cobaltstrike | 29a33e3887fdc789cdfe3dd1a4837e255e2a0a940de6bbb89d6e40ffbaf504d7

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
Size

5.2MB
MD5

e5663f625bd8b59d4c5cdb852afd1ce6
SHA1

611f0bd5b1a67098b5d19362a031b67094dc47fe
SHA256

29a33e3887fdc789cdfe3dd1a4837e255e2a0a940de6bbb89d6e40ffbaf504d7
SHA512

569168075b90bb3ab804cabb08f1512dd1420058d94defd374652f5c25da2e658a0830a46830869788e5045a50189b2d787b5f6f4161609e31777ec63994a38e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUI

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002350b-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023513-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023511-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023515-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023514-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023510-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023512-32.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350f-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023516-53.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002350c-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023517-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023518-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023519-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351a-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351c-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351b-100.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351d-108.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351e-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023520-126.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351f-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023521-135.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4224-39-0x00007FF7AA470000-0x00007FF7AA7C1000-memory.dmp	xmrig
behavioral2/memory/856-58-0x00007FF76F3B0000-0x00007FF76F701000-memory.dmp	xmrig
behavioral2/memory/1616-66-0x00007FF6ADF20000-0x00007FF6AE271000-memory.dmp	xmrig
behavioral2/memory/4484-74-0x00007FF6309D0000-0x00007FF630D21000-memory.dmp	xmrig
behavioral2/memory/4200-71-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp	xmrig
behavioral2/memory/4744-92-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	xmrig
behavioral2/memory/1944-103-0x00007FF66C560000-0x00007FF66C8B1000-memory.dmp	xmrig
behavioral2/memory/1220-99-0x00007FF6765B0000-0x00007FF676901000-memory.dmp	xmrig
behavioral2/memory/2452-89-0x00007FF70D2E0000-0x00007FF70D631000-memory.dmp	xmrig
behavioral2/memory/5036-88-0x00007FF689D10000-0x00007FF68A061000-memory.dmp	xmrig
behavioral2/memory/4920-87-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp	xmrig
behavioral2/memory/2572-81-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp	xmrig
behavioral2/memory/1544-109-0x00007FF7DC430000-0x00007FF7DC781000-memory.dmp	xmrig
behavioral2/memory/1164-134-0x00007FF7A9790000-0x00007FF7A9AE1000-memory.dmp	xmrig
behavioral2/memory/4200-136-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp	xmrig
behavioral2/memory/1196-147-0x00007FF6306D0000-0x00007FF630A21000-memory.dmp	xmrig
behavioral2/memory/3180-148-0x00007FF6FA990000-0x00007FF6FACE1000-memory.dmp	xmrig
behavioral2/memory/2932-154-0x00007FF7EBD80000-0x00007FF7EC0D1000-memory.dmp	xmrig
behavioral2/memory/1140-157-0x00007FF6451B0000-0x00007FF645501000-memory.dmp	xmrig
behavioral2/memory/628-158-0x00007FF71F1F0000-0x00007FF71F541000-memory.dmp	xmrig
behavioral2/memory/3256-159-0x00007FF76D110000-0x00007FF76D461000-memory.dmp	xmrig
behavioral2/memory/2972-164-0x00007FF7D5330000-0x00007FF7D5681000-memory.dmp	xmrig
behavioral2/memory/4072-163-0x00007FF629B80000-0x00007FF629ED1000-memory.dmp	xmrig
behavioral2/memory/4200-165-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp	xmrig
behavioral2/memory/2572-220-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp	xmrig
behavioral2/memory/4920-222-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp	xmrig
behavioral2/memory/4224-225-0x00007FF7AA470000-0x00007FF7AA7C1000-memory.dmp	xmrig
behavioral2/memory/5036-226-0x00007FF689D10000-0x00007FF68A061000-memory.dmp	xmrig
behavioral2/memory/4744-228-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	xmrig
behavioral2/memory/1220-230-0x00007FF6765B0000-0x00007FF676901000-memory.dmp	xmrig
behavioral2/memory/1544-234-0x00007FF7DC430000-0x00007FF7DC781000-memory.dmp	xmrig
behavioral2/memory/1944-232-0x00007FF66C560000-0x00007FF66C8B1000-memory.dmp	xmrig
behavioral2/memory/856-244-0x00007FF76F3B0000-0x00007FF76F701000-memory.dmp	xmrig
behavioral2/memory/1616-246-0x00007FF6ADF20000-0x00007FF6AE271000-memory.dmp	xmrig
behavioral2/memory/4484-248-0x00007FF6309D0000-0x00007FF630D21000-memory.dmp	xmrig
behavioral2/memory/2452-250-0x00007FF70D2E0000-0x00007FF70D631000-memory.dmp	xmrig
behavioral2/memory/1164-252-0x00007FF7A9790000-0x00007FF7A9AE1000-memory.dmp	xmrig
behavioral2/memory/1196-254-0x00007FF6306D0000-0x00007FF630A21000-memory.dmp	xmrig
behavioral2/memory/3180-256-0x00007FF6FA990000-0x00007FF6FACE1000-memory.dmp	xmrig
behavioral2/memory/2932-258-0x00007FF7EBD80000-0x00007FF7EC0D1000-memory.dmp	xmrig
