cobaltstrike | 1b39cb98557dfd97977da0b756f9ba672df999e827c05b9c9133c7f5ec96dfc5

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
Size

5.2MB
MD5

89a539d79afb60e67b195391dad2f449
SHA1

cda572ed4656f13e5cef204b562c2503c4bb5792
SHA256

1b39cb98557dfd97977da0b756f9ba672df999e827c05b9c9133c7f5ec96dfc5
SHA512

dfde9ad1a8c51da4b3871e13e65376e0d7ade92d1004979d84139d3095f043403e7c344dd61e869c60b6524e334daea30194db8cfb14d80f07102ee2f0cbe2bf
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002360d-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023611-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023612-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023614-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023615-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023619-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361a-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361b-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361e-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023620-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023623-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023622-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023621-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361f-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361d-107.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002360e-105.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361c-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023618-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023617-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023616-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023613-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/936-79-0x00007FF63CF90000-0x00007FF63D2E1000-memory.dmp	xmrig
behavioral2/memory/3180-126-0x00007FF74E870000-0x00007FF74EBC1000-memory.dmp	xmrig
behavioral2/memory/3024-125-0x00007FF6FBFD0000-0x00007FF6FC321000-memory.dmp	xmrig
behavioral2/memory/2876-80-0x00007FF7E7290000-0x00007FF7E75E1000-memory.dmp	xmrig
behavioral2/memory/2908-76-0x00007FF6801D0000-0x00007FF680521000-memory.dmp	xmrig
behavioral2/memory/4660-75-0x00007FF691230000-0x00007FF691581000-memory.dmp	xmrig
behavioral2/memory/2200-70-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	xmrig
behavioral2/memory/4532-62-0x00007FF6025F0000-0x00007FF602941000-memory.dmp	xmrig
behavioral2/memory/1712-133-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp	xmrig
behavioral2/memory/3720-132-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp	xmrig
behavioral2/memory/3112-147-0x00007FF6DDD40000-0x00007FF6DE091000-memory.dmp	xmrig
behavioral2/memory/3300-149-0x00007FF758FB0000-0x00007FF759301000-memory.dmp	xmrig
behavioral2/memory/704-146-0x00007FF7D9D90000-0x00007FF7DA0E1000-memory.dmp	xmrig
behavioral2/memory/3144-144-0x00007FF730040000-0x00007FF730391000-memory.dmp	xmrig
behavioral2/memory/1444-142-0x00007FF6E1B30000-0x00007FF6E1E81000-memory.dmp	xmrig
behavioral2/memory/2452-140-0x00007FF767980000-0x00007FF767CD1000-memory.dmp	xmrig
behavioral2/memory/1348-138-0x00007FF646910000-0x00007FF646C61000-memory.dmp	xmrig
behavioral2/memory/4120-130-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp	xmrig
behavioral2/memory/3444-143-0x00007FF66D100000-0x00007FF66D451000-memory.dmp	xmrig
behavioral2/memory/516-135-0x00007FF76A260000-0x00007FF76A5B1000-memory.dmp	xmrig
behavioral2/memory/3980-129-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp	xmrig
behavioral2/memory/2888-128-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp	xmrig
behavioral2/memory/2888-150-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp	xmrig
behavioral2/memory/2888-154-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp	xmrig
behavioral2/memory/3980-207-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp	xmrig
behavioral2/memory/4120-209-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp	xmrig
behavioral2/memory/2200-211-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	xmrig
behavioral2/memory/3720-213-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp	xmrig
behavioral2/memory/1712-215-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp	xmrig
behavioral2/memory/516-228-0x00007FF76A260000-0x00007FF76A5B1000-memory.dmp	xmrig
behavioral2/memory/4532-232-0x00007FF6025F0000-0x00007FF602941000-memory.dmp	xmrig
behavioral2/memory/2908-236-0x00007FF6801D0000-0x00007FF680521000-memory.dmp	xmrig
behavioral2/memory/1348-235-0x00007FF646910000-0x00007FF646C61000-memory.dmp	xmrig
behavioral2/memory/4660-230-0x00007FF691230000-0x00007FF691581000-memory.dmp	xmrig
behavioral2/memory/936-252-0x00007FF63CF90000-0x00007FF63D2E1000-memory.dmp	xmrig
behavioral2/memory/2452-250-0x00007FF767980000-0x00007FF767CD1000-memory.dmp	xmrig
behavioral2/memory/3024-256-0x00007FF6FBFD0000-0x00007FF6FC321000-memory.dmp	xmrig
behavioral2/memory/3144-254-0x00007FF730040000-0x00007FF730391000-memory.dmp	xmrig
behavioral2/memory/2876-249-0x00007FF7E7290000-0x00007FF7E75E1000-memory.dmp	xmrig
behavioral2/memory/704-244-0x00007FF7D9D90000-0x00007FF7DA0E1000-memory.dmp	xmrig
behavioral2/memory/3112-243-0x00007FF6DDD40000-0x00007FF6DE091000-memory.dmp	xmrig
