cobaltstrike | 21320919a28c259dc12a91fa8f2628c888756420d455b220295e94d3d60dfa6e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

084c28207fc55414b3ede2aaab9a0ab9
SHA1

8488c6e82ac7a3c1fb4ef8a3e17594958fdd1aa4
SHA256

21320919a28c259dc12a91fa8f2628c888756420d455b220295e94d3d60dfa6e
SHA512

92f129c1d464528984b94d5793f55c4b722b9d0c48cd2560d7828b8935fe11533f8451a406828046775feff29f155509337be7af3cd5246105cea086eee13f0a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibf56utgpPFotBER/mQ32lUC

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023404-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023419-8.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023417-9.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002341a-17.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002341c-34.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023420-43.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002341d-51.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023423-77.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023426-85.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234ad-91.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234ab-100.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b4-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023407-110.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b7-122.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b3-113.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b2-102.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b0-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023425-89.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023422-70.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023453-69.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002341f-47.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3696-126-0x00007FF776CE0000-0x00007FF777031000-memory.dmp	xmrig
behavioral2/memory/892-127-0x00007FF747550000-0x00007FF7478A1000-memory.dmp	xmrig
behavioral2/memory/5084-125-0x00007FF7A0010000-0x00007FF7A0361000-memory.dmp	xmrig
behavioral2/memory/4564-124-0x00007FF7FCD30000-0x00007FF7FD081000-memory.dmp	xmrig
behavioral2/memory/4600-121-0x00007FF6A6140000-0x00007FF6A6491000-memory.dmp	xmrig
behavioral2/memory/1952-120-0x00007FF72EF60000-0x00007FF72F2B1000-memory.dmp	xmrig
behavioral2/memory/4320-116-0x00007FF640190000-0x00007FF6404E1000-memory.dmp	xmrig
behavioral2/memory/3236-109-0x00007FF793290000-0x00007FF7935E1000-memory.dmp	xmrig
behavioral2/memory/5068-99-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp	xmrig
behavioral2/memory/4572-88-0x00007FF60F270000-0x00007FF60F5C1000-memory.dmp	xmrig
behavioral2/memory/4736-138-0x00007FF7BBCD0000-0x00007FF7BC021000-memory.dmp	xmrig
behavioral2/memory/3404-136-0x00007FF623830000-0x00007FF623B81000-memory.dmp	xmrig
behavioral2/memory/4016-145-0x00007FF6366F0000-0x00007FF636A41000-memory.dmp	xmrig
behavioral2/memory/5068-143-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp	xmrig
behavioral2/memory/3684-142-0x00007FF6225E0000-0x00007FF622931000-memory.dmp	xmrig
behavioral2/memory/3972-140-0x00007FF78B3D0000-0x00007FF78B721000-memory.dmp	xmrig
behavioral2/memory/2676-133-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	xmrig
behavioral2/memory/4604-131-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp	xmrig
behavioral2/memory/4536-134-0x00007FF744720000-0x00007FF744A71000-memory.dmp	xmrig
behavioral2/memory/1596-132-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp	xmrig
behavioral2/memory/2268-130-0x00007FF6121C0000-0x00007FF612511000-memory.dmp	xmrig
behavioral2/memory/32-129-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp	xmrig
behavioral2/memory/1840-128-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp	xmrig
behavioral2/memory/1840-150-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp	xmrig
behavioral2/memory/1840-151-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp	xmrig
behavioral2/memory/32-196-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp	xmrig
behavioral2/memory/2268-198-0x00007FF6121C0000-0x00007FF612511000-memory.dmp	xmrig
behavioral2/memory/4604-200-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp	xmrig
behavioral2/memory/1596-204-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp	xmrig
behavioral2/memory/2676-203-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	xmrig
behavioral2/memory/3236-207-0x00007FF793290000-0x00007FF7935E1000-memory.dmp	xmrig
behavioral2/memory/4536-210-0x00007FF744720000-0x00007FF744A71000-memory.dmp	xmrig
behavioral2/memory/3404-209-0x00007FF623830000-0x00007FF623B81000-memory.dmp	xmrig
behavioral2/memory/4600-214-0x00007FF6A6140000-0x00007FF6A6491000-memory.dmp	xmrig
behavioral2/memory/5068-213-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp	xmrig
behavioral2/memory/1952-217-0x00007FF72EF60000-0x00007FF72F2B1000-memory.dmp	xmrig
behavioral2/memory/4736-222-0x00007FF7BBCD0000-0x00007FF7BC021000-memory.dmp	xmrig
behavioral2/memory/4564-226-0x00007FF7FCD30000-0x00007FF7FD081000-memory.dmp	xmrig
behavioral2/memory/4572-221-0x00007FF60F270000-0x00007FF60F5C1000-memory.dmp	xmrig
behavioral2/memory/4320-219-0x00007FF640190000-0x00007FF6404E1000-memory.dmp	xmrig
behavioral2/memory/3972-224-0x00007FF78B3D0000-0x00007FF78B721000-memory.dmp	xmrig
behavioral2/memory/892-233-0x00007FF747550000-0x00007FF7478A1000-memory.dmp	xmrig
behavioral2/memory/5084-238-0x00007FF7A0010000-0x00007FF7A0361000-memory.dmp	xmrig
behavioral2/memory/3696-231-0x00007FF776CE0000-0x00007FF777031000-memory.dmp	xmrig
behavioral2/memory/4016-234-0x00007FF6366F0000-0x00007FF636A41000-memory.dmp	xmrig
behavioral2/memory/3684-228-0x00007FF6225E0000-0x00007FF622931000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
32	iECeCNc.exe
2268	ozkRjBk.exe
4604	dARfqkc.exe
1596	qXNthQp.exe
2676	bdrelZV.exe
4536	KmNDsSI.exe