behavioral2/memory/1140-262-0x00007FF6451B0000-0x00007FF645501000-memory.dmp	xmrig
behavioral2/memory/628-266-0x00007FF71F1F0000-0x00007FF71F541000-memory.dmp	xmrig
behavioral2/memory/3256-269-0x00007FF76D110000-0x00007FF76D461000-memory.dmp	xmrig
behavioral2/memory/2972-270-0x00007FF7D5330000-0x00007FF7D5681000-memory.dmp	xmrig
behavioral2/memory/4072-273-0x00007FF629B80000-0x00007FF629ED1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2572	MjqOmCW.exe
4920	rtXKWwn.exe
5036	jBiWVyq.exe
4744	EwZjLCu.exe
4224	kgudkQF.exe
1220	MPgYZXw.exe
1944	hrRcJAR.exe
1544	rljGUmZ.exe
856	yiQtNwF.exe
1616	zOdaauI.exe
4484	HSsXLxI.exe
1164	gkceHNl.exe
2452	LacTtNp.exe
1196	avtYRuf.exe
3180	jTNFAZV.exe
2932	nhdCvDe.exe
1140	hMFxVlq.exe
628	fMHAeqs.exe
3256	acFsBXW.exe
2972	gOFJXRh.exe
4072	pkIdCFW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4200-0-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp	upx
behavioral2/files/0x000800000002350b-6.dat	upx
behavioral2/memory/2572-8-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp	upx
behavioral2/files/0x0007000000023513-27.dat	upx
behavioral2/files/0x0007000000023511-36.dat	upx
behavioral2/memory/1544-46-0x00007FF7DC430000-0x00007FF7DC781000-memory.dmp	upx
behavioral2/files/0x0007000000023515-48.dat	upx
behavioral2/files/0x0007000000023514-47.dat	upx
behavioral2/memory/1944-45-0x00007FF66C560000-0x00007FF66C8B1000-memory.dmp	upx
behavioral2/memory/4224-39-0x00007FF7AA470000-0x00007FF7AA7C1000-memory.dmp	upx
behavioral2/files/0x0007000000023510-33.dat	upx
behavioral2/files/0x0007000000023512-32.dat	upx
behavioral2/memory/1220-30-0x00007FF6765B0000-0x00007FF676901000-memory.dmp	upx
behavioral2/memory/5036-28-0x00007FF689D10000-0x00007FF68A061000-memory.dmp	upx
behavioral2/memory/4744-23-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	upx
behavioral2/memory/4920-22-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp	upx
behavioral2/files/0x000700000002350f-12.dat	upx
behavioral2/files/0x0007000000023516-53.dat	upx
behavioral2/memory/856-58-0x00007FF76F3B0000-0x00007FF76F701000-memory.dmp	upx
behavioral2/files/0x000800000002350c-59.dat	upx
behavioral2/files/0x0007000000023517-64.dat	upx
behavioral2/memory/1616-66-0x00007FF6ADF20000-0x00007FF6AE271000-memory.dmp	upx
behavioral2/memory/4484-74-0x00007FF6309D0000-0x00007FF630D21000-memory.dmp	upx
behavioral2/memory/4200-71-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp	upx
behavioral2/files/0x0007000000023518-70.dat	upx
behavioral2/files/0x0007000000023519-77.dat	upx
behavioral2/files/0x000700000002351a-84.dat	upx
behavioral2/memory/4744-92-0x00007FF6375B0000-0x00007FF637901000-memory.dmp	upx
behavioral2/files/0x000700000002351c-97.dat	upx
behavioral2/files/0x000700000002351b-100.dat	upx
behavioral2/memory/1944-103-0x00007FF66C560000-0x00007FF66C8B1000-memory.dmp	upx
behavioral2/memory/2932-102-0x00007FF7EBD80000-0x00007FF7EC0D1000-memory.dmp	upx
behavioral2/memory/1220-99-0x00007FF6765B0000-0x00007FF676901000-memory.dmp	upx
behavioral2/memory/3180-98-0x00007FF6FA990000-0x00007FF6FACE1000-memory.dmp	upx
behavioral2/memory/1196-93-0x00007FF6306D0000-0x00007FF630A21000-memory.dmp	upx
behavioral2/memory/2452-89-0x00007FF70D2E0000-0x00007FF70D631000-memory.dmp	upx
behavioral2/memory/5036-88-0x00007FF689D10000-0x00007FF68A061000-memory.dmp	upx
behavioral2/memory/4920-87-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp	upx
behavioral2/memory/2572-81-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp	upx
behavioral2/memory/1164-76-0x00007FF7A9790000-0x00007FF7A9AE1000-memory.dmp	upx
behavioral2/files/0x000700000002351d-108.dat	upx
behavioral2/memory/1140-114-0x00007FF6451B0000-0x00007FF645501000-memory.dmp	upx
behavioral2/memory/1544-109-0x00007FF7DC430000-0x00007FF7DC781000-memory.dmp	upx
behavioral2/files/0x000700000002351e-115.dat	upx
behavioral2/files/0x0007000000023520-126.dat	upx
behavioral2/files/0x000700000002351f-124.dat	upx
behavioral2/memory/3256-122-0x00007FF76D110000-0x00007FF76D461000-memory.dmp	upx
behavioral2/memory/628-118-0x00007FF71F1F0000-0x00007FF71F541000-memory.dmp	upx
behavioral2/memory/4072-133-0x00007FF629B80000-0x00007FF629ED1000-memory.dmp	upx
behavioral2/files/0x0007000000023521-135.dat	upx
behavioral2/memory/1164-134-0x00007FF7A9790000-0x00007FF7A9AE1000-memory.dmp	upx
behavioral2/memory/2972-131-0x00007FF7D5330000-0x00007FF7D5681000-memory.dmp	upx
behavioral2/memory/4200-136-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp	upx
behavioral2/memory/1196-147-0x00007FF6306D0000-0x00007FF630A21000-memory.dmp	upx
behavioral2/memory/3180-148-0x00007FF6FA990000-0x00007FF6FACE1000-memory.dmp	upx
behavioral2/memory/2932-154-0x00007FF7EBD80000-0x00007FF7EC0D1000-memory.dmp	upx
behavioral2/memory/1140-157-0x00007FF6451B0000-0x00007FF645501000-memory.dmp	upx
behavioral2/memory/628-158-0x00007FF71F1F0000-0x00007FF71F541000-memory.dmp	upx
behavioral2/memory/3256-159-0x00007FF76D110000-0x00007FF76D461000-memory.dmp	upx
behavioral2/memory/2972-164-0x00007FF7D5330000-0x00007FF7D5681000-memory.dmp	upx
behavioral2/memory/4072-163-0x00007FF629B80000-0x00007FF629ED1000-memory.dmp	upx
behavioral2/memory/4200-165-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp	upx
behavioral2/memory/2572-220-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp	upx