behavioral2/memory/3180-241-0x00007FF74E870000-0x00007FF74EBC1000-memory.dmp	xmrig
behavioral2/memory/1444-246-0x00007FF6E1B30000-0x00007FF6E1E81000-memory.dmp	xmrig
behavioral2/memory/3300-239-0x00007FF758FB0000-0x00007FF759301000-memory.dmp	xmrig
behavioral2/memory/3444-258-0x00007FF66D100000-0x00007FF66D451000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3980	SzdnsuV.exe
4120	EbEkfpw.exe
2200	dzjHCCm.exe
3720	UlszJEF.exe
1712	jlsfhiy.exe
4660	oxXyxpV.exe
516	UiWWdZC.exe
4532	rKSMKLQ.exe
2908	poaxmnU.exe
1348	IVJGDpm.exe
936	uqFOCej.exe
2452	raewyUW.exe
2876	eIWCWNz.exe
1444	LXAlPOZ.exe
3444	QWJzlrx.exe
3144	IVMxNFv.exe
3024	tZeDzWl.exe
704	lelykgb.exe
3112	ouJeBNv.exe
3180	TIBGyCL.exe
3300	ETCrUaY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2888-0-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp	upx
behavioral2/files/0x000800000002360d-5.dat	upx
behavioral2/memory/3980-8-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp	upx
behavioral2/files/0x0007000000023611-12.dat	upx
behavioral2/files/0x0007000000023612-19.dat	upx
behavioral2/memory/4120-24-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp	upx
behavioral2/files/0x0007000000023614-36.dat	upx
behavioral2/files/0x0007000000023615-40.dat	upx
behavioral2/files/0x0007000000023619-50.dat	upx
behavioral2/files/0x000700000002361a-60.dat	upx
behavioral2/files/0x000700000002361b-73.dat	upx
behavioral2/memory/936-79-0x00007FF63CF90000-0x00007FF63D2E1000-memory.dmp	upx
behavioral2/files/0x000700000002361e-91.dat	upx
behavioral2/files/0x0007000000023620-98.dat	upx
behavioral2/memory/3180-126-0x00007FF74E870000-0x00007FF74EBC1000-memory.dmp	upx
behavioral2/memory/3024-125-0x00007FF6FBFD0000-0x00007FF6FC321000-memory.dmp	upx
behavioral2/memory/3300-124-0x00007FF758FB0000-0x00007FF759301000-memory.dmp	upx
behavioral2/files/0x0007000000023623-122.dat	upx
behavioral2/files/0x0007000000023622-120.dat	upx
behavioral2/files/0x0007000000023621-118.dat	upx
behavioral2/files/0x000700000002361f-113.dat	upx
behavioral2/memory/3112-112-0x00007FF6DDD40000-0x00007FF6DE091000-memory.dmp	upx
behavioral2/memory/704-111-0x00007FF7D9D90000-0x00007FF7DA0E1000-memory.dmp	upx
behavioral2/files/0x000700000002361d-107.dat	upx
behavioral2/files/0x000800000002360e-105.dat	upx
behavioral2/memory/3144-104-0x00007FF730040000-0x00007FF730391000-memory.dmp	upx
behavioral2/memory/3444-103-0x00007FF66D100000-0x00007FF66D451000-memory.dmp	upx
behavioral2/memory/1444-96-0x00007FF6E1B30000-0x00007FF6E1E81000-memory.dmp	upx
behavioral2/memory/2876-80-0x00007FF7E7290000-0x00007FF7E75E1000-memory.dmp	upx
behavioral2/files/0x000700000002361c-77.dat	upx
behavioral2/memory/2908-76-0x00007FF6801D0000-0x00007FF680521000-memory.dmp	upx
behavioral2/memory/4660-75-0x00007FF691230000-0x00007FF691581000-memory.dmp	upx
behavioral2/memory/2200-70-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	upx
behavioral2/memory/2452-69-0x00007FF767980000-0x00007FF767CD1000-memory.dmp	upx
behavioral2/memory/1348-63-0x00007FF646910000-0x00007FF646C61000-memory.dmp	upx
behavioral2/memory/4532-62-0x00007FF6025F0000-0x00007FF602941000-memory.dmp	upx
behavioral2/files/0x0007000000023618-57.dat	upx
behavioral2/memory/516-55-0x00007FF76A260000-0x00007FF76A5B1000-memory.dmp	upx
behavioral2/files/0x0007000000023617-48.dat	upx
behavioral2/files/0x0007000000023616-43.dat	upx
behavioral2/memory/1712-42-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp	upx
behavioral2/files/0x0007000000023613-33.dat	upx
behavioral2/memory/3720-26-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp	upx
behavioral2/memory/1712-133-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp	upx
behavioral2/memory/3720-132-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp	upx
behavioral2/memory/3112-147-0x00007FF6DDD40000-0x00007FF6DE091000-memory.dmp	upx
behavioral2/memory/3300-149-0x00007FF758FB0000-0x00007FF759301000-memory.dmp	upx
behavioral2/memory/704-146-0x00007FF7D9D90000-0x00007FF7DA0E1000-memory.dmp	upx
behavioral2/memory/3144-144-0x00007FF730040000-0x00007FF730391000-memory.dmp	upx
behavioral2/memory/1444-142-0x00007FF6E1B30000-0x00007FF6E1E81000-memory.dmp	upx
behavioral2/memory/2452-140-0x00007FF767980000-0x00007FF767CD1000-memory.dmp	upx
behavioral2/memory/1348-138-0x00007FF646910000-0x00007FF646C61000-memory.dmp	upx
behavioral2/memory/4120-130-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp	upx
behavioral2/memory/3444-143-0x00007FF66D100000-0x00007FF66D451000-memory.dmp	upx
behavioral2/memory/516-135-0x00007FF76A260000-0x00007FF76A5B1000-memory.dmp	upx
behavioral2/memory/3980-129-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp	upx
behavioral2/memory/2888-128-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp	upx
behavioral2/memory/2888-150-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp	upx
behavioral2/memory/2888-154-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp	upx
behavioral2/memory/3980-207-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp	upx
behavioral2/memory/4120-209-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp	upx
behavioral2/memory/2200-211-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp	upx
behavioral2/memory/3720-213-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp	upx
