cobaltstrike | 05e88cf91ef01b2cc9ea30084816e34d33081319188faab8bf8ac09ee00a697e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
Size

5.2MB
MD5

2f0d6cef399a874555144a83a5a846b4
SHA1

839e82afc307b14454287bb9d6711a88a335abdb
SHA256

05e88cf91ef01b2cc9ea30084816e34d33081319188faab8bf8ac09ee00a697e
SHA512

3576cbfa84c4fcb8172bbc2810397fcc6911967448afd13e661ceba226b7263d3701c0fc59fdb10638ccfd05e18a68b28a77fd0ffbc08834d7a4fa82ae8151ec
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6la:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000235c4-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c8-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235c9-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ca-23.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000235c5-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cb-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cc-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235ce-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cd-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235cf-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d1-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d4-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d7-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d8-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d9-125.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235db-136.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235da-134.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d6-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d5-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d3-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d2-80.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/5024-54-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp	xmrig
behavioral2/memory/5092-58-0x00007FF748650000-0x00007FF7489A1000-memory.dmp	xmrig
behavioral2/memory/1532-65-0x00007FF6EE780000-0x00007FF6EEAD1000-memory.dmp	xmrig
behavioral2/memory/1964-78-0x00007FF6453C0000-0x00007FF645711000-memory.dmp	xmrig
behavioral2/memory/912-90-0x00007FF78F6F0000-0x00007FF78FA41000-memory.dmp	xmrig
behavioral2/memory/1524-94-0x00007FF76F640000-0x00007FF76F991000-memory.dmp	xmrig
behavioral2/memory/3212-121-0x00007FF70E110000-0x00007FF70E461000-memory.dmp	xmrig
behavioral2/memory/732-120-0x00007FF694EC0000-0x00007FF695211000-memory.dmp	xmrig
behavioral2/memory/1992-89-0x00007FF659D00000-0x00007FF65A051000-memory.dmp	xmrig
behavioral2/memory/3912-83-0x00007FF60F4C0000-0x00007FF60F811000-memory.dmp	xmrig
behavioral2/memory/4216-71-0x00007FF639CA0000-0x00007FF639FF1000-memory.dmp	xmrig
behavioral2/memory/5036-63-0x00007FF6FEFC0000-0x00007FF6FF311000-memory.dmp	xmrig
behavioral2/memory/5024-138-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp	xmrig
behavioral2/memory/1208-151-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp	xmrig
behavioral2/memory/1756-156-0x00007FF66F1F0000-0x00007FF66F541000-memory.dmp	xmrig
behavioral2/memory/2988-157-0x00007FF7925E0000-0x00007FF792931000-memory.dmp	xmrig
behavioral2/memory/3752-155-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	xmrig
behavioral2/memory/4748-154-0x00007FF685E90000-0x00007FF6861E1000-memory.dmp	xmrig
behavioral2/memory/3180-153-0x00007FF6F99B0000-0x00007FF6F9D01000-memory.dmp	xmrig
behavioral2/memory/1556-152-0x00007FF7D9F60000-0x00007FF7DA2B1000-memory.dmp	xmrig
behavioral2/memory/2972-149-0x00007FF70B6A0000-0x00007FF70B9F1000-memory.dmp	xmrig
behavioral2/memory/2500-159-0x00007FF7CC770000-0x00007FF7CCAC1000-memory.dmp	xmrig
behavioral2/memory/2224-158-0x00007FF728F70000-0x00007FF7292C1000-memory.dmp	xmrig
behavioral2/memory/5024-160-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp	xmrig
behavioral2/memory/5092-210-0x00007FF748650000-0x00007FF7489A1000-memory.dmp	xmrig
behavioral2/memory/5036-212-0x00007FF6FEFC0000-0x00007FF6FF311000-memory.dmp	xmrig
behavioral2/memory/4216-214-0x00007FF639CA0000-0x00007FF639FF1000-memory.dmp	xmrig
behavioral2/memory/1964-222-0x00007FF6453C0000-0x00007FF645711000-memory.dmp	xmrig
behavioral2/memory/1992-224-0x00007FF659D00000-0x00007FF65A051000-memory.dmp	xmrig
behavioral2/memory/912-228-0x00007FF78F6F0000-0x00007FF78FA41000-memory.dmp	xmrig
behavioral2/memory/1524-227-0x00007FF76F640000-0x00007FF76F991000-memory.dmp	xmrig
behavioral2/memory/732-230-0x00007FF694EC0000-0x00007FF695211000-memory.dmp	xmrig
behavioral2/memory/3212-232-0x00007FF70E110000-0x00007FF70E461000-memory.dmp	xmrig
behavioral2/memory/1532-239-0x00007FF6EE780000-0x00007FF6EEAD1000-memory.dmp	xmrig
behavioral2/memory/2972-241-0x00007FF70B6A0000-0x00007FF70B9F1000-memory.dmp	xmrig
behavioral2/memory/3912-243-0x00007FF60F4C0000-0x00007FF60F811000-memory.dmp	xmrig
behavioral2/memory/1208-252-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp	xmrig
behavioral2/memory/3180-253-0x00007FF6F99B0000-0x00007FF6F9D01000-memory.dmp	xmrig
behavioral2/memory/1556-255-0x00007FF7D9F60000-0x00007FF7DA2B1000-memory.dmp	xmrig
behavioral2/memory/4748-257-0x00007FF685E90000-0x00007FF6861E1000-memory.dmp	xmrig
behavioral2/memory/2224-266-0x00007FF728F70000-0x00007FF7292C1000-memory.dmp	xmrig
