cobaltstrike | 53bde463243f5bea2a3589092f8edf6afedac375e50f432c123b7192e1020495

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
Size

5.2MB
MD5

35c8a93dbf93fd08120576a1e897aedd
SHA1

2fda979e31b8c182bfb8da8600c2c10ced858bae
SHA256

53bde463243f5bea2a3589092f8edf6afedac375e50f432c123b7192e1020495
SHA512

543a2dbc2408bf75f88144c16d92387adc6de9b296119c22f374755e56186a395b7b2d968a82500db0f652b2913aedad91b9b7c015c9c47369bbd45c56922c6a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibf56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234a0-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a4-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a7-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a9-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ab-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-56.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a1-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234aa-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a8-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a6-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-87.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-130.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-138.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-136.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1468-72-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp	xmrig
behavioral2/memory/464-77-0x00007FF748AD0000-0x00007FF748E21000-memory.dmp	xmrig
behavioral2/memory/2164-84-0x00007FF7B6B60000-0x00007FF7B6EB1000-memory.dmp	xmrig
behavioral2/memory/1532-83-0x00007FF654810000-0x00007FF654B61000-memory.dmp	xmrig
behavioral2/memory/3140-92-0x00007FF779220000-0x00007FF779571000-memory.dmp	xmrig
behavioral2/memory/64-89-0x00007FF7A9A40000-0x00007FF7A9D91000-memory.dmp	xmrig
behavioral2/memory/1856-119-0x00007FF641070000-0x00007FF6413C1000-memory.dmp	xmrig
behavioral2/memory/2372-135-0x00007FF7590B0000-0x00007FF759401000-memory.dmp	xmrig
behavioral2/memory/3772-132-0x00007FF67FE10000-0x00007FF680161000-memory.dmp	xmrig
behavioral2/memory/1868-118-0x00007FF7CED30000-0x00007FF7CF081000-memory.dmp	xmrig
behavioral2/memory/2612-117-0x00007FF76EA00000-0x00007FF76ED51000-memory.dmp	xmrig
behavioral2/memory/3128-113-0x00007FF6A5780000-0x00007FF6A5AD1000-memory.dmp	xmrig
behavioral2/memory/468-112-0x00007FF69C480000-0x00007FF69C7D1000-memory.dmp	xmrig
behavioral2/memory/924-110-0x00007FF799240000-0x00007FF799591000-memory.dmp	xmrig
behavioral2/memory/1468-140-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp	xmrig
behavioral2/memory/3276-154-0x00007FF745950000-0x00007FF745CA1000-memory.dmp	xmrig
behavioral2/memory/4448-155-0x00007FF624AF0000-0x00007FF624E41000-memory.dmp	xmrig
behavioral2/memory/5068-153-0x00007FF661290000-0x00007FF6615E1000-memory.dmp	xmrig
behavioral2/memory/4040-156-0x00007FF74F1E0000-0x00007FF74F531000-memory.dmp	xmrig
behavioral2/memory/1876-160-0x00007FF7A3780000-0x00007FF7A3AD1000-memory.dmp	xmrig
behavioral2/memory/1832-163-0x00007FF76B780000-0x00007FF76BAD1000-memory.dmp	xmrig
behavioral2/memory/3116-164-0x00007FF7D3680000-0x00007FF7D39D1000-memory.dmp	xmrig
behavioral2/memory/2864-162-0x00007FF7C5C30000-0x00007FF7C5F81000-memory.dmp	xmrig
behavioral2/memory/1468-165-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp	xmrig
behavioral2/memory/464-219-0x00007FF748AD0000-0x00007FF748E21000-memory.dmp	xmrig
behavioral2/memory/1532-221-0x00007FF654810000-0x00007FF654B61000-memory.dmp	xmrig
behavioral2/memory/2164-223-0x00007FF7B6B60000-0x00007FF7B6EB1000-memory.dmp	xmrig
behavioral2/memory/64-225-0x00007FF7A9A40000-0x00007FF7A9D91000-memory.dmp	xmrig
behavioral2/memory/924-233-0x00007FF799240000-0x00007FF799591000-memory.dmp	xmrig
behavioral2/memory/468-235-0x00007FF69C480000-0x00007FF69C7D1000-memory.dmp	xmrig
behavioral2/memory/3140-237-0x00007FF779220000-0x00007FF779571000-memory.dmp	xmrig
behavioral2/memory/1868-239-0x00007FF7CED30000-0x00007FF7CF081000-memory.dmp	xmrig
behavioral2/memory/1856-241-0x00007FF641070000-0x00007FF6413C1000-memory.dmp	xmrig
behavioral2/memory/2372-244-0x00007FF7590B0000-0x00007FF759401000-memory.dmp	xmrig
behavioral2/memory/3772-245-0x00007FF67FE10000-0x00007FF680161000-memory.dmp	xmrig
behavioral2/memory/3276-248-0x00007FF745950000-0x00007FF745CA1000-memory.dmp	xmrig
