217-0x00007FF738CF0000-0x00007FF739041000-memory.dmp	xmrig
behavioral2/memory/3784-219-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp	xmrig
behavioral2/memory/1864-221-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp	xmrig
behavioral2/memory/4640-225-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp	xmrig
behavioral2/memory/2460-227-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp	xmrig
behavioral2/memory/676-229-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp	xmrig
behavioral2/memory/64-231-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp	xmrig
behavioral2/memory/2532-233-0x00007FF618690000-0x00007FF6189E1000-memory.dmp	xmrig
behavioral2/memory/868-235-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp	xmrig
behavioral2/memory/660-237-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp	xmrig
behavioral2/memory/2692-239-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp	xmrig
behavioral2/memory/2472-241-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp	xmrig
behavioral2/memory/1912-243-0x00007FF669D00000-0x00007FF66A051000-memory.dmp	xmrig
behavioral2/memory/1048-245-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp	xmrig
behavioral2/memory/2852-247-0x00007FF6110F0000-0x00007FF611441000-memory.dmp	xmrig
behavioral2/memory/4708-252-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp	xmrig
behavioral2/memory/2244-254-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

SdIKoDP.exekUefigO.exefGLkcgD.exeKtFEPji.exeXKbKsTg.exeWWRRQUZ.exeVIHggJD.exeydvceRG.exeirvrdqI.exeNHOkfrl.exefyivnAC.exeNMyBBLt.exeuXwWqFj.exezbVmqoH.exevvLJmYy.exeZHXAIpw.exeAfdTyGr.exeHYJBVOn.exeGZgCqhL.exeUyBpDoV.exeXeOHfMq.exe