behavioral2/memory/2500-267-0x00007FF7CC770000-0x00007FF7CCAC1000-memory.dmp	xmrig
behavioral2/memory/2988-264-0x00007FF7925E0000-0x00007FF792931000-memory.dmp	xmrig
behavioral2/memory/1756-261-0x00007FF66F1F0000-0x00007FF66F541000-memory.dmp	xmrig
behavioral2/memory/3752-260-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5092	ttEjEpa.exe
5036	lZStPMk.exe
4216	OSdpxYE.exe
1964	WfnNJpM.exe
1992	UIBGihB.exe
912	gpGwblg.exe
1524	pyEBjqh.exe
732	EDswDxv.exe
3212	HdrdUpK.exe
1532	pCuJzjr.exe
2972	wVJaPaC.exe
3912	jmoZxnD.exe
1208	YzvJmci.exe
1556	ClMfknX.exe
3180	cdsPAnB.exe
4748	UIIsvOT.exe
3752	Iirutxa.exe
1756	QBtLmRe.exe
2988	olTqGyV.exe
2224	ETPNhBY.exe
2500	PeHyKyS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5024-0-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp	upx
behavioral2/files/0x00080000000235c4-4.dat	upx
behavioral2/memory/5092-7-0x00007FF748650000-0x00007FF7489A1000-memory.dmp	upx
behavioral2/files/0x00070000000235c8-11.dat	upx
behavioral2/files/0x00070000000235c9-9.dat	upx
behavioral2/memory/5036-12-0x00007FF6FEFC0000-0x00007FF6FF311000-memory.dmp	upx
behavioral2/memory/4216-18-0x00007FF639CA0000-0x00007FF639FF1000-memory.dmp	upx
behavioral2/files/0x00070000000235ca-23.dat	upx
behavioral2/files/0x00080000000235c5-26.dat	upx
behavioral2/files/0x00070000000235cb-31.dat	upx
behavioral2/files/0x00070000000235cc-39.dat	upx
behavioral2/memory/732-50-0x00007FF694EC0000-0x00007FF695211000-memory.dmp	upx
behavioral2/memory/5024-54-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp	upx
behavioral2/files/0x00070000000235ce-56.dat	upx
behavioral2/memory/3212-55-0x00007FF70E110000-0x00007FF70E461000-memory.dmp	upx
behavioral2/files/0x00070000000235cd-48.dat	upx
behavioral2/memory/1524-47-0x00007FF76F640000-0x00007FF76F991000-memory.dmp	upx
behavioral2/memory/912-38-0x00007FF78F6F0000-0x00007FF78FA41000-memory.dmp	upx
behavioral2/memory/1992-30-0x00007FF659D00000-0x00007FF65A051000-memory.dmp	upx
behavioral2/memory/1964-27-0x00007FF6453C0000-0x00007FF645711000-memory.dmp	upx
behavioral2/memory/5092-58-0x00007FF748650000-0x00007FF7489A1000-memory.dmp	upx
behavioral2/files/0x00070000000235cf-61.dat	upx
behavioral2/memory/1532-65-0x00007FF6EE780000-0x00007FF6EEAD1000-memory.dmp	upx
behavioral2/files/0x00070000000235d1-68.dat	upx
behavioral2/memory/1964-78-0x00007FF6453C0000-0x00007FF645711000-memory.dmp	upx
behavioral2/files/0x00070000000235d4-85.dat	upx
behavioral2/memory/912-90-0x00007FF78F6F0000-0x00007FF78FA41000-memory.dmp	upx
behavioral2/memory/1524-94-0x00007FF76F640000-0x00007FF76F991000-memory.dmp	upx
behavioral2/memory/3180-98-0x00007FF6F99B0000-0x00007FF6F9D01000-memory.dmp	upx
behavioral2/files/0x00070000000235d7-107.dat	upx
behavioral2/memory/3752-116-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	upx
behavioral2/files/0x00070000000235d8-123.dat	upx
behavioral2/files/0x00070000000235d9-125.dat	upx
behavioral2/files/0x00070000000235db-136.dat	upx
behavioral2/files/0x00070000000235da-134.dat	upx
behavioral2/memory/2500-133-0x00007FF7CC770000-0x00007FF7CCAC1000-memory.dmp	upx
behavioral2/memory/2224-132-0x00007FF728F70000-0x00007FF7292C1000-memory.dmp	upx
behavioral2/memory/1756-122-0x00007FF66F1F0000-0x00007FF66F541000-memory.dmp	upx
behavioral2/memory/3212-121-0x00007FF70E110000-0x00007FF70E461000-memory.dmp	upx
behavioral2/memory/732-120-0x00007FF694EC0000-0x00007FF695211000-memory.dmp	upx
behavioral2/memory/2988-117-0x00007FF7925E0000-0x00007FF792931000-memory.dmp	upx
behavioral2/files/0x00070000000235d6-113.dat	upx
behavioral2/memory/4748-108-0x00007FF685E90000-0x00007FF6861E1000-memory.dmp	upx
behavioral2/files/0x00070000000235d5-105.dat	upx
behavioral2/memory/1556-93-0x00007FF7D9F60000-0x00007FF7DA2B1000-memory.dmp	upx
behavioral2/memory/1992-89-0x00007FF659D00000-0x00007FF65A051000-memory.dmp	upx
behavioral2/memory/1208-88-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp	upx
behavioral2/files/0x00070000000235d3-86.dat	upx
behavioral2/memory/3912-83-0x00007FF60F4C0000-0x00007FF60F811000-memory.dmp	upx
behavioral2/files/0x00070000000235d2-80.dat	upx
behavioral2/memory/2972-73-0x00007FF70B6A0000-0x00007FF70B9F1000-memory.dmp	upx
behavioral2/memory/4216-71-0x00007FF639CA0000-0x00007FF639FF1000-memory.dmp	upx
behavioral2/memory/5036-63-0x00007FF6FEFC0000-0x00007FF6FF311000-memory.dmp	upx
behavioral2/memory/5024-138-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp	upx
behavioral2/memory/1208-151-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp	upx
behavioral2/memory/1756-156-0x00007FF66F1F0000-0x00007FF66F541000-memory.dmp	upx
behavioral2/memory/2988-157-0x00007FF7925E0000-0x00007FF792931000-memory.dmp	upx
behavioral2/memory/3752-155-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	upx
behavioral2/memory/4748-154-0x00007FF685E90000-0x00007FF6861E1000-memory.dmp	upx
behavioral2/memory/3180-153-0x00007FF6F99B0000-0x00007FF6F9D01000-memory.dmp	upx
behavioral2/memory/1556-152-0x00007FF7D9F60000-0x00007FF7DA2B1000-memory.dmp	upx
behavioral2/memory/2972-149-0x00007FF70B6A0000-0x00007FF70B9F1000-memory.dmp	upx
behavioral2/memory/2500-159-0x00007FF7CC770000-0x00007FF7CCAC1000-memory.dmp	upx
