cobaltstrike | 43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df

Resubmissions

11-06-2024 12:46

240611-pzqqwsxcna 10

11-06-2024 12:38

240611-pt2afaxeqj 10

Analysis

max time kernel
25s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

673d8b4bc5c4ae22db5852a3b922a1f5
SHA1

867e4c7e622b0b5e243ee61e9f08e6c1a6d7d9f9
SHA256

43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df
SHA512

08e3c65c427284c8b93f079b4370f3aa6983b6932d55c66b6e17767c8e6e7cc1bfd24a5453523fa10197a6070866d20abd8c322d0d0849fdaf61db8f76d41d25
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CZiydiA.exe	cobalt_reflective_dll
C:\Windows\System\aasuYNv.exe	cobalt_reflective_dll
C:\Windows\System\TtROpCz.exe	cobalt_reflective_dll
C:\Windows\System\LKoheel.exe	cobalt_reflective_dll
C:\Windows\System\eLGQkLl.exe	cobalt_reflective_dll
C:\Windows\System\OUBGmpU.exe	cobalt_reflective_dll
C:\Windows\System\aqHxGUe.exe	cobalt_reflective_dll
C:\Windows\System\dSUIXvf.exe	cobalt_reflective_dll
C:\Windows\System\XGNzVDo.exe	cobalt_reflective_dll
C:\Windows\System\IjYSNrL.exe	cobalt_reflective_dll
C:\Windows\System\NtrFIRx.exe	cobalt_reflective_dll
C:\Windows\System\USHqSrm.exe	cobalt_reflective_dll
C:\Windows\System\LQFfJMt.exe	cobalt_reflective_dll
C:\Windows\System\RVTPvJq.exe	cobalt_reflective_dll
C:\Windows\System\FoYYcYV.exe	cobalt_reflective_dll
C:\Windows\System\kIKZTNS.exe	cobalt_reflective_dll
C:\Windows\System\RXePwSb.exe	cobalt_reflective_dll
C:\Windows\System\OefMECT.exe	cobalt_reflective_dll
C:\Windows\System\nOTuAdo.exe	cobalt_reflective_dll
C:\Windows\System\oxisiwB.exe	cobalt_reflective_dll
C:\Windows\System\PfqBGVu.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 58 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/432-0-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp	xmrig
C:\Windows\System\CZiydiA.exe	xmrig
behavioral2/memory/4840-7-0x00007FF64C620000-0x00007FF64C974000-memory.dmp	xmrig
C:\Windows\System\aasuYNv.exe	xmrig
behavioral2/memory/4500-13-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp	xmrig
C:\Windows\System\TtROpCz.exe	xmrig
behavioral2/memory/3588-20-0x00007FF7F5950000-0x00007FF7F5CA4000-memory.dmp	xmrig
C:\Windows\System\LKoheel.exe	xmrig
behavioral2/memory/3928-24-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp	xmrig
behavioral2/memory/4380-31-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp	xmrig
C:\Windows\System\eLGQkLl.exe	xmrig
behavioral2/memory/4812-38-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp	xmrig
C:\Windows\System\OUBGmpU.exe	xmrig
C:\Windows\System\aqHxGUe.exe	xmrig
behavioral2/memory/3916-44-0x00007FF608060000-0x00007FF6083B4000-memory.dmp	xmrig
C:\Windows\System\dSUIXvf.exe	xmrig
C:\Windows\System\XGNzVDo.exe	xmrig
behavioral2/memory/3976-52-0x00007FF64CBC0000-0x00007FF64CF14000-memory.dmp	xmrig
C:\Windows\System\IjYSNrL.exe	xmrig
C:\Windows\System\NtrFIRx.exe	xmrig
C:\Windows\System\USHqSrm.exe	xmrig
behavioral2/memory/1492-72-0x00007FF6E35F0000-0x00007FF6E3944000-memory.dmp	xmrig
behavioral2/memory/1712-75-0x00007FF747EF0000-0x00007FF748244000-memory.dmp	xmrig
C:\Windows\System\LQFfJMt.exe	xmrig
behavioral2/memory/5388-78-0x00007FF676980000-0x00007FF676CD4000-memory.dmp	xmrig
behavioral2/memory/4840-65-0x00007FF64C620000-0x00007FF64C974000-memory.dmp	xmrig
behavioral2/memory/432-62-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp	xmrig
behavioral2/memory/1196-57-0x00007FF6354D0000-0x00007FF635824000-memory.dmp	xmrig
behavioral2/memory/4500-82-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp	xmrig
behavioral2/memory/4984-83-0x00007FF728420000-0x00007FF728774000-memory.dmp	xmrig
C:\Windows\System\RVTPvJq.exe	xmrig
C:\Windows\System\FoYYcYV.exe	xmrig
behavioral2/memory/3816-108-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp	xmrig
C:\Windows\System\kIKZTNS.exe	xmrig
C:\Windows\System\RXePwSb.exe	xmrig
behavioral2/memory/1900-116-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	xmrig
behavioral2/memory/4572-112-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp	xmrig
behavioral2/memory/3916-110-0x00007FF608060000-0x00007FF6083B4000-memory.dmp	xmrig
behavioral2/memory/4812-109-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp	xmrig
behavioral2/memory/4380-100-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp	xmrig
C:\Windows\System\OefMECT.exe	xmrig
behavioral2/memory/2052-94-0x00007FF654E00000-0x00007FF655154000-memory.dmp	xmrig
behavioral2/memory/3928-93-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp	xmrig
behavioral2/memory/3904-92-0x00007FF782100000-0x00007FF782454000-memory.dmp	xmrig
C:\Windows\System\nOTuAdo.exe	xmrig
behavioral2/memory/5208-121-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp	xmrig
C:\Windows\System\oxisiwB.exe	xmrig
C:\Windows\System\PfqBGVu.exe	xmrig
behavioral2/memory/1712-134-0x00007FF747EF0000-0x00007FF748244000-memory.dmp	xmrig
behavioral2/memory/1232-135-0x00007FF64BD00000-0x00007FF64C054000-memory.dmp	xmrig
behavioral2/memory/2932-132-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp	xmrig
behavioral2/memory/2052-136-0x00007FF654E00000-0x00007FF655154000-memory.dmp	xmrig
behavioral2/memory/3816-137-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp	xmrig
behavioral2/memory/4572-138-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp	xmrig
behavioral2/memory/1900-141-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	xmrig
behavioral2/memory/5208-140-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp	xmrig
behavioral2/memory/2932-139-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp	xmrig
behavioral2/memory/432-142-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CZiydiA.exeTtROpCz.exeaasuYNv.exeLKoheel.exeOUBGmpU.exeeLGQkLl.exeaqHxGUe.exedSUIXvf.exeXGNzVDo.exeIjYSNrL.exeNtrFIRx.exeUSHqSrm.exeLQFfJMt.exeRVTPvJq.exeFoYYcYV.exeOefMECT.exeRXePwSb.exekIKZTNS.exenOTuAdo.exeoxisiwB.exePfqBGVu.exe