pid	process
216	SdIKoDP.exe
4560	kUefigO.exe
5012	fGLkcgD.exe
1428	KtFEPji.exe
2904	XKbKsTg.exe
3784	WWRRQUZ.exe
1864	VIHggJD.exe
4640	ydvceRG.exe
2460	irvrdqI.exe
676	NHOkfrl.exe
64	fyivnAC.exe
2532	NMyBBLt.exe
868	uXwWqFj.exe
660	zbVmqoH.exe
2692	vvLJmYy.exe
2472	ZHXAIpw.exe
1912	AfdTyGr.exe
1048	HYJBVOn.exe
2852	GZgCqhL.exe
4708	UyBpDoV.exe
2244	XeOHfMq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/220-0-0x00007FF7351F0000-0x00007FF735541000-memory.dmp	upx
C:\Windows\System\SdIKoDP.exe	upx
behavioral2/memory/216-6-0x00007FF622DF0000-0x00007FF623141000-memory.dmp	upx
C:\Windows\System\fGLkcgD.exe	upx
C:\Windows\System\kUefigO.exe	upx
behavioral2/memory/5012-18-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp	upx
behavioral2/memory/4560-14-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp	upx
C:\Windows\System\KtFEPji.exe	upx
C:\Windows\System\XKbKsTg.exe	upx
behavioral2/memory/1428-26-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp	upx
C:\Windows\System\WWRRQUZ.exe	upx
behavioral2/memory/2904-33-0x00007FF738CF0000-0x00007FF739041000-memory.dmp	upx
C:\Windows\System\VIHggJD.exe	upx
behavioral2/memory/3784-40-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp	upx
behavioral2/memory/1864-44-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp	upx
C:\Windows\System\ydvceRG.exe	upx
behavioral2/memory/4640-52-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp	upx
C:\Windows\System\irvrdqI.exe	upx
behavioral2/memory/2460-56-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp	upx
C:\Windows\System\NHOkfrl.exe	upx
C:\Windows\System\fyivnAC.exe	upx
C:\Windows\System\NMyBBLt.exe	upx
behavioral2/memory/64-75-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp	upx
C:\Windows\System\uXwWqFj.exe	upx
behavioral2/memory/5012-84-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp	upx
C:\Windows\System\zbVmqoH.exe	upx
C:\Windows\System\vvLJmYy.exe	upx
C:\Windows\System\ZHXAIpw.exe	upx
behavioral2/memory/2904-108-0x00007FF738CF0000-0x00007FF739041000-memory.dmp	upx
C:\Windows\System\AfdTyGr.exe	upx
C:\Windows\System\GZgCqhL.exe	upx
behavioral2/memory/1048-117-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp	upx
C:\Windows\System\HYJBVOn.exe	upx
behavioral2/memory/1912-112-0x00007FF669D00000-0x00007FF66A051000-memory.dmp	upx
behavioral2/memory/2472-109-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp	upx
behavioral2/memory/2692-94-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp	upx
behavioral2/memory/660-93-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp	upx
behavioral2/memory/868-86-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp	upx
behavioral2/memory/2532-78-0x00007FF618690000-0x00007FF6189E1000-memory.dmp	upx
behavioral2/memory/4560-76-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp	upx
behavioral2/memory/216-69-0x00007FF622DF0000-0x00007FF623141000-memory.dmp	upx
behavioral2/memory/676-62-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp	upx
behavioral2/memory/220-61-0x00007FF7351F0000-0x00007FF735541000-memory.dmp	upx
behavioral2/memory/2852-128-0x00007FF6110F0000-0x00007FF611441000-memory.dmp	upx
C:\Windows\System\XeOHfMq.exe	upx
behavioral2/memory/4708-139-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp	upx
behavioral2/memory/2244-141-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp	upx
behavioral2/memory/4640-135-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp	upx
behavioral2/memory/1864-134-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp	upx
C:\Windows\System\UyBpDoV.exe	upx
behavioral2/memory/676-145-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp	upx
behavioral2/memory/2692-150-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp	upx
behavioral2/memory/1048-153-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp	upx
behavioral2/memory/1912-152-0x00007FF669D00000-0x00007FF66A051000-memory.dmp	upx
behavioral2/memory/220-156-0x00007FF7351F0000-0x00007FF735541000-memory.dmp	upx
behavioral2/memory/216-203-0x00007FF622DF0000-0x00007FF623141000-memory.dmp	upx
behavioral2/memory/4560-205-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp	upx
behavioral2/memory/5012-207-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp	upx
behavioral2/memory/1428-215-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp	upx
behavioral2/memory/2904-217-0x00007FF738CF0000-0x00007FF739041000-memory.dmp	upx
behavioral2/memory/3784-219-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp	upx
behavioral2/memory/1864-221-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp	upx
behavioral2/memory/4640-225-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp	upx
behavioral2/memory/2460-227-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\fGLkcgD.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\VIHggJD.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\HYJBVOn.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\GZgCqhL.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\UyBpDoV.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\XeOHfMq.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\ydvceRG.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\uXwWqFj.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\zbVmqoH.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\XKbKsTg.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\WWRRQUZ.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\irvrdqI.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\vvLJmYy.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\AfdTyGr.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\SdIKoDP.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\kUefigO.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\KtFEPji.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\NHOkfrl.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\fyivnAC.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\NMyBBLt.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
File created	C:\Windows\System\ZHXAIpw.exe	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
Token: SeLockMemoryPrivilege	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe

description	pid	process	target process
PID 220 wrote to memory of 216	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	SdIKoDP.exe
PID 220 wrote to memory of 216	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	SdIKoDP.exe
PID 220 wrote to memory of 4560	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	kUefigO.exe
PID 220 wrote to memory of 4560	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	kUefigO.exe
PID 220 wrote to memory of 5012	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	fGLkcgD.exe
PID 220 wrote to memory of 5012	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	fGLkcgD.exe
PID 220 wrote to memory of 1428	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	KtFEPji.exe
PID 220 wrote to memory of 1428	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	KtFEPji.exe
PID 220 wrote to memory of 2904	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	XKbKsTg.exe
PID 220 wrote to memory of 2904	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	XKbKsTg.exe
PID 220 wrote to memory of 3784	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	WWRRQUZ.exe
PID 220 wrote to memory of 3784	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	WWRRQUZ.exe
PID 220 wrote to memory of 1864	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	VIHggJD.exe
PID 220 wrote to memory of 1864	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	VIHggJD.exe
PID 220 wrote to memory of 4640	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	ydvceRG.exe
PID 220 wrote to memory of 4640	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	ydvceRG.exe
PID 220 wrote to memory of 2460	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	irvrdqI.exe
PID 220 wrote to memory of 2460	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	irvrdqI.exe
PID 220 wrote to memory of 676	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	NHOkfrl.exe
PID 220 wrote to memory of 676	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	NHOkfrl.exe
PID 220 wrote to memory of 64	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	fyivnAC.exe
PID 220 wrote to memory of 64	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	fyivnAC.exe
PID 220 wrote to memory of 2532	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	NMyBBLt.exe
PID 220 wrote to memory of 2532	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	NMyBBLt.exe
PID 220 wrote to memory of 868	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	uXwWqFj.exe
PID 220 wrote to memory of 868	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	uXwWqFj.exe
PID 220 wrote to memory of 660	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	zbVmqoH.exe
PID 220 wrote to memory of 660	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	zbVmqoH.exe
PID 220 wrote to memory of 2692	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	vvLJmYy.exe
PID 220 wrote to memory of 2692	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	vvLJmYy.exe
PID 220 wrote to memory of 2472	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	ZHXAIpw.exe
PID 220 wrote to memory of 2472	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	ZHXAIpw.exe
PID 220 wrote to memory of 1912	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	AfdTyGr.exe
PID 220 wrote to memory of 1912	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	AfdTyGr.exe
PID 220 wrote to memory of 1048	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	HYJBVOn.exe
PID 220 wrote to memory of 1048	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	HYJBVOn.exe
PID 220 wrote to memory of 2852	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	GZgCqhL.exe
PID 220 wrote to memory of 2852	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	GZgCqhL.exe
PID 220 wrote to memory of 4708	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	UyBpDoV.exe
PID 220 wrote to memory of 4708	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	UyBpDoV.exe
PID 220 wrote to memory of 2244	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	XeOHfMq.exe
PID 220 wrote to memory of 2244	220	2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe	XeOHfMq.exe

C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024052263be4bb8d339b8fa420874457468b200cobaltstrikecobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\System\SdIKoDP.exe
C:\Windows\System\SdIKoDP.exe
2⤵
- Executes dropped EXE
PID:216

C:\Windows\System\kUefigO.exe
C:\Windows\System\kUefigO.exe
2⤵
- Executes dropped EXE
PID:4560

C:\Windows\System\fGLkcgD.exe
C:\Windows\System\fGLkcgD.exe
2⤵
- Executes dropped EXE
PID:5012

C:\Windows\System\KtFEPji.exe
C:\Windows\System\KtFEPji.exe
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System\XKbKsTg.exe
C:\Windows\System\XKbKsTg.exe
2⤵
- Executes dropped EXE
PID:2904

C:\Windows\System\WWRRQUZ.exe
C:\Windows\System\WWRRQUZ.exe
2⤵
- Executes dropped EXE
PID:3784

C:\Windows\System\VIHggJD.exe
C:\Windows\System\VIHggJD.exe
2⤵
- Executes dropped EXE
PID:1864

C:\Windows\System\ydvceRG.exe
C:\Windows\System\ydvceRG.exe
2⤵
- Executes dropped EXE
PID:4640

C:\Windows\System\irvrdqI.exe
C:\Windows\System\irvrdqI.exe
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\System\NHOkfrl.exe
C:\Windows\System\NHOkfrl.exe
2⤵
- Executes dropped EXE
PID:676

C:\Windows\System\fyivnAC.exe
C:\Windows\System\fyivnAC.exe
2⤵
- Executes dropped EXE
PID:64

C:\Windows\System\NMyBBLt.exe
C:\Windows\System\NMyBBLt.exe
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\System\uXwWqFj.exe
C:\Windows\System\uXwWqFj.exe
2⤵
- Executes dropped EXE
PID:868

C:\Windows\System\zbVmqoH.exe
C:\Windows\System\zbVmqoH.exe
2⤵
- Executes dropped EXE
PID:660

C:\Windows\System\vvLJmYy.exe
C:\Windows\System\vvLJmYy.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\ZHXAIpw.exe
C:\Windows\System\ZHXAIpw.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\AfdTyGr.exe
C:\Windows\System\AfdTyGr.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\System\HYJBVOn.exe
C:\Windows\System\HYJBVOn.exe
2⤵
- Executes dropped EXE
PID:1048

C:\Windows\System\GZgCqhL.exe
C:\Windows\System\GZgCqhL.exe
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\System\UyBpDoV.exe
C:\Windows\System\UyBpDoV.exe
2⤵
- Executes dropped EXE
PID:4708