behavioral2/memory/1712-215-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jlsfhiy.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\oxXyxpV.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\poaxmnU.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\uqFOCej.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\eIWCWNz.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\LXAlPOZ.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\dzjHCCm.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\tZeDzWl.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ETCrUaY.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\SzdnsuV.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\EbEkfpw.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\UiWWdZC.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\rKSMKLQ.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\IVJGDpm.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\raewyUW.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\QWJzlrx.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\IVMxNFv.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\TIBGyCL.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\UlszJEF.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\lelykgb.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
File created	C:\Windows\System\ouJeBNv.exe	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 3980	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	92
PID 2888 wrote to memory of 3980	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	92
PID 2888 wrote to memory of 4120	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	93
PID 2888 wrote to memory of 4120	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	93
PID 2888 wrote to memory of 2200	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	94
PID 2888 wrote to memory of 2200	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	94
PID 2888 wrote to memory of 3720	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	95
PID 2888 wrote to memory of 3720	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	95
PID 2888 wrote to memory of 1712	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	96
PID 2888 wrote to memory of 1712	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	96
PID 2888 wrote to memory of 4660	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	97
PID 2888 wrote to memory of 4660	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	97
PID 2888 wrote to memory of 516	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	98
PID 2888 wrote to memory of 516	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	98
PID 2888 wrote to memory of 4532	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	99
PID 2888 wrote to memory of 4532	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	99
PID 2888 wrote to memory of 2908	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	100
PID 2888 wrote to memory of 2908	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	100
PID 2888 wrote to memory of 1348	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	101
PID 2888 wrote to memory of 1348	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	101
PID 2888 wrote to memory of 936	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	102
PID 2888 wrote to memory of 936	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	102
PID 2888 wrote to memory of 2452	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	103
PID 2888 wrote to memory of 2452	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	103
PID 2888 wrote to memory of 2876	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	104
PID 2888 wrote to memory of 2876	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	104
PID 2888 wrote to memory of 1444	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	105
PID 2888 wrote to memory of 1444	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	105
PID 2888 wrote to memory of 3444	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	106
PID 2888 wrote to memory of 3444	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	106
PID 2888 wrote to memory of 3144	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	107
PID 2888 wrote to memory of 3144	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	107
PID 2888 wrote to memory of 3024	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	108
PID 2888 wrote to memory of 3024	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	108
PID 2888 wrote to memory of 704	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	109
PID 2888 wrote to memory of 704	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	109
PID 2888 wrote to memory of 3112	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	110
PID 2888 wrote to memory of 3112	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	110
PID 2888 wrote to memory of 3180	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	111
PID 2888 wrote to memory of 3180	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	111
PID 2888 wrote to memory of 3300	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	112
PID 2888 wrote to memory of 3300	2888	2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe	112

