cobaltstrike | 1006bf08fa76711dcfc5d651d31e90af2cfdb9b0fc38939995d9530c7e7bf98f

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
Size

5.9MB
MD5

082582edd44053bbf44279b2640b7bc1
SHA1

53b5c9f93c0bd15335e61d38d32d39db941a19c4
SHA256

1006bf08fa76711dcfc5d651d31e90af2cfdb9b0fc38939995d9530c7e7bf98f
SHA512

d303eb8a6c4f431a97b0db556f1046b003d3003a8372156d030ab2f4ad783d8a3c89ed0acd0f684e7b6ec1cef65cbfdffae7d1299a76fdc322cacff986fc93f2
SSDEEP

49152:oezaTF8FcNkNdfE0pZ9ozt4wIlr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeq:oemTLkNdfE0pZr9/mQ32lU+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023453-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-13.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-41.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234ae-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-62.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4184-0-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x0009000000023453-4.dat	xmrig
behavioral2/memory/3760-9-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b1-11.dat	xmrig
behavioral2/files/0x00070000000234b2-13.dat	xmrig
behavioral2/memory/2532-16-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1572-18-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3516-24-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b4-26.dat	xmrig
behavioral2/memory/4864-31-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/2648-35-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b5-36.dat	xmrig
behavioral2/files/0x00070000000234b3-28.dat	xmrig
behavioral2/files/0x00070000000234b6-41.dat	xmrig
behavioral2/files/0x00080000000234ae-47.dat	xmrig
behavioral2/memory/1500-50-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/5104-44-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3760-52-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/4184-51-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b7-54.dat	xmrig
behavioral2/files/0x00070000000234b8-62.dat	xmrig
behavioral2/memory/2336-56-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ba-70.dat	xmrig
behavioral2/memory/1508-72-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bc-85.dat	xmrig
behavioral2/files/0x00070000000234bb-90.dat	xmrig
behavioral2/memory/3516-93-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/2264-94-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/4864-101-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bf-107.dat	xmrig
behavioral2/memory/744-129-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3928-128-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c2-126.dat	xmrig
behavioral2/files/0x00070000000234c1-124.dat	xmrig
behavioral2/files/0x00070000000234c0-122.dat	xmrig
behavioral2/memory/3696-121-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1828-115-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/2648-111-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234be-103.dat	xmrig
behavioral2/memory/3628-102-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bd-99.dat	xmrig
behavioral2/memory/2176-97-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1496-92-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1712-84-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1300-79-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1572-71-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b9-73.dat	xmrig
behavioral2/memory/1812-133-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c3-134.dat	xmrig
behavioral2/memory/1500-131-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/2532-68-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/2336-136-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1300-137-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/2176-138-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3628-139-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1828-140-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3696-141-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3928-142-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1812-143-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3760-144-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/2532-145-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/1572-146-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/3516-147-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig
behavioral2/memory/4864-148-0x0000000140000000-0x0000000140354000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3760	lrMdpOZ.exe
2532	qHULTYZ.exe
1572	TbIHGrX.exe
3516	WhvxCCa.exe
4864	QdZUTnH.exe
2648	OBPMsfp.exe
5104	ywzewdM.exe
1500	WUHLOOm.exe
2336	OTmZHqq.exe
1508	JrpmsaX.exe
1712	bBxUlqx.exe
1300	JIBrMxm.exe
2264	ZkdCtMR.exe
1496	lFufSBD.exe
2176	xYAzknx.exe
3628	bSsQDQP.exe
1828	ToCFPuX.exe
3696	fgaKiIJ.exe
3928	smpVLrK.exe
744	ZFMCDqS.exe
1812	QChelkJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4184-0-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x0009000000023453-4.dat	upx
behavioral2/memory/3760-9-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-11.dat	upx
behavioral2/files/0x00070000000234b2-13.dat	upx
behavioral2/memory/2532-16-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1572-18-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3516-24-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234b4-26.dat	upx
behavioral2/memory/4864-31-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/2648-35-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-36.dat	upx
behavioral2/files/0x00070000000234b3-28.dat	upx
behavioral2/files/0x00070000000234b6-41.dat	upx
behavioral2/files/0x00080000000234ae-47.dat	upx
behavioral2/memory/1500-50-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/5104-44-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3760-52-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/4184-51-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-54.dat	upx
behavioral2/files/0x00070000000234b8-62.dat	upx
behavioral2/memory/2336-56-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-70.dat	upx
behavioral2/memory/1508-72-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-85.dat	upx
behavioral2/files/0x00070000000234bb-90.dat	upx
behavioral2/memory/3516-93-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/2264-94-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/4864-101-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-107.dat	upx
behavioral2/memory/744-129-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3928-128-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-126.dat	upx
behavioral2/files/0x00070000000234c1-124.dat	upx
behavioral2/files/0x00070000000234c0-122.dat	upx