pid	process
4840	CZiydiA.exe
4500	TtROpCz.exe
3588	aasuYNv.exe
3928	LKoheel.exe
4380	OUBGmpU.exe
4812	eLGQkLl.exe
3916	aqHxGUe.exe
3976	dSUIXvf.exe
1196	XGNzVDo.exe
1492	IjYSNrL.exe
5388	NtrFIRx.exe
1712	USHqSrm.exe
4984	LQFfJMt.exe
3904	RVTPvJq.exe
2052	FoYYcYV.exe
3816	OefMECT.exe
4572	RXePwSb.exe
1900	kIKZTNS.exe
5208	nOTuAdo.exe
2932	oxisiwB.exe
1232	PfqBGVu.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/432-0-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp	upx
C:\Windows\System\CZiydiA.exe	upx
behavioral2/memory/4840-7-0x00007FF64C620000-0x00007FF64C974000-memory.dmp	upx
C:\Windows\System\aasuYNv.exe	upx
behavioral2/memory/4500-13-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp	upx
C:\Windows\System\TtROpCz.exe	upx
behavioral2/memory/3588-20-0x00007FF7F5950000-0x00007FF7F5CA4000-memory.dmp	upx
C:\Windows\System\LKoheel.exe	upx
behavioral2/memory/3928-24-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp	upx
behavioral2/memory/4380-31-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp	upx
C:\Windows\System\eLGQkLl.exe	upx
behavioral2/memory/4812-38-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp	upx
C:\Windows\System\OUBGmpU.exe	upx
C:\Windows\System\aqHxGUe.exe	upx
behavioral2/memory/3916-44-0x00007FF608060000-0x00007FF6083B4000-memory.dmp	upx
C:\Windows\System\dSUIXvf.exe	upx
C:\Windows\System\XGNzVDo.exe	upx
behavioral2/memory/3976-52-0x00007FF64CBC0000-0x00007FF64CF14000-memory.dmp	upx
C:\Windows\System\IjYSNrL.exe	upx
C:\Windows\System\NtrFIRx.exe	upx
C:\Windows\System\USHqSrm.exe	upx
behavioral2/memory/1492-72-0x00007FF6E35F0000-0x00007FF6E3944000-memory.dmp	upx
behavioral2/memory/1712-75-0x00007FF747EF0000-0x00007FF748244000-memory.dmp	upx
C:\Windows\System\LQFfJMt.exe	upx
behavioral2/memory/5388-78-0x00007FF676980000-0x00007FF676CD4000-memory.dmp	upx
behavioral2/memory/4840-65-0x00007FF64C620000-0x00007FF64C974000-memory.dmp	upx
behavioral2/memory/432-62-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp	upx
behavioral2/memory/1196-57-0x00007FF6354D0000-0x00007FF635824000-memory.dmp	upx
behavioral2/memory/4500-82-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp	upx
behavioral2/memory/4984-83-0x00007FF728420000-0x00007FF728774000-memory.dmp	upx
C:\Windows\System\RVTPvJq.exe	upx
C:\Windows\System\FoYYcYV.exe	upx
behavioral2/memory/3816-108-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp	upx
C:\Windows\System\kIKZTNS.exe	upx
C:\Windows\System\RXePwSb.exe	upx
behavioral2/memory/1900-116-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	upx
behavioral2/memory/4572-112-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp	upx
behavioral2/memory/3916-110-0x00007FF608060000-0x00007FF6083B4000-memory.dmp	upx
behavioral2/memory/4812-109-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp	upx
behavioral2/memory/4380-100-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp	upx
C:\Windows\System\OefMECT.exe	upx
behavioral2/memory/2052-94-0x00007FF654E00000-0x00007FF655154000-memory.dmp	upx
behavioral2/memory/3928-93-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp	upx
behavioral2/memory/3904-92-0x00007FF782100000-0x00007FF782454000-memory.dmp	upx
C:\Windows\System\nOTuAdo.exe	upx
behavioral2/memory/5208-121-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp	upx
C:\Windows\System\oxisiwB.exe	upx
C:\Windows\System\PfqBGVu.exe	upx
behavioral2/memory/1712-134-0x00007FF747EF0000-0x00007FF748244000-memory.dmp	upx
behavioral2/memory/1232-135-0x00007FF64BD00000-0x00007FF64C054000-memory.dmp	upx
behavioral2/memory/2932-132-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp	upx
behavioral2/memory/2052-136-0x00007FF654E00000-0x00007FF655154000-memory.dmp	upx
behavioral2/memory/3816-137-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp	upx
behavioral2/memory/4572-138-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp	upx
behavioral2/memory/1900-141-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp	upx
behavioral2/memory/5208-140-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp	upx
behavioral2/memory/2932-139-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp	upx
behavioral2/memory/432-142-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\TtROpCz.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aasuYNv.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XGNzVDo.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NtrFIRx.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kIKZTNS.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aqHxGUe.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\USHqSrm.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RVTPvJq.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RXePwSb.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oxisiwB.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PfqBGVu.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CZiydiA.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LKoheel.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OUBGmpU.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LQFfJMt.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nOTuAdo.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eLGQkLl.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dSUIXvf.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IjYSNrL.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FoYYcYV.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OefMECT.exe	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 432 wrote to memory of 4840	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	CZiydiA.exe
