cobaltstrike | f36782acbb9331aa33a196b635fcd44e087576ea17a5015d21bc3fd855406e27

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d132cef95bdb4f09504ede1bac6d904e
SHA1

02e0d7b18ece94cea6b1a22d796127870b4f0b30
SHA256

f36782acbb9331aa33a196b635fcd44e087576ea17a5015d21bc3fd855406e27
SHA512

46f6837a46184d62c0fca3dccc1bc250433bdb363792ef49c3990994c192b71e3a614c54ac06d5cfade428920d6af0aed2cbb95f36c8c8ec261d8797d56f8258
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibf56utgpPFotBER/mQ32lUu

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00070000000233a7-8.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233a8-18.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233a6-14.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233a2-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233af-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ae-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ad-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b2-80.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b1-82.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233a3-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b3-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b4-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b7-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b8-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b6-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b5-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b0-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ac-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ab-49.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233aa-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233a9-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2776-9-0x00007FF750C00000-0x00007FF750F51000-memory.dmp	xmrig
behavioral2/memory/1188-101-0x00007FF7DC580000-0x00007FF7DC8D1000-memory.dmp	xmrig
behavioral2/memory/3888-93-0x00007FF652400000-0x00007FF652751000-memory.dmp	xmrig
behavioral2/memory/3020-87-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp	xmrig
behavioral2/memory/5032-68-0x00007FF6CD5A0000-0x00007FF6CD8F1000-memory.dmp	xmrig
behavioral2/memory/2776-129-0x00007FF750C00000-0x00007FF750F51000-memory.dmp	xmrig
behavioral2/memory/1152-132-0x00007FF78E270000-0x00007FF78E5C1000-memory.dmp	xmrig
behavioral2/memory/4484-137-0x00007FF61D010000-0x00007FF61D361000-memory.dmp	xmrig
behavioral2/memory/968-138-0x00007FF75AFF0000-0x00007FF75B341000-memory.dmp	xmrig
behavioral2/memory/4080-136-0x00007FF617A70000-0x00007FF617DC1000-memory.dmp	xmrig
behavioral2/memory/3624-135-0x00007FF601D10000-0x00007FF602061000-memory.dmp	xmrig
behavioral2/memory/668-134-0x00007FF6C20E0000-0x00007FF6C2431000-memory.dmp	xmrig
behavioral2/memory/1192-131-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	xmrig
behavioral2/memory/2988-130-0x00007FF799030000-0x00007FF799381000-memory.dmp	xmrig
behavioral2/memory/4572-133-0x00007FF70A100000-0x00007FF70A451000-memory.dmp	xmrig
behavioral2/memory/4484-128-0x00007FF61D010000-0x00007FF61D361000-memory.dmp	xmrig
behavioral2/memory/516-144-0x00007FF75D8E0000-0x00007FF75DC31000-memory.dmp	xmrig
behavioral2/memory/4624-146-0x00007FF7FAEA0000-0x00007FF7FB1F1000-memory.dmp	xmrig
behavioral2/memory/4048-150-0x00007FF606380000-0x00007FF6066D1000-memory.dmp	xmrig
behavioral2/memory/3124-149-0x00007FF6F13A0000-0x00007FF6F16F1000-memory.dmp	xmrig
behavioral2/memory/400-147-0x00007FF756290000-0x00007FF7565E1000-memory.dmp	xmrig
behavioral2/memory/972-145-0x00007FF7E0B40000-0x00007FF7E0E91000-memory.dmp	xmrig
behavioral2/memory/3020-141-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp	xmrig
behavioral2/memory/872-148-0x00007FF6E1F40000-0x00007FF6E2291000-memory.dmp	xmrig
behavioral2/memory/3000-140-0x00007FF7BEB10000-0x00007FF7BEE61000-memory.dmp	xmrig
behavioral2/memory/4484-151-0x00007FF61D010000-0x00007FF61D361000-memory.dmp	xmrig
behavioral2/memory/2776-213-0x00007FF750C00000-0x00007FF750F51000-memory.dmp	xmrig
behavioral2/memory/2988-215-0x00007FF799030000-0x00007FF799381000-memory.dmp	xmrig
behavioral2/memory/1152-217-0x00007FF78E270000-0x00007FF78E5C1000-memory.dmp	xmrig
behavioral2/memory/4572-219-0x00007FF70A100000-0x00007FF70A451000-memory.dmp	xmrig
behavioral2/memory/1192-221-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	xmrig