C:\Users\Admin\AppData\Local\Temp\2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\2024090689a539d79afb60e67b195391dad2f449cobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\System\SzdnsuV.exe
  C:\Windows\System\SzdnsuV.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\EbEkfpw.exe
  C:\Windows\System\EbEkfpw.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\dzjHCCm.exe
  C:\Windows\System\dzjHCCm.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\UlszJEF.exe
  C:\Windows\System\UlszJEF.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\jlsfhiy.exe
  C:\Windows\System\jlsfhiy.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\oxXyxpV.exe
  C:\Windows\System\oxXyxpV.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\UiWWdZC.exe
  C:\Windows\System\UiWWdZC.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\rKSMKLQ.exe
  C:\Windows\System\rKSMKLQ.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\poaxmnU.exe
  C:\Windows\System\poaxmnU.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\IVJGDpm.exe
  C:\Windows\System\IVJGDpm.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\uqFOCej.exe
  C:\Windows\System\uqFOCej.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\raewyUW.exe
  C:\Windows\System\raewyUW.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\eIWCWNz.exe
  C:\Windows\System\eIWCWNz.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\LXAlPOZ.exe
  C:\Windows\System\LXAlPOZ.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\QWJzlrx.exe
  C:\Windows\System\QWJzlrx.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\IVMxNFv.exe
  C:\Windows\System\IVMxNFv.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\tZeDzWl.exe
  C:\Windows\System\tZeDzWl.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\lelykgb.exe
  C:\Windows\System\lelykgb.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System\ouJeBNv.exe
  C:\Windows\System\ouJeBNv.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\TIBGyCL.exe
  C:\Windows\System\TIBGyCL.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\ETCrUaY.exe
  C:\Windows\System\ETCrUaY.exe
  2⤵
  - Executes dropped EXE
  PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ETCrUaY.exe