PID 432 wrote to memory of 4840	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	CZiydiA.exe
PID 432 wrote to memory of 4500	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	TtROpCz.exe
PID 432 wrote to memory of 4500	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	TtROpCz.exe
PID 432 wrote to memory of 3588	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	aasuYNv.exe
PID 432 wrote to memory of 3588	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	aasuYNv.exe
PID 432 wrote to memory of 3928	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	LKoheel.exe
PID 432 wrote to memory of 3928	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	LKoheel.exe
PID 432 wrote to memory of 4380	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	OUBGmpU.exe
PID 432 wrote to memory of 4380	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	OUBGmpU.exe
PID 432 wrote to memory of 4812	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	eLGQkLl.exe
PID 432 wrote to memory of 4812	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	eLGQkLl.exe
PID 432 wrote to memory of 3916	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	aqHxGUe.exe
PID 432 wrote to memory of 3916	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	aqHxGUe.exe
PID 432 wrote to memory of 3976	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	dSUIXvf.exe
PID 432 wrote to memory of 3976	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	dSUIXvf.exe
PID 432 wrote to memory of 1196	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XGNzVDo.exe
PID 432 wrote to memory of 1196	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	XGNzVDo.exe
PID 432 wrote to memory of 1492	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	IjYSNrL.exe
PID 432 wrote to memory of 1492	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	IjYSNrL.exe
PID 432 wrote to memory of 5388	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	NtrFIRx.exe
PID 432 wrote to memory of 5388	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	NtrFIRx.exe
PID 432 wrote to memory of 1712	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	USHqSrm.exe
PID 432 wrote to memory of 1712	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	USHqSrm.exe
PID 432 wrote to memory of 4984	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	LQFfJMt.exe
PID 432 wrote to memory of 4984	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	LQFfJMt.exe
PID 432 wrote to memory of 3904	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	RVTPvJq.exe
PID 432 wrote to memory of 3904	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	RVTPvJq.exe
PID 432 wrote to memory of 2052	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	FoYYcYV.exe
PID 432 wrote to memory of 2052	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	FoYYcYV.exe
PID 432 wrote to memory of 3816	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	OefMECT.exe
PID 432 wrote to memory of 3816	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	OefMECT.exe
PID 432 wrote to memory of 4572	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	RXePwSb.exe
PID 432 wrote to memory of 4572	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	RXePwSb.exe
PID 432 wrote to memory of 1900	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	kIKZTNS.exe
PID 432 wrote to memory of 1900	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	kIKZTNS.exe
PID 432 wrote to memory of 5208	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	nOTuAdo.exe
PID 432 wrote to memory of 5208	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	nOTuAdo.exe
PID 432 wrote to memory of 2932	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	oxisiwB.exe
PID 432 wrote to memory of 2932	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	oxisiwB.exe
PID 432 wrote to memory of 1232	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	PfqBGVu.exe
PID 432 wrote to memory of 1232	432	2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe	PfqBGVu.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\System\CZiydiA.exe
C:\Windows\System\CZiydiA.exe
2⤵
- Executes dropped EXE
PID:4840