behavioral2/memory/668-225-0x00007FF6C20E0000-0x00007FF6C2431000-memory.dmp	xmrig
behavioral2/memory/3624-224-0x00007FF601D10000-0x00007FF602061000-memory.dmp	xmrig
behavioral2/memory/968-230-0x00007FF75AFF0000-0x00007FF75B341000-memory.dmp	xmrig
behavioral2/memory/5032-233-0x00007FF6CD5A0000-0x00007FF6CD8F1000-memory.dmp	xmrig
behavioral2/memory/3020-235-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp	xmrig
behavioral2/memory/1188-237-0x00007FF7DC580000-0x00007FF7DC8D1000-memory.dmp	xmrig
behavioral2/memory/4080-232-0x00007FF617A70000-0x00007FF617DC1000-memory.dmp	xmrig
behavioral2/memory/3000-228-0x00007FF7BEB10000-0x00007FF7BEE61000-memory.dmp	xmrig
behavioral2/memory/516-247-0x00007FF75D8E0000-0x00007FF75DC31000-memory.dmp	xmrig
behavioral2/memory/972-248-0x00007FF7E0B40000-0x00007FF7E0E91000-memory.dmp	xmrig
behavioral2/memory/3124-255-0x00007FF6F13A0000-0x00007FF6F16F1000-memory.dmp	xmrig
behavioral2/memory/400-256-0x00007FF756290000-0x00007FF7565E1000-memory.dmp	xmrig
behavioral2/memory/872-252-0x00007FF6E1F40000-0x00007FF6E2291000-memory.dmp	xmrig
behavioral2/memory/4048-258-0x00007FF606380000-0x00007FF6066D1000-memory.dmp	xmrig
behavioral2/memory/4624-250-0x00007FF7FAEA0000-0x00007FF7FB1F1000-memory.dmp	xmrig
behavioral2/memory/3888-244-0x00007FF652400000-0x00007FF652751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2776	zVtiPKh.exe
2988	TuTbbYg.exe
1192	KGgqeXD.exe
1152	NliDZzS.exe
4572	JgHKZnN.exe
668	PuKvSWA.exe
3624	WtAejSl.exe
4080	pHxLkFC.exe
968	yXMCHjq.exe
5032	ybRFtdY.exe
3000	tkRIgbJ.exe
3020	UUOzYTK.exe
1188	yDAnnpv.exe
3888	ZFFtMlB.exe
516	SEkYeIB.exe
972	oUUbFVs.exe
4624	gAPAIuW.exe
400	AYyerkx.exe
872	hsAyDQD.exe
3124	DhVTiVt.exe
4048	RfpzmtG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4484-0-0x00007FF61D010000-0x00007FF61D361000-memory.dmp	upx
behavioral2/files/0x00070000000233a7-8.dat	upx
behavioral2/memory/2988-20-0x00007FF799030000-0x00007FF799381000-memory.dmp	upx
behavioral2/files/0x00070000000233a8-18.dat	upx
behavioral2/files/0x00070000000233a6-14.dat	upx
behavioral2/memory/2776-9-0x00007FF750C00000-0x00007FF750F51000-memory.dmp	upx
behavioral2/files/0x00080000000233a2-6.dat	upx
behavioral2/files/0x00070000000233af-56.dat	upx
behavioral2/files/0x00070000000233ae-55.dat	upx
behavioral2/files/0x00070000000233ad-64.dat	upx
behavioral2/files/0x00070000000233b2-80.dat	upx
behavioral2/files/0x00070000000233b1-82.dat	upx
behavioral2/files/0x00080000000233a3-92.dat	upx
behavioral2/files/0x00070000000233b3-97.dat	upx
behavioral2/files/0x00070000000233b4-103.dat	upx
behavioral2/memory/4624-102-0x00007FF7FAEA0000-0x00007FF7FB1F1000-memory.dmp	upx
behavioral2/files/0x00070000000233b7-114.dat	upx
behavioral2/files/0x00070000000233b8-126.dat	upx
behavioral2/memory/4048-125-0x00007FF606380000-0x00007FF6066D1000-memory.dmp	upx
behavioral2/files/0x00070000000233b6-121.dat	upx
behavioral2/files/0x00070000000233b5-119.dat	upx
behavioral2/memory/3124-118-0x00007FF6F13A0000-0x00007FF6F16F1000-memory.dmp	upx
behavioral2/memory/872-117-0x00007FF6E1F40000-0x00007FF6E2291000-memory.dmp	upx
behavioral2/memory/400-115-0x00007FF756290000-0x00007FF7565E1000-memory.dmp	upx
behavioral2/memory/1188-101-0x00007FF7DC580000-0x00007FF7DC8D1000-memory.dmp	upx
behavioral2/memory/972-96-0x00007FF7E0B40000-0x00007FF7E0E91000-memory.dmp	upx
behavioral2/memory/516-94-0x00007FF75D8E0000-0x00007FF75DC31000-memory.dmp	upx
behavioral2/memory/3888-93-0x00007FF652400000-0x00007FF652751000-memory.dmp	upx
behavioral2/memory/3020-87-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp	upx
behavioral2/files/0x00070000000233b0-75.dat	upx
behavioral2/memory/5032-68-0x00007FF6CD5A0000-0x00007FF6CD8F1000-memory.dmp	upx
behavioral2/memory/4080-67-0x00007FF617A70000-0x00007FF617DC1000-memory.dmp	upx
behavioral2/files/0x00070000000233ac-61.dat	upx
behavioral2/memory/3000-58-0x00007FF7BEB10000-0x00007FF7BEE61000-memory.dmp	upx
behavioral2/memory/968-57-0x00007FF75AFF0000-0x00007FF75B341000-memory.dmp	upx
behavioral2/memory/668-54-0x00007FF6C20E0000-0x00007FF6C2431000-memory.dmp	upx
behavioral2/files/0x00070000000233ab-49.dat	upx
behavioral2/files/0x00070000000233aa-44.dat	upx
behavioral2/memory/3624-43-0x00007FF601D10000-0x00007FF602061000-memory.dmp	upx
behavioral2/memory/4572-35-0x00007FF70A100000-0x00007FF70A451000-memory.dmp	upx
behavioral2/files/0x00070000000233a9-34.dat	upx