C:\Windows\System\XeOHfMq.exe
C:\Windows\System\XeOHfMq.exe
2⤵
- Executes dropped EXE
PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AfdTyGr.exe
Filesize
5.2MB

MD5
2b3a36ac3230bedaee109783ac4c1fef

SHA1
16411d9b0e9bd51a456086e93ae08210d81ae789

SHA256
9d7e10210a361b3156569d5f002f884e370682110fbe408eb4d64da80647c1db

SHA512
2a1d77d01ba544da2d5db7afc87b4ad3d3cc937c4657993e5c7c92009acd62f880a10df3ae210e61504b55ade301fad362f367b23f7ed79362a64f8011cb99c4

Download Submit
C:\Windows\System\GZgCqhL.exe
Filesize
5.2MB

MD5
2814864a3c40ac9fbcef0ec358908533

SHA1
768fa6c2c3f3415f73b788120c8398ff5d80a57e

SHA256
e1bf2ae11a245c780717ea00d091b596316d8c862e26d11ee1e2e721196db348

SHA512
111dc1f7c12db41e9d08b0fb63ef7b1473200030c33fe8de0bef8dce0b6314258428494e2dfe0c4cc72b7573cd127494e21d0b9d681a79a79af5f28e9ec06a44

Download Submit
C:\Windows\System\HYJBVOn.exe
Filesize
5.2MB

MD5
e76a9fc0d56ce04b2669103054cecd08

SHA1
941f9a7ba231539c5222a73b7da937afac427855

SHA256
fa50e02c2a007cd8006ddf5ea7d9b0de6f5a31cb6e7f15d2b4d4f10a42a6a41f

SHA512
56b8bbfbdd5e61fd33080298e696f2cef97714d7111ea5c38f1377a17d71ecc878fc98c1659174ec4418872a1368302e6b7e54a4b1cd36156fcc951a04a343ad

Download Submit
C:\Windows\System\KtFEPji.exe
Filesize
5.2MB

MD5
401341dbf1741aeb5fdf07ba6aa9d2cb

SHA1
5877d30926033b2643dc9c3c9abd8ed783dd01c7

SHA256
7ed3216534b62e0ffb43c3a54a41fa8a1af0f764e0e091d7c29c8c2f1f390f84

SHA512
4e0c5789a90a285a20839590eab3efa86ff693a4b218fb716b27b5dd1c689a6d70ac83df4609710e55515f0e610f53c8b7b7f6daa884076e34d3c73e2e4fa7d9

Download Submit
C:\Windows\System\NHOkfrl.exe
Filesize
5.2MB

MD5
da473e0a7521f3d8879ff1982bfca922

SHA1
a3fe28430e768e53d84f90c5008cc3dcc4ef8316

SHA256
ec7b3e19fa576a96c2d8705d8e64d72381905dcc78452554b08b1d411d29eada

SHA512
0c308ccd548ab11f100560666c8123c474aafe2965fa8b176f6c7cf8aa49b82b3dfbd4036f25efb8e2cfc46792f0bbd4fa9c2c9e1f5949aafc3ec0cbd96bdfe1

Download Submit
C:\Windows\System\NMyBBLt.exe
Filesize
5.2MB

MD5
680213ad05f8b7242354f6f465ee2adb

SHA1
cc7ceeffddf84adf7d4a749b7ef669442e025b48

SHA256
84c090e3577e9ae528e62859be454a5c0723206b0986d1b5eb8be74665e8987e

SHA512
ff97105cd289a9be62eafc1c9d9577d1148e0eb8ad59852230d8d70283000e8f0ca826ff2d797d77103ad78309a5604d66ef4efd9f9ad1f51682af63d5980bfe

Download Submit
C:\Windows\System\SdIKoDP.exe
Filesize
5.2MB

MD5
2fa2e30bfb8cafcae33ff733b110b07e

SHA1
3ca3563d0b96fbc60cf8e84224a93f19d69df7b5

SHA256
41f160cba604b2b2e3580f4bc849e756fd166ea9f5e520b616cbb486a08e562d

SHA512
1be77d3c2783c3bdacd35f4882e04e5bbae62e1cb802ed31f8787647382b1db3ae4bc88c8f0e5edb6fc67183dbabc3f47bec1199e278dd83a67407babac0172b