3236	OwfieEt.exe
3404	qiMAagt.exe
4320	tnYaexw.exe
4736	jSsqmBa.exe
1952	vCaAMEe.exe
3972	ggTmDJW.exe
4572	gSsfBEM.exe
3684	NiYppOh.exe
5068	GDaoGdN.exe
4600	oFhrRfd.exe
4016	CgPsHqV.exe
4564	xpxuosX.exe
5084	IAsmokJ.exe
3696	GAcVLNc.exe
892	unhnuoG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1840-0-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp	upx
behavioral2/files/0x000a000000023404-4.dat	upx
behavioral2/files/0x0008000000023419-8.dat	upx
behavioral2/files/0x0008000000023417-9.dat	upx
behavioral2/memory/32-6-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp	upx
behavioral2/files/0x000800000002341a-17.dat	upx
behavioral2/memory/1596-21-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp	upx
behavioral2/memory/4604-27-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp	upx
behavioral2/files/0x000800000002341c-34.dat	upx
behavioral2/files/0x0008000000023420-43.dat	upx
behavioral2/files/0x000800000002341d-51.dat	upx
behavioral2/files/0x0008000000023423-77.dat	upx
behavioral2/files/0x0008000000023426-85.dat	upx
behavioral2/files/0x00080000000234ad-91.dat	upx
behavioral2/files/0x00080000000234ab-100.dat	upx
behavioral2/files/0x00080000000234b4-108.dat	upx
behavioral2/files/0x000a000000023407-110.dat	upx
behavioral2/files/0x00080000000234b7-122.dat	upx
behavioral2/memory/3696-126-0x00007FF776CE0000-0x00007FF777031000-memory.dmp	upx
behavioral2/memory/892-127-0x00007FF747550000-0x00007FF7478A1000-memory.dmp	upx
behavioral2/memory/5084-125-0x00007FF7A0010000-0x00007FF7A0361000-memory.dmp	upx
behavioral2/memory/4564-124-0x00007FF7FCD30000-0x00007FF7FD081000-memory.dmp	upx
behavioral2/memory/4600-121-0x00007FF6A6140000-0x00007FF6A6491000-memory.dmp	upx
behavioral2/memory/1952-120-0x00007FF72EF60000-0x00007FF72F2B1000-memory.dmp	upx
behavioral2/memory/4320-116-0x00007FF640190000-0x00007FF6404E1000-memory.dmp	upx
behavioral2/memory/3236-109-0x00007FF793290000-0x00007FF7935E1000-memory.dmp	upx
behavioral2/memory/4016-106-0x00007FF6366F0000-0x00007FF636A41000-memory.dmp	upx
behavioral2/files/0x00080000000234b3-113.dat	upx
behavioral2/files/0x00080000000234b2-102.dat	upx
behavioral2/memory/5068-99-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp	upx
behavioral2/memory/3684-96-0x00007FF6225E0000-0x00007FF622931000-memory.dmp	upx
behavioral2/files/0x00080000000234b0-94.dat	upx
behavioral2/files/0x0008000000023425-89.dat	upx
behavioral2/memory/4572-88-0x00007FF60F270000-0x00007FF60F5C1000-memory.dmp	upx
behavioral2/memory/3972-82-0x00007FF78B3D0000-0x00007FF78B721000-memory.dmp	upx
behavioral2/files/0x0008000000023422-70.dat	upx
behavioral2/files/0x0008000000023453-69.dat	upx
behavioral2/memory/4736-81-0x00007FF7BBCD0000-0x00007FF7BC021000-memory.dmp	upx
behavioral2/memory/3404-48-0x00007FF623830000-0x00007FF623B81000-memory.dmp	upx
behavioral2/files/0x000800000002341f-47.dat	upx
behavioral2/memory/4536-44-0x00007FF744720000-0x00007FF744A71000-memory.dmp	upx
behavioral2/memory/2676-39-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	upx
behavioral2/memory/2268-19-0x00007FF6121C0000-0x00007FF612511000-memory.dmp	upx
behavioral2/memory/4736-138-0x00007FF7BBCD0000-0x00007FF7BC021000-memory.dmp	upx
behavioral2/memory/3404-136-0x00007FF623830000-0x00007FF623B81000-memory.dmp	upx
behavioral2/memory/4016-145-0x00007FF6366F0000-0x00007FF636A41000-memory.dmp	upx
behavioral2/memory/5068-143-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp	upx
behavioral2/memory/3684-142-0x00007FF6225E0000-0x00007FF622931000-memory.dmp	upx
behavioral2/memory/3972-140-0x00007FF78B3D0000-0x00007FF78B721000-memory.dmp	upx
behavioral2/memory/2676-133-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	upx
behavioral2/memory/4604-131-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp	upx
behavioral2/memory/4536-134-0x00007FF744720000-0x00007FF744A71000-memory.dmp	upx
behavioral2/memory/1596-132-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp	upx
behavioral2/memory/2268-130-0x00007FF6121C0000-0x00007FF612511000-memory.dmp	upx
behavioral2/memory/32-129-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp	upx
behavioral2/memory/1840-128-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp	upx
behavioral2/memory/1840-150-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp	upx
behavioral2/memory/1840-151-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp	upx
behavioral2/memory/32-196-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp	upx
behavioral2/memory/2268-198-0x00007FF6121C0000-0x00007FF612511000-memory.dmp	upx
behavioral2/memory/4604-200-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp	upx
behavioral2/memory/1596-204-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp	upx
behavioral2/memory/2676-203-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp	upx
behavioral2/memory/3236-207-0x00007FF793290000-0x00007FF7935E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iECeCNc.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OwfieEt.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tnYaexw.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GDaoGdN.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oFhrRfd.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CgPsHqV.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GAcVLNc.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dARfqkc.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qXNthQp.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KmNDsSI.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jSsqmBa.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vCaAMEe.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\unhnuoG.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qiMAagt.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gSsfBEM.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xpxuosX.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IAsmokJ.