behavioral2/memory/1192-27-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	upx
behavioral2/memory/1152-26-0x00007FF78E270000-0x00007FF78E5C1000-memory.dmp	upx
behavioral2/memory/2776-129-0x00007FF750C00000-0x00007FF750F51000-memory.dmp	upx
behavioral2/memory/1152-132-0x00007FF78E270000-0x00007FF78E5C1000-memory.dmp	upx
behavioral2/memory/4484-137-0x00007FF61D010000-0x00007FF61D361000-memory.dmp	upx
behavioral2/memory/968-138-0x00007FF75AFF0000-0x00007FF75B341000-memory.dmp	upx
behavioral2/memory/4080-136-0x00007FF617A70000-0x00007FF617DC1000-memory.dmp	upx
behavioral2/memory/3624-135-0x00007FF601D10000-0x00007FF602061000-memory.dmp	upx
behavioral2/memory/668-134-0x00007FF6C20E0000-0x00007FF6C2431000-memory.dmp	upx
behavioral2/memory/1192-131-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp	upx
behavioral2/memory/2988-130-0x00007FF799030000-0x00007FF799381000-memory.dmp	upx
behavioral2/memory/4572-133-0x00007FF70A100000-0x00007FF70A451000-memory.dmp	upx
behavioral2/memory/4484-128-0x00007FF61D010000-0x00007FF61D361000-memory.dmp	upx
behavioral2/memory/516-144-0x00007FF75D8E0000-0x00007FF75DC31000-memory.dmp	upx
behavioral2/memory/4624-146-0x00007FF7FAEA0000-0x00007FF7FB1F1000-memory.dmp	upx
behavioral2/memory/4048-150-0x00007FF606380000-0x00007FF6066D1000-memory.dmp	upx
behavioral2/memory/3124-149-0x00007FF6F13A0000-0x00007FF6F16F1000-memory.dmp	upx
behavioral2/memory/400-147-0x00007FF756290000-0x00007FF7565E1000-memory.dmp	upx
behavioral2/memory/972-145-0x00007FF7E0B40000-0x00007FF7E0E91000-memory.dmp	upx
behavioral2/memory/3020-141-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp	upx
behavioral2/memory/872-148-0x00007FF6E1F40000-0x00007FF6E2291000-memory.dmp	upx
behavioral2/memory/3000-140-0x00007FF7BEB10000-0x00007FF7BEE61000-memory.dmp	upx
behavioral2/memory/4484-151-0x00007FF61D010000-0x00007FF61D361000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SEkYeIB.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gAPAIuW.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AYyerkx.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JgHKZnN.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pHxLkFC.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yDAnnpv.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yXMCHjq.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UUOzYTK.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zVtiPKh.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGgqeXD.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PuKvSWA.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tkRIgbJ.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZFFtMlB.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsAyDQD.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TuTbbYg.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NliDZzS.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ybRFtdY.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RfpzmtG.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtAejSl.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oUUbFVs.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DhVTiVt.exe	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2776	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4484 wrote to memory of 2776	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4484 wrote to memory of 2988	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4484 wrote to memory of 2988	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4484 wrote to memory of 1192	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4484 wrote to memory of 1192	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4484 wrote to memory of 1152	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4484 wrote to memory of 1152	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4484 wrote to memory of 4572	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4484 wrote to memory of 4572	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4484 wrote to memory of 668	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4484 wrote to memory of 668	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4484 wrote to memory of 3624	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4484 wrote to memory of 3624	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4484 wrote to memory of 4080	