behavioral2/memory/5068-249-0x00007FF661290000-0x00007FF6615E1000-memory.dmp	xmrig
behavioral2/memory/4448-258-0x00007FF624AF0000-0x00007FF624E41000-memory.dmp	xmrig
behavioral2/memory/4040-260-0x00007FF74F1E0000-0x00007FF74F531000-memory.dmp	xmrig
behavioral2/memory/3128-262-0x00007FF6A5780000-0x00007FF6A5AD1000-memory.dmp	xmrig
behavioral2/memory/2612-264-0x00007FF76EA00000-0x00007FF76ED51000-memory.dmp	xmrig
behavioral2/memory/1876-266-0x00007FF7A3780000-0x00007FF7A3AD1000-memory.dmp	xmrig
behavioral2/memory/3116-268-0x00007FF7D3680000-0x00007FF7D39D1000-memory.dmp	xmrig
behavioral2/memory/1832-271-0x00007FF76B780000-0x00007FF76BAD1000-memory.dmp	xmrig
behavioral2/memory/2864-272-0x00007FF7C5C30000-0x00007FF7C5F81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
464	uEHOqjW.exe
1532	ZWCOFvc.exe
2164	OnneFXq.exe
64	fSSaQja.exe
924	ZpFTscL.exe
3140	wVAUVoV.exe
468	snxrKuq.exe
1868	XyENCul.exe
1856	eqLVcKd.exe
3772	OjqHBjW.exe
2372	YWfjktm.exe
3276	YtVuDfE.exe
5068	yjytoTS.exe
4448	lXJWUYq.exe
4040	PAQLEvO.exe
3128	HQPqDAv.exe
2612	xMfoAqc.exe
1876	DkvBwHH.exe
3116	AYLvvDH.exe
2864	CfsYjHV.exe
1832	hbqUEuI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1468-0-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp	upx
behavioral2/files/0x00080000000234a0-6.dat	upx
behavioral2/memory/464-7-0x00007FF748AD0000-0x00007FF748E21000-memory.dmp	upx
behavioral2/files/0x00070000000234a4-10.dat	upx
behavioral2/files/0x00070000000234a5-11.dat	upx
behavioral2/memory/1532-13-0x00007FF654810000-0x00007FF654B61000-memory.dmp	upx
behavioral2/files/0x00070000000234a7-26.dat	upx
behavioral2/files/0x00070000000234a9-36.dat	upx
behavioral2/files/0x00070000000234ab-50.dat	upx
behavioral2/files/0x00070000000234ac-56.dat	upx
behavioral2/files/0x00080000000234a1-71.dat	upx
behavioral2/memory/1468-72-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-81.dat	upx
behavioral2/memory/5068-78-0x00007FF661290000-0x00007FF6615E1000-memory.dmp	upx
behavioral2/memory/464-77-0x00007FF748AD0000-0x00007FF748E21000-memory.dmp	upx
behavioral2/memory/3276-75-0x00007FF745950000-0x00007FF745CA1000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-67.dat	upx
behavioral2/memory/2372-66-0x00007FF7590B0000-0x00007FF759401000-memory.dmp	upx
behavioral2/memory/3772-60-0x00007FF67FE10000-0x00007FF680161000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-55.dat	upx
behavioral2/memory/1856-54-0x00007FF641070000-0x00007FF6413C1000-memory.dmp	upx
behavioral2/memory/1868-51-0x00007FF7CED30000-0x00007FF7CF081000-memory.dmp	upx
behavioral2/files/0x00070000000234a8-43.dat	upx
behavioral2/memory/468-42-0x00007FF69C480000-0x00007FF69C7D1000-memory.dmp	upx
behavioral2/memory/924-41-0x00007FF799240000-0x00007FF799591000-memory.dmp	upx
behavioral2/memory/64-32-0x00007FF7A9A40000-0x00007FF7A9D91000-memory.dmp	upx
behavioral2/memory/3140-37-0x00007FF779220000-0x00007FF779571000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-27.dat	upx
behavioral2/memory/2164-25-0x00007FF7B6B60000-0x00007FF7B6EB1000-memory.dmp	upx
behavioral2/memory/2164-84-0x00007FF7B6B60000-0x00007FF7B6EB1000-memory.dmp	upx
behavioral2/memory/1532-83-0x00007FF654810000-0x00007FF654B61000-memory.dmp	upx
behavioral2/files/0x00070000000234af-87.dat	upx
behavioral2/memory/3140-92-0x00007FF779220000-0x00007FF779571000-memory.dmp	upx
behavioral2/memory/4040-98-0x00007FF74F1E0000-0x00007FF74F531000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-100.dat	upx
behavioral2/files/0x00070000000234b3-107.dat	upx
behavioral2/files/0x00070000000234b2-104.dat	upx
behavioral2/memory/4448-95-0x00007FF624AF0000-0x00007FF624E41000-memory.dmp	upx
behavioral2/memory/64-89-0x00007FF7A9A40000-0x00007FF7A9D91000-memory.dmp	upx
behavioral2/memory/1856-119-0x00007FF641070000-0x00007FF6413C1000-memory.dmp	upx
behavioral2/memory/1876-122-0x00007FF7A3780000-0x00007FF7A3AD1000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-130.dat	upx
behavioral2/memory/2864-133-0x00007FF7C5C30000-0x00007FF7C5F81000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-138.dat	upx
behavioral2/files/0x00070000000234b6-136.dat	upx
behavioral2/memory/2372-135-0x00007FF7590B0000-0x00007FF759401000-memory.dmp	upx
behavioral2/memory/1832-134-0x00007FF76B780000-0x00007FF76BAD1000-memory.dmp	upx
