cobaltstrike | c4bdfc955b420001bc385bbd37fabbc2f7c80ac998f8805d977ba67a62633445

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
Size

5.9MB
MD5

3d969de7f5c82111ed2bc8f3401c124a
SHA1

2c7c2146ea5bb8defc71605a7c5ad3300a6ffc21
SHA256

c4bdfc955b420001bc385bbd37fabbc2f7c80ac998f8805d977ba67a62633445
SHA512

dc2588b0e748071933ff751e69cd5573c1fc57b45ab43595e1d31957eaca7ffdfa03456898fc6884faff1baece07862b43788f7dde10e244cca4c25f002d1a32
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUn:T+q56utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234f3-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f5-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f6-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f8-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fb-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fc-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ff-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023500-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023501-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023503-103.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234f1-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023502-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fe-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fd-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fa-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f9-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f7-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023504-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023506-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023507-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2904-0-0x00007FF62C610000-0x00007FF62C964000-memory.dmp	xmrig
behavioral2/files/0x00080000000234f3-4.dat	xmrig
behavioral2/memory/3104-8-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f5-11.dat	xmrig
behavioral2/files/0x00070000000234f6-26.dat	xmrig
behavioral2/files/0x00070000000234f8-31.dat	xmrig
behavioral2/memory/1076-38-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp	xmrig
behavioral2/memory/464-44-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234fb-53.dat	xmrig
behavioral2/files/0x00070000000234fc-59.dat	xmrig
behavioral2/files/0x00070000000234ff-73.dat	xmrig
behavioral2/files/0x0007000000023500-78.dat	xmrig
behavioral2/files/0x0007000000023501-82.dat	xmrig
behavioral2/memory/1444-92-0x00007FF686990000-0x00007FF686CE4000-memory.dmp	xmrig
behavioral2/memory/1804-97-0x00007FF64A1B0000-0x00007FF64A504000-memory.dmp	xmrig
behavioral2/memory/4460-105-0x00007FF67F8B0000-0x00007FF67FC04000-memory.dmp	xmrig
behavioral2/memory/2908-108-0x00007FF741190000-0x00007FF7414E4000-memory.dmp	xmrig
behavioral2/memory/1776-110-0x00007FF73D8F0000-0x00007FF73DC44000-memory.dmp	xmrig
behavioral2/memory/700-109-0x00007FF7429A0000-0x00007FF742CF4000-memory.dmp	xmrig
behavioral2/memory/344-107-0x00007FF6780B0000-0x00007FF678404000-memory.dmp	xmrig
behavioral2/memory/4836-106-0x00007FF7219B0000-0x00007FF721D04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023503-103.dat	xmrig
behavioral2/files/0x00080000000234f1-101.dat	xmrig
behavioral2/files/0x0007000000023502-99.dat	xmrig
behavioral2/memory/1424-98-0x00007FF6B4C10000-0x00007FF6B4F64000-memory.dmp	xmrig
behavioral2/memory/1796-96-0x00007FF6264B0000-0x00007FF626804000-memory.dmp	xmrig
behavioral2/files/0x00070000000234fe-69.dat	xmrig
behavioral2/files/0x00070000000234fd-64.dat	xmrig
behavioral2/files/0x00070000000234fa-51.dat	xmrig
behavioral2/files/0x00070000000234f9-43.dat	xmrig
behavioral2/memory/4156-41-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f7-40.dat	xmrig
behavioral2/memory/3148-39-0x00007FF68A620000-0x00007FF68A974000-memory.dmp	xmrig
behavioral2/memory/2184-34-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp	xmrig
behavioral2/memory/764-27-0x00007FF753D10000-0x00007FF754064000-memory.dmp	xmrig
behavioral2/memory/3476-17-0x00007FF685190000-0x00007FF6854E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234f4-12.dat	xmrig
behavioral2/files/0x0007000000023504-114.dat	xmrig
behavioral2/files/0x0007000000023506-119.dat	xmrig
behavioral2/memory/2904-120-0x00007FF62C610000-0x00007FF62C964000-memory.dmp	xmrig
behavioral2/files/0x0007000000023507-125.dat	xmrig
behavioral2/memory/4968-128-0x00007FF650FF0000-0x00007FF651344000-memory.dmp	xmrig
behavioral2/memory/3104-121-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp	xmrig
behavioral2/memory/5036-116-0x00007FF686E90000-0x00007FF6871E4000-memory.dmp	xmrig
behavioral2/memory/2624-130-0x00007FF649200000-0x00007FF649554000-memory.dmp	xmrig
behavioral2/memory/3476-129-0x00007FF685190000-0x00007FF6854E4000-memory.dmp	xmrig
behavioral2/memory/764-131-0x00007FF753D10000-0x00007FF754064000-memory.dmp	xmrig
behavioral2/memory/2184-132-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp	xmrig
behavioral2/memory/1076-133-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp	xmrig
behavioral2/memory/3148-134-0x00007FF68A620000-0x00007FF68A974000-memory.dmp	xmrig
behavioral2/memory/464-136-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	xmrig
behavioral2/memory/4156-135-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp	xmrig
behavioral2/memory/3104-137-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp	xmrig
behavioral2/memory/3476-138-0x00007FF685190000-0x00007FF6854E4000-memory.dmp	xmrig