behavioral2/memory/4920-222-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kgudkQF.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\MPgYZXw.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\fMHAeqs.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\pkIdCFW.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\hMFxVlq.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\acFsBXW.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\MjqOmCW.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\rtXKWwn.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\rljGUmZ.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\HSsXLxI.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\nhdCvDe.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\jBiWVyq.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\EwZjLCu.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\yiQtNwF.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\LacTtNp.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\avtYRuf.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\hrRcJAR.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\zOdaauI.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\gkceHNl.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\jTNFAZV.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\gOFJXRh.exe	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 2572	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	85
PID 4200 wrote to memory of 2572	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	85
PID 4200 wrote to memory of 4920	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	86
PID 4200 wrote to memory of 4920	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	86
PID 4200 wrote to memory of 5036	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	87
PID 4200 wrote to memory of 5036	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	87
PID 4200 wrote to memory of 4744	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	88
PID 4200 wrote to memory of 4744	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	88
PID 4200 wrote to memory of 4224	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	89
PID 4200 wrote to memory of 4224	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	89
PID 4200 wrote to memory of 1220	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	90
PID 4200 wrote to memory of 1220	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	90
PID 4200 wrote to memory of 1944	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	91
PID 4200 wrote to memory of 1944	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	91
PID 4200 wrote to memory of 1544	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	92
PID 4200 wrote to memory of 1544	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	92
PID 4200 wrote to memory of 856	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	93
PID 4200 wrote to memory of 856	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	93
PID 4200 wrote to memory of 1616	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	94
PID 4200 wrote to memory of 1616	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	94
PID 4200 wrote to memory of 4484	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	95
PID 4200 wrote to memory of 4484	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	95
PID 4200 wrote to memory of 1164	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	96
PID 4200 wrote to memory of 1164	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	96
PID 4200 wrote to memory of 2452	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	97
PID 4200 wrote to memory of 2452	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	97
PID 4200 wrote to memory of 1196	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	98
PID 4200 wrote to memory of 1196	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	98
PID 4200 wrote to memory of 3180	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	99
PID 4200 wrote to memory of 3180	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	99
PID 4200 wrote to memory of 2932	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	100
PID 4200 wrote to memory of 2932	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	100
PID 4200 wrote to memory of 1140	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	101
PID 4200 wrote to memory of 1140	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	101
PID 4200 wrote to memory of 628	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	102
PID 4200 wrote to memory of 628	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	102
PID 4200 wrote to memory of 3256	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	103
PID 4200 wrote to memory of 3256	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	103
PID 4200 wrote to memory of 2972	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	104
PID 4200 wrote to memory of 2972	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	104
PID 4200 wrote to memory of 4072	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	105
PID 4200 wrote to memory of 4072	4200	20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe	105