C:\Windows\System\TtROpCz.exe
C:\Windows\System\TtROpCz.exe
2⤵
- Executes dropped EXE
PID:4500

C:\Windows\System\aasuYNv.exe
C:\Windows\System\aasuYNv.exe
2⤵
- Executes dropped EXE
PID:3588

C:\Windows\System\LKoheel.exe
C:\Windows\System\LKoheel.exe
2⤵
- Executes dropped EXE
PID:3928

C:\Windows\System\OUBGmpU.exe
C:\Windows\System\OUBGmpU.exe
2⤵
- Executes dropped EXE
PID:4380

C:\Windows\System\eLGQkLl.exe
C:\Windows\System\eLGQkLl.exe
2⤵
- Executes dropped EXE
PID:4812

C:\Windows\System\aqHxGUe.exe
C:\Windows\System\aqHxGUe.exe
2⤵
- Executes dropped EXE
PID:3916

C:\Windows\System\dSUIXvf.exe
C:\Windows\System\dSUIXvf.exe
2⤵
- Executes dropped EXE
PID:3976

C:\Windows\System\XGNzVDo.exe
C:\Windows\System\XGNzVDo.exe
2⤵
- Executes dropped EXE
PID:1196

C:\Windows\System\IjYSNrL.exe
C:\Windows\System\IjYSNrL.exe
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\System\NtrFIRx.exe
C:\Windows\System\NtrFIRx.exe
2⤵
- Executes dropped EXE
PID:5388

C:\Windows\System\USHqSrm.exe
C:\Windows\System\USHqSrm.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\LQFfJMt.exe
C:\Windows\System\LQFfJMt.exe
2⤵
- Executes dropped EXE
PID:4984