behavioral2/memory/764-139-0x00007FF753D10000-0x00007FF754064000-memory.dmp	xmrig
behavioral2/memory/2184-140-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp	xmrig
behavioral2/memory/464-141-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	xmrig
behavioral2/memory/4156-142-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp	xmrig
behavioral2/memory/1076-143-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp	xmrig
behavioral2/memory/1444-145-0x00007FF686990000-0x00007FF686CE4000-memory.dmp	xmrig
behavioral2/memory/1776-144-0x00007FF73D8F0000-0x00007FF73DC44000-memory.dmp	xmrig
behavioral2/memory/3148-147-0x00007FF68A620000-0x00007FF68A974000-memory.dmp	xmrig
behavioral2/memory/1804-148-0x00007FF64A1B0000-0x00007FF64A504000-memory.dmp	xmrig
behavioral2/memory/1796-146-0x00007FF6264B0000-0x00007FF626804000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3104	LOalbtL.exe
3476	kZqFxmT.exe
764	PGbFWTs.exe
2184	zSroRFm.exe
1076	kdEbSEc.exe
4156	uVHadAf.exe
464	wTYNcZB.exe
3148	iLqyoOb.exe
1444	kMlnbQd.exe
1776	XCoRJdJ.exe
1796	BBwSKMG.exe
1804	KMFQxob.exe
1424	BYxKRdR.exe
4460	tBMyEhl.exe
4836	GfPvJlv.exe
344	TRsPIpd.exe
2908	YAVzCvY.exe
700	ZcYXNLv.exe
5036	bAOoLqy.exe
4968	YpJSfpK.exe
2624	mlXrUzH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2904-0-0x00007FF62C610000-0x00007FF62C964000-memory.dmp	upx
behavioral2/files/0x00080000000234f3-4.dat	upx
behavioral2/memory/3104-8-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp	upx
behavioral2/files/0x00070000000234f5-11.dat	upx
behavioral2/files/0x00070000000234f6-26.dat	upx
behavioral2/files/0x00070000000234f8-31.dat	upx
behavioral2/memory/1076-38-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp	upx
behavioral2/memory/464-44-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	upx
behavioral2/files/0x00070000000234fb-53.dat	upx
behavioral2/files/0x00070000000234fc-59.dat	upx
behavioral2/files/0x00070000000234ff-73.dat	upx
behavioral2/files/0x0007000000023500-78.dat	upx
behavioral2/files/0x0007000000023501-82.dat	upx
behavioral2/memory/1444-92-0x00007FF686990000-0x00007FF686CE4000-memory.dmp	upx
behavioral2/memory/1804-97-0x00007FF64A1B0000-0x00007FF64A504000-memory.dmp	upx
behavioral2/memory/4460-105-0x00007FF67F8B0000-0x00007FF67FC04000-memory.dmp	upx
behavioral2/memory/2908-108-0x00007FF741190000-0x00007FF7414E4000-memory.dmp	upx
behavioral2/memory/1776-110-0x00007FF73D8F0000-0x00007FF73DC44000-memory.dmp	upx
behavioral2/memory/700-109-0x00007FF7429A0000-0x00007FF742CF4000-memory.dmp	upx
behavioral2/memory/344-107-0x00007FF6780B0000-0x00007FF678404000-memory.dmp	upx
behavioral2/memory/4836-106-0x00007FF7219B0000-0x00007FF721D04000-memory.dmp	upx
behavioral2/files/0x0007000000023503-103.dat	upx
behavioral2/files/0x00080000000234f1-101.dat	upx
behavioral2/files/0x0007000000023502-99.dat	upx
behavioral2/memory/1424-98-0x00007FF6B4C10000-0x00007FF6B4F64000-memory.dmp	upx
behavioral2/memory/1796-96-0x00007FF6264B0000-0x00007FF626804000-memory.dmp	upx
behavioral2/files/0x00070000000234fe-69.dat	upx
behavioral2/files/0x00070000000234fd-64.dat	upx
behavioral2/files/0x00070000000234fa-51.dat	upx
behavioral2/files/0x00070000000234f9-43.dat	upx
behavioral2/memory/4156-41-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp	upx
behavioral2/files/0x00070000000234f7-40.dat	upx
behavioral2/memory/3148-39-0x00007FF68A620000-0x00007FF68A974000-memory.dmp	upx
behavioral2/memory/2184-34-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp	upx
behavioral2/memory/764-27-0x00007FF753D10000-0x00007FF754064000-memory.dmp	upx
behavioral2/memory/3476-17-0x00007FF685190000-0x00007FF6854E4000-memory.dmp	upx
behavioral2/files/0x00070000000234f4-12.dat	upx
behavioral2/files/0x0007000000023504-114.dat	upx
behavioral2/files/0x0007000000023506-119.dat	upx
behavioral2/memory/2904-120-0x00007FF62C610000-0x00007FF62C964000-memory.dmp	upx
behavioral2/files/0x0007000000023507-125.dat	upx
behavioral2/memory/4968-128-0x00007FF650FF0000-0x00007FF651344000-memory.dmp	upx
behavioral2/memory/3104-121-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp	upx
behavioral2/memory/5036-116-0x00007FF686E90000-0x00007FF6871E4000-memory.dmp	upx
behavioral2/memory/2624-130-0x00007FF649200000-0x00007FF649554000-memory.dmp	upx
behavioral2/memory/3476-129-0x00007FF685190000-0x00007FF6854E4000-memory.dmp	upx
behavioral2/memory/764-131-0x00007FF753D10000-0x00007FF754064000-memory.dmp	upx
behavioral2/memory/2184-132-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp	upx
behavioral2/memory/1076-133-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp	upx
behavioral2/memory/3148-134-0x00007FF68A620000-0x00007FF68A974000-memory.dmp	upx
behavioral2/memory/464-136-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	upx
behavioral2/memory/4156-135-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp	upx
behavioral2/memory/3104-137-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp	upx
behavioral2/memory/3476-138-0x00007FF685190000-0x00007FF6854E4000-memory.dmp	upx
behavioral2/memory/764-139-0x00007FF753D10000-0x00007FF754064000-memory.dmp	upx
behavioral2/memory/2184-140-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp	upx
behavioral2/memory/464-141-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	upx
behavioral2/memory/4156-142-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp	upx
behavioral2/memory/1076-143-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp	upx
behavioral2/memory/1444-145-0x00007FF686990000-0x00007FF686CE4000-memory.dmp	upx