behavioral2/memory/3696-121-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1828-115-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/2648-111-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234be-103.dat	upx
behavioral2/memory/3628-102-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-99.dat	upx
behavioral2/memory/2176-97-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1496-92-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1712-84-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1300-79-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1572-71-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234b9-73.dat	upx
behavioral2/memory/1812-133-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-134.dat	upx
behavioral2/memory/1500-131-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/2532-68-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/2336-136-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1300-137-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/2176-138-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3628-139-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1828-140-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3696-141-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3928-142-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1812-143-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3760-144-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/2532-145-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/1572-146-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/3516-147-0x0000000140000000-0x0000000140354000-memory.dmp	upx
behavioral2/memory/4864-148-0x0000000140000000-0x0000000140354000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ToCFPuX.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\QChelkJ.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\WhvxCCa.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\OTmZHqq.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\bBxUlqx.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\JIBrMxm.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\xYAzknx.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\lrMdpOZ.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\QdZUTnH.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\OBPMsfp.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ywzewdM.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\lFufSBD.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\JrpmsaX.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ZkdCtMR.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\smpVLrK.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ZFMCDqS.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\qHULTYZ.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\TbIHGrX.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\WUHLOOm.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\bSsQDQP.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\fgaKiIJ.exe	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3760	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	84
PID 4184 wrote to memory of 3760	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	84
PID 4184 wrote to memory of 2532	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	85
PID 4184 wrote to memory of 2532	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	85
PID 4184 wrote to memory of 1572	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	86
PID 4184 wrote to memory of 1572	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	86
PID 4184 wrote to memory of 3516	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	87
PID 4184 wrote to memory of 3516	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	87
PID 4184 wrote to memory of 4864	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	88
PID 4184 wrote to memory of 4864	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	88
PID 4184 wrote to memory of 2648	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	89
PID 4184 wrote to memory of 2648	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	89
PID 4184 wrote to memory of 5104	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	91
PID 4184 wrote to memory of 5104	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	91
PID 4184 wrote to memory of 1500	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	92
PID 4184 wrote to memory of 1500	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	92
PID 4184 wrote to memory of 2336	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	93
PID 4184 wrote to memory of 2336	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	93
PID 4184 wrote to memory of 1508	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	95
PID 4184 wrote to memory of 1508	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	95
PID 4184 wrote to memory of 1712	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	96
PID 4184 wrote to memory of 1712	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	96
PID 4184 wrote to memory of 1300	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	97
PID 4184 wrote to memory of 1300	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	97
PID 4184 wrote to memory of 2264	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	98
PID 4184 wrote to memory of 2264	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	98
PID 4184 wrote to memory of 1496	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	99
PID 4184 wrote to memory of 1496	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	99
PID 4184 wrote to memory of 2176	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	100
PID 4184 wrote to memory of 2176	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	100
PID 4184 wrote to memory of 3628	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	101
PID 4184 wrote to memory of 3628	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	101
PID 4184 wrote to memory of 1828	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	102
PID 4184 wrote to memory of 1828	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	102
PID 4184 wrote to memory of 3696	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	103
PID 4184 wrote to memory of 3696	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	103
PID 4184 wrote to memory of 3928	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	104
PID 4184 wrote to memory of 3928	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	104
PID 4184 wrote to memory of 744	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	105
PID 4184 wrote to memory of 744	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	105
PID 4184 wrote to memory of 1812	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	106
PID 4184 wrote to memory of 1812	4184	20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe	106