C:\Windows\System\RVTPvJq.exe
C:\Windows\System\RVTPvJq.exe
2⤵
- Executes dropped EXE
PID:3904

C:\Windows\System\FoYYcYV.exe
C:\Windows\System\FoYYcYV.exe
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\System\OefMECT.exe
C:\Windows\System\OefMECT.exe
2⤵
- Executes dropped EXE
PID:3816

C:\Windows\System\RXePwSb.exe
C:\Windows\System\RXePwSb.exe
2⤵
- Executes dropped EXE
PID:4572

C:\Windows\System\kIKZTNS.exe
C:\Windows\System\kIKZTNS.exe
2⤵
- Executes dropped EXE
PID:1900

C:\Windows\System\nOTuAdo.exe
C:\Windows\System\nOTuAdo.exe
2⤵
- Executes dropped EXE
PID:5208

C:\Windows\System\oxisiwB.exe
C:\Windows\System\oxisiwB.exe
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\System\PfqBGVu.exe
C:\Windows\System\PfqBGVu.exe
2⤵
- Executes dropped EXE
PID:1232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CZiydiA.exe
Filesize
5.9MB

MD5
6297a49057d4675d581f8bbd70ea1e5f

SHA1
41fe622e441f7e5614b182ce7eaa51f2704737a2

SHA256
0a626ac2c5c517c03426663694fecfa65c57fbd9670e7ea566f635701b460dac

SHA512
7a038a41e558e9181ca76dad7298156928366637a7f1bdbd2d511944a6b96b79e647898e745a0e3e18a0cc712b88ccec8b77ecbb97081e38afdd2d11d17b1c3c

Download Submit
C:\Windows\System\FoYYcYV.exe
Filesize
5.9MB

MD5
1de61e91ce4bb062227baaaf745b83fa

SHA1
a24fe48c1d4080b0a6a4d436b80eaed69694ba66

SHA256
caf5cfbce2293d19314bf4fc2867f3259f75d5ffc5623deaccbb98e232ecfb02

SHA512
7c0a0a9ce4dd65fa965b6a91091cf593cdb5b5a1988f998e432c951a2d965453ec2b899f8ae17568681264758afb5a860f47a2ca9c69fab4eafaf41bf492e0c6

Download Submit
C:\Windows\System\IjYSNrL.exe
Filesize
5.9MB

MD5
564c93b0b808653088ce25f11f43bb98

SHA1
d04ccb978c1a3a2c79ed0c51d0e8f5af479a9bc0

SHA256
3d1f3c9c1497266a86b75829e83300b380a5a9ff76fffbc5264974c6900f1662

SHA512
441e5059bf2008ff6ea230ff05a15f8c2cfc0baff9eefe68cbba23058649f16460f23ce232256ad3ad0f6c46285f890db97ee8bbb752a59f81685bb63a6be918

Download Submit
C:\Windows\System\LKoheel.exe
Filesize
5.9MB

MD5
6ac061917e9c91a914733a840801cc48

SHA1
13dc14e8a178f99d9dddb11642159a4740f81062

SHA256
459abe7be5e50594e6b093b1d7c8aa5ee6549f422a5710f94c2970b52e742183

SHA512
fd376eeba9eda21dbf523819d70757ed59fe0de6f71e738bfe0006f5ac29f8233ba5195cc65241131801fe8cc35859a55995f0f56a56daa6befab87cd0513411

Download Submit
C:\Windows\System\LQFfJMt.exe
Filesize
5.9MB

MD5
38c58a49792c95b45b80241e1ec1e192

SHA1
08579100e9608a573b7fb160bd5b69b785579b23

SHA256
180810ca5b3b0378685c0b7a4ef2feafe198a705f474f3a25b21742f21d63b22

SHA512
adddf4c01ae6ef32ac5417487ef830c849aa65afd2ad0998f89e9569c145b19b5dc21ff15afe32f8d39774b73d0179a64c0f32c80846d7d875bdcf007e1f95ad