behavioral2/memory/1776-144-0x00007FF73D8F0000-0x00007FF73DC44000-memory.dmp	upx
behavioral2/memory/3148-147-0x00007FF68A620000-0x00007FF68A974000-memory.dmp	upx
behavioral2/memory/1804-148-0x00007FF64A1B0000-0x00007FF64A504000-memory.dmp	upx
behavioral2/memory/1796-146-0x00007FF6264B0000-0x00007FF626804000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GfPvJlv.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\YpJSfpK.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\uVHadAf.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\BYxKRdR.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\XCoRJdJ.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ZcYXNLv.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\mlXrUzH.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\kZqFxmT.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\kdEbSEc.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\zSroRFm.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\wTYNcZB.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\kMlnbQd.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\BBwSKMG.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\KMFQxob.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\TRsPIpd.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\LOalbtL.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\PGbFWTs.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\YAVzCvY.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\bAOoLqy.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\iLqyoOb.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\tBMyEhl.exe	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3104	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	85
PID 2904 wrote to memory of 3104	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	85
PID 2904 wrote to memory of 3476	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	86
PID 2904 wrote to memory of 3476	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	86
PID 2904 wrote to memory of 764	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	87
PID 2904 wrote to memory of 764	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	87
PID 2904 wrote to memory of 2184	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	88
PID 2904 wrote to memory of 2184	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	88
PID 2904 wrote to memory of 1076	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	89
PID 2904 wrote to memory of 1076	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	89
PID 2904 wrote to memory of 4156	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	90
PID 2904 wrote to memory of 4156	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	90
PID 2904 wrote to memory of 464	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	91
PID 2904 wrote to memory of 464	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	91
PID 2904 wrote to memory of 3148	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	92
PID 2904 wrote to memory of 3148	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	92
PID 2904 wrote to memory of 1444	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	93
PID 2904 wrote to memory of 1444	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	93
PID 2904 wrote to memory of 1776	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	94
PID 2904 wrote to memory of 1776	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	94
PID 2904 wrote to memory of 1796	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	95
PID 2904 wrote to memory of 1796	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	95
PID 2904 wrote to memory of 1804	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	96
PID 2904 wrote to memory of 1804	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	96
PID 2904 wrote to memory of 1424	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	97
PID 2904 wrote to memory of 1424	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	97
PID 2904 wrote to memory of 4460	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	98
PID 2904 wrote to memory of 4460	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	98
PID 2904 wrote to memory of 4836	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	99
PID 2904 wrote to memory of 4836	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	99
PID 2904 wrote to memory of 344	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	101
PID 2904 wrote to memory of 344	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	101
PID 2904 wrote to memory of 2908	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	102
PID 2904 wrote to memory of 2908	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	102
PID 2904 wrote to memory of 700	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	103
PID 2904 wrote to memory of 700	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	103
PID 2904 wrote to memory of 5036	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	104
PID 2904 wrote to memory of 5036	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	104
PID 2904 wrote to memory of 4968	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	106
PID 2904 wrote to memory of 4968	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	106
PID 2904 wrote to memory of 2624	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	107
PID 2904 wrote to memory of 2624	2904	202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe	107