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4484 wrote to memory of 4080	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4484 wrote to memory of 968	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4484 wrote to memory of 968	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4484 wrote to memory of 5032	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4484 wrote to memory of 5032	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4484 wrote to memory of 3000	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4484 wrote to memory of 3000	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4484 wrote to memory of 3020	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4484 wrote to memory of 3020	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4484 wrote to memory of 3888	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4484 wrote to memory of 3888	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4484 wrote to memory of 1188	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4484 wrote to memory of 1188	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4484 wrote to memory of 516	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4484 wrote to memory of 516	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4484 wrote to memory of 972	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4484 wrote to memory of 972	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4484 wrote to memory of 4624	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4484 wrote to memory of 4624	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4484 wrote to memory of 400	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4484 wrote to memory of 400	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4484 wrote to memory of 872	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4484 wrote to memory of 872	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4484 wrote to memory of 3124	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4484 wrote to memory of 3124	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4484 wrote to memory of 4048	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4484 wrote to memory of 4048	4484	2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_d132cef95bdb4f09504ede1bac6d904e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\System\zVtiPKh.exe
  C:\Windows\System\zVtiPKh.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\TuTbbYg.exe
  C:\Windows\System\TuTbbYg.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\KGgqeXD.exe
  C:\Windows\System\KGgqeXD.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\NliDZzS.exe
  C:\Windows\System\NliDZzS.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\JgHKZnN.exe
  C:\Windows\System\JgHKZnN.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\PuKvSWA.exe
  C:\Windows\System\PuKvSWA.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\WtAejSl.exe
  C:\Windows\System\WtAejSl.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\pHxLkFC.exe
  C:\Windows\System\pHxLkFC.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\yXMCHjq.exe
  C:\Windows\System\yXMCHjq.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\ybRFtdY.exe
  C:\Windows\System\ybRFtdY.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\tkRIgbJ.exe
  C:\Windows\System\tkRIgbJ.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\UUOzYTK.exe
  C:\Windows\System\UUOzYTK.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\ZFFtMlB.exe
  C:\Windows\System\ZFFtMlB.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\yDAnnpv.exe
  C:\Windows\System\yDAnnpv.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\SEkYeIB.exe
  C:\Windows\System\SEkYeIB.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\oUUbFVs.exe
  C:\Windows\System\oUUbFVs.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\gAPAIuW.exe
  C:\Windows\System\gAPAIuW.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\AYyerkx.exe
  C:\Windows\System\AYyerkx.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\hsAyDQD.exe
  C:\Windows\System\hsAyDQD.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\DhVTiVt.exe
  C:\Windows\System\DhVTiVt.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\RfpzmtG.exe
  C:\Windows\System\RfpzmtG.exe
  2⤵
  - Executes dropped EXE
  PID:4048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AYyerkx.exe