C:\Users\Admin\AppData\Local\Temp\20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\20240901082582edd44053bbf44279b2640b7bc1cobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\System\lrMdpOZ.exe
  C:\Windows\System\lrMdpOZ.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\qHULTYZ.exe
  C:\Windows\System\qHULTYZ.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\TbIHGrX.exe
  C:\Windows\System\TbIHGrX.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\WhvxCCa.exe
  C:\Windows\System\WhvxCCa.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\QdZUTnH.exe
  C:\Windows\System\QdZUTnH.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\OBPMsfp.exe
  C:\Windows\System\OBPMsfp.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\ywzewdM.exe
  C:\Windows\System\ywzewdM.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\WUHLOOm.exe
  C:\Windows\System\WUHLOOm.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\OTmZHqq.exe
  C:\Windows\System\OTmZHqq.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\JrpmsaX.exe
  C:\Windows\System\JrpmsaX.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\bBxUlqx.exe
  C:\Windows\System\bBxUlqx.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\JIBrMxm.exe
  C:\Windows\System\JIBrMxm.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\ZkdCtMR.exe
  C:\Windows\System\ZkdCtMR.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\lFufSBD.exe
  C:\Windows\System\lFufSBD.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\xYAzknx.exe
  C:\Windows\System\xYAzknx.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\bSsQDQP.exe
  C:\Windows\System\bSsQDQP.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\ToCFPuX.exe
  C:\Windows\System\ToCFPuX.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\fgaKiIJ.exe
  C:\Windows\System\fgaKiIJ.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\smpVLrK.exe
  C:\Windows\System\smpVLrK.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\ZFMCDqS.exe
  C:\Windows\System\ZFMCDqS.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\QChelkJ.exe
  C:\Windows\System\QChelkJ.exe
  2⤵
  - Executes dropped EXE
  PID:1812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JIBrMxm.exe

Filesize
5.9MB

MD5
8226f6136944f24db834b896c1417698

SHA1
1d001d575424287112fdd22c24385a4acf3256c6

SHA256
e12d6d3019ce5b3e0beeca08b57b5fbfc47b66256eabbf5d59e1ae695aaf9777

SHA512
7be355279d8d7a3c974c051b5c417b2411b97dc820966ee5e6632c82181c57eb5e6b9fe97452789756d6fb275ab69a6839ccae2ff298971b6572299731355c20

Download Submit
C:\Windows\System\JrpmsaX.exe

Filesize
5.9MB

MD5
28dd637ee0979039dd61d34a8d0a5639

SHA1
8dde4c922dc6f6440fa1a8e2a7a32b13d9200d6e

SHA256
dfcde52f510e9d3364a7e476947dda166f2cbb41c9c918066cb8a1f8fd367b6d

SHA512
046754aad6da9d1e733c82fbc5b0fb3561ed3e423fdbb87ebf5ed689c3b65fa71891a1400455157d04fbf9a6c9f4aff40856eb4ee1fb8886786a405d241727f4

Download Submit
C:\Windows\System\OBPMsfp.exe

Filesize
5.9MB

MD5
7933c1f102d4a234fe698079505ec3c6

SHA1
890352da08c544bcfc3c33ddfcc56b29135ce7ab

SHA256
da5d41b89974bb2dd5852cb8703f40da92b0175ad69ef8b32297157f101dd6dc

SHA512
0fd1fae3707421f96846d8fbac43048363847d76720431bcceec0d1a9dd36587d345a746e1d67180bd70b415ebea31c530a615a6d6bdd0d9699999d087e63b60

