cobaltstrike | d3b9b662a77b876b5ead611b557944d56e057079cf5f0a040f27c88350e7d76b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

131568df16bb60335a521a2966c31765
SHA1

e5acf8fad4648435358d44b2702a18198b343716
SHA256

d3b9b662a77b876b5ead611b557944d56e057079cf5f0a040f27c88350e7d76b
SHA512

fd312ed8a1c87a5d05c841f4a371bef3a28b47f2f1b2a1410b2fccd5ecb4926e27772c1fadb0f4a6baa379c5070598a51f72949ce34c36b0a53973daa2d2db4c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBibf56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002346e-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-9.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234d1-11.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234cb-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-48.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234d7-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a00000002334d-78.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234db-86.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000234d9-96.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234e0-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-113.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2084-14-0x00007FF6E41D0000-0x00007FF6E4521000-memory.dmp	xmrig
behavioral2/memory/2828-20-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	xmrig
behavioral2/memory/3456-44-0x00007FF655920000-0x00007FF655C71000-memory.dmp	xmrig
behavioral2/memory/4608-62-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	xmrig
behavioral2/memory/2536-70-0x00007FF7AD580000-0x00007FF7AD8D1000-memory.dmp	xmrig
behavioral2/memory/3348-69-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp	xmrig
behavioral2/memory/3964-65-0x00007FF704F30000-0x00007FF705281000-memory.dmp	xmrig
behavioral2/memory/216-82-0x00007FF6AD150000-0x00007FF6AD4A1000-memory.dmp	xmrig
behavioral2/memory/2828-81-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	xmrig
behavioral2/memory/2004-87-0x00007FF706D00000-0x00007FF707051000-memory.dmp	xmrig
behavioral2/memory/2144-94-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	xmrig
behavioral2/memory/5080-102-0x00007FF69F2B0000-0x00007FF69F601000-memory.dmp	xmrig
behavioral2/memory/4608-129-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	xmrig
behavioral2/memory/4744-136-0x00007FF7C9FF0000-0x00007FF7CA341000-memory.dmp	xmrig
behavioral2/memory/1484-137-0x00007FF7419A0000-0x00007FF741CF1000-memory.dmp	xmrig
behavioral2/memory/468-142-0x00007FF7986D0000-0x00007FF798A21000-memory.dmp	xmrig
behavioral2/memory/1752-141-0x00007FF6441E0000-0x00007FF644531000-memory.dmp	xmrig
behavioral2/memory/2116-143-0x00007FF7FAA40000-0x00007FF7FAD91000-memory.dmp	xmrig
behavioral2/memory/2308-144-0x00007FF69F490000-0x00007FF69F7E1000-memory.dmp	xmrig
behavioral2/memory/1432-148-0x00007FF78ABC0000-0x00007FF78AF11000-memory.dmp	xmrig
behavioral2/memory/760-150-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	xmrig
behavioral2/memory/4608-151-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	xmrig
behavioral2/memory/4840-154-0x00007FF6B12B0000-0x00007FF6B1601000-memory.dmp	xmrig
behavioral2/memory/384-153-0x00007FF7E90B0000-0x00007FF7E9401000-memory.dmp	xmrig
behavioral2/memory/2896-152-0x00007FF612180000-0x00007FF6124D1000-memory.dmp	xmrig
behavioral2/memory/4608-173-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	xmrig
behavioral2/memory/3348-204-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp	xmrig
behavioral2/memory/2084-206-0x00007FF6E41D0000-0x00007FF6E4521000-memory.dmp	xmrig
behavioral2/memory/2828-208-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	xmrig
behavioral2/memory/2004-210-0x00007FF706D00000-0x00007FF707051000-memory.dmp	xmrig
behavioral2/memory/2144-212-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	xmrig
behavioral2/memory/5080-217-0x00007FF69F2B0000-0x00007FF69F601000-memory.dmp	xmrig
behavioral2/memory/3456-219-0x00007FF655920000-0x00007FF655C71000-memory.dmp	xmrig
behavioral2/memory/4744-221-0x00007FF7C9FF0000-0x00007FF7CA341000-memory.dmp	xmrig
behavioral2/memory/3964-225-0x00007FF704F30000-0x00007FF705281000-memory.dmp	xmrig
behavioral2/memory/1484-223-0x00007FF7419A0000-0x00007FF741CF1000-memory.dmp	xmrig
behavioral2/memory/2536-227-0x00007FF7AD580000-0x00007FF7AD8D1000-memory.dmp	xmrig
behavioral2/memory/216-229-0x00007FF6AD150000-0x00007FF6AD4A1000-memory.dmp	xmrig
behavioral2/memory/1432-233-0x00007FF78ABC0000-0x00007FF78AF11000-memory.dmp	xmrig
behavioral2/memory/760-235-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	xmrig
behavioral2/memory/2896-241-0x00007FF612180000-0x00007FF6124D1000-memory.dmp	xmrig
behavioral2/memory/4840-243-0x00007FF6B12B0000-0x00007FF6B1601000-memory.dmp	xmrig
behavioral2/memory/1752-245-0x00007FF6441E0000-0x00007FF644531000-memory.dmp	xmrig
behavioral2/memory/468-248-0x00007FF7986D0000-0x00007FF798A21000-memory.dmp	xmrig
behavioral2/memory/2116-249-0x00007FF7FAA40000-0x00007FF7FAD91000-memory.dmp	xmrig
behavioral2/memory/2308-251-0x00007FF69F490000-0x00007FF69F7E1000-memory.dmp	xmrig
behavioral2/memory/384-254-0x00007FF7E90B0000-0x00007FF7E9401000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3348	DwtIKQW.exe
2084	osprojR.exe
2828	eJTZKUA.exe
2004	bbHgICc.exe
2144	XDXthua.exe
5080	aclkENp.exe
3456	oFjRLTM.exe
4744	PpzXOls.exe
1484	qLcQhIL.exe
3964	QfKwBYU.exe
2536	qhaeaFa.exe
1432	KaUztdK.exe
216	NpMHWgk.exe
760	lAuJfST.exe
2896	skBKIrb.exe
384	eftiaHz.exe
4840	rcleDBE.exe
1752	GLSJsws.exe
468	hwYHevf.exe
2116	aglYRap.exe
2308	WzLBfCs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-0-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	upx