C:\Users\Admin\AppData\Local\Temp\20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\20240822e5663f625bd8b59d4c5cdb852afd1ce6cobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\System\MjqOmCW.exe
  C:\Windows\System\MjqOmCW.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\rtXKWwn.exe
  C:\Windows\System\rtXKWwn.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\jBiWVyq.exe
  C:\Windows\System\jBiWVyq.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\EwZjLCu.exe
  C:\Windows\System\EwZjLCu.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\kgudkQF.exe
  C:\Windows\System\kgudkQF.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\MPgYZXw.exe
  C:\Windows\System\MPgYZXw.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\hrRcJAR.exe
  C:\Windows\System\hrRcJAR.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\rljGUmZ.exe
  C:\Windows\System\rljGUmZ.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\yiQtNwF.exe
  C:\Windows\System\yiQtNwF.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\zOdaauI.exe
  C:\Windows\System\zOdaauI.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\HSsXLxI.exe
  C:\Windows\System\HSsXLxI.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\gkceHNl.exe
  C:\Windows\System\gkceHNl.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\LacTtNp.exe
  C:\Windows\System\LacTtNp.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\avtYRuf.exe
  C:\Windows\System\avtYRuf.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\jTNFAZV.exe
  C:\Windows\System\jTNFAZV.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\nhdCvDe.exe
  C:\Windows\System\nhdCvDe.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\hMFxVlq.exe
  C:\Windows\System\hMFxVlq.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\fMHAeqs.exe
  C:\Windows\System\fMHAeqs.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\acFsBXW.exe
  C:\Windows\System\acFsBXW.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\gOFJXRh.exe
  C:\Windows\System\gOFJXRh.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\pkIdCFW.exe
  C:\Windows\System\pkIdCFW.exe
  2⤵
  - Executes dropped EXE
  PID:4072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EwZjLCu.exe