Filesize
5.2MB

MD5
f168bc895df2d0bb0cb048787f2066d9

SHA1
0636ec874e9bd6fe822418c71fdbd8ae1d306013

SHA256
15be3ad8ca08772652107da8bd52105fa298d35b98b693dd4d7feeeabcb48fb7

SHA512
261f73fc4a73e9d59bcb9ad88a7f912f5f1193f9f4f5ed3d5c180dbd27f335621c646ce3c8eea32913f261e2bb65de5876c457a05cd003ff9c235499e3edddfe

Download Submit
C:\Windows\System\EbEkfpw.exe

Filesize
5.2MB

MD5
b5346a8395cb0615fa053afca413bba7

SHA1
fcb725d65bbe475917e75568bfc27df9de0922cc

SHA256
3432f78541350dbc56e8f25e17844b75ab41e4a5376d67302ec2e7bf7090cd9f

SHA512
69cd232bd4321b8fef575efe7896481b31659fe41e8cfcef52395a421c416eeeac0e2e73f8718de7192262b114084da08efde1fe9d0ea07034313a6dacb0f4b5

Download Submit
C:\Windows\System\IVJGDpm.exe

Filesize
5.2MB

MD5
fe1f20dc07c51e4e8bf2708c722960d0

SHA1
8c59a00cb0a405d6adcbe9af3ebff9b16de6a14e

SHA256
7611f32fe395b31bb7d733ef87161c7e58b762ae32952dfb8bf9b613202172b1

SHA512
9a2b439302a9f549ddbc74b21e7d81a0aded7b7ae4afc4d74016087a247d9428ed5b3d572f47f887e557790686052c21dab7d5fe7f74805c789b1e50fb67a781

Download Submit
C:\Windows\System\IVMxNFv.exe

Filesize
5.2MB

MD5
493e2a153a5bd73133c99b6efdd8fe4c

SHA1
215ce6c2c90fbc740548564139a44b3a7eadc490

SHA256
698f81d8321b6d57c516db84656e10394dd2b4ada8c0b88a60f4649b108be201

SHA512
a1d75812ed764134650cb75a793ee72637ebfa93cec51ad91d393e502d45b195ec8f019e48b287c32aa049f139c025cda485f659fe76993b1106900e8183e626

Download Submit
C:\Windows\System\LXAlPOZ.exe

Filesize
5.2MB

MD5
c782536f8b36f0d921d9fb58d5f63015

SHA1
576279bbbcbc3f206f24c69540913d18904278d3

SHA256
68717b8570c3a474498673c91dc17c38a653d4f5bf3ca922c4949fe7f928fbbd

SHA512
c8c36389e3465ac745dbf68f0dab07feecde2434817be4691fef276ac19c7978d418f68eb315a2d62d3a90952e5e552c0a572c12dd9c74724b6b872e560fd3dd

Download Submit
C:\Windows\System\QWJzlrx.exe

Filesize
5.2MB

MD5
9822673f14ebe6f8a55103bfd9c46aae

SHA1
50381149b95ef03ab78c7937fe6da54591cbe5f5

SHA256
67d918a5242784db8d6f9f1d4effb00ffd063e7842a2498f188b77b99cf03bde

SHA512
36b1991ba14d2fa60bf3e0ee2ce65a2ab2853b199ff7d1ca2794628c1af7e11138ba0a8d0a7ea1bb336b8109a0d8aaa9bb6ee834202c1ee37288a542a3aa72b1

Download Submit
C:\Windows\System\SzdnsuV.exe

Filesize
5.2MB

MD5
344d0ab068c9704e04300e3f70030709

SHA1
0e8e906452db1d28fca2adf00aa23f9bb202f389

SHA256
87474883c49dca7ed57a4a5ad9dbb2da6e61a7e9592dc7d863a66c94b5243c9b

SHA512
7ca740afa3383c8b5589e4721c57c24efe9a2d74a20ed6bf052fdff7a011f939fa0b47023106f559c22738059da84bec1fbcb3c25ac9282779d593223e92d7e8

Download Submit
C:\Windows\System\TIBGyCL.exe

Filesize
5.2MB

MD5
28303ff8eec39865cfbcaf1b2f8d2de3

SHA1
fcf6e890c50d8456538939d707cf6516f8feb204

SHA256
57efe7c22fc69e0e505a17cf1aa4a487c9faa73ff70ff9a24a98ec83b108a10a

SHA512
f58fec6a07999b69913f9bcb2f0ad78fb0ab2150f608efee5af9ad03affad45db04c1f9be08d9717180a2918329ccba9cde05aaf7a6dcbd229d1d56124b82ff4

Download Submit
C:\Windows\System\UiWWdZC.exe

Filesize
5.2MB

MD5
0a646b1ec4a77f3d98a3c422577d6b69

SHA1
759549e016042e5d1f27b1155e916313da29b87c

SHA256
dd8cfe1a77ac14fe1df7213b56139e1b3f5d435d2de074fdbdad0fb8c1457671

SHA512
6fb36d1fd21084e875b23fb2b667104629f38838ad7e299aa8235839ef366d7c9b59dd9283ab0869127056d1491adfe812dc8c50932ea8954dbea1d2c37e095c

