cobaltstrike | 62f4b60da8059c5df0e44613beb6b98157b0cef32ed1e90408ba3e8ab20f00af

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

fbeb61416871ffda29d67003fca8938a
SHA1

34c532df207202150d0c8f0236c863f6fa4f3dda
SHA256

62f4b60da8059c5df0e44613beb6b98157b0cef32ed1e90408ba3e8ab20f00af
SHA512

6f632f82e824b740e168eb5c3b1e594d0b89e35c7e1c7069cdb4e4f96ae95c2cb518b758b34f63f705f8c6ce6595479865538ba407cf046cc6b6da62f2a1c288
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibj56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023416-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-7.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-8.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-109.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-117.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023457-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-31.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-35.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3648-91-0x00007FF7B3470000-0x00007FF7B37C1000-memory.dmp	xmrig
behavioral2/memory/3748-98-0x00007FF64FAF0000-0x00007FF64FE41000-memory.dmp	xmrig
behavioral2/memory/3944-124-0x00007FF7EF140000-0x00007FF7EF491000-memory.dmp	xmrig
behavioral2/memory/1100-127-0x00007FF670C40000-0x00007FF670F91000-memory.dmp	xmrig
behavioral2/memory/2992-126-0x00007FF716990000-0x00007FF716CE1000-memory.dmp	xmrig
behavioral2/memory/3680-125-0x00007FF7DC780000-0x00007FF7DCAD1000-memory.dmp	xmrig
behavioral2/memory/100-123-0x00007FF7CE4C0000-0x00007FF7CE811000-memory.dmp	xmrig
behavioral2/memory/4668-122-0x00007FF7BDBE0000-0x00007FF7BDF31000-memory.dmp	xmrig
behavioral2/memory/4704-119-0x00007FF6C31C0000-0x00007FF6C3511000-memory.dmp	xmrig
behavioral2/memory/4592-116-0x00007FF60B690000-0x00007FF60B9E1000-memory.dmp	xmrig
behavioral2/memory/5112-113-0x00007FF6E5310000-0x00007FF6E5661000-memory.dmp	xmrig
behavioral2/memory/4032-108-0x00007FF622A20000-0x00007FF622D71000-memory.dmp	xmrig
behavioral2/memory/2152-84-0x00007FF7B0AB0000-0x00007FF7B0E01000-memory.dmp	xmrig
behavioral2/memory/4600-74-0x00007FF7D95A0000-0x00007FF7D98F1000-memory.dmp	xmrig
behavioral2/memory/3204-55-0x00007FF616540000-0x00007FF616891000-memory.dmp	xmrig
behavioral2/memory/4372-43-0x00007FF6CE3E0000-0x00007FF6CE731000-memory.dmp	xmrig
behavioral2/memory/4736-129-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp	xmrig
behavioral2/memory/3536-128-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp	xmrig
behavioral2/memory/1356-132-0x00007FF786010000-0x00007FF786361000-memory.dmp	xmrig
behavioral2/memory/3768-136-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp	xmrig
behavioral2/memory/1324-134-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	xmrig
behavioral2/memory/2052-131-0x00007FF7171F0000-0x00007FF717541000-memory.dmp	xmrig
behavioral2/memory/3536-150-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp	xmrig
behavioral2/memory/3536-151-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp	xmrig
behavioral2/memory/4736-206-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp	xmrig
behavioral2/memory/3204-208-0x00007FF616540000-0x00007FF616891000-memory.dmp	xmrig
behavioral2/memory/2052-210-0x00007FF7171F0000-0x00007FF717541000-memory.dmp	xmrig
behavioral2/memory/4372-212-0x00007FF6CE3E0000-0x00007FF6CE731000-memory.dmp	xmrig
behavioral2/memory/1356-214-0x00007FF786010000-0x00007FF786361000-memory.dmp	xmrig
behavioral2/memory/4600-216-0x00007FF7D95A0000-0x00007FF7D98F1000-memory.dmp	xmrig
behavioral2/memory/3768-234-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp	xmrig
behavioral2/memory/3748-232-0x00007FF64FAF0000-0x00007FF64FE41000-memory.dmp	xmrig
behavioral2/memory/1324-236-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	xmrig
behavioral2/memory/3648-238-0x00007FF7B3470000-0x00007FF7B37C1000-memory.dmp	xmrig
behavioral2/memory/2152-230-0x00007FF7B0AB0000-0x00007FF7B0E01000-memory.dmp	xmrig
behavioral2/memory/100-240-0x00007FF7CE4C0000-0x00007FF7CE811000-memory.dmp	xmrig
behavioral2/memory/4592-254-0x00007FF60B690000-0x00007FF60B9E1000-memory.dmp	xmrig
behavioral2/memory/2992-256-0x00007FF716990000-0x00007FF716CE1000-memory.dmp	xmrig