Filesize
5.2MB

MD5
fe0d25c08e46bb54d0eb04d7c2f568dd

SHA1
4c0175ac5ba9402007cb5b37b5bc3e56d91fb2e3

SHA256
3d12b09b7af074d80ae90c1012d212fa9880a9746018a7b175256e1474211c0e

SHA512
1a21ee4d4ddf604ca86f6f7e4b1669b9fa04d310ce27b232bb02d08df892f9517c8278823cb26f59e770d351048ea3148ea4da5636c57c344986311a74f2587e

Download Submit
C:\Windows\System\DhVTiVt.exe

Filesize
5.2MB

MD5
c2a0a527c3c4cf3a57e60dab812c50b8

SHA1
eaf037403b50ddd02d899e96a050f030492859ee

SHA256
7e49837ee94517f97e0608b2e5ba666fa206be530f8c0ddc68f03551d953cd32

SHA512
531a8e0bb15a39990a5712b58b541147131df0f076586572179f717ee35db655e91e9cd4b04c2670005486f6fbdc4a11a383f7170b6a8791573f7dd54d83a661

Download Submit
C:\Windows\System\JgHKZnN.exe

Filesize
5.2MB

MD5
f4c65941637306797ccd27aadfd7912e

SHA1
c6de167119bc9c84b0959e1a7423f5344302d2e0

SHA256
7503dcd86d527f06c5e21d8ba1ede8fe6c0334fa34262167a8f9e110d7fda512

SHA512
7340eadf41aaddadcbb1812fc6a19c0c449373a3d2b0e66af53ec734e5c72e97dffd18e91202b1065ed9b61d7e8354d12b44de8b2e3afdbb741bd328fc383dda

Download Submit
C:\Windows\System\KGgqeXD.exe

Filesize
5.2MB

MD5
0284bfb15c4e384f581971882ee49c54

SHA1
1e690cce012c4b1bc2ed9337881126fd9997643c

SHA256
fb55f561b4068eaf05e9f53b4bfdd4d40b2f700a7e49106e770f25993611d24c

SHA512
f1168d4bb82395fea6eb8ee2ef8b6dd1c6564f6945c2351e3308dd6da90c1aab2cbb15ed24386be25a09b0860e617bbf73eeb063f7ce0c83a98469b0907584bb

Download Submit
C:\Windows\System\NliDZzS.exe

Filesize
5.2MB

MD5
46c66c979b1e134e0a5e87fa0ddb8b49

SHA1
30c4cda715e7d7c6625131d2b1b3136bda47c07a

SHA256
a6195df51dca726d054c5610dc66c82270e6ca251f034a16f340653bbc1db545

SHA512
dbf7fd6be701c83bccf341481ed14a6f7e27d0394daf777a2bb924f1e030eaf234198a8596c37180683335d75c91d382d7947301d45257c7553312c818eb98e0

Download Submit
C:\Windows\System\PuKvSWA.exe

Filesize
5.2MB

MD5
e500002a5e272a97d9c5dfc6697ee3bd

SHA1
2ab42b94bdcb56fa46ffa36583e298daa49e008b

SHA256
c31cd2b0c898ecfd0f90149087f6d66acb7eac6e6b5fdf7e96d828cfb2085bbf

SHA512
8d605debb8ac96fff4fa0a6ca7aadba18b628e405b989f82fa44637b58745aa4a34db1e3107f4e86705b6d06d7d5244041c7c9dcd22f7b4904f28bdb77f0eb1e

Download Submit
C:\Windows\System\RfpzmtG.exe

Filesize
5.2MB

MD5
f8e6780bcf8133b40b2440a3d55e7105

SHA1
88d22af8a6bf159f166c3c98a85fb39a86594378

SHA256
85d7f6b65d8174a6ccbe1e4a179ebdcc31520995bcc1669144015be7fb555ce9

SHA512
f54f854afadc89cb1ec6790dadc02163d62e79f057e7bd58e2060bf77b60ea479ad736aff690b32a9a97ddabde456b78bec28a25329ee7f290affab026b52b0b

Download Submit
C:\Windows\System\SEkYeIB.exe

Filesize
5.2MB

MD5
cf747e23011da2f1ee2e5cf12d7c0c79

SHA1
2a2a7bffc793b9823c4ed46a93d64197d1662279

SHA256
ac99e867f8a429f5ba76a8174811dc77f6ea425d4f77e640505b36def3a0e3ad

SHA512
b80f52ff68a96eba0be68ec9f2029ea53e73ed7ccf7e86d58efcaa7726924b942cb7c7139344225c5b0219a9ca15c1811fac31e595e4e759f2dfa9d6503b7feb

Download Submit
C:\Windows\System\TuTbbYg.exe

Filesize
5.2MB

MD5
317d13bd127ffd00442c371ae5517477

SHA1
d0bc65dcdafbbe1ed63a3766d7d2e3d65e4b6294

SHA256
66ba99bf615353def2bf047b56e29c26fe489e111642b90552977748a488133b

SHA512
07de21509f67521e5fd23805bc3ab2b6c80920aacc6ad620bdb0628c57d3a38b3571a29b2a66873f861a080be9d768c2c0b3bea0460595fa4c44fb14bde20eb0