Download Submit
C:\Windows\System\NtrFIRx.exe
Filesize
5.9MB

MD5
0d17b67a58af11606dd9a399133725ba

SHA1
ec46a85ed5d28dcebe83a1cb62c1b182e3afe882

SHA256
7ad061a7f3fa3c27baa4243227af70eb425e00202383e6cb9cf20d6ee930c764

SHA512
591624717c456c5650aff6b9e8c8d7d30b6075636c4eaa067015a6057f4986e0618bad8cb3a45e037ea03c50f3b3331f85b52ce44a382e68fc20c8830cd47d8f

Download Submit
C:\Windows\System\OUBGmpU.exe
Filesize
5.9MB

MD5
e4bf1f4f43f9fd41b7a0a640f8f74adf

SHA1
cea912bc48608ed9cceca6d5cf4aa2c433ab0535

SHA256
9f318d42f2d6773fc4d70421c11171e187d3826d8febe878645365b74d28073e

SHA512
3550027db0a1689943a761351bd92bc442807645c20e1e3d6118c3e8d0b81117ccb2726488eeefd0583a5e05160b03f910df44a8ac269d437f0f5d0cdd15aef6

Download Submit
C:\Windows\System\OefMECT.exe
Filesize
5.9MB

MD5
cd132004629b1457970484e066139bcf

SHA1
5ba7e978fcee261f22d958d68f08887dd797db6d

SHA256
3e21b0e8d7ba2ea7f569d71ba1edec29a30ff8490dfa66f72f64cdc5187e6cc2

SHA512
17639947d950d779c9a81ef6a12e3d2b8d56aff8121534549350a52dbc63ae6bb2b11d157b405d9249eb0d85fe63776b5a0dcea17280231a81a6559c2fcd3542

Download Submit
C:\Windows\System\PfqBGVu.exe
Filesize
5.9MB

MD5
f08813988d0b663d6a946936b6cb9e56

SHA1
2caf4fe9af40c7f6a79ba8a1bbefe3042da30345

SHA256
7f9265a842f08caca6e5772592a62414b3f557ce5a875d0f84b1d1b268559d84

SHA512
df6cf6e86f88400154c1e3227201b52990264a1c9152fff53234fbe5e62b01af5f14c3fe34d40fc3031f59e9a54805503a9e87923eaf2321674de4aeadd2826b

Download Submit
C:\Windows\System\RVTPvJq.exe
Filesize
5.9MB

MD5
e034851e2588f9f8f7957a23a03d5469

SHA1
783776a5098c76edd4630865f7cfb99c330e6c25

SHA256
6425f50b9da7b7069472bb039b5640d37bb364bc73e8b50b0bc32e067f5d672d

SHA512
a2134489ca5197f197c3c41c2d959f348bd74a68a86ff8cc94e708f5013c2bb5c5370cfeb921f1dc4b94f12af27325d1515a0069a9585a1d48398d42e8016b9f

Download Submit
C:\Windows\System\RXePwSb.exe
Filesize
5.9MB

MD5
e3187403586c18e67d7e050edeaaefaf

SHA1
4c0ad72abe1ce9541aadfc4c7e3074a4089d5fc5

SHA256
b1195237b72b2676d2952f6010051ff9502699085c2db74832e5e4acee03e515

SHA512
046f38ab11cceb3e90061bde6403e2634b47ec194389e3581c1bda24dcceda476ba00a8ea64fabf841c10534e16a003ddee40b1d415b037e2ea9c76340a63e53

Download Submit
C:\Windows\System\TtROpCz.exe
Filesize
5.9MB

MD5
23348ed5bd9d1239031a602ac5c89ccf

SHA1
a98b1d4c0d49a79b52ee3884a5e3bc2bd107e462

SHA256
fd54a17aa3631f0f46100f1686157d1db466f87e89d10f2fe3ccae0e80740cd0

SHA512
768d3b18d15aca589e88d214d2f5554290ee2411ad8f6d98cc656e3be29c631faf662b952113105b64c19e0a392825db77c5886915645e2abcbad4f4212e95c7

Download Submit
C:\Windows\System\USHqSrm.exe
Filesize
5.9MB

MD5
34a152b6ccfaff86f06314e37f82d538

SHA1
24ebb5bd77553bc42c9b4a0e703ceb46d6da4d3c

SHA256
4ac8d3fcc18c6509f99653f8a8ead54982afd5aaa8027a7b97db4afacc7e7598

SHA512
32f5832ebdf56527f28aa6fc217f2eddef70fa1e7475f7f2f23ee57467f040b7480c5c66e2e0d1c94309c1dd7bbc389a4ccb08e49af8243c1bb284c27d71e4eb