behavioral2/memory/2224-158-0x00007FF728F70000-0x00007FF7292C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pyEBjqh.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\wVJaPaC.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\jmoZxnD.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\cdsPAnB.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\Iirutxa.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\lZStPMk.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\OSdpxYE.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\gpGwblg.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\olTqGyV.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ttEjEpa.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\YzvJmci.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\UIIsvOT.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ETPNhBY.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\WfnNJpM.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\UIBGihB.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\pCuJzjr.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\QBtLmRe.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\PeHyKyS.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\EDswDxv.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\HdrdUpK.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ClMfknX.exe	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 5092	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	92
PID 5024 wrote to memory of 5092	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	92
PID 5024 wrote to memory of 5036	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	93
PID 5024 wrote to memory of 5036	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	93
PID 5024 wrote to memory of 4216	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	94
PID 5024 wrote to memory of 4216	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	94
PID 5024 wrote to memory of 1964	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	95
PID 5024 wrote to memory of 1964	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	95
PID 5024 wrote to memory of 1992	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	96
PID 5024 wrote to memory of 1992	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	96
PID 5024 wrote to memory of 912	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	97
PID 5024 wrote to memory of 912	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	97
PID 5024 wrote to memory of 1524	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	98
PID 5024 wrote to memory of 1524	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	98
PID 5024 wrote to memory of 732	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	99
PID 5024 wrote to memory of 732	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	99
PID 5024 wrote to memory of 3212	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	100
PID 5024 wrote to memory of 3212	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	100
PID 5024 wrote to memory of 1532	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	102
PID 5024 wrote to memory of 1532	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	102
PID 5024 wrote to memory of 2972	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	104
PID 5024 wrote to memory of 2972	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	104
PID 5024 wrote to memory of 3912	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	105
PID 5024 wrote to memory of 3912	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	105
PID 5024 wrote to memory of 1208	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	106
PID 5024 wrote to memory of 1208	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	106
PID 5024 wrote to memory of 1556	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	107
PID 5024 wrote to memory of 1556	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	107
PID 5024 wrote to memory of 3180	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	108
PID 5024 wrote to memory of 3180	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	108
PID 5024 wrote to memory of 4748	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	109
PID 5024 wrote to memory of 4748	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	109
PID 5024 wrote to memory of 3752	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	110
PID 5024 wrote to memory of 3752	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	110
PID 5024 wrote to memory of 1756	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	111
PID 5024 wrote to memory of 1756	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	111
PID 5024 wrote to memory of 2988	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	112
PID 5024 wrote to memory of 2988	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	112
PID 5024 wrote to memory of 2224	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	113
PID 5024 wrote to memory of 2224	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	113
PID 5024 wrote to memory of 2500	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	114
PID 5024 wrote to memory of 2500	5024	202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe	114