Filesize
5.2MB

MD5
cfc8a5b3ba2d4cb1609250ef1e5ee43a

SHA1
4eb3355ff2ec20d52b8dc5c782ff25a126ce50c7

SHA256
fb5faead5c0b725f129e9cc39c9e719acaed4433cbcbab515af9788520982fc3

SHA512
dd7f8d72677b8b044aadb5aa99836ec7b85fa87b839e96a719f0861c166fd6a4e8a2f9a01432cf4d0c5562999c0927bbf232676258681474f8b38f56f135e107

Download Submit
C:\Windows\System\HSsXLxI.exe

Filesize
5.2MB

MD5
2d4e85b78c1dc5f7fae455b50d937a86

SHA1
5053212e142aa264eb0d30ffb6cb2092e0257920

SHA256
d0815a24c62b9c2cb23836564f1d982dd85d4704e7fdef14102dc40d4aff6310

SHA512
bbba8ca8073c0e425c8c703b89e462c94b7ff991dcd9afd2c7547c0bc1d999b1bc45354b673d1239e1d32c2dc0690911fdc8bcda1f8ce92e518470436668e3c4

Download Submit
C:\Windows\System\LacTtNp.exe

Filesize
5.2MB

MD5
e5e6b33b7f1e145a63ba05da0b55096d

SHA1
83fe2af1a9a6f1dcf7463c3b501e1aff1676da1c

SHA256
1a636344fcfc9dbe5f1c656d7c7f50f64418515c6ea99a901849a1de134bfc0b

SHA512
c8a826c21e96b3d61321102d1d755a28b31ef4c958f1d081dad5cc280dd6274fb7c13359f84f41c03e0e4c45819381e1227716070ba291ac7ddf826030231afe

Download Submit
C:\Windows\System\MPgYZXw.exe

Filesize
5.2MB

MD5
6dbdbbe99fdab32992787fd4bb9d4298

SHA1
96bf7d83887428ee69606e19497f07804a54590a

SHA256
40565a2aedbacdb4f681b7e783015a4d5fb0ef1da511ab3855773e3b40e1f327

SHA512
71b6ff038943204737becbac478622556fa4f91d80cb1c5aad52331c61008527931c4bef8f5bf9df1281833c023829d98667d16f3ec32f3930198af9219fd0d2

Download Submit
C:\Windows\System\MjqOmCW.exe

Filesize
5.2MB

MD5
f909eb135e991ec36bd7d8810fbdacc7

SHA1
2add1be90e588957180d93656ac0ae985cedbeb4

SHA256
72ec555d3a260211c6d3398e8ae87b2eaed3c29598d94f03bc092c54d831764c

SHA512
4e97a53d677966025bc7fd4922f68d4d87a375755ce610ad0cac2548c4e02e630b00735108fb924dca627761dc24357cccfa6c8590a952de1e19cb9c12786a84

Download Submit
C:\Windows\System\acFsBXW.exe

Filesize
5.2MB

MD5
b2983daddc019448be5923ef34e11d28

SHA1
4d1c3280143e3154fd74b91bd218581d059e3199

SHA256
e70036eab3a20b4c9707145cb004a289c9d52e0d478178c5a816af3ccffa9798

SHA512
d67a7684f6b9784bc68fa96465dacfadbe9a8958270cbe6bdeaaeea1a2ba4010ff1f2a55f178eeecbc15adf7f4c34d985d6713df6f223a6935fe3f19e5f191a1

Download Submit
C:\Windows\System\avtYRuf.exe

Filesize
5.2MB

MD5
deae819c99896f08a349cccfdfd68855

SHA1
48e1ac0d0ee663d5156d55e30f80f2c1c207d025

SHA256
e098bb89b2fd59e243796f7a10d7c0edb8d579f4eb7ad4f34f4ee511bd067421

SHA512
1df14f17e678a816ab3d360ca6df6eacb7667c4ab9385191f15f28efbb2c8957b72c61ee343e7f5df3007e311b8e720aaa1fc5f3ab3fcd774e7adf171cdb4a83

Download Submit
C:\Windows\System\fMHAeqs.exe

Filesize
5.2MB

MD5
64f4850746a11ba6c5fd2085deec69f5

SHA1
c300b0417970288aa3e14e404f1b4d6f26b87fe3

SHA256
6b30b7696a433b026270a6af1acca90f7afd2891c20b9aed0106995742ef3056

SHA512
0a0e84581928fff5109d69143a873649831d834815bf79ba461f195b83d5014f7eb3574ecee649c2b8170440646bf21fb71414b01eaed576d4e79e4d933b4219

Download Submit
C:\Windows\System\gOFJXRh.exe

Filesize
5.2MB

MD5
d77b95b45d81862b9ada228b0ff9e0c2

SHA1
b0e55862157cbf2ca33358534ac948dffef5ad3d

SHA256
9240fba807ffef200228204beaceb4df9a0d1e865faaa7cb9d8e6e13ad17661b

SHA512
1f03c33ca64119292874278d64dccd404b7de9c58a16ea9fecc4398254fe2e99792ed77b2d9ddc8c1703c96591dd1854cee9d725c19cc4747eb4afcdc354cff7