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ozkRjBk.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bdrelZV.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ggTmDJW.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NiYppOh.exe	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 32	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1840 wrote to memory of 32	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1840 wrote to memory of 2268	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1840 wrote to memory of 2268	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1840 wrote to memory of 4604	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1840 wrote to memory of 4604	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1840 wrote to memory of 1596	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1840 wrote to memory of 1596	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1840 wrote to memory of 2676	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1840 wrote to memory of 2676	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1840 wrote to memory of 4536	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1840 wrote to memory of 4536	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1840 wrote to memory of 3236	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1840 wrote to memory of 3236	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1840 wrote to memory of 3404	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1840 wrote to memory of 3404	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1840 wrote to memory of 4320	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1840 wrote to memory of 4320	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1840 wrote to memory of 4736	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1840 wrote to memory of 4736	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1840 wrote to memory of 1952	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1840 wrote to memory of 1952	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1840 wrote to memory of 3972	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1840 wrote to memory of 3972	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1840 wrote to memory of 4572	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1840 wrote to memory of 4572	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1840 wrote to memory of 3684	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1840 wrote to memory of 3684	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1840 wrote to memory of 5068	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1840 wrote to memory of 5068	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1840 wrote to memory of 4600	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1840 wrote to memory of 4600	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1840 wrote to memory of 4016	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1840 wrote to memory of 4016	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1840 wrote to memory of 4564	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1840 wrote to memory of 4564	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1840 wrote to memory of 5084	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1840 wrote to memory of 5084	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1840 wrote to memory of 3696	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1840 wrote to memory of 3696	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1840 wrote to memory of 892	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1840 wrote to memory of 892	1840	2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-23_084c28207fc55414b3ede2aaab9a0ab9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\System\iECeCNc.exe
  C:\Windows\System\iECeCNc.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\ozkRjBk.exe
  C:\Windows\System\ozkRjBk.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\dARfqkc.exe
  C:\Windows\System\dARfqkc.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\qXNthQp.exe
  C:\Windows\System\qXNthQp.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\bdrelZV.exe
  C:\Windows\System\bdrelZV.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\KmNDsSI.exe
  C:\Windows\System\KmNDsSI.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\OwfieEt.exe
  C:\Windows\System\OwfieEt.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\qiMAagt.exe
  C:\Windows\System\qiMAagt.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\tnYaexw.exe
  C:\Windows\System\tnYaexw.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\jSsqmBa.exe
  C:\Windows\System\jSsqmBa.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\vCaAMEe.exe
  C:\Windows\System\vCaAMEe.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\ggTmDJW.exe
  C:\Windows\System\ggTmDJW.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\gSsfBEM.exe
  C:\Windows\System\gSsfBEM.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\NiYppOh.exe
  C:\Windows\System\NiYppOh.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\GDaoGdN.exe
  C:\Windows\System\GDaoGdN.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\oFhrRfd.exe
  C:\Windows\System\oFhrRfd.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\CgPsHqV.exe
  C:\Windows\System\CgPsHqV.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\xpxuosX.exe
  C:\Windows\System\xpxuosX.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\IAsmokJ.exe
  C:\Windows\System\IAsmokJ.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\GAcVLNc.exe
  C:\Windows\System\GAcVLNc.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\unhnuoG.exe
  C:\Windows\System\unhnuoG.exe
  2⤵
  - Executes dropped EXE
  PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CgPsHqV.exe