behavioral2/files/0x000900000002346e-5.dat	upx
behavioral2/files/0x00070000000234d2-9.dat	upx
behavioral2/files/0x00080000000234d1-11.dat	upx
behavioral2/memory/2084-14-0x00007FF6E41D0000-0x00007FF6E4521000-memory.dmp	upx
behavioral2/memory/3348-7-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp	upx
behavioral2/files/0x00090000000234cb-23.dat	upx
behavioral2/memory/2828-20-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	upx
behavioral2/memory/2004-24-0x00007FF706D00000-0x00007FF707051000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-31.dat	upx
behavioral2/memory/2144-30-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-34.dat	upx
behavioral2/memory/5080-37-0x00007FF69F2B0000-0x00007FF69F601000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-41.dat	upx
behavioral2/memory/3456-44-0x00007FF655920000-0x00007FF655C71000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-48.dat	upx
behavioral2/memory/4744-49-0x00007FF7C9FF0000-0x00007FF7CA341000-memory.dmp	upx
behavioral2/files/0x00080000000234d7-52.dat	upx
behavioral2/files/0x00070000000234dd-59.dat	upx
behavioral2/memory/4608-62-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	upx
behavioral2/files/0x00070000000234de-66.dat	upx
behavioral2/memory/2536-70-0x00007FF7AD580000-0x00007FF7AD8D1000-memory.dmp	upx
behavioral2/files/0x00070000000234df-73.dat	upx
behavioral2/files/0x000a00000002334d-78.dat	upx
behavioral2/memory/1432-75-0x00007FF78ABC0000-0x00007FF78AF11000-memory.dmp	upx
behavioral2/memory/3348-69-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp	upx
behavioral2/memory/3964-65-0x00007FF704F30000-0x00007FF705281000-memory.dmp	upx
behavioral2/memory/1484-60-0x00007FF7419A0000-0x00007FF741CF1000-memory.dmp	upx
behavioral2/memory/216-82-0x00007FF6AD150000-0x00007FF6AD4A1000-memory.dmp	upx
behavioral2/memory/2828-81-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	upx
behavioral2/files/0x00080000000234db-86.dat	upx
behavioral2/memory/760-88-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	upx
behavioral2/memory/2004-87-0x00007FF706D00000-0x00007FF707051000-memory.dmp	upx
behavioral2/memory/2144-94-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	upx
behavioral2/files/0x00090000000234d9-96.dat	upx
behavioral2/memory/2896-95-0x00007FF612180000-0x00007FF6124D1000-memory.dmp	upx
behavioral2/files/0x00080000000234e0-100.dat	upx
behavioral2/files/0x00070000000234e1-105.dat	upx
behavioral2/memory/4840-107-0x00007FF6B12B0000-0x00007FF6B1601000-memory.dmp	upx
behavioral2/memory/384-103-0x00007FF7E90B0000-0x00007FF7E9401000-memory.dmp	upx
behavioral2/memory/5080-102-0x00007FF69F2B0000-0x00007FF69F601000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-118.dat	upx
behavioral2/files/0x00070000000234e5-126.dat	upx
behavioral2/files/0x00070000000234e4-123.dat	upx
behavioral2/files/0x00070000000234e2-113.dat	upx
behavioral2/memory/4608-129-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	upx
behavioral2/memory/4744-136-0x00007FF7C9FF0000-0x00007FF7CA341000-memory.dmp	upx
behavioral2/memory/1484-137-0x00007FF7419A0000-0x00007FF741CF1000-memory.dmp	upx
behavioral2/memory/468-142-0x00007FF7986D0000-0x00007FF798A21000-memory.dmp	upx
behavioral2/memory/1752-141-0x00007FF6441E0000-0x00007FF644531000-memory.dmp	upx
behavioral2/memory/2116-143-0x00007FF7FAA40000-0x00007FF7FAD91000-memory.dmp	upx
behavioral2/memory/2308-144-0x00007FF69F490000-0x00007FF69F7E1000-memory.dmp	upx
behavioral2/memory/1432-148-0x00007FF78ABC0000-0x00007FF78AF11000-memory.dmp	upx
behavioral2/memory/760-150-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp	upx
behavioral2/memory/4608-151-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	upx
behavioral2/memory/4840-154-0x00007FF6B12B0000-0x00007FF6B1601000-memory.dmp	upx
behavioral2/memory/384-153-0x00007FF7E90B0000-0x00007FF7E9401000-memory.dmp	upx
behavioral2/memory/2896-152-0x00007FF612180000-0x00007FF6124D1000-memory.dmp	upx
behavioral2/memory/4608-173-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp	upx
behavioral2/memory/3348-204-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp	upx
behavioral2/memory/2084-206-0x00007FF6E41D0000-0x00007FF6E4521000-memory.dmp	upx
behavioral2/memory/2828-208-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	upx
behavioral2/memory/2004-210-0x00007FF706D00000-0x00007FF707051000-memory.dmp	upx
behavioral2/memory/2144-212-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rcleDBE.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aglYRap.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\osprojR.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bbHgICc.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aclkENp.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lAuJfST.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hwYHevf.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzLBfCs.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XDXthua.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oFjRLTM.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLcQhIL.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KaUztdK.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eJTZKUA.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLSJsws.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NpMHWgk.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\skBKIrb.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eftiaHz.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DwtIKQW.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PpzXOls.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfKwBYU.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qhaeaFa.exe	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 3348	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4608 wrote to memory of 3348	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4608 wrote to memory of 2084	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4608 wrote to memory of 2084	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4608 wrote to memory of 2828	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4608 wrote to memory of 2828	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4608 wrote to memory of 2004	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4608 wrote to memory of 2004	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4608 wrote to memory of 2144	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4608 wrote to memory of 2144	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4608 wrote to memory of 5080	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4608 wrote to memory of 5080	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4608 wrote to memory of 3456	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4608 wrote to memory of 3456	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4608 wrote to memory of 4744	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4608 wrote to memory of 4744	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4608 wrote to memory of 1484	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4608 wrote to memory of 1484	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4608 wrote to memory of 3964	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4608 wrote to memory of 3964	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4608 wrote to memory of 2536	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4608 wrote to memory of 2536	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4608 wrote to memory of 1432	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4608 wrote to memory of 1432	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4608 wrote to memory of 216	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4608 wrote to memory of 216	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4608 wrote to memory of 760	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4608 wrote to memory of 760	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4608 wrote to memory of 2896	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4608 wrote to memory of 2896	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4608 wrote to memory of 384	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4608 wrote to memory of 384	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4608 wrote to memory of 4840	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4608 wrote to memory of 4840	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4608 wrote to memory of 1752	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4608 wrote to memory of 1752	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4608 wrote to memory of 468	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4608 wrote to memory of 468	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4608 wrote to memory of 2116	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4608 wrote to memory of 2116	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4608 wrote to memory of 2308	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4608 wrote to memory of 2308	4608	2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_131568df16bb60335a521a2966c31765_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\System\DwtIKQW.exe
  C:\Windows\System\DwtIKQW.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\osprojR.exe
  C:\Windows\System\osprojR.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\eJTZKUA.exe
  C:\Windows\System\eJTZKUA.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\bbHgICc.exe
  C:\Windows\System\bbHgICc.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\XDXthua.exe
  C:\Windows\System\XDXthua.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\aclkENp.exe
  C:\Windows\System\aclkENp.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\oFjRLTM.exe
  C:\Windows\System\oFjRLTM.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\PpzXOls.exe
  C:\Windows\System\PpzXOls.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\qLcQhIL.exe
  C:\Windows\System\qLcQhIL.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\QfKwBYU.exe
  C:\Windows\System\QfKwBYU.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\qhaeaFa.exe
  C:\Windows\System\qhaeaFa.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\KaUztdK.exe
  C:\Windows\System\KaUztdK.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\NpMHWgk.exe
  C:\Windows\System\NpMHWgk.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\lAuJfST.exe
  C:\Windows\System\lAuJfST.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\skBKIrb.exe
  C:\Windows\System\skBKIrb.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\eftiaHz.exe
  C:\Windows\System\eftiaHz.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\rcleDBE.exe
  C:\Windows\System\rcleDBE.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\GLSJsws.exe
  C:\Windows\System\GLSJsws.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\hwYHevf.exe
  C:\Windows\System\hwYHevf.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\aglYRap.exe
  C:\Windows\System\aglYRap.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\WzLBfCs.exe
  C:\Windows\System\WzLBfCs.exe
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DwtIKQW.exe