Download Submit
C:\Windows\System\gkceHNl.exe

Filesize
5.2MB

MD5
1712daab0ccc9cb5299bf132c845c713

SHA1
81166de3cab0d0df655315c75f0dced2ed9022bb

SHA256
9b2ec6edbf11883f8c570103d4618e54af7794361c419246b4c8fad3dccc5be6

SHA512
f1517fc5054d222d9f9eb410e4887132a45cb04c44782e91075867994aac9b4d092ae2e75a7c1a1fd83306170518157412e91f284b4e196307707e4a4b958004

Download Submit
C:\Windows\System\hMFxVlq.exe

Filesize
5.2MB

MD5
2cea30dd05eec4769c02b42580db806d

SHA1
5fb2070405cd509f7097f8025d91722491c4f4cb

SHA256
514ccad9feda15fc01a90ff9e0e44b9e7f61c5ca46990120effc828acedb3b67

SHA512
6fe75d18637fbe9535e294a09639ab20fef12469b1dd43f3ca3d0c1da38417839b293308763ae2dff066d57ac92b6cb2f4167b40de417ba5a8aaa606bc36104f

Download Submit
C:\Windows\System\hrRcJAR.exe

Filesize
5.2MB

MD5
8d86dc73dbdc9ca54d713a6f575a7aa6

SHA1
9864539a442ccc0d52cde299aeab6c8c407442ca

SHA256
1bdfa3e3324d7e6f3f594b3ed9c27ca73ec5ab41d319e3009bdf98068bfeaa40

SHA512
56c655a267af67a1ee26204b45db6d1f03523cd1a9f15a9f03a45e63e626a9a6a96c111aed0c9e4f4ae3477882fefba22151ce9239065c430b52b2d4f587c661

Download Submit
C:\Windows\System\jBiWVyq.exe

Filesize
5.2MB

MD5
4df37ab76a3e3fd4d87a7feaa2491615

SHA1
ea2de533fec265b4c5d2b07d35d8d3b75a66f780

SHA256
da89ec296afd1e36605768200e6f22c2ec5e5d45bcbc5a0a41b2e5766be87e51

SHA512
0ded21adf296f37b07dcf91a864a5dc6dc5c2e0626088aec0d948e942365cc337c4b3ff689a3220e793b7a74d410f1b0f96a8530c52816267be7973f40511342

Download Submit
C:\Windows\System\jTNFAZV.exe

Filesize
5.2MB

MD5
49baa2c5ecf5b0b50c1c91432aef2b68

SHA1
6b9d63b14388023b7b6f5e7d289fab60d6c8cb29

SHA256
b0250d43c71889c828411d741d3c77ca9f49f5f4add27793a343cd4bacad78d8

SHA512
88f6cbfbd1282766eead8600127410a3190c57af7bd5265b2210eedc9009d16b7202ef9b3b8a71329af2a68acda08a60f320a1fa1cb5305f0b49296b2ba1f06b

Download Submit
C:\Windows\System\kgudkQF.exe

Filesize
5.2MB

MD5
4ded76fdf80f27cc0b20f62f9a0af6b4

SHA1
6b9950ab8ad98f7d83c92b667e5c70302eb283f4

SHA256
0e501312109aaab180c67f23733f6003adf2fad14bfe8a765a5d5412dd69866f

SHA512
f961e4e2d207e8b802a07b3403f378880cb91dc3dbb7e3e782ae78cbeea530462222c6cd2a89403436fc5175c50a8fd724501e754a7254b7a9dc3859b788c462

Download Submit
C:\Windows\System\nhdCvDe.exe

Filesize
5.2MB

MD5
06045aa8fefd80cec3980b4b3441bd79

SHA1
64008a1aaf3ae7c964c5638638c7074557f6fd57

SHA256
6e48ac722eb72f3463c989e0132d316c5e04f73bee3f69068430935939abb97a

SHA512
73c3090018496e9774a43c9418ea75cc370bf804e75b52b9713f8fe49a8de8c536d6d1c418401607c71fbf14fa52522d36eace28b8fe4463782ce5b207c3acbf

Download Submit
C:\Windows\System\pkIdCFW.exe

Filesize
5.2MB

MD5
e35d725dcf492273f4a02846c802ffbc

SHA1
82011901334f20de8882fd9e8d76e87eef9882b2

SHA256
8dc54465169e2a9b4fb9c2237c4ca2f489dc3f8f6e432635432f8b9784005232

SHA512
1a0777164bb80433e50baa9e88abeea836830cfd88a2043fefd731a9eb209bfd3ecaf5b1181c1cf2b01502c073229c93bf45ab3bb67dcd9f234dd30a5274bf68