Filesize
5.2MB

MD5
7893bef3607002621848f1be566bd8ee

SHA1
3787cd8e5d8b87a706295535bc06715e4ac87222

SHA256
9c968e2c5e817f502a13afb79f7c41719b61aadb95f0394b06b46202cfa14884

SHA512
786f85bead937a6fe2c7e36ab0444e5f603b61aa530aca0cd897344b2bc482aeb582c03a51495bbeb1c23c48ddc3b84941c341c0c1d5ecffdfb88f2e6f546860

Download Submit
C:\Windows\System\GAcVLNc.exe

Filesize
5.2MB

MD5
383535fdc7aab8dbcfc587e01071632b

SHA1
5c8be66a591bbe782ab6391b86d9517cdf0ad340

SHA256
de6db4b5de9e4d870b9015612936b7d67cd7206e4277419e6defb499cee5be83

SHA512
88e2b01311c4dfe5eb59ef44fbda24122341836c55abe6e96d4d4c0b260a07fe3622601a332cc7faff79145b5618ed7376887e2481ea32df2914eedf07a62ac3

Download Submit
C:\Windows\System\GDaoGdN.exe

Filesize
5.2MB

MD5
e409f7016ac47f3764fea8e9a3fbee8b

SHA1
5e017b9e4fb69b2c61d72cb68dbb2265fea50745

SHA256
297bc56ae5e5a4f3847b51ad417baccd8bd37f8492f456832e26e2fdca4598b8

SHA512
431f8982d0a0303dfc136f1d034c6bec3790d269b13896187f34a965e87bb8582412e539046c9090ed7ed7b1e815f3730e733098423ab5baea390e5a93750ef5