behavioral2/memory/1100-258-0x00007FF670C40000-0x00007FF670F91000-memory.dmp	xmrig
behavioral2/memory/4668-252-0x00007FF7BDBE0000-0x00007FF7BDF31000-memory.dmp	xmrig
behavioral2/memory/3680-250-0x00007FF7DC780000-0x00007FF7DCAD1000-memory.dmp	xmrig
behavioral2/memory/4704-248-0x00007FF6C31C0000-0x00007FF6C3511000-memory.dmp	xmrig
behavioral2/memory/5112-246-0x00007FF6E5310000-0x00007FF6E5661000-memory.dmp	xmrig
behavioral2/memory/4032-244-0x00007FF622A20000-0x00007FF622D71000-memory.dmp	xmrig
behavioral2/memory/3944-243-0x00007FF7EF140000-0x00007FF7EF491000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4736	fyHzJDf.exe
3204	UlLsSOG.exe
2052	fsxzVdh.exe
1356	xZVPnsY.exe
1324	oOdNMmm.exe
4600	RilnrbN.exe
4372	YqNLeiM.exe
3768	wHmLTYD.exe
2152	brRcAkn.exe
100	kfNvlVS.exe
3648	fRZEDaB.exe
3748	HwVCTHT.exe
4032	vrfpkRl.exe
3944	YovIUQt.exe
5112	UEqIUnd.exe
3680	gLBHGZq.exe
4592	ZSMWWuP.exe
4704	yEUlabC.exe
2992	XsjmemC.exe
4668	ClqadQG.exe
1100	jLfwAkE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3536-0-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp	upx
behavioral2/files/0x000b000000023416-5.dat	upx
behavioral2/files/0x000700000002345b-7.dat	upx
behavioral2/memory/4736-9-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp	upx
behavioral2/files/0x000700000002345a-8.dat	upx
behavioral2/memory/1356-34-0x00007FF786010000-0x00007FF786361000-memory.dmp	upx
behavioral2/files/0x000700000002345f-40.dat	upx
behavioral2/files/0x0007000000023464-56.dat	upx
behavioral2/files/0x0007000000023461-66.dat	upx
behavioral2/files/0x0007000000023468-79.dat	upx
behavioral2/files/0x0007000000023467-97.dat	upx
behavioral2/memory/3648-91-0x00007FF7B3470000-0x00007FF7B37C1000-memory.dmp	upx
behavioral2/memory/3748-98-0x00007FF64FAF0000-0x00007FF64FE41000-memory.dmp	upx
behavioral2/files/0x000700000002346b-109.dat	upx
behavioral2/files/0x000700000002346c-120.dat	upx
behavioral2/memory/3944-124-0x00007FF7EF140000-0x00007FF7EF491000-memory.dmp	upx
behavioral2/memory/1100-127-0x00007FF670C40000-0x00007FF670F91000-memory.dmp	upx
behavioral2/memory/2992-126-0x00007FF716990000-0x00007FF716CE1000-memory.dmp	upx
behavioral2/memory/3680-125-0x00007FF7DC780000-0x00007FF7DCAD1000-memory.dmp	upx
behavioral2/memory/100-123-0x00007FF7CE4C0000-0x00007FF7CE811000-memory.dmp	upx
behavioral2/memory/4668-122-0x00007FF7BDBE0000-0x00007FF7BDF31000-memory.dmp	upx
behavioral2/memory/4704-119-0x00007FF6C31C0000-0x00007FF6C3511000-memory.dmp	upx
behavioral2/files/0x000700000002346a-117.dat	upx
behavioral2/memory/4592-116-0x00007FF60B690000-0x00007FF60B9E1000-memory.dmp	upx
behavioral2/memory/5112-113-0x00007FF6E5310000-0x00007FF6E5661000-memory.dmp	upx
behavioral2/memory/4032-108-0x00007FF622A20000-0x00007FF622D71000-memory.dmp	upx
behavioral2/files/0x0008000000023457-104.dat	upx
behavioral2/files/0x0007000000023469-103.dat	upx
behavioral2/files/0x0007000000023466-93.dat	upx
behavioral2/files/0x0007000000023465-87.dat	upx
behavioral2/memory/2152-84-0x00007FF7B0AB0000-0x00007FF7B0E01000-memory.dmp	upx
behavioral2/memory/4600-74-0x00007FF7D95A0000-0x00007FF7D98F1000-memory.dmp	upx
behavioral2/memory/1324-73-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-75.dat	upx
behavioral2/files/0x0007000000023463-65.dat	upx
behavioral2/memory/3204-55-0x00007FF616540000-0x00007FF616891000-memory.dmp	upx
behavioral2/files/0x0007000000023460-52.dat	upx
behavioral2/files/0x000700000002345e-49.dat	upx
behavioral2/memory/3768-48-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp	upx
behavioral2/memory/4372-43-0x00007FF6CE3E0000-0x00007FF6CE731000-memory.dmp	upx
behavioral2/files/0x000700000002345d-31.dat	upx
behavioral2/files/0x000700000002345c-35.dat	upx
behavioral2/memory/2052-21-0x00007FF7171F0000-0x00007FF717541000-memory.dmp	upx
behavioral2/memory/4736-129-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp	upx
behavioral2/memory/3536-128-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp	upx
behavioral2/memory/1356-132-0x00007FF786010000-0x00007FF786361000-memory.dmp	upx
behavioral2/memory/3768-136-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp	upx