Download Submit
C:\Windows\System\rljGUmZ.exe

Filesize
5.2MB

MD5
53a992481045548d3505e37fc4bd5913

SHA1
7013b0a65c2a3c270be49dd92d34fe952557cc59

SHA256
2d108560d4a0f8dad0a39b351d6c5005b1c503aa97b84f6a5bc4606408d29554

SHA512
281baba50903859cc04efcf31172334324fde5df8cede16ba921eb1e4dc2ae8e5a63e66d59ba6a9285a65614bf5cb67b0f2f8c4180212f0418dd97bd2d266be4

Download Submit
C:\Windows\System\rtXKWwn.exe

Filesize
5.2MB

MD5
202f011b1ae2910e4d1a46a58d3208f8

SHA1
a6d7f1fd0bbf8cc00fefa7cb0dfce1f6fd54e6df

SHA256
7e65dcd3d8e6bc7c7f5ab059438aec9ddf3451b4aa42af0976008d08b6719523

SHA512
f89a1cee59e00a9fe1b6bd2c9df6970042acc981d65276f0dc52baec8d2e761c161436a8555d31bbd2edc37014eb6c7e1d61644d6f5cebbae6a04474b93564a8

Download Submit
C:\Windows\System\yiQtNwF.exe

Filesize
5.2MB

MD5
38b050bf616eb400ce41b738637b6d7d

SHA1
7d9a66e22d382ac2e58d1362d8e557672e1c17e7

SHA256
dfb125f758aaa54008d1d5b56ccf08556e7ee13e33be171fa25399f89622307f

SHA512
4474cfc36f3b13a33a2bc83a82839e66e64509d92f1928f9e01f02a2c398aef6be9ba41da896c5a08fb94abd86f50aa0925564dc1ad00ad4b6988a6e060a93ee

Download Submit
C:\Windows\System\zOdaauI.exe

Filesize
5.2MB

MD5
f2660b31d82e4a8bda03f5df269451f2

SHA1
3a408990fa5454a47706b0a3b931991f80d5255f

SHA256
e71c10208a87623a7c0b5793d4b1d3ac606db452e0483e31afc30985a9b78178

SHA512
4d8fc972bd6db8671c64e7edf05b7b37c9705e946d77d891ecfd12da88a101b7ddee1ab1e9dda23042289d8d221739fbe4e2f3923e429b0792f8fb54f443acf7

Download Submit
memory/628-118-0x00007FF71F1F0000-0x00007FF71F541000-memory.dmp

Filesize
3.3MB

Download
memory/628-158-0x00007FF71F1F0000-0x00007FF71F541000-memory.dmp

Filesize
3.3MB

Download
memory/628-266-0x00007FF71F1F0000-0x00007FF71F541000-memory.dmp

Filesize
3.3MB

Download
memory/856-58-0x00007FF76F3B0000-0x00007FF76F701000-memory.dmp

Filesize
3.3MB

Download
memory/856-244-0x00007FF76F3B0000-0x00007FF76F701000-memory.dmp

Filesize
3.3MB

Download
memory/1140-114-0x00007FF6451B0000-0x00007FF645501000-memory.dmp

Filesize
3.3MB

Download
memory/1140-262-0x00007FF6451B0000-0x00007FF645501000-memory.dmp

Filesize
3.3MB

Download
memory/1140-157-0x00007FF6451B0000-0x00007FF645501000-memory.dmp

Filesize
3.3MB

Download
memory/1164-134-0x00007FF7A9790000-0x00007FF7A9AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-252-0x00007FF7A9790000-0x00007FF7A9AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1164-76-0x00007FF7A9790000-0x00007FF7A9AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-254-0x00007FF6306D0000-0x00007FF630A21000-memory.dmp