Filesize
5.2MB

MD5
d064ed0fc4efa41c0b4675ea35e17b09

SHA1
5676a70c1788f70e31e1ffd58c473fec26156a2f

SHA256
02622b43b24b4bf7a2d63b2a7cc94a933935e17287c02fc09c5195aba518e342

SHA512
ccbef0265de41d5b34aa35d7d993726940f7df600a73263c1dd1f40ab01f9349703f557a98ea404ef32e1ce6369eba5ae8ed776071eaa44885a7930b21634210

Download Submit
C:\Windows\System\GLSJsws.exe

Filesize
5.2MB

MD5
d7fed680c013c09172c4e034e6e4ddb2

SHA1
2063cf3d10664f528f9f3685bfedaa19ed1642a2

SHA256
79e240e9be761d61b7ab0cfebefeefdfb91a38880365fe582a632978cc1e429d

SHA512
9c36073185c38352c86cd3706ac299252501a3cc5f04e945bd56f119e9b748cc59b4df3d6ad4558d16299adb2b6d6be03a57be112e46d218e1527a73732ca844

Download Submit
C:\Windows\System\KaUztdK.exe

Filesize
5.2MB

MD5
b5831ff291f86657b0b193b0a4e7e55e

SHA1
252e54e44127b5102efcd14ce9aa6fa266219fff

SHA256
1c3a1e688b5e3daf4a1bfc1ff1dff6deb760a93f5e6834bd9c04a71e4eb3b542

SHA512
0b3e0512ce0d818965c9e185f5becea6132410cbba7ab3cfe62f615a3ff404dcaebe5846935c139b4ea28be5705f0eb3fac7db6a04e09e3454024d8a5f0222e7