C:\Users\Admin\AppData\Local\Temp\202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\202408232f0d6cef399a874555144a83a5a846b4cobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\System\ttEjEpa.exe
  C:\Windows\System\ttEjEpa.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\lZStPMk.exe
  C:\Windows\System\lZStPMk.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\OSdpxYE.exe
  C:\Windows\System\OSdpxYE.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\WfnNJpM.exe
  C:\Windows\System\WfnNJpM.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\UIBGihB.exe
  C:\Windows\System\UIBGihB.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\gpGwblg.exe
  C:\Windows\System\gpGwblg.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\pyEBjqh.exe
  C:\Windows\System\pyEBjqh.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\EDswDxv.exe
  C:\Windows\System\EDswDxv.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\HdrdUpK.exe
  C:\Windows\System\HdrdUpK.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\pCuJzjr.exe
  C:\Windows\System\pCuJzjr.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\wVJaPaC.exe
  C:\Windows\System\wVJaPaC.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\jmoZxnD.exe
  C:\Windows\System\jmoZxnD.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\YzvJmci.exe
  C:\Windows\System\YzvJmci.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\ClMfknX.exe
  C:\Windows\System\ClMfknX.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\cdsPAnB.exe
  C:\Windows\System\cdsPAnB.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\UIIsvOT.exe
  C:\Windows\System\UIIsvOT.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\Iirutxa.exe
  C:\Windows\System\Iirutxa.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\QBtLmRe.exe
  C:\Windows\System\QBtLmRe.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\olTqGyV.exe
  C:\Windows\System\olTqGyV.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\ETPNhBY.exe
  C:\Windows\System\ETPNhBY.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\PeHyKyS.exe
  C:\Windows\System\PeHyKyS.exe
  2⤵
  - Executes dropped EXE
  PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
1⤵
PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ClMfknX.exe