Download Submit
C:\Windows\System\UUOzYTK.exe

Filesize
5.2MB

MD5
dab8daa3ba94ed65a266880bf0575b92

SHA1
6407c310425aab144b395009b697172c4c1161c9

SHA256
a8af8224ae6daaccda1c450812fbb5c4b928c6c89bfe3677da32cc7efbb30449

SHA512
b4a8f7fd6d4c7337249fb889f9c4a0cfaef93a7e6aeb1858bf2abaa29ecb2feacb6e7716b7bf7b3df2113b9f18673d202cb75170f427c5023e214da254ba2948

Download Submit
C:\Windows\System\WtAejSl.exe

Filesize
5.2MB

MD5
18eb3bb2cb255953671353e60d6d0c0f

SHA1
39e3a567c36580bbb75a328bd602ab11ea85f9fd

SHA256
f6cd46e5cb72bf349ca3238b615632501ddf96e3ba1a820d309f337bbea00833

SHA512
d2a9aa91a222db6bd2b787ac726e728a2628a8e63b6bfcb11da722a00f9c85f52ccf4046071b4727e921a86c157a59afb25ecb5ca871d3511b22b3d5f4a4339a

Download Submit
C:\Windows\System\ZFFtMlB.exe

Filesize
5.2MB

MD5
721b520d2f2f6eff78c45396293ceb88

SHA1
1d90b3e2ba0e4ace3788a5497e279baf73803841

SHA256
b29c9060f7117605c90db0475f843c643e008121de5cd3410f6a7eb68c5827a5

SHA512
190f2c7f1112920e7e0074bba089230081d3b79fbb8628ec8f98d32f5f4e339656bf04627bfd0e0fd3cc5a3a6f3fc04a210db5ef2e28ae146014b7bd2971d562

Download Submit
C:\Windows\System\gAPAIuW.exe

Filesize
5.2MB

MD5
da4574a35e449ddf09541429aead7a8f

SHA1
eeb54e353997d3f18802c4dc090bddd3602b23d9

SHA256
3b43d22f9c96d29e4750e598c2cb2c3feb60e596f2c7ef5166834a22ea55e571

SHA512
f15d602ddc13f1789b4f3504a44442fee8323b67fa29e581d9820efe8a52736fa7fd58b17788441217cb430ce2795900ec3ed5a22b8f63276d133d0960efcb6c

Download Submit
C:\Windows\System\hsAyDQD.exe

Filesize
5.2MB

MD5
6ede2f69f9425fdf4b18e2363a79f141

SHA1
4d6f0edc646b5a68ff970380eb6f60cba3aaf59f

SHA256
90100254a228e9f993b8fa461caac1b35cd245087d9992faf127d07eb5a8d923

SHA512
dfd0bb84e2abd2ff0fc233f6136603565a24cc4cf34b8a6cdb546e3ce0cb4c00cb76891e0710f7732f4551e56d2c1bb8d92b7990029152ae5d4f791385a1c93b

Download Submit
C:\Windows\System\oUUbFVs.exe

Filesize
5.2MB

MD5
7a0c6bfe38029866b0740ab4fd1302b9

SHA1
01c5d539201577afbde618a9b1c2d685fe639018

SHA256
eeec3cf9d4a7bda6886dd44861c1546e6ce38dd918fef74283ae6e310517b99f

SHA512
6a26077c7179dc4535bef07187f3be2a4444e43dab872a5a23de0bd5e44294a1c862223344c25170adafc6c216042dc0df1595b457553665e215ffb2d89fc127

Download Submit
C:\Windows\System\pHxLkFC.exe

Filesize
5.2MB

MD5
83aca33a7e1eb0eed4bc1a3a46be5b90

SHA1
9615fed753f637a3425b8156c86671106fccdc6e

SHA256
a3ee0719d6a1f48c2be4a12708d4e0129b2ca4a53c20a5488e4446d4cc9bd637

SHA512
6410f8aa7c447ce36fe62e575ec5ad661c2212ee7b6b9f67ce512a1280a6da23e7869062514ed1c383f3a10955b63140a3616a47d8ea8cce008e063058b6a3f2

Download Submit
C:\Windows\System\tkRIgbJ.exe

Filesize
5.2MB

MD5
4d8fe8164add433067e3e241cbc0ec97

SHA1
370a924ea7d909ee6deb620e3a1a2e27d0ca64d7

SHA256
7b8f49867a48173fe85ef991031d928b2ea8489df32668dc94e816a7026c1c6e

SHA512
6dea3a2174868d8baaace62be540f30f09e93472eb4a26d0c9d5102c4a2a49a06fe9d8284e17c67dc2c7be09de730d4b164f5486176126a3b5e5cbacfe08dbad