Download Submit
C:\Windows\System\OTmZHqq.exe

Filesize
5.9MB

MD5
5a7100e20102ade20a83aad54b7b13c1

SHA1
7c60f0a8065941d915b10baa45968478d7a4fa84

SHA256
0c4079ec0b8688699b2b22ab0bf78564928a6c6d2b89f711dc558d0271fda06b

SHA512
465408fbf0fff7191969e96f7eba5e58febb91c162cc64e559d99b462fb2d6cef59c793af1d8aa2d54bbfcdf89de26e77d726ee6239a2ac2260382c231232d1d

Download Submit
C:\Windows\System\QChelkJ.exe

Filesize
5.9MB

MD5
96785858f229e94d5708ac259e10342d

SHA1
bee1af0d652e6ce0a57f78c4e1798f2135a006ed

SHA256
d83204af58d0ccf33f4f5df2076253e02d92005c964ca9e33ae6b8dd3dcc6d81

SHA512
6c9df239e01900d2dd89b9342479dcb829a6afb51ed88e5b930c72ac92801e39b6188c6e56c73c13ee2f7c8413eaa6abd81c935c84af0e51887cf50dd0871c0e

Download Submit
C:\Windows\System\QdZUTnH.exe

Filesize
5.9MB

MD5
c335ba399278c050e74bb048085083fa

SHA1
98d94d3965d3eee8f70ff21033215bcbc4b845e0

SHA256
cdaa2940483d82853ecdf4853ff71962e4be1181f7fa1972da29febbe888ee54

SHA512
3ab4f2486bcce1523d3900855ee86b175c7ce2c872373ba43dc5a380a7a4a7a990026436ef754584d3e5aa2b21fd0e350672d39db694f4028e2aeb331d2f76c6

Download Submit
C:\Windows\System\TbIHGrX.exe

Filesize
5.9MB

MD5
e1b45da1ec0732b9370bb70c097c0f7e

SHA1
944d40b32bbbe2548bc1125f7e8f932ef979df03

SHA256
ff8ed3ba2c6c601e92ec49e8a1c18115bd9c1406ec8262be9ba68e12e32a13e6

SHA512
9fb4f1f66729f6845031b77f60ed20f3f873c2844e27d1c4f9f848aabce5f39e3c1b3ba01a8cabdac256c48160f0c677ea1dcc91b24cedd0464b563d109b6887

Download Submit
C:\Windows\System\ToCFPuX.exe

Filesize
5.9MB

MD5
df5ac9858de78f2f8d5ceaa250cd046f

SHA1
02962f1cf888a49ffd0db45f254a94fe52af3b4b

SHA256
85cba7c592add9b2ddbe51fb0cf5d03638aa5a19504585210a5c45445f08f04f

SHA512
46b96a7116d183db42da9d4313647799aa45b7ff4ef4d15a21b2e013cb49282ac82e7a8e970a98c7699a97f3d795eb69c68002ed4f7192584de284f66f317679

Download Submit
C:\Windows\System\WUHLOOm.exe

Filesize
5.9MB

MD5
8854167fd0d1609c8c8777309626e424

SHA1
3101f6ff092dacb8dbf47acc2ab71a5fba72550e

SHA256
32be7d667cd77501b7ba97971acc9b02d3c71eb0a82d750234e89ee8b147e440

SHA512
4237647ae6ab0199a2c0606fc061cfbd88866b5ade0ec4587c35649715e3ea00cda9fb90d95cc5a1520089466491f09eb24a4c7acbe5f80cb2ec0c0051f299f9