behavioral2/memory/1324-134-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	upx
behavioral2/memory/2052-131-0x00007FF7171F0000-0x00007FF717541000-memory.dmp	upx
behavioral2/memory/3536-150-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp	upx
behavioral2/memory/3536-151-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp	upx
behavioral2/memory/4736-206-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp	upx
behavioral2/memory/3204-208-0x00007FF616540000-0x00007FF616891000-memory.dmp	upx
behavioral2/memory/2052-210-0x00007FF7171F0000-0x00007FF717541000-memory.dmp	upx
behavioral2/memory/4372-212-0x00007FF6CE3E0000-0x00007FF6CE731000-memory.dmp	upx
behavioral2/memory/1356-214-0x00007FF786010000-0x00007FF786361000-memory.dmp	upx
behavioral2/memory/4600-216-0x00007FF7D95A0000-0x00007FF7D98F1000-memory.dmp	upx
behavioral2/memory/3768-234-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp	upx
behavioral2/memory/3748-232-0x00007FF64FAF0000-0x00007FF64FE41000-memory.dmp	upx
behavioral2/memory/1324-236-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp	upx
behavioral2/memory/3648-238-0x00007FF7B3470000-0x00007FF7B37C1000-memory.dmp	upx
behavioral2/memory/2152-230-0x00007FF7B0AB0000-0x00007FF7B0E01000-memory.dmp	upx
behavioral2/memory/100-240-0x00007FF7CE4C0000-0x00007FF7CE811000-memory.dmp	upx
behavioral2/memory/4592-254-0x00007FF60B690000-0x00007FF60B9E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fyHzJDf.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fRZEDaB.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yEUlabC.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jLfwAkE.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fsxzVdh.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xZVPnsY.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kfNvlVS.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vrfpkRl.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLBHGZq.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UEqIUnd.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YqNLeiM.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wHmLTYD.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\brRcAkn.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HwVCTHT.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XsjmemC.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UlLsSOG.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oOdNMmm.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RilnrbN.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YovIUQt.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZSMWWuP.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ClqadQG.exe	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 4736	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3536 wrote to memory of 4736	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3536 wrote to memory of 3204	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3536 wrote to memory of 3204	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3536 wrote to memory of 2052	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3536 wrote to memory of 2052	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3536 wrote to memory of 1356	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3536 wrote to memory of 1356	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3536 wrote to memory of 4372	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3536 wrote to memory of 4372	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3536 wrote to memory of 1324	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3536 wrote to memory of 1324	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3536 wrote to memory of 4600	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3536 wrote to memory of 4600	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3536 wrote to memory of 3768	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3536 wrote to memory of 3768	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3536 wrote to memory of 2152	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3536 wrote to memory of 2152	