Download Submit
C:\Windows\System\UlszJEF.exe

Filesize
5.2MB

MD5
9199a071ef565689588f2615402a23f3

SHA1
9c03f493ff01a9d11dd74387b17a89a313160de0

SHA256
882cf2b2362f52eb792949eed4d69af41b36f1658d6e726f04f9bfb637ff87dc

SHA512
e66dee32302102923403bae848539895505522090bcdc8eecaf5ebf109cef2ab14d6d5d21fa37196e37d062d56ba2d2d189b979b0c0c55f38c8fde144890a1f0

Download Submit
C:\Windows\System\dzjHCCm.exe

Filesize
5.2MB

MD5
29e7fbef6b76713ca6a581377c31c8a2

SHA1
588259178841185b72c73060dd0afafbf19863c4

SHA256
05644052dd4b86d98f6b4f9112422910abc5d2a86386ac5f9343865b4a2b1e3e

SHA512
bd71af9803e15d0bc3e30ef03d434a4d2172b88ee94cd85b08fa4613942669c0e275d247af6f50a03ae8b78434168eca88a0d8a5b5d68b4799e246d651980f64

Download Submit
C:\Windows\System\eIWCWNz.exe

Filesize
5.2MB

MD5
beca045a836981d36ea48ac19d91a68a

SHA1
92965e11d5b8c12ab1d19103958620229874ad5f

SHA256
8781b6dee30cd564bf7093dd9739137f7571cbb22d55a6325201e0299a4751e3

SHA512
c9570b88a25c5bb6272bf4b577dc069a994fb55b2450b78698169e54e88e05b005155a3f89ade828ed2aa5d4c55be5e8dfa19a8b9cc6b9f63c1276754d18173a

Download Submit
C:\Windows\System\jlsfhiy.exe

Filesize
5.2MB

MD5
24f1c29c23e46859ebb7d27bf5ef4897

SHA1
a6ea4d89902737e6702cad129bb0c05d438a1b9f

SHA256
baf658ae0135c28aad1d3a68c4827a312db9b69dae9e75304f2ea7fe2fc1f6ce

SHA512
19e5677267682726daabb67afb1841dce6f53e3f87f69066ba3ef0ec16902cfd9c70f2f1aa31feb77f0cd07029bece0fe2e977c27f1b1455e8aa95fd67a8b6fb

Download Submit
C:\Windows\System\lelykgb.exe

Filesize
5.2MB

MD5
2ca44e90b60a25b80f1d0db092f33dea

SHA1
382c961d53068cec5b80b2654feeeb0f7dd813c8

SHA256
56a72200430a43318f22ec0a608383313ee102bc26867e05eaa7160302c215db

SHA512
d0762f4b0fee66799623f40ab1279f78c642a986e62d85499e72022a5a362213a2210b2e595c1127f3a535404799878278ed4b30bd738eec493a7729ea67c4f4

Download Submit
C:\Windows\System\ouJeBNv.exe

Filesize
5.2MB

MD5
612964ec6db4be2c3e40b37ad663abd1

SHA1
5edd158d199a34d0ee62e35b9e3c54b70dc69dd9

SHA256
55c151599fe7d9caae4b64b1f7627ad9cf7d03d8777aeb18bad359b1d4d9f7c3

SHA512
c69782205206acda3146852d6dddbba7be6186938457fb3fe36aff42d3d350a9b006f51c3ddb86343c9e0df0d02df644bd342df6308af773ca7a26098a617daa

Download Submit
C:\Windows\System\oxXyxpV.exe

Filesize
5.2MB

MD5
dcba7666192911aa1b2e88fa98c2a2ff

SHA1
35f94822cf307ee76a9708126b278b68d6b2de96

SHA256
5a302aa50ef776bebfe252e81508c9ce8a1964468e3d34d97bffd39c71cd5b7b

SHA512
94b3bf04d9033e54657c7bf473f5ea6ed024bb7187f369077ea90c0af9b84cd90016d0aa88f4148ad270a952082295c2028bd6f5325fe9b916ab8f73b18af225