Download Submit
C:\Windows\System\yDAnnpv.exe

Filesize
5.2MB

MD5
c20d4198cceddc1ac108caf9c5269de4

SHA1
9c1324a01053e2f6017e621e9822d1e25a8f8546

SHA256
58674c9e5aab3598b3a74d8d3e5f2412cfcb6abec25d5f8e690c3b9ccaa49227

SHA512
ef61788e6c513df5d36bf16c611d1faf1f59d646c1e64a7b3173da8b03da95187cad6bead67a9313a354fc8462b5f0f7af4d9910fbd8fd09b3a5b1f8624c43e0

Download Submit
C:\Windows\System\yXMCHjq.exe

Filesize
5.2MB

MD5
93d94918bb4cb22800007141d4580035

SHA1
865f3d625befda63a7d6769ace20ee499936a3ce

SHA256
5ad679a4628c1a3d44131ef3dd43fbd36a9c87dc7bec9b082dd7480f76a1f299

SHA512
dc63fcc93950093d6e93b706da46de44339f4582e1903a2f9536f38a107d46a3a759cc8b50621429885e3417c31d7e20bbdc05911ae57e63da74fb3bee1afda8

Download Submit
C:\Windows\System\ybRFtdY.exe

Filesize
5.2MB

MD5
d0322ed433f6eb0678376df6569c4824

SHA1
c64bdbca983ef8c0bd1920f6da046da68ae7e3a0

SHA256
2313fc58f01cf952d78e4646cba945bfb12e001b20608230df9af0b2c608d42f

SHA512
87c5b4c2b06ae7c4eb3fc3a36424707e76abc202e347fee489162a8925de2eb9e55f473ef62f8b61cad91eecc769327c59ae72e2ba44c239b08b341934b7a00e

Download Submit
C:\Windows\System\zVtiPKh.exe

Filesize
5.2MB

MD5
ac6f650e844bc8829216799551a2f030

SHA1
dec55ed28f48c3bb736f332d91b1911b75c3aaa0

SHA256
8c3405907ec75fc4f5e26fbc94e9c94673583ee77710ef9e7c327401b1118360

SHA512
6bb94998791c3a2a01d9e19365420ed666aa63c967a83047b30910fd73203039979a34bf71f7c8ced62f5e412fccb609ab3660404355bb3ccc1df60e0d0534ff

Download Submit
memory/400-256-0x00007FF756290000-0x00007FF7565E1000-memory.dmp

Filesize
3.3MB

Download
memory/400-115-0x00007FF756290000-0x00007FF7565E1000-memory.dmp

Filesize
3.3MB

Download
memory/400-147-0x00007FF756290000-0x00007FF7565E1000-memory.dmp

Filesize
3.3MB

Download
memory/516-94-0x00007FF75D8E0000-0x00007FF75DC31000-memory.dmp

Filesize
3.3MB

Download
memory/516-247-0x00007FF75D8E0000-0x00007FF75DC31000-memory.dmp

Filesize
3.3MB

Download
memory/516-144-0x00007FF75D8E0000-0x00007FF75DC31000-memory.dmp

Filesize
3.3MB

Download
memory/668-134-0x00007FF6C20E0000-0x00007FF6C2431000-memory.dmp

Filesize
3.3MB

Download
memory/668-54-0x00007FF6C20E0000-0x00007FF6C2431000-memory.dmp

Filesize
3.3MB

Download
memory/668-225-0x00007FF6C20E0000-0x00007FF6C2431000-memory.dmp

Filesize
3.3MB

Download
memory/872-148-0x00007FF6E1F40000-0x00007FF6E2291000-memory.dmp

Filesize
3.3MB

Download
memory/872-117-0x00007FF6E1F40000-0x00007FF6E2291000-memory.dmp

Filesize
3.3MB

Download
memory/872-252-0x00007FF6E1F40000-0x00007FF6E2291000-memory.dmp

Filesize
3.3MB

Download
memory/968-230-0x00007FF75AFF0000-0x00007FF75B341000-memory.dmp

Filesize
3.3MB

Download
memory/968-138-0x00007FF75AFF0000-0x00007FF75B341000-memory.dmp

Filesize
3.3MB

Download
memory/968-57-0x00007FF75AFF0000-0x00007FF75B341000-memory.dmp

Filesize
3.3MB

Download
memory/972-145-0x00007FF7E0B40000-0x00007FF7E0E91000-memory.dmp

Filesize
3.3MB

Download
memory/972-96-0x00007FF7E0B40000-0x00007FF7E0E91000-memory.dmp

Filesize
3.3MB

Download
memory/972-248-0x00007FF7E0B40000-0x00007FF7E0E91000-memory.dmp

Filesize
3.3MB

Download
memory/1152-26-0x00007FF78E270000-0x00007FF78E5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-132-0x00007FF78E270000-0x00007FF78E5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-217-0x00007FF78E270000-0x00007FF78E5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-237-0x00007FF7DC580000-0x00007FF7DC8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-101-0x00007FF7DC580000-0x00007FF7DC8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1192-131-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1192-221-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1192-27-0x00007FF7FD650000-0x00007FF7FD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-9-0x00007FF750C00000-0x00007FF750F51000-memory.dmp