behavioral2/memory/3772-132-0x00007FF67FE10000-0x00007FF680161000-memory.dmp	upx
behavioral2/memory/3116-121-0x00007FF7D3680000-0x00007FF7D39D1000-memory.dmp	upx
behavioral2/files/0x00070000000234b4-126.dat	upx
behavioral2/memory/1868-118-0x00007FF7CED30000-0x00007FF7CF081000-memory.dmp	upx
behavioral2/memory/2612-117-0x00007FF76EA00000-0x00007FF76ED51000-memory.dmp	upx
behavioral2/memory/3128-113-0x00007FF6A5780000-0x00007FF6A5AD1000-memory.dmp	upx
behavioral2/memory/468-112-0x00007FF69C480000-0x00007FF69C7D1000-memory.dmp	upx
behavioral2/memory/924-110-0x00007FF799240000-0x00007FF799591000-memory.dmp	upx
behavioral2/memory/1468-140-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp	upx
behavioral2/memory/3276-154-0x00007FF745950000-0x00007FF745CA1000-memory.dmp	upx
behavioral2/memory/4448-155-0x00007FF624AF0000-0x00007FF624E41000-memory.dmp	upx
behavioral2/memory/5068-153-0x00007FF661290000-0x00007FF6615E1000-memory.dmp	upx
behavioral2/memory/4040-156-0x00007FF74F1E0000-0x00007FF74F531000-memory.dmp	upx
behavioral2/memory/1876-160-0x00007FF7A3780000-0x00007FF7A3AD1000-memory.dmp	upx
behavioral2/memory/1832-163-0x00007FF76B780000-0x00007FF76BAD1000-memory.dmp	upx
behavioral2/memory/3116-164-0x00007FF7D3680000-0x00007FF7D39D1000-memory.dmp	upx
behavioral2/memory/2864-162-0x00007FF7C5C30000-0x00007FF7C5F81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZWCOFvc.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\yjytoTS.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\lXJWUYq.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\xMfoAqc.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\AYLvvDH.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\uEHOqjW.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\snxrKuq.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\CfsYjHV.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ZpFTscL.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\XyENCul.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\YtVuDfE.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\PAQLEvO.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\DkvBwHH.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\wVAUVoV.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\fSSaQja.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\eqLVcKd.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\OjqHBjW.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\YWfjktm.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\HQPqDAv.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\hbqUEuI.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\OnneFXq.exe	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 464	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	85
PID 1468 wrote to memory of 464	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	85
PID 1468 wrote to memory of 1532	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	86
PID 1468 wrote to memory of 1532	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	86
PID 1468 wrote to memory of 2164	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	87
PID 1468 wrote to memory of 2164	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	87
PID 1468 wrote to memory of 64	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	88
PID 1468 wrote to memory of 64	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	88
PID 1468 wrote to memory of 924	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	89
PID 1468 wrote to memory of 924	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	89
PID 1468 wrote to memory of 3140	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	90
PID 1468 wrote to memory of 3140	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	90
PID 1468 wrote to memory of 468	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	91
PID 1468 wrote to memory of 468	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	91
PID 1468 wrote to memory of 1868	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	92
PID 1468 wrote to memory of 1868	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	92
PID 1468 wrote to memory of 1856	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	93
PID 1468 wrote to memory of 1856	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	93