Download Submit
C:\Windows\System\poaxmnU.exe

Filesize
5.2MB

MD5
e1e05ab7dd055720c7ec110a7f18c161

SHA1
f689e2dda72a60d45cbaedcd6a3865dbb740c9cb

SHA256
e95db7f962a5b9fbba4820561daafcd6a8b11486f02ebb77ac66d9c3a61ae447

SHA512
84fdf9557ac10095e8e49de27703a074e7cf33374321c2426746aedfe23e861e33f59d0218e9a6eeb457e17e99d8e6e873d087edee30804787ae26ac9c019452

Download Submit
C:\Windows\System\rKSMKLQ.exe

Filesize
5.2MB

MD5
9ca7adc25a74e8d7dbd6f26a22f0501a

SHA1
b22d796dc9e9409ed51728a2ae13ac93964d1120

SHA256
a9f486ad096236e37e05e113041db5ebfedfd29b27110a865174485f8b33acae

SHA512
808f8ba1fb59add88d24fc6aaf8afeaeeb40676cf440103175d13333b183db96c840a523d704ccade5a6e6f7108afeba0d2bbf8ded3ca888c07264723bf4ed6c

Download Submit
C:\Windows\System\raewyUW.exe

Filesize
5.2MB

MD5
2ec4a95d4d20ae06996fa145114da007

SHA1
50c091c948c904cd62e268e92984cab94bc8b5e0

SHA256
1501a4b07716ac236fc8400289b224a7e0305c8f53a70d5363c430491139af40

SHA512
91c3224333f845b8a310cafd2365d2da2e5547ec4d4f28d46222a67cadd37a7649637a85a52e4a841e3dcc1b053eb3b86edfa818305d58f3f99b842a0a1f6d01

Download Submit
C:\Windows\System\tZeDzWl.exe

Filesize
5.2MB

MD5
3d1e38f0a7cdcc067d91378273002350

SHA1
64d189d4a832b151cb31e1365e2a8a0c4545a8f5

SHA256
a3f6dd29a21c1da78797b596cbb20784c1904f5d0b2734df1bc183eb61703d5e

SHA512
9bbe37b4ea5e2f9990c2242600d48db4181d3afb137f0f440a4bb487c78e0409a384c19c6aced519f9abaf963b8fd420ef79bd9390c4e1a4a304843fa89cf679

Download Submit
C:\Windows\System\uqFOCej.exe

Filesize
5.2MB

MD5
e55c39b7794d43f22d50e0934da4ed6f

SHA1
dc6728751cfc6b139445ad6d95b7fb624cd4de11

SHA256
1e82bf64a7d786fb2d8b37f30c744b45b6a479be6807142befc6388d82e19920

SHA512
f1b9180b6d492c94eaec0c2757ed046bb1c8d472a97b850caef03dd1adc5bca8fe3a97e462493724b4724f052c03af8d2999545decdcf8f08ecc420b975228cc

Download Submit
memory/516-228-0x00007FF76A260000-0x00007FF76A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/516-135-0x00007FF76A260000-0x00007FF76A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/516-55-0x00007FF76A260000-0x00007FF76A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/704-111-0x00007FF7D9D90000-0x00007FF7DA0E1000-memory.dmp

Filesize
3.3MB

Download
memory/704-244-0x00007FF7D9D90000-0x00007FF7DA0E1000-memory.dmp

Filesize
3.3MB

Download
memory/704-146-0x00007FF7D9D90000-0x00007FF7DA0E1000-memory.dmp

Filesize
3.3MB

Download
memory/936-252-0x00007FF63CF90000-0x00007FF63D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/936-79-0x00007FF63CF90000-0x00007FF63D2E1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-235-0x00007FF646910000-0x00007FF646C61000-memory.dmp