Download Submit
C:\Windows\System\UyBpDoV.exe
Filesize
5.2MB

MD5
bc7f66e2c1f04b4cdb341261881cefcd

SHA1
75e1a151419662e0f518023a833a57a80235cc66

SHA256
06f69e5a9429a5740fe5d7a9369a8a6cc87ceee2bfdae86abb5db20d47be0258

SHA512
ea484c4924321e83290054f7a2d3fa078765149524b752a356125a994cf635a1c70518649c4920284a27598dba20db5ce5cd1bdfe50becc2f64e19525d9f524f

Download Submit
C:\Windows\System\VIHggJD.exe
Filesize
5.2MB

MD5
f750739068c020ac031f2d68202cbe0c

SHA1
99350c14e7c0c4db436734c734d62f7f174ce079

SHA256
deb4f0cd45dd2a25ed7a9284b5ef659aba1137dd20bc365ea1da3729f71188c0

SHA512
87db1c624d7ee2b9451ca1c9e72be35b5dcaaac20fbde3b4c22582a898e2b11083f96a22b0b83d19f836547ab83b2a27e450e0134f1ad8e5fc316743b220a342

Download Submit
C:\Windows\System\WWRRQUZ.exe
Filesize
5.2MB

MD5
a637faae944a00c689d91cc5d64554fe

SHA1
cd14467a9ad6d0dbb33b608349949e98dab546d8

SHA256
d8345b1c4722f4f6d6d330971f7650618f06d2b979e5458543d6e50e5b518b4e

SHA512
9c4c6fdfe42bdc70a4e82645d027a5b9cd4717b4f89d9db332d7f21555583b75e48f594fc39783193999a37b9785c1565bd39a458cd1899e80d5e93ce14e769a

Download Submit
C:\Windows\System\XKbKsTg.exe
Filesize
5.2MB

MD5
052f6b011b4bd1ce7da06aa7d97c7fec

SHA1
852c5893e3d7205cda844c1d33c4ad7afa9995eb

SHA256
ca302a88cf717fc55a914fab5154621bf7f15b85b3e388746044b52798b77c62

SHA512
4119c6cc5331f6b01433a9740e33516e95f78fb782964e44bddd2f18ed2d465105dedbcc7b2890f3f36cdebc4d5fbb36206a37b1811a889cd1635ca995d204e0

Download Submit
C:\Windows\System\XeOHfMq.exe
Filesize
5.2MB

MD5
9bcaa3972771ad3419d6d9e7c40c97f6

SHA1
f3e5c4406df8bb603ad22b675f37b4f5bb9cc4b2

SHA256
f6321f854faf836c7f2f7e39b63349735172e4634d08a5d24b81cc155d6d7531

SHA512
68c09cb98c39be71c557fd7af70deb04fc5b10baf8fef6e026b657ab19b70a5482e55cb4e308541f7fd8259ea5e9b08bebb21042013ba2137008d447477e94a8

Download Submit
C:\Windows\System\ZHXAIpw.exe
Filesize
5.2MB

MD5
81ffd519da8db987cf440893b70e8384

SHA1
27668f2dbe497a31863f0bac4a9c14d6adfef8af

SHA256
26ddc70cb17339c10516104a582d337b692d1ba2fd35aa536d1ed3dd9b08548c

SHA512
6188ab40e1b95677d66017e8812475d40eb6699361bc750ef14f9fac5720d9b7a03023aca06644506cf9a32c5760fc864e5542048371c8557ef1da8272443094

Download Submit
C:\Windows\System\fGLkcgD.exe
Filesize
5.2MB

MD5
db5d1835498be84da78cd6ba95ae7c72

SHA1
cbead27cb8e33b83dd2241a2e985cd7d1df625a5

SHA256
e821ce2cd1736ff4ca09122a17c7f19f49004f0c629a60c6e799d6ab92ed7fbf

SHA512
98441cf1085d5f8f5e6d5406f699eef60dac475009b96ce5d4784affd530280e2ea7fc1a4270d9257a53eabfbf845845fba5bee57f9dab170f1ac455fbaf3605