PID 1468 wrote to memory of 3772	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	94
PID 1468 wrote to memory of 3772	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	94
PID 1468 wrote to memory of 2372	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	95
PID 1468 wrote to memory of 2372	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	95
PID 1468 wrote to memory of 3276	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	96
PID 1468 wrote to memory of 3276	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	96
PID 1468 wrote to memory of 5068	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	97
PID 1468 wrote to memory of 5068	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	97
PID 1468 wrote to memory of 4448	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	98
PID 1468 wrote to memory of 4448	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	98
PID 1468 wrote to memory of 4040	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	99
PID 1468 wrote to memory of 4040	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	99
PID 1468 wrote to memory of 3128	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	100
PID 1468 wrote to memory of 3128	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	100
PID 1468 wrote to memory of 2612	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	101
PID 1468 wrote to memory of 2612	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	101
PID 1468 wrote to memory of 1876	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	102
PID 1468 wrote to memory of 1876	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	102
PID 1468 wrote to memory of 3116	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	103
PID 1468 wrote to memory of 3116	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	103
PID 1468 wrote to memory of 2864	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	104
PID 1468 wrote to memory of 2864	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	104
PID 1468 wrote to memory of 1832	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	105
PID 1468 wrote to memory of 1832	1468	2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\2024082535c8a93dbf93fd08120576a1e897aeddcobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\System\uEHOqjW.exe
  C:\Windows\System\uEHOqjW.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\ZWCOFvc.exe
  C:\Windows\System\ZWCOFvc.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\OnneFXq.exe
  C:\Windows\System\OnneFXq.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\fSSaQja.exe
  C:\Windows\System\fSSaQja.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\ZpFTscL.exe
  C:\Windows\System\ZpFTscL.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\wVAUVoV.exe
  C:\Windows\System\wVAUVoV.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\snxrKuq.exe
  C:\Windows\System\snxrKuq.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\XyENCul.exe
  C:\Windows\System\XyENCul.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\eqLVcKd.exe
  C:\Windows\System\eqLVcKd.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\OjqHBjW.exe
  C:\Windows\System\OjqHBjW.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\YWfjktm.exe
  C:\Windows\System\YWfjktm.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\YtVuDfE.exe
  C:\Windows\System\YtVuDfE.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\yjytoTS.exe
  C:\Windows\System\yjytoTS.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\lXJWUYq.exe
  C:\Windows\System\lXJWUYq.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\PAQLEvO.exe
  C:\Windows\System\PAQLEvO.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\HQPqDAv.exe
  C:\Windows\System\HQPqDAv.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\xMfoAqc.exe
  C:\Windows\System\xMfoAqc.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\DkvBwHH.exe
  C:\Windows\System\DkvBwHH.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\AYLvvDH.exe
  C:\Windows\System\AYLvvDH.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\CfsYjHV.exe
  C:\Windows\System\CfsYjHV.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\hbqUEuI.exe
  C:\Windows\System\hbqUEuI.exe
  2⤵
  - Executes dropped EXE
  PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AYLvvDH.exe