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3536 wrote to memory of 3648	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3536 wrote to memory of 3648	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3536 wrote to memory of 3748	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3536 wrote to memory of 3748	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3536 wrote to memory of 100	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3536 wrote to memory of 100	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3536 wrote to memory of 4032	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3536 wrote to memory of 4032	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3536 wrote to memory of 3944	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3536 wrote to memory of 3944	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3536 wrote to memory of 3680	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3536 wrote to memory of 3680	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3536 wrote to memory of 5112	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3536 wrote to memory of 5112	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3536 wrote to memory of 4592	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3536 wrote to memory of 4592	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3536 wrote to memory of 4704	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3536 wrote to memory of 4704	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3536 wrote to memory of 2992	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3536 wrote to memory of 2992	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3536 wrote to memory of 4668	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3536 wrote to memory of 4668	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3536 wrote to memory of 1100	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3536 wrote to memory of 1100	3536	2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-20_fbeb61416871ffda29d67003fca8938a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\System\fyHzJDf.exe
  C:\Windows\System\fyHzJDf.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\UlLsSOG.exe
  C:\Windows\System\UlLsSOG.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\fsxzVdh.exe
  C:\Windows\System\fsxzVdh.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\xZVPnsY.exe
  C:\Windows\System\xZVPnsY.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\YqNLeiM.exe
  C:\Windows\System\YqNLeiM.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\oOdNMmm.exe
  C:\Windows\System\oOdNMmm.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\RilnrbN.exe
  C:\Windows\System\RilnrbN.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\wHmLTYD.exe
  C:\Windows\System\wHmLTYD.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\brRcAkn.exe
  C:\Windows\System\brRcAkn.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\fRZEDaB.exe
  C:\Windows\System\fRZEDaB.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\HwVCTHT.exe
  C:\Windows\System\HwVCTHT.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\kfNvlVS.exe
  C:\Windows\System\kfNvlVS.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System\vrfpkRl.exe
  C:\Windows\System\vrfpkRl.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\YovIUQt.exe
  C:\Windows\System\YovIUQt.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\gLBHGZq.exe
  C:\Windows\System\gLBHGZq.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\UEqIUnd.exe
  C:\Windows\System\UEqIUnd.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\ZSMWWuP.exe
  C:\Windows\System\ZSMWWuP.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\yEUlabC.exe
  C:\Windows\System\yEUlabC.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\XsjmemC.exe
  C:\Windows\System\XsjmemC.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\ClqadQG.exe
  C:\Windows\System\ClqadQG.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\jLfwAkE.exe
  C:\Windows\System\jLfwAkE.exe
  2⤵
  - Executes dropped EXE
  PID:1100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ClqadQG.exe