Filesize
5.2MB

MD5
94dfe395153a0d227c82b6835c8752e5

SHA1
896eb30e9425adf6f0a36d0bf630c60bdad9f7f7

SHA256
3e1f921cd4de98d055de0d3b240bc7e0fa16df6847d7f8ed98e445cdc08d528b

SHA512
b2145411af7d675c88f7c98edb9b74f6195264dafbe4016390397cc91ada1d183b67c8000670fb3eebeb78e2908e9c24f3732919673d43136b4232db71502ffd

Download Submit
C:\Windows\System\EDswDxv.exe

Filesize
5.2MB

MD5
026015e55ce54823d079a4cdf5a68d58

SHA1
35540583d0eb2f3e232a14a018f61680e3682205

SHA256
e21a4ddc1a9155df11fb14fc604e60a86db9b10aafefadca03007f6f4eb0c344

SHA512
7bd4de2d31af299bef774170da5a181c3f4cadb8da24bff13b7a960e10a5aacb2aee42df8b7921349caa1da4eec2adce3b8d00d01ac1108af3e638617b88bf64

Download Submit
C:\Windows\System\ETPNhBY.exe

Filesize
5.2MB

MD5
60a2c6c8cb6a9bd728ef30bcb515ea38

SHA1
94f26d91977b99e0293f4e09d46800834a78e904

SHA256
a98989393e3e1ba2e9a512c0f92b11227546e96fe7e5ad39a174da078bf11934

SHA512
6e072f193033bc90a80bd6ad43b1a3d665c085a8307890faf7b3876ead0f5ea484010eb3654a38bcdeac44df54fb1bbd0a49b1a064fa82c89b063e6bb3840320

Download Submit
C:\Windows\System\HdrdUpK.exe

Filesize
5.2MB

MD5
2d85ae1983569802fc1d72d54a5d9ec4

SHA1
1a33f1ae87c263dd8aadb7bfcdf4bacc40b19b69

SHA256
c25320b8124a5a84b8647275de3d75310fdc3a82e0e0415fef9ea33c9ca231ec

SHA512
4850df2db12842a43f7105b2a2a30eb7bbfabf3e4a0588d0bb43da44ce17c62e793cab91c3fd9a8db7c2f3340b6e634da5582679362b08a1be435fd469fc080b

Download Submit
C:\Windows\System\Iirutxa.exe

Filesize
5.2MB

MD5
e41b6da78866ce2cc213d4e9e16e0841

SHA1
c1e97cfe74f3ae665d0c3bdff7b5c990ab5046e4

SHA256
c5087864fb667dd1041595e6f592ea6c814cc3be7b06e6b9b87623e43c66f468

SHA512
66310dd4609d757ff34a85fb0131f637bde47f75851096fba19e9f247adf252ce18bdd2777a32d57ceb3766cf5ed0d1a41e59bf6cf85f7847a6dac41f8196902

Download Submit
C:\Windows\System\OSdpxYE.exe

Filesize
5.2MB

MD5
055f917d4e98e1e6eecb1becaec97f55

SHA1
f9af2895c12532eb1a536018fd148e08d4746f3d

SHA256
21d7367350e27c399a0a8717ca4a956581b85103a989f67bc2fd351dc843cdd3

SHA512
b5de2e53e108aed76da9de0f0143e7c8f178681848a88172f1719f8cf617fddeeea584efb290cd127519ae43c48fa13115558ba3c562958923e641502a8f4703

Download Submit
C:\Windows\System\PeHyKyS.exe

Filesize
5.2MB

MD5
e6d6c61d49940171f5b64e0cab64b030

SHA1
1eb9d3dffb9868d443e73fbac644e996c5382764

SHA256
756c9aea741f82ffc9baea2962d3d4cfc00556c2f2d86b053eb9e7b851db6028

SHA512
fa3f9d9f2814b6a940b1019693ea316a98d6b6b61bea12cef23a66e825bd1aabbc275710c8cd746223e41c3459ba1915763e89c39b9cfb4648d162bf976c9a68

Download Submit
C:\Windows\System\QBtLmRe.exe

Filesize
5.2MB

MD5
1e3dd46dab33c3a4a69dc1f8cfd4fabf

SHA1
1dfaccb7b9e9039ac31812ec03f5b5b7a73a3fc2

SHA256
c0520ab59d383e32074f730345edd6844d2774afd6929705c37deb86a99ab430

SHA512
1221b4fecc24bc6a75f1db424f6147878ea86456cb9a46d49d4b33596195d2dc194046837fe5d403ee917d36329266c2643b189dce443dd414ea515cbf6981c2

Download Submit
C:\Windows\System\UIBGihB.exe

Filesize
5.2MB

MD5
bbeec9e5e245fc64c2e4de88a4309193

SHA1
74fda43cbde57ac9d0274564883536d65f571f59

SHA256
d4d3cf36b974479b50a2021dd9a84be4d0e61a243fadc73ec456b8af9b1233fc

SHA512
ae792fa8746f6e1f1933120685f3c7c6d9801737680ca6c1c04406daac1a9a6a53cf987fff0f10a46d37d8d01502d281f4b02273140dd2e55bb1825c77e7854f