Filesize
3.3MB

Download
memory/1348-63-0x00007FF646910000-0x00007FF646C61000-memory.dmp

Filesize
3.3MB

Download
memory/1348-138-0x00007FF646910000-0x00007FF646C61000-memory.dmp

Filesize
3.3MB

Download
memory/1444-96-0x00007FF6E1B30000-0x00007FF6E1E81000-memory.dmp

Filesize
3.3MB

Download
memory/1444-142-0x00007FF6E1B30000-0x00007FF6E1E81000-memory.dmp

Filesize
3.3MB

Download
memory/1444-246-0x00007FF6E1B30000-0x00007FF6E1E81000-memory.dmp

Filesize
3.3MB

Download
memory/1712-215-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-42-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-133-0x00007FF682D50000-0x00007FF6830A1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-70-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-211-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-69-0x00007FF767980000-0x00007FF767CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-250-0x00007FF767980000-0x00007FF767CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-140-0x00007FF767980000-0x00007FF767CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-80-0x00007FF7E7290000-0x00007FF7E75E1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-249-0x00007FF7E7290000-0x00007FF7E75E1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-0-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-154-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-150-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-128-0x00007FF74A3A0000-0x00007FF74A6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-1-0x00000248434F0000-0x0000024843500000-memory.dmp

Filesize
64KB

Download
memory/2908-236-0x00007FF6801D0000-0x00007FF680521000-memory.dmp

Filesize
3.3MB

Download
memory/2908-76-0x00007FF6801D0000-0x00007FF680521000-memory.dmp

Filesize
3.3MB

Download
memory/3024-256-0x00007FF6FBFD0000-0x00007FF6FC321000-memory.dmp

Filesize
3.3MB

Download
memory/3024-125-0x00007FF6FBFD0000-0x00007FF6FC321000-memory.dmp

Filesize
3.3MB

Download
memory/3112-112-0x00007FF6DDD40000-0x00007FF6DE091000-memory.dmp

Filesize
3.3MB

Download
memory/3112-243-0x00007FF6DDD40000-0x00007FF6DE091000-memory.dmp

Filesize
3.3MB

Download
memory/3112-147-0x00007FF6DDD40000-0x00007FF6DE091000-memory.dmp

Filesize
3.3MB

Download
memory/3144-254-0x00007FF730040000-0x00007FF730391000-memory.dmp

Filesize
3.3MB

Download
memory/3144-104-0x00007FF730040000-0x00007FF730391000-memory.dmp

Filesize
3.3MB

Download
memory/3144-144-0x00007FF730040000-0x00007FF730391000-memory.dmp

Filesize
3.3MB

Download
memory/3180-126-0x00007FF74E870000-0x00007FF74EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-241-0x00007FF74E870000-0x00007FF74EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-124-0x00007FF758FB0000-0x00007FF759301000-memory.dmp

Filesize
3.3MB

Download
memory/3300-239-0x00007FF758FB0000-0x00007FF759301000-memory.dmp

Filesize
3.3MB

Download
memory/3300-149-0x00007FF758FB0000-0x00007FF759301000-memory.dmp

Filesize
3.3MB

Download
memory/3444-258-0x00007FF66D100000-0x00007FF66D451000-memory.dmp

Filesize
3.3MB

Download
memory/3444-103-0x00007FF66D100000-0x00007FF66D451000-memory.dmp

Filesize
3.3MB

Download
memory/3444-143-0x00007FF66D100000-0x00007FF66D451000-memory.dmp

Filesize
3.3MB

Download
memory/3720-213-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp

Filesize
3.3MB

Download
memory/3720-132-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp

Filesize
3.3MB

Download
memory/3720-26-0x00007FF6AFAE0000-0x00007FF6AFE31000-memory.dmp

Filesize
3.3MB

Download
memory/3980-8-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp

Filesize
3.3MB

Download
memory/3980-129-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp

Filesize
3.3MB

Download
memory/3980-207-0x00007FF6B5F50000-0x00007FF6B62A1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-130-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-24-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-209-0x00007FF60A390000-0x00007FF60A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-62-0x00007FF6025F0000-0x00007FF602941000-memory.dmp

Filesize
3.3MB

Download
memory/4532-232-0x00007FF6025F0000-0x00007FF602941000-memory.dmp

Filesize
3.3MB

Download
memory/4660-75-0x00007FF691230000-0x00007FF691581000-memory.dmp

Filesize
3.3MB

Download
memory/4660-230-0x00007FF691230000-0x00007FF691581000-memory.dmp

Filesize
3.3MB

Download