Filesize
5.2MB

MD5
68e617fbd58f247ec4f94288c2089fb9

SHA1
c5d8fb5fffc9d42c0cbed263d4bb6d824561a8a0

SHA256
9278a44e6ab755c869f4daae7d09a6add1a682136a74fc8aeb5e2a33f61569a8

SHA512
3d9e6f852a3717c944c2abae094c90767b620edaba8376adf9457fd27e8dbe07a482f94518b169152f636d718699e80a43311b80296eeb5ea2d4e9c2ae8e4703

Download Submit
C:\Windows\System\HwVCTHT.exe

Filesize
5.2MB

MD5
17d305eb633f421deea66dd064e54ca5

SHA1
31ce39440ea1aa7b74be55c9f34177521e37134b

SHA256
67ba03538873ae25b8d11015a0b9f0e300f039566efbe17b5c8e0deccf06beca

SHA512
a810cbb6be3d3f244cbb28d35e5fcb160136fc15d07ba490fb82f36aa594dd2e333dc4c63a628b52c9fad22d4fd8ef911fdc5c95136e56efe7406de25a6be38d

Download Submit
C:\Windows\System\RilnrbN.exe

Filesize
5.2MB

MD5
334b4f9cd386ffa684a58a7aad0de8a3

SHA1
21ffb7bad78c4f2d4055564e3ddbd2da4722bba4

SHA256
dea389069c8d10127a8469f234ffe3d0867f62dfa36e7b8903a93d29f7819eb6

SHA512
99b7400cf3ce6d2ba5bf9f7b5a5e6cd6424bc05d25db3c2d166b3ed1414a76ba2bf5d4b743c99d937ae36df7593706b343471426dddb4b6bf20f18854583ac75

Download Submit
C:\Windows\System\UEqIUnd.exe

Filesize
5.2MB

MD5
8e3b8c4b542f4662ac1fac5ec922761c

SHA1
8e255f1e60f9d1ca782c3b6cdecd7663926275d0

SHA256
85f4933039723a5ace4ef5c8d35d646b39b98d3661022643c1084bd9327ab88f

SHA512
5a18598cf3919fbe6bbbfe578d46e5a4b2f5410060d2a133e77fee09dd5c957d72b80cdc26c646bb3c7bc30adee297d6fd97ac024f6cfa5c164df28c4585a662

Download Submit
C:\Windows\System\UlLsSOG.exe

Filesize
5.2MB

MD5
53a9fd0e69f8ec162b202a615a8f4747

SHA1
bf3abe2b405bc26a8ec9d343493c5f85f1a4f8da

SHA256
13d8176c4326768f9292db0ba2d563df9a33ed758b1f9f4021e18a59c623b184

SHA512
f353fb85214633cc62c49548e6d9fb21eb900fd49c972eec2392b8fcb0a5f2784470b387243c2984d519e09c9b5b2b795eca1531aaa2db02421e7eb5097bcc58

Download Submit
C:\Windows\System\XsjmemC.exe

Filesize
5.2MB

MD5
f73f5aee533d566810c228687522a9ef

SHA1
599c0c4a6a8d377f8cf2da0b02d045d670a9bf78

SHA256
3c2d4f792842da3a48b224ffaa06f5681cd909988f08da7a2f382b28c4b485b3

SHA512
3b779a09f4ed10cad42beec78055632fe4a5e4b1fbe05794df23ef0c00a65a3056d3831d128bf65bb95d43a78435f8e329765a44b5e1836c4db2b5e4aa203e3e

Download Submit
C:\Windows\System\YovIUQt.exe

Filesize
5.2MB

MD5
4b57a4ebc77116a11efdd2c1bdb33e8c

SHA1
3f96617fb2052a87d0eb9c4ab97bdb22e1f5b3f3

SHA256
ee49574aca3b1e886a5740b1264a2a8270fec85daabcb76050742415cfd11dde

SHA512
68cc1cd9a924e0eeaaadf271598c933f76df591a97e9fe1af2824d18453f391e8833bdfee75f22c0563e65e2970ae1d73453ae54ae748da9e56bd034f9f2b116

Download Submit
C:\Windows\System\YqNLeiM.exe

Filesize
5.2MB

MD5
a2f40262b74253ff0a2f51b239d05342

SHA1
2ae4efbb58d5092abbf3321e058131e736995b01

SHA256
c5be9f287120355d51e139e281525b8279ac2a14e23bcbf82b26eda48e13ae58

SHA512
a164d2c524e73fe45d2f04c1b04df94be5e591863eb9cf3e434f5133902436580c00782edc53b864c9e12ad1e31b2f546dc50871f350d03c560085a9f07fc4cb

Download Submit
C:\Windows\System\ZSMWWuP.exe

Filesize
5.2MB

MD5
9704375e84fbf80ed9a03b1e1e2ce998

SHA1
b37ce22753f34e7fc7cf7a012bd6837fba803968

SHA256
acd37c56626e4365ca5a6aa88f2498a995fd6d2b02a172b7a0e8f02a999ac86b

SHA512
3eefdf446573419c1075dfdae90edfeb4e6fb6959059948f27c0e3497f707980928a54da5d993b24239204ee45b937b98d7c2d7ec7f7007559385bbd7806fc7f