Download Submit
C:\Windows\System\IAsmokJ.exe

Filesize
5.2MB

MD5
03edf410a6746638223ae76f6a66769a

SHA1
a048b98ffcc3ab25defd7a389217bb1400bc501b

SHA256
caf702c0b5f96ef212fa7a110d8d86358e991783fe167e302575ae723b9c6cbc

SHA512
e6a4436fff764d773f44f3647150a22f3046a6b84f86c0f1df18c6275910dbf84c62102d1e1837de77841b198afe7f7462528186bdecfdf9e933b86144688b4e

Download Submit
C:\Windows\System\KmNDsSI.exe

Filesize
5.2MB

MD5
e57803f7bd611c74114e604b3b138611

SHA1
b9fa802a57b105b5be7ed776ad9e442fcdcd13ca

SHA256
fd7343b20e1c741978c0e2d1a5a43f5709f65f08deeab3120840afa59df29d30

SHA512
e76c70e85f177ec7eb0a0cf896529e745716e27baeb07d87d02f6323c2b214ba0147a2980ad45d33c8508b54a442db5a5cb7ef2ff4c9f00a7a89e2224eb894fd

Download Submit
C:\Windows\System\NiYppOh.exe

Filesize
5.2MB

MD5
b8d70b8a2d205214b17b57cb58ba6325

SHA1
24a61f16a844473e6b22282ece1a65b1e5066679

SHA256
8f48b7fc4ec1e5a62ba3583307688923c05b7c4350c4cd681a2e80ca8989d57a

SHA512
1f05739aa1132158d12ae9044bbe2194018ec78909e56c967c9c729425aca732772c599c621541a0a3c8c9ee6c518890d959bda40e0cb05c7f3a39a82030e08d

Download Submit
C:\Windows\System\OwfieEt.exe

Filesize
5.2MB

MD5
a8f5eeb07cf595b1a9c80e621e81ede1

SHA1
b9d0035ecf75b15407291c3996c0430a79711c98

SHA256
1011d3a8b7ac7973308f1f84472fc19c254a760598d0afdc9a3e2c896ef7b191

SHA512
cf11ff07d1acc455be711340f3cc14a89f2578da581f43545ef460a066fb2ad2fe579c59d2613819aa272d750c3e0f306250ccbfefcc762e9d4cf636fb07a9bd

Download Submit
C:\Windows\System\bdrelZV.exe

Filesize
5.2MB

MD5
a49b89ed7940affe78a31f0fc55c4e27

SHA1
7497bcf40b2914412e2b7d6d28d655abe8a3e6e5

SHA256
2f7d43ea5a235c663dab178993cccc3c93eac585349cb966b1dd306b01ea33ea

SHA512
0dc76608d8a2ea9fd6d9245c08c9d67e267185a87a591acc5903b3c5c4acd6f9aee523d1584fc8c1beec6090bbc7d71b45073c6fe34f57b02ac5cc211403eb1f

Download Submit
C:\Windows\System\dARfqkc.exe

Filesize
5.2MB

MD5
28efb84e6a75856b5e50ba6616464edd

SHA1
f8f0bba53fbb39e6a26a40f95fa4b9d2f8ea9672

SHA256
bae6ceb7edbfd427f4bd5fc97aa7d5049b718676009d804891974f7912f13322

SHA512
8751f3efed2c95901b42a89fd0bea555ba30d3d9ce735dfa1adcf5b0121328c2afc6b6e1c1449e8adf9d0be8e9522344328d4d2b948468d8ce4d65f10dd7bd26

Download Submit
C:\Windows\System\gSsfBEM.exe

Filesize
5.2MB

MD5
0242051fc9aae60f8d79dfa6d12b44b2

SHA1
dbe3c37c84f16cf147a04ef7d99054e63c507ee7

SHA256
c432233335ec60a3ba1fbb51bf424f7f0c96b6f5cc10d593e5cfaa678f4eba08

SHA512
cf8594708538b10ccbd98c9d8f1511028a6f9aed3b9ba242d6cc084da3a67c9d4ad4c239983e81db17e615b5922bba277683362b26510a9bca814e66e46c9a47