Filesize
3.3MB

Download
memory/1196-147-0x00007FF6306D0000-0x00007FF630A21000-memory.dmp

Filesize
3.3MB

Download
memory/1196-93-0x00007FF6306D0000-0x00007FF630A21000-memory.dmp

Filesize
3.3MB

Download
memory/1220-30-0x00007FF6765B0000-0x00007FF676901000-memory.dmp

Filesize
3.3MB

Download
memory/1220-99-0x00007FF6765B0000-0x00007FF676901000-memory.dmp

Filesize
3.3MB

Download
memory/1220-230-0x00007FF6765B0000-0x00007FF676901000-memory.dmp

Filesize
3.3MB

Download
memory/1544-234-0x00007FF7DC430000-0x00007FF7DC781000-memory.dmp

Filesize
3.3MB

Download
memory/1544-109-0x00007FF7DC430000-0x00007FF7DC781000-memory.dmp

Filesize
3.3MB

Download
memory/1544-46-0x00007FF7DC430000-0x00007FF7DC781000-memory.dmp

Filesize
3.3MB

Download
memory/1616-246-0x00007FF6ADF20000-0x00007FF6AE271000-memory.dmp

Filesize
3.3MB

Download
memory/1616-66-0x00007FF6ADF20000-0x00007FF6AE271000-memory.dmp

Filesize
3.3MB

Download
memory/1944-45-0x00007FF66C560000-0x00007FF66C8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-232-0x00007FF66C560000-0x00007FF66C8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1944-103-0x00007FF66C560000-0x00007FF66C8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-89-0x00007FF70D2E0000-0x00007FF70D631000-memory.dmp

Filesize
3.3MB

Download
memory/2452-250-0x00007FF70D2E0000-0x00007FF70D631000-memory.dmp

Filesize
3.3MB

Download
memory/2572-81-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-220-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-8-0x00007FF63F590000-0x00007FF63F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-154-0x00007FF7EBD80000-0x00007FF7EC0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-102-0x00007FF7EBD80000-0x00007FF7EC0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-258-0x00007FF7EBD80000-0x00007FF7EC0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-164-0x00007FF7D5330000-0x00007FF7D5681000-memory.dmp

Filesize
3.3MB

Download
memory/2972-131-0x00007FF7D5330000-0x00007FF7D5681000-memory.dmp

Filesize
3.3MB

Download
memory/2972-270-0x00007FF7D5330000-0x00007FF7D5681000-memory.dmp

Filesize
3.3MB

Download
memory/3180-98-0x00007FF6FA990000-0x00007FF6FACE1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-148-0x00007FF6FA990000-0x00007FF6FACE1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-256-0x00007FF6FA990000-0x00007FF6FACE1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-122-0x00007FF76D110000-0x00007FF76D461000-memory.dmp

Filesize
3.3MB

Download
memory/3256-159-0x00007FF76D110000-0x00007FF76D461000-memory.dmp

Filesize
3.3MB

Download
memory/3256-269-0x00007FF76D110000-0x00007FF76D461000-memory.dmp

Filesize
3.3MB

Download
memory/4072-163-0x00007FF629B80000-0x00007FF629ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-273-0x00007FF629B80000-0x00007FF629ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-133-0x00007FF629B80000-0x00007FF629ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-1-0x00000192BC470000-0x00000192BC480000-memory.dmp

Filesize
64KB

Download
memory/4200-165-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-0-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-71-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-136-0x00007FF6E2990000-0x00007FF6E2CE1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-225-0x00007FF7AA470000-0x00007FF7AA7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-39-0x00007FF7AA470000-0x00007FF7AA7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4484-74-0x00007FF6309D0000-0x00007FF630D21000-memory.dmp

Filesize
3.3MB

Download
memory/4484-248-0x00007FF6309D0000-0x00007FF630D21000-memory.dmp

Filesize
3.3MB

Download
memory/4744-23-0x00007FF6375B0000-0x00007FF637901000-memory.dmp

Filesize
3.3MB

Download
memory/4744-92-0x00007FF6375B0000-0x00007FF637901000-memory.dmp

Filesize
3.3MB

Download
memory/4744-228-0x00007FF6375B0000-0x00007FF637901000-memory.dmp

Filesize
3.3MB

Download
memory/4920-87-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp

Filesize
3.3MB

Download
memory/4920-22-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp

Filesize
3.3MB

Download
memory/4920-222-0x00007FF6D26F0000-0x00007FF6D2A41000-memory.dmp

Filesize
3.3MB

Download
memory/5036-88-0x00007FF689D10000-0x00007FF68A061000-memory.dmp

Filesize
3.3MB

Download
memory/5036-226-0x00007FF689D10000-0x00007FF68A061000-memory.dmp

Filesize
3.3MB

Download
memory/5036-28-0x00007FF689D10000-0x00007FF68A061000-memory.dmp

Filesize
3.3MB

Download