Download Submit
C:\Windows\System\brRcAkn.exe

Filesize
5.2MB

MD5
72cc0a5cdb0f69dcb965604fd3377886

SHA1
7f9b954ffc1384cc338b014342e67aef285cee76

SHA256
b9314226ccbe71f20115693ca3cc8f6cfb6e0dcfd739eb2d1211e702df5a1a49

SHA512
7f5ff937c7a4f885a987aae2ee743a09d35e89d96c9c6de32ff88bcb1eca8ea342e94c3339a58454943cd3e2f14921bf2e63854143308c24d8ef39c15d422b35

Download Submit
C:\Windows\System\fRZEDaB.exe

Filesize
5.2MB

MD5
09c8fbdc198370bfd0c897756de4048b

SHA1
58768b6b26f494afc3cf81310576a800cff9de5a

SHA256
2a9fabaf3469b323f5333b94535f17c10360edad6d4185b2ffa86cc8b9bce83a

SHA512
3bd5a1b8d39fc2d6a463f79fee00933b98bd937682552bc6d374631d948bbdccc71a11240963f5f869ecfcdad1ef674e8a7a089b7b00b5430d3e23f58b792e60

Download Submit
C:\Windows\System\fsxzVdh.exe

Filesize
5.2MB

MD5
4af80615299052286c6f73cbb64825f8

SHA1
8cac6a8e42c24b3a4d66ea3eb902ad2109897304

SHA256
49f6f6948d3c0dfcf632f9ae2db05001809a56d264673b5d8dc266ac5dd7d5b1

SHA512
91ea7875de862c5230318391bfdf0182b14e86eaff6dcd9bcf93d057ee0a43b58fe3bb2054be582462a4b0f0a1606c985b3b97b2e7f3933481fac939480b65bf

Download Submit
C:\Windows\System\fyHzJDf.exe

Filesize
5.2MB

MD5
21a20904a4c02f2420d9ce71763b6dd2

SHA1
29422698e5cb7538d385e55b1c2111da90c19cc2

SHA256
0325cd7fe91137d722015c3117cc0058eb932fd1e614001d55ae71af4e301106

SHA512
f87a9669f854d10d0d47431d207a80f88f88819ecc5fc3a92945934f26fd79dffe07e614acc5fe7ca98c1e28efb401f606927ffdf01b9ec45a60b2beaa588974

Download Submit
C:\Windows\System\gLBHGZq.exe

Filesize
5.2MB

MD5
eb98c21a83534f1c479fad3324214270

SHA1
2cbc4768f7688886c4c67bb32b1b8a250559a552

SHA256
7bdfb3dc05b687cd0e7fefd357a03186c94eb915b9b99776ef3f5aee92de12db

SHA512
c2a0c7b981bdba1f68f93ffad86c242335f575528d914b3c1fd5a7e6df446766aa7cd9b14075dcf605f1fe6999073c9f340069660e4f17f56a51a0367583f5bc

Download Submit
C:\Windows\System\jLfwAkE.exe

Filesize
5.2MB

MD5
71ce8f8db621f01e037155d889767709

SHA1
9ca12fbfac68314505540b2861c9a1c47b44c709

SHA256
bfe847caf14fafa0094b421d2475d29977375a629b3e218a318edf14211e9d07

SHA512
5b1e72834cc29ca431348600f04061a9964a696fc0237d193ce61d7e4b2eaac584930b1496c8ac8a2befa511464664d01ae07c9c1b7f0b32220c0021c362c96a

Download Submit
C:\Windows\System\kfNvlVS.exe

Filesize
5.2MB

MD5
afdeb6a75dca6d8d415ac48c3a44da0b

SHA1
aa2a3b28f5677c121fb4884f9a5b21a033291320

SHA256
e38afc0d0bb791b8de599204abe2e67849ce26160ef56039a01a03c6d082ddec

SHA512
d99e108ad034ab5ba5ed67b5abfab39780d4ec7a6fc3d261d86d411b914e2e97741b119c774b5f4c682a602b181774bd31df2a3cf1d01ad241fcfd1035d12816