Download Submit
C:\Windows\System\NpMHWgk.exe

Filesize
5.2MB

MD5
eb551efa2c2b1dcb3e9d39a1baecc850

SHA1
9596e64e12a8e63bf2138faffacd57637f1de4b7

SHA256
21fbf6324adf820ca0b069b621701cbb1f4a1318e54d88fc9352d4d4c2bf8209

SHA512
64d4b9bf0eccf941d097f8a743d0c5c62e35fed1bddfce0660aeb35a3e276d332d5b0a12b5328ec9c6bc79039b985bfb99310f067fdad692de44fd34e3625d91

Download Submit
C:\Windows\System\PpzXOls.exe

Filesize
5.2MB

MD5
f2392b61f1d559c280b7005a941562fb

SHA1
5ea3431c6119fff5ef2b0979f7d358abdafa6d93

SHA256
7c86982f0eaf87a3a3a43ef887fb425759159ad5b387521cc5b97bd8316fe95b

SHA512
8374cd5fa07618824c03562fb2999860ca1e13cefaa18ead8f2ec1941b7e64b4e8d0567904a2b5a3bd29972bf41cc4b3a3e97d48ace94cdfee7638b90f34d001

Download Submit
C:\Windows\System\QfKwBYU.exe

Filesize
5.2MB

MD5
0222a06bf7657585695f1e2cbd3d820a

SHA1
3ddcb0315519bcbf62b737ac078150849d00eb86

SHA256
7d8a498a97c3e713b3e0155442ecffb7a7cdbfc4c8cc692cf0cfa8796e412644

SHA512
cf5356c422f584aeb49625f0d8fc18edc90566465245415b028cb480097059a7eeb182b67712beff5d379b97025b2562634104d97065890ce638e14b76d85c6e

Download Submit
C:\Windows\System\WzLBfCs.exe

Filesize
5.2MB

MD5
e48b4365db86e91f88fd88a674687229

SHA1
783b57dab0e977f77e8e6ab1afb4e26aed7cd0ee

SHA256
53566d6f8075edffd894e8956d1a5f098b3bbe31bb415bd66624f4cfe45c0576

SHA512
1d6691b834dad452f6bd13880b10615b2872f43bf512c0a81f34d7c5b13d4b62f91a1fa9077dccec75c4fc78c2afac7b0efaaf556af546ff8a52703853103579

Download Submit
C:\Windows\System\XDXthua.exe

Filesize
5.2MB

MD5
e9c2fda695559a5caff19118460199f7

SHA1
33e2d5fde0e8798c812db631d9ad7aa4e2fd4f5b

SHA256
790ba0fc81c0c899fd6b4db10ac935d5effaf0d45a06b3cd2bcbc043f349f2e0

SHA512
e32e10c822e9a7abdab517683a35e225927cbecce9549b7577e25613557d717e119404b055d79bb60f1eac57b1316351c42e1378b9a15f8af85722c741f049de

Download Submit
C:\Windows\System\aclkENp.exe

Filesize
5.2MB

MD5
23cc1d6b214177d9bffb5aea7d84a09e

SHA1
5b501d6b6d8e0bc46e65dc7d577850e03f4dbbe9

SHA256
8bd25b1f83b4ec40f0131dcef2315a5ea792f9d90f4b7a427c8acc819da0d4fe

SHA512
10790fbe7cef487b8d80456580b4bfda14b4ab48437f5691256b0ede67727cc9649a7b04f60624a5974a324b949eed381160f9fdbc32f4b725cf77f55e13ff56

Download Submit
C:\Windows\System\aglYRap.exe

Filesize
5.2MB

MD5
6e3bd4b80510755709c3638bbd9f4238

SHA1
2f200d7016b6c069fbed917a205a67e9285bdc38

SHA256
0b06eaf1b0333afa1f6d17d992e2c603d743a2b6259a771a7ac8ebc67582dcfd

SHA512
71edcac9d3fa840ba7689edddb6c510cb6b80103f90eeaaa653675ded8ae25b6508be1ddfa13fbe07a541c84a71cdca7b5d62060d5ef76da1af806e5d5317b0c