Download Submit
C:\Windows\System\WhvxCCa.exe

Filesize
5.9MB

MD5
f4cf783b1aa6ca975ec509b29e461230

SHA1
1e5d2c76d3d2df47b4817dab836ff955aa0b7470

SHA256
f07f4ac0431ee3685afba985613917c8cb8be4d490f5279c84d6ed26fc993795

SHA512
94d42eedd21a5e254fc4a305c77ba5feb256edaebb80d7add6f909646b95fd9d951f89fd6db91fd8fb6af1d862e3c45c1d7cf26ee63a4a5a2fb6d7a7eb63d988

Download Submit
C:\Windows\System\ZFMCDqS.exe

Filesize
5.9MB

MD5
bcf1142865182efef0bb27da63ac3038

SHA1
7fa7aca797769c56566617f17f6f4ede33698fb7

SHA256
39936108ff154aa54fe84a01ef27368ca9ff54ae7bc281f2855d5f26c1a17390

SHA512
99ec881b36cbaf9460de3aecd99c0fed21719954ca50a3900abbf74816ac976c0a47b5c5314457690e9e4953633fd6cf9943f2e3d3566b4cbe6f39e6d124ac88

Download Submit
C:\Windows\System\ZkdCtMR.exe

Filesize
5.9MB

MD5
cdd50a07344d17b9601809c684044dd1

SHA1
efc942bc00c61dbd91f9a94ea0d52a5f54350d1a

SHA256
8bf064bf860b7f2dbab956ce2271a5027a76425e844e27645ecdbcafc8066490

SHA512
8c3a67cb3ed1b62f4aeef08b8518aeb48f1b63c47b560ea27823c0c70dc2ba6a41324f8bdd17462dd771073786eee1e9c48164a1d8b3e1bf9cebb75c2b1d8779

Download Submit
C:\Windows\System\bBxUlqx.exe

Filesize
5.9MB

MD5
36d7d5cefab48ce8e57cbddbd1a6333c

SHA1
56d0dddd4895c95a3f248a80a93947e2a389db8a

SHA256
2250a0cdd1c129061f88619074a23e6e6541eb9198df8618d737b7ce964ec1e6

SHA512
8e2de60aa206ddd0c4db7bece9235eee5c1d28d908fc520e0b8322d40dcbe471c5d13f27f8b3d5647f06c5287f32c3efc8cc75506a01d11e1df05ac5727e0a61

Download Submit
C:\Windows\System\bSsQDQP.exe

Filesize
5.9MB

MD5
e5690e1963a05d51903c0d17c4612d60

SHA1
28364c356e3486b8533b28c0118a1bfaa987ae31

SHA256
73823c74faa1cb4fe1cb93887597699fbbfa7743c521adfe15c8a049f2753daa

SHA512
e85f001d7c25a5b2aa82d34cf264e417d6f77e01017ecf780d1140a38348a4572addf7c6ba0003254ceae9bad5c18dc24878ee77b2bb48e6a11cf9b54440a18b

Download Submit
C:\Windows\System\fgaKiIJ.exe

Filesize
5.9MB

MD5
7d1dac0d5420e63ab32edcbaa6dff31c

SHA1
86a923819f2551b32d373b85c1c4f46e0fb7b95c

SHA256
c957bc05f5966386ea14d53b5629a4f616de5f267b5f6abe7285a2bbc3e447ca

SHA512
96211594e6c08f9740142a129fe9a2b0b2260a4301956acc639c632f130b6f2784e7eb5a1ea746fa38eef5e756e430074baee4138b10d6a6da625942d576eddd

Download Submit
C:\Windows\System\lFufSBD.exe

Filesize
5.9MB

MD5
726e3a662e55b0eba867868de7ad6121

SHA1
71b9611e32f7954a3bf6e1aada5664da5098e7ad

SHA256
96f3e2cdb5d4e62e27f4bbff95b8582dd6b13a327ee1f5699385ab56d0c4d602

SHA512
2067b0cddf5f12071bc73a4bd6c7aec843ab2b7b3dcce51685adff88c29d56bdc6d07273cb941b9b1992a3d718f311f1aa147e31620b247deb4dcc4f62172d89