C:\Users\Admin\AppData\Local\Temp\202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\202408243d969de7f5c82111ed2bc8f3401c124acobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System\LOalbtL.exe
  C:\Windows\System\LOalbtL.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\kZqFxmT.exe
  C:\Windows\System\kZqFxmT.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\PGbFWTs.exe
  C:\Windows\System\PGbFWTs.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\zSroRFm.exe
  C:\Windows\System\zSroRFm.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\kdEbSEc.exe
  C:\Windows\System\kdEbSEc.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\uVHadAf.exe
  C:\Windows\System\uVHadAf.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\wTYNcZB.exe
  C:\Windows\System\wTYNcZB.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\iLqyoOb.exe
  C:\Windows\System\iLqyoOb.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\kMlnbQd.exe
  C:\Windows\System\kMlnbQd.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\XCoRJdJ.exe
  C:\Windows\System\XCoRJdJ.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\BBwSKMG.exe
  C:\Windows\System\BBwSKMG.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\KMFQxob.exe
  C:\Windows\System\KMFQxob.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\BYxKRdR.exe
  C:\Windows\System\BYxKRdR.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\tBMyEhl.exe
  C:\Windows\System\tBMyEhl.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\GfPvJlv.exe
  C:\Windows\System\GfPvJlv.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\TRsPIpd.exe
  C:\Windows\System\TRsPIpd.exe
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\System\YAVzCvY.exe
  C:\Windows\System\YAVzCvY.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\ZcYXNLv.exe
  C:\Windows\System\ZcYXNLv.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\bAOoLqy.exe
  C:\Windows\System\bAOoLqy.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\YpJSfpK.exe
  C:\Windows\System\YpJSfpK.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\mlXrUzH.exe
  C:\Windows\System\mlXrUzH.exe
  2⤵
  - Executes dropped EXE
  PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BBwSKMG.exe