Filesize
5.2MB

MD5
cb41e6e020dd329b2ce1edba8b75fa9d

SHA1
a99cd8dd21bdbbdf510d5b7707a816a3f306819f

SHA256
ed88d4a8c80d46e55b5431a7958414f71ab19a0f5784bce88385c156f98a5ac3

SHA512
779bd47f901e9468d71e78cb7be53c9cb636d171cfcf30f1f724810fe9abe2553d6b40b53925d02de2496bb08a59d37fa4c525281db7d2f783d8a90f38bcebbb

Download Submit
C:\Windows\System\CfsYjHV.exe

Filesize
5.2MB

MD5
8f7244977107e5ba04b0f4f9f6178b93

SHA1
753eb036d46cb4321543aa6c5b912a3b7791ae57

SHA256
1f278265ab41a924dac517621c3734b7d5db7f840b8a9aede7d59712cd93ad2e

SHA512
0c78dffeff21f01a4a31924e43df1955c7bb7d13110a61ba47bbb16e93804e36d0141d07d565255ebc7cd5bc72719f44d8a867b125767d5fa079a699f33981af

Download Submit
C:\Windows\System\DkvBwHH.exe

Filesize
5.2MB

MD5
eb01fc456ac6807bcc1be4e68a4af5f2

SHA1
452295ca1d047b08fa857aa8f5f9f28aa3b14fa0

SHA256
5bce19c651e26e9a9fd5f00271dfe09d1e61431b4d966dac318d837c4c52ce91

SHA512
57124467edefee84a798782cb68f8b5c9ab8f187d312b626e395af28d57357ac40380ea1d95deb2efeb03b449f989c79d6b2b269fe724b36987fbfaa91ffe469

Download Submit
C:\Windows\System\HQPqDAv.exe

Filesize
5.2MB

MD5
c33d3f2fa24aef54b2630461a27a628a

SHA1
d4ee301a8233a086728ef1c6f09ae99ea57cbd2e

SHA256
792ef38c34bd9bcc6edbca901716ce39f5bdfc42213bd0b08f4d378f71cded27

SHA512
6078cdc3b9d51cb6bf9495a67c41a0e130605ba52688574122123c9a3a6fa1d92d91ea748384c1f0a7c2774069b70ca277981f6d65debaae8b1f0d121b1d4f16

Download Submit
C:\Windows\System\OjqHBjW.exe

Filesize
5.2MB

MD5
fc83894a274387699eeb8ef86aa2879a

SHA1
3c7d0bb6c0b9111680329317b4bbea47b055b8eb

SHA256
8b175bc75aab3ac09fbd7a67bfc74a6c7e3c659ee97eacdc91784e2fc2f3755b

SHA512
2284652e3a98ceec95bddc4fdb90493471fb2555f77e1b97d7361e985290897ec8cf98eae158db3756f8e4c1a7b6ff84eecee8bb6d6fb31e907845601054f857

Download Submit
C:\Windows\System\OnneFXq.exe

Filesize
5.2MB

MD5
6110844d2785aa943b56cd6f07f10076

SHA1
3262dd2fec98920c54b2a45b5c561a33e6ecae07

SHA256
4fa372a083c04d47693219ab90f419c59d9b3e085a2fa5faa576145f7a8a3687

SHA512
cf848b87b15e580b864e610cf6b57a88f24c3af5dbf4a7a22aa8d63a978e83fb19d5f7a8173daf4ecb28da2a28a2a9a9fced6727b7bf733b9062d7895b770820

Download Submit
C:\Windows\System\PAQLEvO.exe

Filesize
5.2MB

MD5
3438bc7f14983e17c3018fdce1a389da

SHA1
796d1866d2e621e343909549cd9c705589f3db62

SHA256
783765b5c579892a1403249d32d53327e984b8565428e9b309a759b01350e3bb

SHA512
564487194b42e90481cb604627de2374c95f8fd51457dfd0e583535c3c7769f4478ca32cc7df1940f91ff53bf20a0a3e44488c2d59c35b48f84741039434f9b9

Download Submit
C:\Windows\System\XyENCul.exe

Filesize
5.2MB

MD5
d8adea2c0d70b252bf56b8c89968ea7b

SHA1
05e7365365d8594328367d0e21d7f0b57a97e556

SHA256
5c19e6643220568e1cf60475669e82e4db8bc9bd0f572bab743486cc9a6c6f51

SHA512
611f30e655f636fa00a680ebbfa9872626798c1bafb70d11fe169bfbcbad7103f298b7e53759c50056f9f53ac011dc14a4792b3ea4440fcc5721c395dc059589

Download Submit
C:\Windows\System\YWfjktm.exe

Filesize
5.2MB

MD5
bc1d43ee1e59a392c28e2b8f38ffa159

SHA1
bc35e45b4d6c023cbb02240266fa3aba8f9b4c8e

SHA256
c998c3d5c8f258cd92aae9d2380f9c7fe1cf0880cde9d8cea957c938075c85c0

SHA512
d4db460b9e9cb686284d3a2a6498bfe97511df9d38feabe2f9a6132cdd48a94c577359b367b1249651a8befb806185ea94a0a7cf9ea0c480f32a488735f1ddcc

Download Submit
C:\Windows\System\YtVuDfE.exe

Filesize
5.2MB

MD5
6e621839239c869a6ebbc0ebfc09bf4d

SHA1
7f3ae0cdd41d8b9180048b6fb91199e11cd6f139

SHA256
c09705caa64e66395206ac3ce7034fc8cfc88a0f14a503dc799cf2c98aa788f7

SHA512
86ae0ba87ec7db2a65e4b26fc1c3576c5ed0cad776828e8971367dc8f42c204e22b030c643e6dd9a21e2da6e404a8028c1158dc346e163862f40b20cde3e6c02