Download Submit
C:\Windows\System\ggTmDJW.exe

Filesize
5.2MB

MD5
9bf657fe77939f63e230ff1e1b59a7ca

SHA1
ab95a3442714195e73cefe7d9d2a24da2ea18528

SHA256
f9e01d2d1d57ccf4730b03a27db408ae159d2601e4062fcff7a989c59ecab4f8

SHA512
01f5e817ef51268ea748a7327051792d6d7a63961b9b10be2fb83798603df8c304e9cf8950d871bb6766d0a33aa41335708f7bac3c1d7d8dcfc0a75d51ab216b

Download Submit
C:\Windows\System\iECeCNc.exe

Filesize
5.2MB

MD5
c91771f2628bf3ce9750c2a80c0f035f

SHA1
ebdbe90415e8041cebc1b180acd8e7f57859df90

SHA256
9d7b474f3d9cbd9f37ad3fb1032b3ed6d4d950bfb7bef9896986bc8192c40f89

SHA512
e798bb7c6c6bd0a5390f2f0ae4f4a2e68327c2f84704b33f89c909921d352a6e7be0e868053371775a40ce8cbdf00bcd919d9fdce80f3f3b03756f5fad943570

Download Submit
C:\Windows\System\jSsqmBa.exe

Filesize
5.2MB

MD5
330d866fa29531825bdc976df3de931a

SHA1
e1deccc3fc28bd310abb927d79df3b15122ed9b5

SHA256
9c0cd12804e0bb93ec2f19eaf2eb439e0def9395f14213d856d500aaa4792dbd

SHA512
dcb43437d0896ffb676799b335305719e4e675780c708670fce0dcaf975d080a0c7e30b4fc637e9716932cf63d1d8941daf2c0476db98f5c96f603708543c45d

Download Submit
C:\Windows\System\oFhrRfd.exe

Filesize
5.2MB

MD5
c6f9c2088d26063a2031ad8d704547c9

SHA1
14b3224ffdb48485cdd1df0f80aff6896338aed1

SHA256
8750d4a9d43c1c2b15d48d763aae6a97b4f473ee3acda89cac656591d77bb8cb

SHA512
ecf3c4921fc3099bd33e6eb27e50b5cf0c82b94d5bb042a39d842278989cd1bfb28401a4517faa78a7265afb3278599e07db8957642af8b33a7c9cc84dd1a155

Download Submit
C:\Windows\System\ozkRjBk.exe

Filesize
5.2MB

MD5
441839a76c132d2eb1921c07f12df9ec

SHA1
5ced00541c07015da25b9178000dda69e0064772

SHA256
8d81204c5fc5298361e6d58b5dd4be47fe4fcfd3eb589f6882e317907638bfa9

SHA512
7adab751f50546eef500ba140e4a0ec40bb3c062a0a1b01e6a8bf1aaaf8fb2b9b4f73cc2ed14f494313d947f55c03203437775bd1a13fdbbcae3c7e2c64d1c90

Download Submit
C:\Windows\System\qXNthQp.exe

Filesize
5.2MB

MD5
ded179322e2be67c59174dc112a3c524

SHA1
0862217237921137fbdb5a3052aa742b4646fde0

SHA256
0b8c9abe1ad7b1bb406f4c4afdcd8c8d3fc4a6f3f8ba95da23f04ced8717c1b2

SHA512
08cd657c51edb798fca6da1f6f1bd1ab5b27cd99a5c9536912599d1605615c85281b517348be8898ca65ba047c74ddcc7ad040c15b58b64fd7828e57c282178f

Download Submit
C:\Windows\System\qiMAagt.exe

Filesize
5.2MB

MD5
3444d8310246d93bc9e5bc1b216d2f64

SHA1
9fa95a8c69eea32587e37a56de2ba21c4c165857

SHA256
f9ad518c4423dba686879484acf7dd3a3871708c9ebf51429da172dc3caa8630

SHA512
d9f6a2ca8b3b091efca09f5031cf70f3cae94e4f6d01db04874a0334e3ccc258d5a32315ce6308f0ef499d5eea1318d254b71039d40d3cd36da90172a693aac1