Filesize
5.9MB

MD5
a0d30a5ee1e905d76b9b056839b891ec

SHA1
154079e775d41b5060f12fe9efe27965b5643772

SHA256
b380237e6fdffa757c0db1a95498d2eedb216d3fc3e3ffeacb69c2f93561a0b4

SHA512
06b8ff82489cb323bc38b9dca63396d5554f5697ed208d60eca6d38a6efdb6b13c75cf094c086747030b75272335e509502b108919128a36e3d9a7f3f869ad0e

Download Submit
C:\Windows\System\BYxKRdR.exe

Filesize
5.9MB

MD5
113346c2e0b01c0b41aec7f73a5ad080

SHA1
894505ebc23dca098659f5d4dc5ef48272fe28b2

SHA256
12cf4de61842ae4476ee4c38bddc904193882d24d4c98486b5ec77813104db67

SHA512
b0afadcf658978da1fe09908d2eb45c25b96fb4b93444bfd6704589ba903bdb0e2aadfcf5020a13f39555c068e406bac31dd0965281d537bc3712251fc866536

Download Submit
C:\Windows\System\GfPvJlv.exe

Filesize
5.9MB

MD5
5c713601a0fbcbfc6865be296d0ff594

SHA1
a4ba538e6dc612f74a9b279c186e7370ec6df8ee

SHA256
be55397dd66ba4c106784eecf0e8e62526c033055e294c9e02e889f93234ae7d

SHA512
ccf0a43fb923901b85320d33824e6444f974a38ba5c504aa6b42605f5fac791491d6a0ad6c0c78a4c52de4b126f934e8f7a8f41b61d406ab75f306c21d0f0d2e

Download Submit
C:\Windows\System\KMFQxob.exe

Filesize
5.9MB

MD5
91de053fa7c3ca4623aab5bd77a7df3e

SHA1
130cb7a3c53b3e18533a6139a6b0b8bf7fd97de5

SHA256
5e48f677e4b588feda099f9c2e95d1a2825c6daa5f3923408c7bf0773c971941

SHA512
6f2e850df274cb88b226e38e40564827c6883a2d05dde6ebedded87af4daeab2a83fddb4401c6d90f0068b21fa1de378d10a4e59207f71d92b9ae96748fe9f48

Download Submit
C:\Windows\System\LOalbtL.exe

Filesize
5.9MB

MD5
703546d036005f4436ce9b10946a0d38

SHA1
60579a2c92a16703236b3529f87db0a70f6185d4

SHA256
68b1b4bb9f7dbbdfaa92bf8501911f8b516473dfa6641c489432138fc16278b9

SHA512
0a58ea7702ab513d968f4c6559487a4e0d4a8c8904e13a5039209c7a7c4503192ed0eb4af97ac9d536a4561984c1e1c5b63363f0b350f9d24dc279fa822b8193

Download Submit
C:\Windows\System\PGbFWTs.exe

Filesize
5.9MB

MD5
2ca32ce632ed311845b99e4b8ce92794

SHA1
b60e35aa50586185df2ec153c543dea743b369b7

SHA256
436555a2d3c8cb89e1ef6ba0e771cf995284dd494bda7297ef143bbf4977fa93

SHA512
3d85370c09988140a04157601b71feb5a39d22643603e076340302adaf505912224723e663c38c80383ed263d0e4852775051d72d7cd6ab44483c0cb17e5ccae

Download Submit
C:\Windows\System\TRsPIpd.exe

Filesize
5.9MB

MD5
2d2ea6ee70be2d2d00e5866437f7f314

SHA1
75c055aceebbaa73da4ce654d47d50a0b4b04b25

SHA256
93cf53b0fa8e0921272c3100a096fd343e145d17c1a9ed7e58433143ff432859

SHA512
13b8890032e6fa2bd363441878c1dfd6e25d6ad72646928d42b9bec3513c1512281a072283d40a45cf333427a9ecde386de201b18d5272fe78dec73efb05c700

Download Submit
C:\Windows\System\XCoRJdJ.exe

Filesize
5.9MB

MD5
2440378f102132c5720615868573aaf7

SHA1
0253604f4ad747b932971e6301c742f5de6e965d

SHA256
a14cf0507614ecb0385ca31e3c12ee25d949382714d7625621c1b67f6922dbee

SHA512
f25faa036c8eee5a3d242ecddf0757b64aaced9c34b3eb39f63bc3f488b8e2b0180b2cd7d6a0db2f1d9d9fa5cf9a415df823187ac43ebf02fab2f9ba1c31dc6b