Download Submit
C:\Windows\System\oOdNMmm.exe

Filesize
5.2MB

MD5
242253637fccb1836e85de2c6c62e216

SHA1
7b5bdcab6fbc1b93dd0a3f954dce0d945bb13a36

SHA256
99a5ac257350c489988047e11ea0074da5fbee93b4cbede73b07ff4703987532

SHA512
31ab9486ab2fb5638b9fc5eda153bfaf6e9cdcf175a4b9f8885754856ab12c9a3d3a0803646d9ace7457b8fa526c8a94236fb9d7ea8a6b953975b61e1407ce69

Download Submit
C:\Windows\System\vrfpkRl.exe

Filesize
5.2MB

MD5
294035a354ae2225af23eb4a9a09091d

SHA1
2b3f835d1c08767d32a33e3cad30db6f19f321df

SHA256
47233926d19fa4936cb958eab898a3a67eebb8b2027b1086f9e39915280c56de

SHA512
061e6c11df98bf5309630717387f8347092fcada48d86b8b7752f06b166a575af78bc1e9d93dae93d6b488709cc1365661dfb4b2e3a4ac1c90af3bf679fc515e

Download Submit
C:\Windows\System\wHmLTYD.exe

Filesize
5.2MB

MD5
2a98a7421d5b550b003ee43d6c0b477f

SHA1
110a9169f3b6c83c2d524196c76ad5ab9f906032

SHA256
9e47d4fe3d9c84ff9a584815ce178dcbf63866b06b7274e47b91155593764ff9

SHA512
ce1ff8c0397ee20e1032a786cec635166b33d0aec34d151987fc06d376c6722d40e443e15c73837d2a2b59f9758189791cc7bcac528e9010043d380ed639bb3a

Download Submit
C:\Windows\System\xZVPnsY.exe

Filesize
5.2MB

MD5
4fd81dffa3d3ad167fefce7ae7b247c0

SHA1
6d8fb66440da62db0754800cd9f7565f0d0dc813

SHA256
7109cd9166690ad7ab9a14e677f388dc4cf9ba2e4ec1d6a3360bc0a95ab3a858

SHA512
4658d3935b7104e417327029fb5e1720056844ec4942edbed90999bed18ac7408acaed0526ae338dc5b35524c21d69484374b7a24ef42c797c3ad069f21d5a07

Download Submit
C:\Windows\System\yEUlabC.exe

Filesize
5.2MB

MD5
c6707c8ebf5b99bb3e6954538719b66e

SHA1
5b85effebba6ac3fd0d3a000f8035f03e53528fa

SHA256
0fd9660516740e8f081433801b156260ea28472c1ce0f952a9b0ed62db9658d7

SHA512
7a38a5706a8482df7ee885be95651586845eece9762ccebcc2b636a7b2e8ad4d8d2e0e95e9a39dc4e66e6a8ae4597d3b6421a9053b0c478bf7b86d1f851cdd5a

Download Submit
memory/100-123-0x00007FF7CE4C0000-0x00007FF7CE811000-memory.dmp

Filesize
3.3MB

Download
memory/100-240-0x00007FF7CE4C0000-0x00007FF7CE811000-memory.dmp

Filesize
3.3MB

Download
memory/1100-258-0x00007FF670C40000-0x00007FF670F91000-memory.dmp

Filesize
3.3MB

Download
memory/1100-127-0x00007FF670C40000-0x00007FF670F91000-memory.dmp

Filesize
3.3MB

Download
memory/1324-134-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-236-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-73-0x00007FF61E350000-0x00007FF61E6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-34-0x00007FF786010000-0x00007FF786361000-memory.dmp