Download Submit
C:\Windows\System\tnYaexw.exe

Filesize
5.2MB

MD5
40c657fc33181eebd4925471117319d7

SHA1
2492865730f37653b254e198eb2992487c06c52e

SHA256
2e957b9de2e1d9cd595be56a189c8777e6346e29487a33078aad15bf0d17ac90

SHA512
4dbb638ca82047fda42ba25c942f19652c7e008c5954799e86b113c6f3450afaf8869aa917653e443ce121766e99eea506e49e25fc2b3bdc4f700d931ff1f43f

Download Submit
C:\Windows\System\unhnuoG.exe

Filesize
5.2MB

MD5
2b0778332fdbcea7d3cb39a26a8b00d3

SHA1
bf1911c46866d09978454b3bb1df767ee724d0ab

SHA256
507f89c02603ebbc61bbf213b6a560f05b62cc664d572f5b8c9c0bce0aa86c42

SHA512
ca235b5370e797dcddba1a303d3fac3166182ededc0714ea00ed25922cb80593339d80d9de0ce416518de8e2e053b6a1ca4ea5d421e8e22a41879adf643af095

Download Submit
C:\Windows\System\vCaAMEe.exe

Filesize
5.2MB

MD5
ef2ce49e1ddcb57a2c8667038f368325

SHA1
7d6b78ffb890be0f2c7bd7f13fd262e86abfd9ee

SHA256
e201b4cfe9aed9bd8497b90298d68f525e54255e77c926852063a7190c4d7a85

SHA512
2f1fab33316915708028e3fed1ca6e837f92afbe467d4e07cc9d0c25ae52cfaadc0bd835b91e79c91147f8a5b21c6ac36b653966c5d8948260ea98b7ba819822

Download Submit
C:\Windows\System\xpxuosX.exe

Filesize
5.2MB

MD5
00ffe656a75d4c0741279ebd45f76835

SHA1
a0b2c7589ea6c90cce24631acf980782085cc390

SHA256
81690e28559ae0916b22b142657f245431d3fb8892e5ebf23bbacf875353914b

SHA512
0a86e094004dba9aee3a1a1fc28c5cca05d2087652351f1719a56a078f1146f61d7ba926a3e4b44287182d983ff8ab12d06a2623238018fedebbf735aef3d366

Download Submit
memory/32-196-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp

Filesize
3.3MB

Download
memory/32-6-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp

Filesize
3.3MB

Download
memory/32-129-0x00007FF69D770000-0x00007FF69DAC1000-memory.dmp

Filesize
3.3MB

Download
memory/892-127-0x00007FF747550000-0x00007FF7478A1000-memory.dmp

Filesize
3.3MB

Download
memory/892-233-0x00007FF747550000-0x00007FF7478A1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-21-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-204-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-132-0x00007FF70F980000-0x00007FF70FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-0-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp

Filesize
3.3MB

Download
memory/1840-128-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp

Filesize
3.3MB

Download
memory/1840-1-0x0000027C10BF0000-0x0000027C10C00000-memory.dmp

Filesize
64KB

Download
memory/1840-151-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp

Filesize
3.3MB

Download
memory/1840-150-0x00007FF7F2520000-0x00007FF7F2871000-memory.dmp

Filesize
3.3MB

Download
memory/1952-120-0x00007FF72EF60000-0x00007FF72F2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-217-0x00007FF72EF60000-0x00007FF72F2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-130-0x00007FF6121C0000-0x00007FF612511000-memory.dmp