Download Submit
C:\Windows\System\bbHgICc.exe

Filesize
5.2MB

MD5
78f72e71cc9b79b55b706b3d89ccdbcf

SHA1
d84959c6240fb4bcd469d6140e2f9fd913ed386d

SHA256
96f0decdd9721304b9d1d7629731952311960eb521a8e778199e3ea3c972e0da

SHA512
93dec7ae3469df90eb075d4a20eff59cad1e7fdbe64cc43acc67ea76e2bbc6cef9f3e7f6eb329aee9778707e2693d88cdf833f2065f5e64def15509cf62b2841

Download Submit
C:\Windows\System\eJTZKUA.exe

Filesize
5.2MB

MD5
f393a40e01dd7424782e7c2274c011dd

SHA1
827a0e5278583fa51de41cfea69b4e4574a306ad

SHA256
ea1e4564f9fef695f95c693eb811c59a9facf63c36aaa9aab674561e34290770

SHA512
7bd08d8ce9a81850138817d771969d64a89d16aa38d14ca89e4fa397930964b5e1fb9661b7bef66d111af9d6c11adb8d9e46c67fcce1543a92da64db128c7aa7

Download Submit
C:\Windows\System\eftiaHz.exe

Filesize
5.2MB

MD5
25410d7a8841d1a826fca4aaf7d19b6d

SHA1
426c06911e0f4eb59e954808cbd7a1951721b7be

SHA256
c3c3e2d9772cd58664676d82a71f005680949d2ca10c38852b5e488aef3334e7

SHA512
ef6323ad2efe1d9e3ae517b245360eb2dc53eea5872cc7a1f9f01cb0105f23d5bdd351e07fc9cb3d69d30c5222d603ab12a041dea7f4eb668c2c5e962168b7b2

Download Submit
C:\Windows\System\hwYHevf.exe

Filesize
5.2MB

MD5
92ce01e98675dd1381f188e1986ef6ae

SHA1
93e3e0fbea87635992959bf71bcd3058ce432829

SHA256
bcd69ee9c4236e54f9ae51b0118b61dc349df8214070243a5e320ae9e22f8b96

SHA512
4fa383377c6bb7e0e91a011306872cfe26cbba678a95ec16b9be51b49935b2de0e5a586be67cc69db30a1a60f29cbdc3a35befea9e10611be7b9de2c51a06dc2

Download Submit
C:\Windows\System\lAuJfST.exe

Filesize
5.2MB

MD5
592ec735b7e0a980f8627b524a5a34b4

SHA1
ef82e54201a5f92e420c9b9595e98240a3e666b4

SHA256
91ba23ef273c97ab1a7667b7e6aa0a3f3467ee6be2c23bd7ece9290fe4de9212

SHA512
d1d03631f22e414b44f20c904ca8dd322cc59d6e824fba5fc0ac774d02fea159fb85d642bfcd61ea67334f19e915df528bce3e15a5fad08937acb2abfb88f3a1

Download Submit
C:\Windows\System\oFjRLTM.exe

Filesize
5.2MB

MD5
347d621c37a1691eeb3d3d9b822566c5

SHA1
da05057e55e2834a5be46fdf4d057bcba42367f3

SHA256
daf3cfe0ce56dc13956de8b7ae2a64a991aa955e000da22d2a06ebee25519143

SHA512
d9ef644b9d808fb07f1cdf5fd2ba930fb7fd906ad7eb84030488197f68bbc4ecb2b5f15831e69dc046fa2d64571f640b55997c789b8a4f7a27619c9361401e79