Download Submit
C:\Windows\System\UIIsvOT.exe

Filesize
5.2MB

MD5
76f7d5ec92adee980fae1b8d010686a4

SHA1
c218435b73986658529e21ff7d0261bb806eff78

SHA256
d2e361f68529a4e65d0fb6e00359178985554ed08cf51f4a93478f51580d8b23

SHA512
ffe979f956d8acd0fc6a1a7ed56d3cb48a18e99276e7fedae236805130cfcbc0bf4c033b9a889cbe60b60107de943d6d1e526533f8c8df3fad256f8a2a65d45f

Download Submit
C:\Windows\System\WfnNJpM.exe

Filesize
5.2MB

MD5
f55c9474881746f9b3969c73100619c6

SHA1
e3260f37ebb39a2d4e67a9e00f7220fd18b45f45

SHA256
244479b2467b1af31a86a73fe359c4c8cf665770ec56f7bda3a377c8b52b0d02

SHA512
a35b4cd438e87709a61caf9537424418cd168d2c1af965ce410a4f0f42df93c5f507cd05cd9506c8bfd1b41532f453334efd1695348c7f658bdb815596a3f28e

Download Submit
C:\Windows\System\YzvJmci.exe

Filesize
5.2MB

MD5
8390a53cea8035dc18b97a3d5890ea7f

SHA1
002fc9ab4a65a0ddaaf77943f623d83ddd5f5005

SHA256
ef7fe56c7b8effefec818a82d5a8eae8b5233b54e8f34c9649a894112a443732

SHA512
93e2fd793ce3494d5a8dbd32a677f1111a031b617a362a0fcc9f3c4520826f0ebfedfb2d8155d0d13d21347bca8fbb87a50c59e6fba8af749c6972de442e5fa1

Download Submit
C:\Windows\System\cdsPAnB.exe

Filesize
5.2MB

MD5
b5ba41eeff7f8176c7d14068def3dd0b

SHA1
c9dff95698f017a5e90e71af3517f3276e5a748f

SHA256
fcfc806348b6aaf11644c617ef4088e284fc41736b8dc3aa167ffeba38aa27bc

SHA512
c6a577ad43bdd3a26d3fcfb7d4825bb1e69bf56e128f95125985caf758faba7e3b529fff6125d5d80a5ea00c89a1f6dc9d9f005b01cf888c06d8c12cf6e9817c

Download Submit
C:\Windows\System\gpGwblg.exe

Filesize
5.2MB

MD5
c9130931db55d6f81de2ef1b9118fed8

SHA1
7dc06b0cfba1244e774d24f4e5c3c871e8a54bed

SHA256
08c38dcc529ae5139bae1679d580feac7dd997fab270abf20d748257163e21e8

SHA512
dd8985dde9923b1b8cb88f80d3a9b097a488393327b2278c4f33ca2fad7cd004ba3026530f9e8dda87f756ff6f67465d925a247cb1ec769caa2cf647373ecf68

Download Submit
C:\Windows\System\jmoZxnD.exe

Filesize
5.2MB

MD5
da7e0faeda24223f164ecc33d9d1d3dc

SHA1
4bcb244178117c9a77eefea17cef2f9d8ef97356

SHA256
0812e19c9b1e02da47f61fdd421ae08cdf36e8900d3f0b167088dd87db6c0c03

SHA512
8998f5e7552d000447b36b3978381c27968dfc7c24c8ef72a3d43af65e253a68ec5c95cb67afd091184b4fdb36d5ee5300de7481e4db8202da9cb440fc2e569a

Download Submit
C:\Windows\System\lZStPMk.exe

Filesize
5.2MB

MD5
631e2440aa774ae3f526fcba784ce149

SHA1
fb89682279d7bc529c1fce42520a767a25d393b9

SHA256
b7a2392ed1ab7246dae1fa11a57e6942d77c9d79710d200734cfac14c2779db5

SHA512
f0a75a0c250790827b7f5333a4bf70d3aa4fade17f3d53ea9afe17c90a56cdd1cae9b08175d0f94f0ae4f8c883b2bacc551b0cdd81497dda642453d9933eadc4

Download Submit
C:\Windows\System\olTqGyV.exe

Filesize
5.2MB

MD5
599bb957f92d73c928f56c3cefc40366

SHA1
a5adef57607ed6d715508af8ed3504f53d99397e

SHA256
aa0a210d9503c58cf2805fddb97588182f67fd611cfcbae5ed99feee72d65738

SHA512
5aacede1a2942c9a19fab5ff3f25207b37d4abbfa246429117a1514b621342cfc71d16d13dda43e9425d2a6de44143c18a1bb05f95695f8f7faec12972283613