Filesize
3.3MB

Download
memory/2268-198-0x00007FF6121C0000-0x00007FF612511000-memory.dmp

Filesize
3.3MB

Download
memory/2268-19-0x00007FF6121C0000-0x00007FF612511000-memory.dmp

Filesize
3.3MB

Download
memory/2676-133-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp

Filesize
3.3MB

Download
memory/2676-203-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp

Filesize
3.3MB

Download
memory/2676-39-0x00007FF63DC10000-0x00007FF63DF61000-memory.dmp

Filesize
3.3MB

Download
memory/3236-109-0x00007FF793290000-0x00007FF7935E1000-memory.dmp

Filesize
3.3MB

Download
memory/3236-207-0x00007FF793290000-0x00007FF7935E1000-memory.dmp

Filesize
3.3MB

Download
memory/3404-48-0x00007FF623830000-0x00007FF623B81000-memory.dmp

Filesize
3.3MB

Download
memory/3404-136-0x00007FF623830000-0x00007FF623B81000-memory.dmp

Filesize
3.3MB

Download
memory/3404-209-0x00007FF623830000-0x00007FF623B81000-memory.dmp

Filesize
3.3MB

Download
memory/3684-228-0x00007FF6225E0000-0x00007FF622931000-memory.dmp

Filesize
3.3MB

Download
memory/3684-142-0x00007FF6225E0000-0x00007FF622931000-memory.dmp

Filesize
3.3MB

Download
memory/3684-96-0x00007FF6225E0000-0x00007FF622931000-memory.dmp

Filesize
3.3MB

Download
memory/3696-231-0x00007FF776CE0000-0x00007FF777031000-memory.dmp

Filesize
3.3MB

Download
memory/3696-126-0x00007FF776CE0000-0x00007FF777031000-memory.dmp

Filesize
3.3MB

Download
memory/3972-224-0x00007FF78B3D0000-0x00007FF78B721000-memory.dmp

Filesize
3.3MB

Download
memory/3972-82-0x00007FF78B3D0000-0x00007FF78B721000-memory.dmp

Filesize
3.3MB

Download
memory/3972-140-0x00007FF78B3D0000-0x00007FF78B721000-memory.dmp

Filesize
3.3MB

Download
memory/4016-234-0x00007FF6366F0000-0x00007FF636A41000-memory.dmp

Filesize
3.3MB

Download
memory/4016-145-0x00007FF6366F0000-0x00007FF636A41000-memory.dmp

Filesize
3.3MB

Download
memory/4016-106-0x00007FF6366F0000-0x00007FF636A41000-memory.dmp

Filesize
3.3MB

Download
memory/4320-116-0x00007FF640190000-0x00007FF6404E1000-memory.dmp

Filesize
3.3MB

Download
memory/4320-219-0x00007FF640190000-0x00007FF6404E1000-memory.dmp

Filesize
3.3MB

Download
memory/4536-44-0x00007FF744720000-0x00007FF744A71000-memory.dmp

Filesize
3.3MB

Download
memory/4536-210-0x00007FF744720000-0x00007FF744A71000-memory.dmp

Filesize
3.3MB

Download
memory/4536-134-0x00007FF744720000-0x00007FF744A71000-memory.dmp

Filesize
3.3MB

Download
memory/4564-124-0x00007FF7FCD30000-0x00007FF7FD081000-memory.dmp

Filesize
3.3MB

Download
memory/4564-226-0x00007FF7FCD30000-0x00007FF7FD081000-memory.dmp

Filesize
3.3MB

Download
memory/4572-88-0x00007FF60F270000-0x00007FF60F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-221-0x00007FF60F270000-0x00007FF60F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-214-0x00007FF6A6140000-0x00007FF6A6491000-memory.dmp

Filesize
3.3MB

Download
memory/4600-121-0x00007FF6A6140000-0x00007FF6A6491000-memory.dmp

Filesize
3.3MB

Download
memory/4604-200-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-27-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp

Filesize
3.3MB

Download
memory/4604-131-0x00007FF62C2A0000-0x00007FF62C5F1000-memory.dmp

Filesize
3.3MB

Download
memory/4736-222-0x00007FF7BBCD0000-0x00007FF7BC021000-memory.dmp

Filesize
3.3MB

Download
memory/4736-81-0x00007FF7BBCD0000-0x00007FF7BC021000-memory.dmp

Filesize
3.3MB

Download
memory/4736-138-0x00007FF7BBCD0000-0x00007FF7BC021000-memory.dmp

Filesize
3.3MB

Download
memory/5068-99-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp

Filesize
3.3MB

Download
memory/5068-213-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp

Filesize
3.3MB

Download
memory/5068-143-0x00007FF64A3B0000-0x00007FF64A701000-memory.dmp

Filesize
3.3MB

Download
memory/5084-125-0x00007FF7A0010000-0x00007FF7A0361000-memory.dmp

Filesize
3.3MB

Download
memory/5084-238-0x00007FF7A0010000-0x00007FF7A0361000-memory.dmp

Filesize
3.3MB

Download