Download Submit
C:\Windows\System\ZWCOFvc.exe

Filesize
5.2MB

MD5
b8c9432052f4174e6facc11cf8e01697

SHA1
25e45a222b76688c9fe48120bc29fdfd4b61282c

SHA256
0a5af52afc96b681fa737487d1c3e747afd9043d41eaf8291fcdf7fe1566743d

SHA512
398576a9c4bb7ce2c8dc7f1e358d9d84588db9fb9485e3c665bab1d19c5fa1be3ece6ae69a37f177bccda46685022efe85c9b39bd61e04c2b622299c1066831c

Download Submit
C:\Windows\System\ZpFTscL.exe

Filesize
5.2MB

MD5
c0a8d0c66df829c9f36542ee23eaab5b

SHA1
3fd24bfa4ea65695fde04c9d8fcbf41e58e548d6

SHA256
450a938aba879852fdd7353ef2b5a2ee4d7842c074103f2954be290eee7ff943

SHA512
921a7c74b4207f2637b00507f4c343e3659af2fa1ac5cb4cf67f26f17b6f3c055ee9422c636e99fa1ce4e43e0e2cfa40d05fa2873432882538053308303d1c2b

Download Submit
C:\Windows\System\eqLVcKd.exe

Filesize
5.2MB

MD5
cf8ff2db64546cfc1b7a0cfd662d4bb8

SHA1
d66588fe82640a12716ad0f8aac788ac8db37561

SHA256
b43b2535e78c81832086740c51902d5fecbd30ac67ee0d569a33dd45ed7ef31f

SHA512
8deeffbd6bad169cf5c751d0a1a74d6c5a74aaf0728f7892a0d0d3f2bd3c1e2156400d1d27a81d874a001ee3aa192be58623e8c80fb275fd411cbcf0701e8dbb

Download Submit
C:\Windows\System\fSSaQja.exe

Filesize
5.2MB

MD5
a36f4562ddc773ae69bb81a3d26d8e8f

SHA1
ff69d6b254e404ff48c52e48ac15ae31799adeee

SHA256
82b29de94cbe3f77a0560e10b651816c2d2be2a7461e6247739dbda59affac27

SHA512
995d47c74b8ae597c865eb27b61eea5b80294c5d8e4324bbfec2dfda4fdcd2528dffbde01dd0c0d10eb4dc654f35c3ccbb84f161bb55a2f0227001392ce89962

Download Submit
C:\Windows\System\hbqUEuI.exe

Filesize
5.2MB

MD5
48bbfc878dc4e0a6e39bdf26908fe176

SHA1
cdd2d7930d3527bca035aa163562d3de16a9acf2

SHA256
d42ed6cc5bf3764ac848245f9cf6a211080bd142b63284266dde88a95fbd185c

SHA512
9f65c29f83acbb3b403ca3b0c6ba1068a308b3d1efde682620f35043822e2483bd85f4dbcbba0fdc1a3ddb8b1c4acdf08c2f42fc4205ff9562daab344d30703f

Download Submit
C:\Windows\System\lXJWUYq.exe

Filesize
5.2MB

MD5
8bfbe88e855ddff82c944ca11c7914f4

SHA1
c8f4292caddd2e8c5db73635a10a4b650214d7b1

SHA256
60be31e0f612a92ac7435abe2df61c042907396827f048d630833ec2ac9dfe3c

SHA512
49b02febf2b931b19ecb03bce7304efbf9010c18a93c70114dd8008e486b3faff62ffa88347b72dd027072c9e65d0b977f7a3f58b43580ac8a08dca65dbcf7ae

Download Submit
C:\Windows\System\snxrKuq.exe

Filesize
5.2MB

MD5
3b9a5055eba436c70d9504fbfa1e5f14

SHA1
404e753cc228f53a79f76b586d1ef9dd40421502

SHA256
1e323a69767e769d5d1d9676b98b41ec7977c0dc744cc72135e2dfda04664acf

SHA512
0717337a01f77383a3a38c41109c6c3d5f2e62e4a80a43a21cb9b09fbf8325cc7ef197b614f896936bea139f96f87f7d30b176cbe799a56e553b059fd41f9c34