Download Submit
C:\Windows\System\pCuJzjr.exe

Filesize
5.2MB

MD5
e332ba29baf0a9a54924ce6780a540fc

SHA1
a81b918f8a29ba32cb4064836ac16ed0edb91e4e

SHA256
78b96b87194d5481e6223078c8b7282aaee4b9ec278353a1969cf4443c00b818

SHA512
3ec96c7e6f5fbfff3cd79d8f8aff11ab5158714f08045e600a9dc8b25c5770a6828a8767264ba8009c547d9daadb87c1d8949de1e945ac40151f88b1e4258690

Download Submit
C:\Windows\System\pyEBjqh.exe

Filesize
5.2MB

MD5
4650f7b786411b3782049989b0ca4302

SHA1
3f25c0b83c82f62085bfc34cbc58b8eb193f30af

SHA256
c8d8fe0c8180701412bd0bbc197f9c623d0dbbfdae32c6b07511af586b1929ed

SHA512
6ba2223e3e66643f3e53579ac79049d600b9f315faf810391db2fca980cbb2a106ea4240ebfa934c5bdb4c406de0cd4b29defb26544d623b9f99554666b46816

Download Submit
C:\Windows\System\ttEjEpa.exe

Filesize
5.2MB

MD5
a93e76b6a36c4e5eb4e147eed880be08

SHA1
bd885bb77e87352b65115138556199cfdf49ed9c

SHA256
876f5d1e1198f1e68deab182af635806c20ab3d8c7f4de02ccccbb68b1a95c5b

SHA512
87a6f1e699cad6671bc163fd7363b1becc0de205e17504218077707e97ea360fcdcaaade457f0899ecc44d6458502f6328643f400afea5466cb23c455d368e87

Download Submit
C:\Windows\System\wVJaPaC.exe

Filesize
5.2MB

MD5
bdb3d4eb338859b0828ba71ce2ea42b6

SHA1
08c0c4b2ddbe76d73a80ddb937b83d9fe82a45e0

SHA256
75c85aa2cf57a5ad4514788443422d265c32b46cd6b5759610028430319313dd

SHA512
e60b0b292958a5366b358b882431d5d78e013fbb0cf744a04a7f3a9244577b6b922bc87e82796078fca6c6c02406ec5c6d79f5e5848e84a640b78fbe2cf6fb8a

Download Submit
memory/732-120-0x00007FF694EC0000-0x00007FF695211000-memory.dmp

Filesize
3.3MB

Download
memory/732-50-0x00007FF694EC0000-0x00007FF695211000-memory.dmp

Filesize
3.3MB

Download
memory/732-230-0x00007FF694EC0000-0x00007FF695211000-memory.dmp

Filesize
3.3MB

Download
memory/912-90-0x00007FF78F6F0000-0x00007FF78FA41000-memory.dmp

Filesize
3.3MB

Download
memory/912-38-0x00007FF78F6F0000-0x00007FF78FA41000-memory.dmp

Filesize
3.3MB

Download
memory/912-228-0x00007FF78F6F0000-0x00007FF78FA41000-memory.dmp

Filesize
3.3MB

Download
memory/1208-88-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp

Filesize
3.3MB

Download
memory/1208-252-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp

Filesize
3.3MB

Download
memory/1208-151-0x00007FF7CE610000-0x00007FF7CE961000-memory.dmp

Filesize
3.3MB

Download
memory/1524-94-0x00007FF76F640000-0x00007FF76F991000-memory.dmp

Filesize
3.3MB

Download
memory/1524-47-0x00007FF76F640000-0x00007FF76F991000-memory.dmp

Filesize
3.3MB

Download
memory/1524-227-0x00007FF76F640000-0x00007FF76F991000-memory.dmp

Filesize
3.3MB

Download
memory/1532-65-0x00007FF6EE780000-0x00007FF6EEAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-239-0x00007FF6EE780000-0x00007FF6EEAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-255-0x00007FF7D9F60000-0x00007FF7DA2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-152-0x00007FF7D9F60000-0x00007FF7DA2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-93-0x00007FF7D9F60000-0x00007FF7DA2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-261-0x00007FF66F1F0000-0x00007FF66F541000-memory.dmp