Download Submit
C:\Windows\System\fyivnAC.exe
Filesize
5.2MB

MD5
c232590739b3ee2939abaa2c120b8217

SHA1
6316bdbac7b3795dd7e2aa526ff22ac211a90cb2

SHA256
908647fe42f314038aa4cc756c4b643bfd2551729de2fa9066c85f8eb0f5ba3e

SHA512
3e02f6bd06e08efdeab3b1109d83a59d0e2e2a6914df89f90cbd7ceb343cb3ae10b080980e199d21d281eeee9bb6313161731b212de38392c2aa9ca88d34a8c3

Download Submit
C:\Windows\System\irvrdqI.exe
Filesize
5.2MB

MD5
bac658ffc72f970919411ce70a3f56b4

SHA1
c83e6acbee326f67ae3db9d78d5d6ee8559ca3ae

SHA256
5f001d3ae412be2128d4af66b84db2c8d71397e4b364237caba49faf2d57dd60

SHA512
1d9419659f2850b0017279a0fa71dfd4b18af3295b74ed2d6bc4852ad404633536443c5a504bbb7df631757cb9e5cd41316a184067c6a3bba544b7468dfad1f8

Download Submit
C:\Windows\System\kUefigO.exe
Filesize
5.2MB

MD5
97dca85e3e6146dac753008091ce8fc1

SHA1
aed314569254d9fd0d128eb50aef7409e983645e

SHA256
c4b7754588213129690721eed373e790894979156048db3cc0740d3331e8ac51

SHA512
8c24e1a8f53e5899b4d94ecfd7c2a5105c512158271c955bd4cffa4edc3840a16504e8e85e6c46733efd5d358665d9900dc8671e6866fb91c39dc36d15a59275

Download Submit
C:\Windows\System\uXwWqFj.exe
Filesize
5.2MB

MD5
38947535975f5371e1518b83cd5c0d37

SHA1
30dba92ccafbc809e29f29b5f3df3a4da00fbbb2

SHA256
9a1c2d3000473c51829eeb6f1628cae36cb07c877dd3b9e286394b00c34510d6

SHA512
7592bd5c472c58553d4dc46585722f677a4dd52150215c2c1fd8e7945e3571a87417c2a547a0487a8ae9936656cbaca89ad6308cac0d84de01fd7f95bc76cada

Download Submit
C:\Windows\System\vvLJmYy.exe
Filesize
5.2MB

MD5
faf4f5e6902b454e4e42f7ca391841e5

SHA1
f9cdca20c6ea067511e336c8b8d6991a71922316

SHA256
7f91eb527ed88ec7af67961a2eb440c2952a8ff9ee0aa2f16f75993c8adb6245

SHA512
d9a7001d9210f7334ef22a4d9f1a45649e4610f4c016923d0bd29c458e3fb3204006f28b3e57302b4a6bf5f699f6cdc6a602f3d491ee28f949960716e51b6046

Download Submit
C:\Windows\System\ydvceRG.exe
Filesize
5.2MB

MD5
58a906c9bea4b7cf45798bf16b039c79

SHA1
80721aca70b93e89aee1281825ca515fe71377d2

SHA256
1888798d4df987ce2a0d295d898fa5ea29e899adc4172d0a7d6e32bd017a145f

SHA512
65698b75aa95da0b859b024a6edce5ae325dd8ec3a822ba1c095011c0d0f701aa0acfab3ee7b34a3e32ffddeabee0b82a6cc7ed840d48e284527e3e69cfe755f

Download Submit
C:\Windows\System\zbVmqoH.exe
Filesize
5.2MB

MD5
cb32241c92c462f38e486869e98b2c12

SHA1
8c6684115a5091f88e69435fd64cfe3d33f67c4d

SHA256
80484bd03528edef3d03d17cdb7f0ae5236f8b08f64b67745b0d397997bd36d3

SHA512
3c448f2f4eca11ddfed115866c8e35d930d4149ada9496069082f382316dfa6f052b9bcb0462db5513a8d5b88c9bc6259f66a4ebbfe4fe241ea8123e8ad405da

Download Submit
memory/64-75-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp

Filesize
3.3MB

Download
memory/64-231-0x00007FF7296C0000-0x00007FF729A11000-memory.dmp

Filesize
3.3MB

Download
memory/216-203-0x00007FF622DF0000-0x00007FF623141000-memory.dmp

Filesize
3.3MB

Download
memory/216-69-0x00007FF622DF0000-0x00007FF623141000-memory.dmp

Filesize
3.3MB

Download
memory/216-6-0x00007FF622DF0000-0x00007FF623141000-memory.dmp

Filesize
3.3MB

Download
memory/220-0-0x00007FF7351F0000-0x00007FF735541000-memory.dmp

Filesize
3.3MB

Download
memory/220-156-0x00007FF7351F0000-0x00007FF735541000-memory.dmp

Filesize
3.3MB

Download
memory/220-1-0x00000284E3BD0000-0x00000284E3BE0000-memory.dmp

Filesize
64KB

Download
memory/220-61-0x00007FF7351F0000-0x00007FF735541000-memory.dmp

Filesize
3.3MB

Download
memory/660-237-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp

Filesize
3.3MB

Download
memory/660-93-0x00007FF79BAF0000-0x00007FF79BE41000-memory.dmp

Filesize
3.3MB

Download
memory/676-62-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp

Filesize
3.3MB

Download
memory/676-229-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp

Filesize
3.3MB

Download
memory/676-145-0x00007FF71C3C0000-0x00007FF71C711000-memory.dmp

Filesize
3.3MB

Download
memory/868-86-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp

Filesize
3.3MB

Download
memory/868-235-0x00007FF7887A0000-0x00007FF788AF1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-245-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-117-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1048-153-0x00007FF759C80000-0x00007FF759FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-215-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-26-0x00007FF66E080000-0x00007FF66E3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-221-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-134-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-44-0x00007FF755C80000-0x00007FF755FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-152-0x00007FF669D00000-0x00007FF66A051000-memory.dmp

Filesize
3.3MB

Download
memory/1912-112-0x00007FF669D00000-0x00007FF66A051000-memory.dmp

Filesize
3.3MB

Download
memory/1912-243-0x00007FF669D00000-0x00007FF66A051000-memory.dmp

Filesize
3.3MB

Download
memory/2244-141-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp

Filesize
3.3MB

Download
memory/2244-254-0x00007FF6B1930000-0x00007FF6B1C81000-memory.dmp

Filesize
3.3MB

Download
memory/2460-227-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2460-56-0x00007FF79CBB0000-0x00007FF79CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2472-241-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-109-0x00007FF6B1450000-0x00007FF6B17A1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-78-0x00007FF618690000-0x00007FF6189E1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-233-0x00007FF618690000-0x00007FF6189E1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-239-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-94-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-150-0x00007FF7C48A0000-0x00007FF7C4BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-128-0x00007FF6110F0000-0x00007FF611441000-memory.dmp

Filesize
3.3MB

Download
memory/2852-247-0x00007FF6110F0000-0x00007FF611441000-memory.dmp

Filesize
3.3MB

Download
memory/2904-33-0x00007FF738CF0000-0x00007FF739041000-memory.dmp

Filesize
3.3MB

Download
memory/2904-217-0x00007FF738CF0000-0x00007FF739041000-memory.dmp

Filesize
3.3MB

Download
memory/2904-108-0x00007FF738CF0000-0x00007FF739041000-memory.dmp

Filesize
3.3MB

Download
memory/3784-40-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3784-219-0x00007FF6F6790000-0x00007FF6F6AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4560-14-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp

Filesize
3.3MB

Download
memory/4560-205-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp

Filesize
3.3MB

Download
memory/4560-76-0x00007FF789DF0000-0x00007FF78A141000-memory.dmp

Filesize
3.3MB

Download
memory/4640-225-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp

Filesize
3.3MB

Download
memory/4640-52-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp

Filesize
3.3MB

Download
memory/4640-135-0x00007FF6529D0000-0x00007FF652D21000-memory.dmp

Filesize
3.3MB

Download
memory/4708-139-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp

Filesize
3.3MB

Download
memory/4708-252-0x00007FF7BE0D0000-0x00007FF7BE421000-memory.dmp

Filesize
3.3MB

Download
memory/5012-207-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-18-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-84-0x00007FF7B8CA0000-0x00007FF7B8FF1000-memory.dmp

Filesize
3.3MB

Download