Filesize
3.3MB

Download
memory/1356-132-0x00007FF786010000-0x00007FF786361000-memory.dmp

Filesize
3.3MB

Download
memory/1356-214-0x00007FF786010000-0x00007FF786361000-memory.dmp

Filesize
3.3MB

Download
memory/2052-21-0x00007FF7171F0000-0x00007FF717541000-memory.dmp

Filesize
3.3MB

Download
memory/2052-210-0x00007FF7171F0000-0x00007FF717541000-memory.dmp

Filesize
3.3MB

Download
memory/2052-131-0x00007FF7171F0000-0x00007FF717541000-memory.dmp

Filesize
3.3MB

Download
memory/2152-84-0x00007FF7B0AB0000-0x00007FF7B0E01000-memory.dmp

Filesize
3.3MB

Download
memory/2152-230-0x00007FF7B0AB0000-0x00007FF7B0E01000-memory.dmp

Filesize
3.3MB

Download
memory/2992-126-0x00007FF716990000-0x00007FF716CE1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-256-0x00007FF716990000-0x00007FF716CE1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-208-0x00007FF616540000-0x00007FF616891000-memory.dmp

Filesize
3.3MB

Download
memory/3204-55-0x00007FF616540000-0x00007FF616891000-memory.dmp

Filesize
3.3MB

Download
memory/3536-0-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-151-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-1-0x000001D19FC90000-0x000001D19FCA0000-memory.dmp

Filesize
64KB

Download
memory/3536-128-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-150-0x00007FF747BA0000-0x00007FF747EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-91-0x00007FF7B3470000-0x00007FF7B37C1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-238-0x00007FF7B3470000-0x00007FF7B37C1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-250-0x00007FF7DC780000-0x00007FF7DCAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3680-125-0x00007FF7DC780000-0x00007FF7DCAD1000-memory.dmp

Filesize
3.3MB

Download
memory/3748-98-0x00007FF64FAF0000-0x00007FF64FE41000-memory.dmp

Filesize
3.3MB

Download
memory/3748-232-0x00007FF64FAF0000-0x00007FF64FE41000-memory.dmp

Filesize
3.3MB

Download
memory/3768-136-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-48-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-234-0x00007FF6656A0000-0x00007FF6659F1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-124-0x00007FF7EF140000-0x00007FF7EF491000-memory.dmp

Filesize
3.3MB

Download
memory/3944-243-0x00007FF7EF140000-0x00007FF7EF491000-memory.dmp

Filesize
3.3MB

Download
memory/4032-244-0x00007FF622A20000-0x00007FF622D71000-memory.dmp

Filesize
3.3MB

Download
memory/4032-108-0x00007FF622A20000-0x00007FF622D71000-memory.dmp

Filesize
3.3MB

Download
memory/4372-43-0x00007FF6CE3E0000-0x00007FF6CE731000-memory.dmp

Filesize
3.3MB

Download
memory/4372-212-0x00007FF6CE3E0000-0x00007FF6CE731000-memory.dmp

Filesize
3.3MB

Download
memory/4592-254-0x00007FF60B690000-0x00007FF60B9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4592-116-0x00007FF60B690000-0x00007FF60B9E1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-216-0x00007FF7D95A0000-0x00007FF7D98F1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-74-0x00007FF7D95A0000-0x00007FF7D98F1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-122-0x00007FF7BDBE0000-0x00007FF7BDF31000-memory.dmp

Filesize
3.3MB

Download
memory/4668-252-0x00007FF7BDBE0000-0x00007FF7BDF31000-memory.dmp

Filesize
3.3MB

Download
memory/4704-119-0x00007FF6C31C0000-0x00007FF6C3511000-memory.dmp

Filesize
3.3MB

Download
memory/4704-248-0x00007FF6C31C0000-0x00007FF6C3511000-memory.dmp

Filesize
3.3MB

Download
memory/4736-206-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp

Filesize
3.3MB

Download
memory/4736-9-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp

Filesize
3.3MB

Download
memory/4736-129-0x00007FF7BE450000-0x00007FF7BE7A1000-memory.dmp

Filesize
3.3MB

Download
memory/5112-246-0x00007FF6E5310000-0x00007FF6E5661000-memory.dmp

Filesize
3.3MB

Download
memory/5112-113-0x00007FF6E5310000-0x00007FF6E5661000-memory.dmp

Filesize
3.3MB

Download