Filesize
3.3MB

Download
memory/1756-122-0x00007FF66F1F0000-0x00007FF66F541000-memory.dmp

Filesize
3.3MB

Download
memory/1756-156-0x00007FF66F1F0000-0x00007FF66F541000-memory.dmp

Filesize
3.3MB

Download
memory/1964-78-0x00007FF6453C0000-0x00007FF645711000-memory.dmp

Filesize
3.3MB

Download
memory/1964-222-0x00007FF6453C0000-0x00007FF645711000-memory.dmp

Filesize
3.3MB

Download
memory/1964-27-0x00007FF6453C0000-0x00007FF645711000-memory.dmp

Filesize
3.3MB

Download
memory/1992-30-0x00007FF659D00000-0x00007FF65A051000-memory.dmp

Filesize
3.3MB

Download
memory/1992-224-0x00007FF659D00000-0x00007FF65A051000-memory.dmp

Filesize
3.3MB

Download
memory/1992-89-0x00007FF659D00000-0x00007FF65A051000-memory.dmp

Filesize
3.3MB

Download
memory/2224-158-0x00007FF728F70000-0x00007FF7292C1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-266-0x00007FF728F70000-0x00007FF7292C1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-132-0x00007FF728F70000-0x00007FF7292C1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-159-0x00007FF7CC770000-0x00007FF7CCAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-267-0x00007FF7CC770000-0x00007FF7CCAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-133-0x00007FF7CC770000-0x00007FF7CCAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-73-0x00007FF70B6A0000-0x00007FF70B9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-241-0x00007FF70B6A0000-0x00007FF70B9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-149-0x00007FF70B6A0000-0x00007FF70B9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-264-0x00007FF7925E0000-0x00007FF792931000-memory.dmp

Filesize
3.3MB

Download
memory/2988-157-0x00007FF7925E0000-0x00007FF792931000-memory.dmp

Filesize
3.3MB

Download
memory/2988-117-0x00007FF7925E0000-0x00007FF792931000-memory.dmp

Filesize
3.3MB

Download
memory/3180-153-0x00007FF6F99B0000-0x00007FF6F9D01000-memory.dmp

Filesize
3.3MB

Download
memory/3180-253-0x00007FF6F99B0000-0x00007FF6F9D01000-memory.dmp

Filesize
3.3MB

Download
memory/3180-98-0x00007FF6F99B0000-0x00007FF6F9D01000-memory.dmp

Filesize
3.3MB

Download
memory/3212-121-0x00007FF70E110000-0x00007FF70E461000-memory.dmp

Filesize
3.3MB

Download
memory/3212-232-0x00007FF70E110000-0x00007FF70E461000-memory.dmp

Filesize
3.3MB

Download
memory/3212-55-0x00007FF70E110000-0x00007FF70E461000-memory.dmp

Filesize
3.3MB

Download
memory/3752-116-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-155-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-260-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3912-243-0x00007FF60F4C0000-0x00007FF60F811000-memory.dmp

Filesize
3.3MB

Download
memory/3912-83-0x00007FF60F4C0000-0x00007FF60F811000-memory.dmp

Filesize
3.3MB

Download
memory/4216-18-0x00007FF639CA0000-0x00007FF639FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-214-0x00007FF639CA0000-0x00007FF639FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-71-0x00007FF639CA0000-0x00007FF639FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-257-0x00007FF685E90000-0x00007FF6861E1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-154-0x00007FF685E90000-0x00007FF6861E1000-memory.dmp

Filesize
3.3MB

Download
memory/4748-108-0x00007FF685E90000-0x00007FF6861E1000-memory.dmp

Filesize
3.3MB

Download
memory/5024-0-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp

Filesize
3.3MB

Download
memory/5024-138-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp

Filesize
3.3MB

Download
memory/5024-54-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp

Filesize
3.3MB

Download
memory/5024-160-0x00007FF6C8530000-0x00007FF6C8881000-memory.dmp

Filesize
3.3MB

Download
memory/5024-1-0x00000218D3C30000-0x00000218D3C40000-memory.dmp

Filesize
64KB

Download
memory/5036-12-0x00007FF6FEFC0000-0x00007FF6FF311000-memory.dmp

Filesize
3.3MB

Download
memory/5036-212-0x00007FF6FEFC0000-0x00007FF6FF311000-memory.dmp

Filesize
3.3MB

Download
memory/5036-63-0x00007FF6FEFC0000-0x00007FF6FF311000-memory.dmp

Filesize
3.3MB

Download
memory/5092-210-0x00007FF748650000-0x00007FF7489A1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-7-0x00007FF748650000-0x00007FF7489A1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-58-0x00007FF748650000-0x00007FF7489A1000-memory.dmp

Filesize
3.3MB

Download