Filesize
3.3MB

Download
memory/2776-213-0x00007FF750C00000-0x00007FF750F51000-memory.dmp

Filesize
3.3MB

Download
memory/2776-129-0x00007FF750C00000-0x00007FF750F51000-memory.dmp

Filesize
3.3MB

Download
memory/2988-215-0x00007FF799030000-0x00007FF799381000-memory.dmp

Filesize
3.3MB

Download
memory/2988-20-0x00007FF799030000-0x00007FF799381000-memory.dmp

Filesize
3.3MB

Download
memory/2988-130-0x00007FF799030000-0x00007FF799381000-memory.dmp

Filesize
3.3MB

Download
memory/3000-58-0x00007FF7BEB10000-0x00007FF7BEE61000-memory.dmp

Filesize
3.3MB

Download
memory/3000-228-0x00007FF7BEB10000-0x00007FF7BEE61000-memory.dmp

Filesize
3.3MB

Download
memory/3000-140-0x00007FF7BEB10000-0x00007FF7BEE61000-memory.dmp

Filesize
3.3MB

Download
memory/3020-141-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-87-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-235-0x00007FF7C01A0000-0x00007FF7C04F1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-149-0x00007FF6F13A0000-0x00007FF6F16F1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-255-0x00007FF6F13A0000-0x00007FF6F16F1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-118-0x00007FF6F13A0000-0x00007FF6F16F1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-43-0x00007FF601D10000-0x00007FF602061000-memory.dmp

Filesize
3.3MB

Download
memory/3624-224-0x00007FF601D10000-0x00007FF602061000-memory.dmp

Filesize
3.3MB

Download
memory/3624-135-0x00007FF601D10000-0x00007FF602061000-memory.dmp

Filesize
3.3MB

Download
memory/3888-244-0x00007FF652400000-0x00007FF652751000-memory.dmp

Filesize
3.3MB

Download
memory/3888-93-0x00007FF652400000-0x00007FF652751000-memory.dmp

Filesize
3.3MB

Download
memory/4048-125-0x00007FF606380000-0x00007FF6066D1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-150-0x00007FF606380000-0x00007FF6066D1000-memory.dmp

Filesize
3.3MB

Download
memory/4048-258-0x00007FF606380000-0x00007FF6066D1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-67-0x00007FF617A70000-0x00007FF617DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-232-0x00007FF617A70000-0x00007FF617DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-136-0x00007FF617A70000-0x00007FF617DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4484-137-0x00007FF61D010000-0x00007FF61D361000-memory.dmp

Filesize
3.3MB

Download
memory/4484-128-0x00007FF61D010000-0x00007FF61D361000-memory.dmp

Filesize
3.3MB

Download
memory/4484-1-0x0000017011100000-0x0000017011110000-memory.dmp

Filesize
64KB

Download
memory/4484-0-0x00007FF61D010000-0x00007FF61D361000-memory.dmp

Filesize
3.3MB

Download
memory/4484-151-0x00007FF61D010000-0x00007FF61D361000-memory.dmp

Filesize
3.3MB

Download
memory/4572-35-0x00007FF70A100000-0x00007FF70A451000-memory.dmp

Filesize
3.3MB

Download
memory/4572-219-0x00007FF70A100000-0x00007FF70A451000-memory.dmp

Filesize
3.3MB

Download
memory/4572-133-0x00007FF70A100000-0x00007FF70A451000-memory.dmp

Filesize
3.3MB

Download
memory/4624-102-0x00007FF7FAEA0000-0x00007FF7FB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-146-0x00007FF7FAEA0000-0x00007FF7FB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-250-0x00007FF7FAEA0000-0x00007FF7FB1F1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-233-0x00007FF6CD5A0000-0x00007FF6CD8F1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-68-0x00007FF6CD5A0000-0x00007FF6CD8F1000-memory.dmp

Filesize
3.3MB

Download