Download Submit
C:\Windows\System\YAVzCvY.exe

Filesize
5.9MB

MD5
3af539bba9934f6525f6ff5928fa7a3a

SHA1
1a8448accdd4dec7dc0f8b9ed087fd67a585e8da

SHA256
59096c8e67839af9941e82b5e0bafe8f967c269f2d991618d22bc95eeb82bc0c

SHA512
7c6c60ba55e7acced4b28482a774f7bb1f102711c3dd911c7323c4b8ae0a07f65501d109c02101568c1ff4f7e78911c3e1544e9a4f8022d041935d313281d5c8

Download Submit
C:\Windows\System\YpJSfpK.exe

Filesize
5.9MB

MD5
f6f5e6f5599ce7420032d569dfdb8f58

SHA1
6ade2e4203257a7ac51c43b22c03914bc679d5ae

SHA256
2602ce5a2bead8262798064ba0fa873ef2bd39d1553ecda0289731fcd48fd1d3

SHA512
c63982dd9b8ab3a00a39729bf3ba16f9c43bdce64a2f464cf9a80e7d2766e3d5da2fae110fc16671e05ae9a78df42db049c16e5f8da655a62665735b5ea197ce

Download Submit
C:\Windows\System\ZcYXNLv.exe

Filesize
5.9MB

MD5
079e05c9f8e2f45c937fb069625a9410

SHA1
56b598095d5cb1800df44560d0b9e8f3bec0b767

SHA256
dd5fae058a576d46e0f865706cee465a5fc654547ab92c712b3b5860573457b3

SHA512
9678b1b9226ee0a6fa08b213cd65d831bf627c472dc554212dba02ecf96913543b994740c7e1a516fa19202f75c30b204f1375a6b1e4aa4885f9b4dd41b4a2dc

Download Submit
C:\Windows\System\bAOoLqy.exe

Filesize
5.9MB

MD5
5f7637161e4372bf0e666bc6805c00a2

SHA1
b3ce7e7a945aa9410078613df0fc5af0ce84606d

SHA256
1cc1b189ad5a4dab251ad48eecb737ca2b09e820680100412e4ba2b9bf5da8af

SHA512
9e60505e9837bc308d8fceea24889a6aeeb5eb633244ae16f706be657dc3bac534329a2c596db29c4ce0e406a54a220b5d1f6f9203618e6d07f87718b60e8822

Download Submit
C:\Windows\System\iLqyoOb.exe

Filesize
5.9MB

MD5
5db865f2433a3ac12a8467f5e246e91f

SHA1
2a4077e44b2d57dad886f2c85e085d7af8a525ad

SHA256
59241f58b155f186142c4531b27f2d068e379c4c76d0752acf18688dcd609169

SHA512
1ddf36265e634c8d1ba5514db72a0bbbf97baa86d6070c9f2363e97bcdebc276d05a7c54436d374bf9d9df0c71559593bc7d9fed4323f8ef2a583bfd205a4aed

Download Submit
C:\Windows\System\kMlnbQd.exe

Filesize
5.9MB

MD5
fa1ae8ae3e639193827df7ddbb6715b6

SHA1
5ee78c45623e06d7cc4b810483c08847bb1412f0

SHA256
7d9398c19f0bf219d27fa933cc0c1cd907cd3fd382d1e4fc543f05a9b1d701e3

SHA512
2cfb05bdfc1db6f0ed116681f42b6f802c48ebc3d67cdb3dcabed4df8605c89d611b10db9e571c48d871012879f18852e763d9dec59212a33175aabe0b62f171

Download Submit
C:\Windows\System\kZqFxmT.exe

Filesize
5.9MB

MD5
755ebce51ea0a064f3629b4de52744c6

SHA1
23288d7696f82111d87ad49ff9e9b1335c9181b0

SHA256
4ac1e137a0ba2b97f17a59b7009a6adc596fc9dbc40f2c62335ce528854a1545

SHA512
b3e4e8c20f75947287c9888ce850f63e41ce882c82a4849f8ce2057b82431e76185b1f1fba0e699ce8c7e7290d2f85ed1bbf8cca885a881f0d2531c4c4dabc7d