Download Submit
C:\Windows\System\XGNzVDo.exe
Filesize
5.9MB

MD5
b1caab1f80275fcf5c2c3d67b7d1cb77

SHA1
3ab3db0f363b0e6cac1ab5cece4a1f18e633edcb

SHA256
694fe0cc54c2a6a2b7c000003fe58fce20eed5d4446e529d056f5f311e35365b

SHA512
05e710822869679005c5f6b37a4ed8c608c429031a1689a2766951b0a003cbf785a5c6c405b73a21086f960bcdbb958f58d3ef7ae8605596ed27036f3b977a08

Download Submit
C:\Windows\System\aasuYNv.exe
Filesize
5.9MB

MD5
0f4353c71002a58c5802643d840a8282

SHA1
bb3fbb79194d9e3029859ab38ef2ee4abfb47b26

SHA256
ee464261378697e4023999ba3181d662825c4bb57d1ce13214a8c5de104f7bdb

SHA512
adfab5e7349e22eed80a0ce7f3c946b67369d9c5c384a691fe60c697eed3e67b5d3197724ef22230f49892578839a48975f440733ee18241a7443571088d970c

Download Submit
C:\Windows\System\aqHxGUe.exe
Filesize
5.9MB

MD5
3968f3aec3cdde74e740864e0250a8b4

SHA1
b7b8e2df7d06993824709d1e6719f845014f5958

SHA256
703733055f0e073cf676966ad247b2275bd0cbe74fc711095b797aa87af77539

SHA512
019a2834e9bbb207261a0cf473b4b8157a954cbfa25e0baa53f7bf7e84ad7e0b4f4b0fabb3b4ee887f8338858ca6964f753fa481dac5e3f10b33c753e2838d0d

Download Submit
C:\Windows\System\dSUIXvf.exe
Filesize
5.9MB

MD5
a19ac11af70ed5314bb9acf3b2a02764

SHA1
52be4fe594efa4966245eac41818599b3c8e630f

SHA256
9a873a6bac68827ae0e13ea672455384371423239c1a246aadf30462fa0ed55c

SHA512
06bbad29cee7f67951c2d6c60b614447014666191d7b0fe25922a74206995763f0ab0a6d66a1f6d686a139fb5d2fcaa892c7edc260de16e67353f56c40744d15

Download Submit
C:\Windows\System\eLGQkLl.exe
Filesize
5.9MB

MD5
4e447a70a8e5d26da7db3ca4ec4fbdfb

SHA1
5b376e351782558d97d1068f68da53a922e72f26

SHA256
4290b59c03dfc425c06d254062bf8aae99a77dac6dcf43a411e88896c565e93b

SHA512
df585be2382bff5058d129c074a436f6ad9955607d279c2ea77d22b5ed1651c8f91e9520b30770f197383f9f0c3f86069d91ce269cdae775d3dfe09c47c915a4

Download Submit
C:\Windows\System\kIKZTNS.exe
Filesize
5.9MB

MD5
8cccf80dab2de66aab2f6ef304069090

SHA1
14d4f3bf70916f6b259775f9c638e59488446940

SHA256
ba313ea7190d3491d11dae91ae5983cb835af2b8442fcff34302dd88b9b9abb0

SHA512
94abdc9147a4ef3b4a11f9da280a3cd53d7a92c5ea807d28e8359e0d68fca65755a3326cacfef682c449c7bf1371b36c9a6ce42f5297735672230466ce79e21e

Download Submit
C:\Windows\System\nOTuAdo.exe
Filesize
5.9MB

MD5
3050ffb5ec991bae6bf47b22287a3771

SHA1
c89b0aceac23e09c367fade383c01109aab2cb0a

SHA256
482605298b4c576f137711542cb6bffe967c109cf1e407b8579b84dab88ec6db

SHA512
8238bc3347c78eeb8fa85caba929d30594b451a1d9626a09b563e69c7341f10b18d3c4cec70d845d469a2bc32242dd469976bd5870e03ad83136c96c4e4f6223