Download Submit
C:\Windows\System\uEHOqjW.exe

Filesize
5.2MB

MD5
aaf9b5dde005c72efc6af4153042aff2

SHA1
5e5d478ccce83acd38fdffd4d8bc29960dcf1c37

SHA256
f84f394a15ceb31755a25bcd6422ebf0d21377190ed4de750f73b01943ebe4d3

SHA512
2e997dbb48efd13df13ba5737aad3e715e1a87d34e2dc8f700d3a8d6320a979706d7fc8dbfc9ada0674a80a1efe01166d26527183c532e6bb58619d45edfc425

Download Submit
C:\Windows\System\wVAUVoV.exe

Filesize
5.2MB

MD5
1a8f44847ba2de439d6a2cf3e294daed

SHA1
9db1abb76ab90d8248ffdc481e9478b04b2c852f

SHA256
727d0cb438984e342fa707769d998dffc1ad5f63fcb4705eed0301321f0d85cc

SHA512
572ca595e6f9063cef533f70df466c63536fc0e9e3688da1ac778af08d030bb6a8c35aba7bf45b9a1d787fa03b01d40d839b6fc4ba158104a5ce0f804f98f5d1

Download Submit
C:\Windows\System\xMfoAqc.exe

Filesize
5.2MB

MD5
01f2829854695c53edcbaef304694d5c

SHA1
05ec2d1f522ddd938c8ea99db006dc831bab3471

SHA256
9e8be3601ce5288fbec86498b044c69b64e54099f41065085a3de8ba1e774201

SHA512
58d88da6ec483100bbf39fe53635c432d3f002af813b66d019980879359a5739f954f4e893ca6da3f83b36c42b5a7418c5a571f60a731864976b11734f460794

Download Submit
C:\Windows\System\yjytoTS.exe

Filesize
5.2MB

MD5
90f1b51f93e8a687093330970132ac89

SHA1
930bf341ad1802480e4535faec810fdd99960930

SHA256
34bd28ffe31421abebeef5b3cd18445cffa3246bc34283b244c4dddea19ee45b

SHA512
4843bc112794bd9004df5520c76de7570a6c353ba929e7b380f1d2ff942cb709bf69441cc9a98aa76124ad4c77114a14214497022713202d6152d33934185531

Download Submit
memory/64-32-0x00007FF7A9A40000-0x00007FF7A9D91000-memory.dmp

Filesize
3.3MB

Download
memory/64-89-0x00007FF7A9A40000-0x00007FF7A9D91000-memory.dmp

Filesize
3.3MB

Download
memory/64-225-0x00007FF7A9A40000-0x00007FF7A9D91000-memory.dmp

Filesize
3.3MB

Download
memory/464-219-0x00007FF748AD0000-0x00007FF748E21000-memory.dmp

Filesize
3.3MB

Download
memory/464-7-0x00007FF748AD0000-0x00007FF748E21000-memory.dmp

Filesize
3.3MB

Download
memory/464-77-0x00007FF748AD0000-0x00007FF748E21000-memory.dmp

Filesize
3.3MB

Download
memory/468-42-0x00007FF69C480000-0x00007FF69C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/468-112-0x00007FF69C480000-0x00007FF69C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/468-235-0x00007FF69C480000-0x00007FF69C7D1000-memory.dmp

Filesize
3.3MB

Download
memory/924-110-0x00007FF799240000-0x00007FF799591000-memory.dmp

Filesize
3.3MB

Download
memory/924-41-0x00007FF799240000-0x00007FF799591000-memory.dmp

Filesize
3.3MB

Download
memory/924-233-0x00007FF799240000-0x00007FF799591000-memory.dmp

Filesize
3.3MB

Download
memory/1468-1-0x0000020188A40000-0x0000020188A50000-memory.dmp

Filesize
64KB

Download
memory/1468-140-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-165-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-0-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-72-0x00007FF7F1E60000-0x00007FF7F21B1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-13-0x00007FF654810000-0x00007FF654B61000-memory.dmp

Filesize
3.3MB

Download
memory/1532-83-0x00007FF654810000-0x00007FF654B61000-memory.dmp

Filesize
3.3MB

Download
memory/1532-221-0x00007FF654810000-0x00007FF654B61000-memory.dmp

Filesize
3.3MB

Download
memory/1832-163-0x00007FF76B780000-0x00007FF76BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1832-271-0x00007FF76B780000-0x00007FF76BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1832-134-0x00007FF76B780000-0x00007FF76BAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-119-0x00007FF641070000-0x00007FF6413C1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-54-0x00007FF641070000-0x00007FF6413C1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-241-0x00007FF641070000-0x00007FF6413C1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-239-0x00007FF7CED30000-0x00007FF7CF081000-memory.dmp