Download Submit
C:\Windows\System\kdEbSEc.exe

Filesize
5.9MB

MD5
f84e66e53796602e9208ec56caba54ea

SHA1
a2901431a1959bbce5fb7fada0daaac1d51d68bb

SHA256
5075e73846bfb5a75999634e47a8e996552fdb93aabc00bd901766ce5273af4c

SHA512
0e4d7187077910a0fb6b2794eaa38d165f5684f9981c42e94b894d4e70f9ad704fc9e6a42d7acc9ae15652a2cb3771ae4ab175c25418126d403d75e413f775f2

Download Submit
C:\Windows\System\mlXrUzH.exe

Filesize
5.9MB

MD5
fe1b4127d94cb88c6fc41caa7ebe2f4e

SHA1
a49e71b6308dbeacfcad7bb94a5d93e198a1875d

SHA256
2c877478f46c53199241b9d1512d9f7f88b6d5f57d54f12525255c72c932c436

SHA512
715c0a159f03ba58e886529b13b9191b871bd39a439f615c96f70ce255b4835c7c4395ed18b02ed32ba563adf9ff9b8c7829f4ea4b2e22619d485fa7d5813c8c

Download Submit
C:\Windows\System\tBMyEhl.exe

Filesize
5.9MB

MD5
58dcdfd8badb948d3c7d474121645746

SHA1
3ce49beeacc1fe5bd5d5be177f723e72986008b0

SHA256
e2f56094e6a97edceb237971870f5ffea3301d4fb09e44529d9a9526e2d6dcdf

SHA512
b4dc72d9ce826ead4b3cb51bdc54a63c984803809062057de177655a55bb2ce8f2343acac02ae89e68b078e4618bd204678bd20bff7cf77e36cc0eab71395517

Download Submit
C:\Windows\System\uVHadAf.exe

Filesize
5.9MB

MD5
a1ae6035a6d8fd6b50324be0f3eccc7b

SHA1
41bff1df71c335f4c03a45eb72eb8286138346dc

SHA256
383ed9ca730f096e971a3d2382a7457934cc73f2cad76dce8003b90c99262dbc

SHA512
a9fe2058fd24f46e0a324edf3416877387396689393eb0144b3d9122f2483e0c5a95a30d9d8b4c75e0d79f1adb69f44037c49d1635c15c94d0ab67a0ef5220ce

Download Submit
C:\Windows\System\wTYNcZB.exe

Filesize
5.9MB

MD5
883c90ae831e1b73fa20b45ad94f2176

SHA1
27bef9ef833aac2688b6e847f238d1a770f36950

SHA256
f69573bb7217d7360175138b946c56fb162c8b6befee3fe261c2f5f266506b1d

SHA512
6790c7643d8536957b2635486b27d8d9d867de5bd8f155bda028aaf75dbb48add62049ba8ff28d2e615732b51f997415cec9cdee4926f97a5a409ce3634d2d8d

Download Submit
C:\Windows\System\zSroRFm.exe

Filesize
5.9MB

MD5
f663082b125de3eb11b7361796b814f9

SHA1
ccaac1eddf8aaaa8e852b25c1cf123c4ead70847

SHA256
cdda7cf48c4f20f814787a00479ddfd33d0401deade8631fa78c34d60caeb649

SHA512
1788bb20723dccc4c156da398e3739382270c53793919bf61571a567eaf8b2560629debe64a6e6519945bb05d4181fefa0657732f4ce50f4b5d3f3eadd3bbe4f

Download Submit
memory/344-107-0x00007FF6780B0000-0x00007FF678404000-memory.dmp

Filesize
3.3MB

Download
memory/344-153-0x00007FF6780B0000-0x00007FF678404000-memory.dmp

Filesize
3.3MB

Download
memory/464-141-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/464-136-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/464-44-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/700-109-0x00007FF7429A0000-0x00007FF742CF4000-memory.dmp