Download Submit
C:\Windows\System\osprojR.exe

Filesize
5.2MB

MD5
e55aa369c3e09dc62a65111229a8b019

SHA1
f7abab7357cbfaa9d8bb977c480bcf11fadaf825

SHA256
606f3f053ef98ea91c9ccb58b14f954cc39e1393d90c39039f788c6854b5c487

SHA512
680d9616b73f08ccf173b0737587026ffdc76539eeeb7096a7900a596e780f9332ab4d244f1ae462285c1a5d094d18162c0b3c0f1a0765f7684a59805e012ad0

Download Submit
C:\Windows\System\qLcQhIL.exe

Filesize
5.2MB

MD5
55d79823a990306327e5e039db84069d

SHA1
a4bad9a0e0a6e831e2f3bea83e528cd5ff57753b

SHA256
1ee41e98aae622448952177d3443592f630de41d46b48f63986079dd8cde8b0e

SHA512
e7ca288eeb14a45929a90446fa5855a8a6010ae07e974b84eb8985db0518a875d8398e13e560400da7c1dfc576e6b63d635cc337c7453e1fbf3e4fe862fb0b2e

Download Submit
C:\Windows\System\qhaeaFa.exe

Filesize
5.2MB

MD5
85170fe162e3624d2e458d3d78f3f2e3

SHA1
cbc24c43e8de2eee18cd6a604adec27d1abfa964

SHA256
7685339ddaad451f1c115c2f38a4a253d00fae4eaf6a21be41b83493c71190d7

SHA512
a99777de6b9435ecb1cb7b8f7ad352ba4088c038cbccd06907f1c052dc497d9c62d005946392d6c9cb999cfd5f3101843160db79270654dedf54c68bb1317910

Download Submit
C:\Windows\System\rcleDBE.exe

Filesize
5.2MB

MD5
e1238d34696ca8189fbb714b7f2dd8c6

SHA1
bd7f3eccdcbca1299aaa08a3faea8c16bf5b6ab1

SHA256
4687167f120dd2faf14b07694db5e7f00e56d5f0b042e95440495e5e19fef1b3

SHA512
f2fa04c0f08a0ae5cfc5721fa9f368e08d0952ae7040f0bc0b48e25648ff23f5e0e3b44db19f60d079dd759397776be1ddd1c70e23c0efe6bbe89196eec51a1c

Download Submit
C:\Windows\System\skBKIrb.exe

Filesize
5.2MB

MD5
3f2801a44ebb830493018a37a74f39b7

SHA1
5eb1f458e1c4cf6000fddcf9112348a86eedf142

SHA256
6763610e49a08b67b34a26181711a0ae5ad88a921b9e3bfbdcb72dc2ce1e2fd4

SHA512
aba79fc1392fa3ff74b9cd58f961f0c446465be516df1d44bff9cf6b52f108cc0ed7ac3e75c7aba2d64d2ae373790d226718648edb422d659b1c0e060f46d399

Download Submit
memory/216-229-0x00007FF6AD150000-0x00007FF6AD4A1000-memory.dmp

Filesize
3.3MB

Download
memory/216-82-0x00007FF6AD150000-0x00007FF6AD4A1000-memory.dmp

Filesize
3.3MB

Download
memory/384-153-0x00007FF7E90B0000-0x00007FF7E9401000-memory.dmp

Filesize
3.3MB

Download
memory/384-103-0x00007FF7E90B0000-0x00007FF7E9401000-memory.dmp

Filesize
3.3MB

Download
memory/384-254-0x00007FF7E90B0000-0x00007FF7E9401000-memory.dmp

Filesize
3.3MB

Download
memory/468-248-0x00007FF7986D0000-0x00007FF798A21000-memory.dmp

Filesize
3.3MB

Download
memory/468-142-0x00007FF7986D0000-0x00007FF798A21000-memory.dmp

Filesize
3.3MB

Download
memory/760-88-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/760-235-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/760-150-0x00007FF6B4280000-0x00007FF6B45D1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-75-0x00007FF78ABC0000-0x00007FF78AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1432-148-0x00007FF78ABC0000-0x00007FF78AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1432-233-0x00007FF78ABC0000-0x00007FF78AF11000-memory.dmp