Filesize
3.3MB

Download
memory/1868-51-0x00007FF7CED30000-0x00007FF7CF081000-memory.dmp

Filesize
3.3MB

Download
memory/1868-118-0x00007FF7CED30000-0x00007FF7CF081000-memory.dmp

Filesize
3.3MB

Download
memory/1876-122-0x00007FF7A3780000-0x00007FF7A3AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-160-0x00007FF7A3780000-0x00007FF7A3AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-266-0x00007FF7A3780000-0x00007FF7A3AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-84-0x00007FF7B6B60000-0x00007FF7B6EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-25-0x00007FF7B6B60000-0x00007FF7B6EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-223-0x00007FF7B6B60000-0x00007FF7B6EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-66-0x00007FF7590B0000-0x00007FF759401000-memory.dmp

Filesize
3.3MB

Download
memory/2372-135-0x00007FF7590B0000-0x00007FF759401000-memory.dmp

Filesize
3.3MB

Download
memory/2372-244-0x00007FF7590B0000-0x00007FF759401000-memory.dmp

Filesize
3.3MB

Download
memory/2612-117-0x00007FF76EA00000-0x00007FF76ED51000-memory.dmp

Filesize
3.3MB

Download
memory/2612-264-0x00007FF76EA00000-0x00007FF76ED51000-memory.dmp

Filesize
3.3MB

Download
memory/2864-133-0x00007FF7C5C30000-0x00007FF7C5F81000-memory.dmp

Filesize
3.3MB

Download
memory/2864-272-0x00007FF7C5C30000-0x00007FF7C5F81000-memory.dmp

Filesize
3.3MB

Download
memory/2864-162-0x00007FF7C5C30000-0x00007FF7C5F81000-memory.dmp

Filesize
3.3MB

Download
memory/3116-164-0x00007FF7D3680000-0x00007FF7D39D1000-memory.dmp

Filesize
3.3MB

Download
memory/3116-121-0x00007FF7D3680000-0x00007FF7D39D1000-memory.dmp

Filesize
3.3MB

Download
memory/3116-268-0x00007FF7D3680000-0x00007FF7D39D1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-113-0x00007FF6A5780000-0x00007FF6A5AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-262-0x00007FF6A5780000-0x00007FF6A5AD1000-memory.dmp

Filesize
3.3MB

Download
memory/3140-237-0x00007FF779220000-0x00007FF779571000-memory.dmp

Filesize
3.3MB

Download
memory/3140-92-0x00007FF779220000-0x00007FF779571000-memory.dmp

Filesize
3.3MB

Download
memory/3140-37-0x00007FF779220000-0x00007FF779571000-memory.dmp

Filesize
3.3MB

Download
memory/3276-75-0x00007FF745950000-0x00007FF745CA1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-154-0x00007FF745950000-0x00007FF745CA1000-memory.dmp

Filesize
3.3MB

Download
memory/3276-248-0x00007FF745950000-0x00007FF745CA1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-132-0x00007FF67FE10000-0x00007FF680161000-memory.dmp

Filesize
3.3MB

Download
memory/3772-60-0x00007FF67FE10000-0x00007FF680161000-memory.dmp

Filesize
3.3MB

Download
memory/3772-245-0x00007FF67FE10000-0x00007FF680161000-memory.dmp

Filesize
3.3MB

Download
memory/4040-156-0x00007FF74F1E0000-0x00007FF74F531000-memory.dmp

Filesize
3.3MB

Download
memory/4040-260-0x00007FF74F1E0000-0x00007FF74F531000-memory.dmp

Filesize
3.3MB

Download
memory/4040-98-0x00007FF74F1E0000-0x00007FF74F531000-memory.dmp

Filesize
3.3MB

Download
memory/4448-258-0x00007FF624AF0000-0x00007FF624E41000-memory.dmp

Filesize
3.3MB

Download
memory/4448-95-0x00007FF624AF0000-0x00007FF624E41000-memory.dmp

Filesize
3.3MB

Download
memory/4448-155-0x00007FF624AF0000-0x00007FF624E41000-memory.dmp

Filesize
3.3MB

Download
memory/5068-249-0x00007FF661290000-0x00007FF6615E1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-153-0x00007FF661290000-0x00007FF6615E1000-memory.dmp

Filesize
3.3MB

Download
memory/5068-78-0x00007FF661290000-0x00007FF6615E1000-memory.dmp

Filesize
3.3MB

Download