Filesize
3.3MB

Download
memory/700-150-0x00007FF7429A0000-0x00007FF742CF4000-memory.dmp

Filesize
3.3MB

Download
memory/764-139-0x00007FF753D10000-0x00007FF754064000-memory.dmp

Filesize
3.3MB

Download
memory/764-131-0x00007FF753D10000-0x00007FF754064000-memory.dmp

Filesize
3.3MB

Download
memory/764-27-0x00007FF753D10000-0x00007FF754064000-memory.dmp

Filesize
3.3MB

Download
memory/1076-38-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp

Filesize
3.3MB

Download
memory/1076-143-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp

Filesize
3.3MB

Download
memory/1076-133-0x00007FF7873A0000-0x00007FF7876F4000-memory.dmp

Filesize
3.3MB

Download
memory/1424-98-0x00007FF6B4C10000-0x00007FF6B4F64000-memory.dmp

Filesize
3.3MB

Download
memory/1424-154-0x00007FF6B4C10000-0x00007FF6B4F64000-memory.dmp

Filesize
3.3MB

Download
memory/1444-92-0x00007FF686990000-0x00007FF686CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1444-145-0x00007FF686990000-0x00007FF686CE4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-110-0x00007FF73D8F0000-0x00007FF73DC44000-memory.dmp

Filesize
3.3MB

Download
memory/1776-144-0x00007FF73D8F0000-0x00007FF73DC44000-memory.dmp

Filesize
3.3MB

Download
memory/1796-96-0x00007FF6264B0000-0x00007FF626804000-memory.dmp

Filesize
3.3MB

Download
memory/1796-146-0x00007FF6264B0000-0x00007FF626804000-memory.dmp

Filesize
3.3MB

Download
memory/1804-148-0x00007FF64A1B0000-0x00007FF64A504000-memory.dmp

Filesize
3.3MB

Download
memory/1804-97-0x00007FF64A1B0000-0x00007FF64A504000-memory.dmp

Filesize
3.3MB

Download
memory/2184-140-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp

Filesize
3.3MB

Download
memory/2184-34-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp

Filesize
3.3MB

Download
memory/2184-132-0x00007FF6B9AE0000-0x00007FF6B9E34000-memory.dmp

Filesize
3.3MB

Download
memory/2624-157-0x00007FF649200000-0x00007FF649554000-memory.dmp

Filesize
3.3MB

Download
memory/2624-130-0x00007FF649200000-0x00007FF649554000-memory.dmp

Filesize
3.3MB

Download
memory/2904-1-0x00000257528B0000-0x00000257528C0000-memory.dmp

Filesize
64KB

Download
memory/2904-0-0x00007FF62C610000-0x00007FF62C964000-memory.dmp

Filesize
3.3MB

Download
memory/2904-120-0x00007FF62C610000-0x00007FF62C964000-memory.dmp

Filesize
3.3MB

Download
memory/2908-151-0x00007FF741190000-0x00007FF7414E4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-108-0x00007FF741190000-0x00007FF7414E4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-121-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp

Filesize
3.3MB

Download
memory/3104-137-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp

Filesize
3.3MB

Download
memory/3104-8-0x00007FF7A6440000-0x00007FF7A6794000-memory.dmp

Filesize
3.3MB

Download
memory/3148-39-0x00007FF68A620000-0x00007FF68A974000-memory.dmp

Filesize
3.3MB

Download
memory/3148-147-0x00007FF68A620000-0x00007FF68A974000-memory.dmp

Filesize
3.3MB

Download
memory/3148-134-0x00007FF68A620000-0x00007FF68A974000-memory.dmp

Filesize
3.3MB

Download
memory/3476-17-0x00007FF685190000-0x00007FF6854E4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-129-0x00007FF685190000-0x00007FF6854E4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-138-0x00007FF685190000-0x00007FF6854E4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-135-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-142-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-41-0x00007FF72AE80000-0x00007FF72B1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4460-105-0x00007FF67F8B0000-0x00007FF67FC04000-memory.dmp

Filesize
3.3MB

Download
memory/4460-149-0x00007FF67F8B0000-0x00007FF67FC04000-memory.dmp

Filesize
3.3MB

Download
memory/4836-152-0x00007FF7219B0000-0x00007FF721D04000-memory.dmp

Filesize
3.3MB

Download
memory/4836-106-0x00007FF7219B0000-0x00007FF721D04000-memory.dmp

Filesize
3.3MB

Download
memory/4968-156-0x00007FF650FF0000-0x00007FF651344000-memory.dmp

Filesize
3.3MB

Download
memory/4968-128-0x00007FF650FF0000-0x00007FF651344000-memory.dmp

Filesize
3.3MB

Download
memory/5036-116-0x00007FF686E90000-0x00007FF6871E4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-155-0x00007FF686E90000-0x00007FF6871E4000-memory.dmp

Filesize
3.3MB

Download