Filesize
3.3MB

Download
memory/1484-223-0x00007FF7419A0000-0x00007FF741CF1000-memory.dmp

Filesize
3.3MB

Download
memory/1484-60-0x00007FF7419A0000-0x00007FF741CF1000-memory.dmp

Filesize
3.3MB

Download
memory/1484-137-0x00007FF7419A0000-0x00007FF741CF1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-245-0x00007FF6441E0000-0x00007FF644531000-memory.dmp

Filesize
3.3MB

Download
memory/1752-141-0x00007FF6441E0000-0x00007FF644531000-memory.dmp

Filesize
3.3MB

Download
memory/2004-87-0x00007FF706D00000-0x00007FF707051000-memory.dmp

Filesize
3.3MB

Download
memory/2004-210-0x00007FF706D00000-0x00007FF707051000-memory.dmp

Filesize
3.3MB

Download
memory/2004-24-0x00007FF706D00000-0x00007FF707051000-memory.dmp

Filesize
3.3MB

Download
memory/2084-14-0x00007FF6E41D0000-0x00007FF6E4521000-memory.dmp

Filesize
3.3MB

Download
memory/2084-206-0x00007FF6E41D0000-0x00007FF6E4521000-memory.dmp

Filesize
3.3MB

Download
memory/2116-143-0x00007FF7FAA40000-0x00007FF7FAD91000-memory.dmp

Filesize
3.3MB

Download
memory/2116-249-0x00007FF7FAA40000-0x00007FF7FAD91000-memory.dmp

Filesize
3.3MB

Download
memory/2144-94-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-212-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-30-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-144-0x00007FF69F490000-0x00007FF69F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-251-0x00007FF69F490000-0x00007FF69F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-70-0x00007FF7AD580000-0x00007FF7AD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-227-0x00007FF7AD580000-0x00007FF7AD8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-20-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp

Filesize
3.3MB

Download
memory/2828-208-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp

Filesize
3.3MB

Download
memory/2828-81-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp

Filesize
3.3MB

Download
memory/2896-241-0x00007FF612180000-0x00007FF6124D1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-95-0x00007FF612180000-0x00007FF6124D1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-152-0x00007FF612180000-0x00007FF6124D1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-204-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-69-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-7-0x00007FF7BE980000-0x00007FF7BECD1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-219-0x00007FF655920000-0x00007FF655C71000-memory.dmp

Filesize
3.3MB

Download
memory/3456-44-0x00007FF655920000-0x00007FF655C71000-memory.dmp

Filesize
3.3MB

Download
memory/3964-65-0x00007FF704F30000-0x00007FF705281000-memory.dmp

Filesize
3.3MB

Download
memory/3964-225-0x00007FF704F30000-0x00007FF705281000-memory.dmp

Filesize
3.3MB

Download
memory/4608-62-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-129-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-1-0x0000011C6E960000-0x0000011C6E970000-memory.dmp

Filesize
64KB

Download
memory/4608-151-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-0-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4608-173-0x00007FF74ED90000-0x00007FF74F0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-221-0x00007FF7C9FF0000-0x00007FF7CA341000-memory.dmp

Filesize
3.3MB

Download
memory/4744-136-0x00007FF7C9FF0000-0x00007FF7CA341000-memory.dmp

Filesize
3.3MB

Download
memory/4744-49-0x00007FF7C9FF0000-0x00007FF7CA341000-memory.dmp

Filesize
3.3MB

Download
memory/4840-107-0x00007FF6B12B0000-0x00007FF6B1601000-memory.dmp

Filesize
3.3MB

Download
memory/4840-154-0x00007FF6B12B0000-0x00007FF6B1601000-memory.dmp

Filesize
3.3MB

Download
memory/4840-243-0x00007FF6B12B0000-0x00007FF6B1601000-memory.dmp

Filesize
3.3MB

Download
memory/5080-217-0x00007FF69F2B0000-0x00007FF69F601000-memory.dmp

Filesize
3.3MB

Download
memory/5080-37-0x00007FF69F2B0000-0x00007FF69F601000-memory.dmp

Filesize
3.3MB

Download
memory/5080-102-0x00007FF69F2B0000-0x00007FF69F601000-memory.dmp

Filesize
3.3MB

Download