Download Submit
C:\Windows\System\lrMdpOZ.exe

Filesize
5.9MB

MD5
57e6b7f0118de564239461e50a25db21

SHA1
3a8b8a49541ba66bad331bc1aa5fdaca4db349d2

SHA256
25d5a0978abf442963b920c72d84d1dc04f9ce7c6a03fbe34e4d542e471198aa

SHA512
207640edf7c53b125448f904e7fce3d7f4c25d4dade92018650e514467ddafc10fc08f162ca9f1ff02d4381b5864b4bec1433be95ca0fe6b77d03f3b6c7c060d

Download Submit
C:\Windows\System\qHULTYZ.exe

Filesize
5.9MB

MD5
9590b21d6842ae417d2b36355d570d58

SHA1
a5898cde6efc2795aee853ad410d0033a1ca8209

SHA256
fd58e9df9bdb802799be94b49e3242383ec62ed60a1a9707bb2838531ea3e255

SHA512
e1eb97375d276cf245e9c6e9488e4ce0b6f65eb778481d8a871fc78fc3c0fb5f122cc26483c1ab155d830f8ff16072e04d0815edfe3bde0be23c86830f2b8058

Download Submit
C:\Windows\System\smpVLrK.exe

Filesize
5.9MB

MD5
3d847a1cef4179660a556872c2476426

SHA1
67ab3f701b7ab6097bab6772d821a0c90c6e061a

SHA256
d6cc63f11fbbe81c96cba6d209bb7f09da6956705939f37bc29be65bf85ee2bf

SHA512
398a3f9e9de96a1d3dec649d5ab838f99d8ae0907d4bb80a040b2eec78653abe2feec751566a74f876053f61bbb1434037a52ed91bab75dd2164278099c6a48d

Download Submit
C:\Windows\System\xYAzknx.exe

Filesize
5.9MB

MD5
0374397e348892dbc048d7deb3bb3f46

SHA1
aa21488ef5c8d226d2ceeda9b94a8371a7e50208

SHA256
131dd604d9fe5d65f0d790488d0aa308287bf01fa64f88723291b124364e4281

SHA512
205d3e7abfd1a585551d801ead3f8b834e41753a98183aa8387aeed8a9183e192b63374c1c5ff7ef9868ccc68b86926f290961660e58b9e36ca82f48ade4c12f

Download Submit
C:\Windows\System\ywzewdM.exe

Filesize
5.9MB

MD5
5dffa75b288039a67e10dbf8549b34e1

SHA1
b839890ed8981ba49710e8b752f406f6a25e3603

SHA256
adc7ce07d55b9ea14d98cfa409696914bdcc30b8bd2e5f811bf15595152f63a2

SHA512
71fd6c2fc21b6e4d1a79adafefa97e9407d21e15def95ad4aa54d2bb3cc61286d5244001d74cdb197aace564d0587e21e9660c08df490eeb1c9aabbcb4bfef22

Download Submit
memory/744-163-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/744-129-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1300-137-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1300-79-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1300-155-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1496-92-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1496-156-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1500-131-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1500-151-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1500-50-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1508-153-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1508-72-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1572-146-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1572-71-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1572-18-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1712-84-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1712-154-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1812-133-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1812-143-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1812-164-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1828-115-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1828-160-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/1828-140-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2176-158-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2176-138-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2176-97-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2264-94-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2264-157-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2336-136-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2336-152-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2336-56-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2532-68-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2532-16-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2532-145-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2648-35-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2648-149-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/2648-111-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3516-24-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3516-93-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3516-147-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3628-159-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3628-139-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3628-102-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3696-141-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3696-161-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3696-121-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3760-9-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3760-52-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3760-144-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3928-142-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3928-128-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/3928-162-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/4184-0-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/4184-1-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/4184-51-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/4864-148-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/4864-101-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/4864-31-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/5104-44-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download
memory/5104-150-0x0000000140000000-0x0000000140354000-memory.dmp

Filesize
3.3MB

Download