Download Submit
C:\Windows\System\oxisiwB.exe
Filesize
5.9MB

MD5
f601fc9d978f240f8cb8060a51b1154a

SHA1
0a700cf8d71aebf8b1423c2109f6e7aaee97379f

SHA256
40b81dc4ca72d11890a1b5135985a376bcc47a97f05acea30abfa8a92b3dc240

SHA512
41fb45a78e2dd2229c26507241f5af5d1324720d0574411a646972720234496e9aa15985e3395cd8ab8bc15f2b47327c8101920867d571015d6d8122a3da2f8c

Download Submit
memory/432-1-0x0000019F3D180000-0x0000019F3D190000-memory.dmp

Filesize
64KB

Download
memory/432-0-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp

Filesize
3.3MB

Download
memory/432-142-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp

Filesize
3.3MB

Download
memory/432-62-0x00007FF72E710000-0x00007FF72EA64000-memory.dmp

Filesize
3.3MB

Download
memory/1196-57-0x00007FF6354D0000-0x00007FF635824000-memory.dmp

Filesize
3.3MB

Download
memory/1232-135-0x00007FF64BD00000-0x00007FF64C054000-memory.dmp

Filesize
3.3MB

Download
memory/1492-72-0x00007FF6E35F0000-0x00007FF6E3944000-memory.dmp

Filesize
3.3MB

Download
memory/1712-134-0x00007FF747EF0000-0x00007FF748244000-memory.dmp

Filesize
3.3MB

Download
memory/1712-75-0x00007FF747EF0000-0x00007FF748244000-memory.dmp

Filesize
3.3MB

Download
memory/1900-141-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp

Filesize
3.3MB

Download
memory/1900-116-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-94-0x00007FF654E00000-0x00007FF655154000-memory.dmp

Filesize
3.3MB

Download
memory/2052-136-0x00007FF654E00000-0x00007FF655154000-memory.dmp

Filesize
3.3MB

Download
memory/2932-139-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-132-0x00007FF607AA0000-0x00007FF607DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3588-20-0x00007FF7F5950000-0x00007FF7F5CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3816-137-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp

Filesize
3.3MB

Download
memory/3816-108-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp

Filesize
3.3MB

Download
memory/3904-92-0x00007FF782100000-0x00007FF782454000-memory.dmp

Filesize
3.3MB

Download
memory/3916-110-0x00007FF608060000-0x00007FF6083B4000-memory.dmp

Filesize
3.3MB

Download
memory/3916-44-0x00007FF608060000-0x00007FF6083B4000-memory.dmp

Filesize
3.3MB

Download
memory/3928-93-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp

Filesize
3.3MB

Download
memory/3928-24-0x00007FF7C6530000-0x00007FF7C6884000-memory.dmp

Filesize
3.3MB

Download
memory/3976-52-0x00007FF64CBC0000-0x00007FF64CF14000-memory.dmp

Filesize
3.3MB

Download
memory/4380-31-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-100-0x00007FF6FF990000-0x00007FF6FFCE4000-memory.dmp

Filesize
3.3MB

Download
memory/4500-13-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp

Filesize
3.3MB

Download
memory/4500-82-0x00007FF6F4170000-0x00007FF6F44C4000-memory.dmp

Filesize
3.3MB

Download
memory/4572-138-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp

Filesize
3.3MB

Download
memory/4572-112-0x00007FF7BC130000-0x00007FF7BC484000-memory.dmp

Filesize
3.3MB

Download
memory/4812-38-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp

Filesize
3.3MB

Download
memory/4812-109-0x00007FF6C7AD0000-0x00007FF6C7E24000-memory.dmp

Filesize
3.3MB

Download
memory/4840-7-0x00007FF64C620000-0x00007FF64C974000-memory.dmp

Filesize
3.3MB

Download
memory/4840-65-0x00007FF64C620000-0x00007FF64C974000-memory.dmp

Filesize
3.3MB

Download
memory/4984-83-0x00007FF728420000-0x00007FF728774000-memory.dmp

Filesize
3.3MB

Download
memory/5208-121-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp

Filesize
3.3MB

Download
memory/5208-140-0x00007FF69ECF0000-0x00007FF69F044000-memory.dmp

Filesize
3.3MB

Download
memory/5388-78-0x00007FF676980000-0x00007FF676CD4000-memory.dmp

Filesize
3.3MB

Download