cobaltstrike | acbd2553e6314dcf335f70360905998be592d211e68c79dfc58790a262950e6c

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

70c0fcc3e6b9e7776053dd8629df4819
SHA1

29b0d5ea141435a957bb6b0fb4c754a46467feaa
SHA256

acbd2553e6314dcf335f70360905998be592d211e68c79dfc58790a262950e6c
SHA512

308fb13e1ba392e59e37a695c08ab0dae1651b07861140ee9fc7c73a7d96f4140f1abbf87f64bc4e30a0902b1a8a8d66e4f9a11003b4b267516e3a8e3b135937
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234c0-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-8.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-21.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-28.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234c1-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-48.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022ab2-53.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001e557-58.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001e559-67.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022ab4-74.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002341f-80.dat	cobalt_reflective_dll
behavioral2/files/0x000d00000001e4f6-87.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001e55b-108.dat	cobalt_reflective_dll
behavioral2/files/0x000800000001e55d-113.dat	cobalt_reflective_dll
behavioral2/files/0x000900000001e561-131.dat	cobalt_reflective_dll
behavioral2/files/0x000900000001e585-133.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001e55f-129.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001e554-106.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001e550-97.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4140-14-0x00007FF749D30000-0x00007FF74A081000-memory.dmp	xmrig
behavioral2/memory/996-68-0x00007FF69B4F0000-0x00007FF69B841000-memory.dmp	xmrig
behavioral2/memory/4764-69-0x00007FF739140000-0x00007FF739491000-memory.dmp	xmrig
behavioral2/memory/3708-63-0x00007FF62A010000-0x00007FF62A361000-memory.dmp	xmrig
behavioral2/memory/5072-60-0x00007FF6774E0000-0x00007FF677831000-memory.dmp	xmrig
behavioral2/memory/1368-81-0x00007FF759C60000-0x00007FF759FB1000-memory.dmp	xmrig
behavioral2/memory/5032-77-0x00007FF74A480000-0x00007FF74A7D1000-memory.dmp	xmrig
behavioral2/memory/5052-95-0x00007FF69F8F0000-0x00007FF69FC41000-memory.dmp	xmrig
behavioral2/memory/2340-103-0x00007FF6FBB80000-0x00007FF6FBED1000-memory.dmp	xmrig
behavioral2/memory/4996-126-0x00007FF60B760000-0x00007FF60BAB1000-memory.dmp	xmrig
behavioral2/memory/2900-127-0x00007FF65FA90000-0x00007FF65FDE1000-memory.dmp	xmrig
behavioral2/memory/1048-102-0x00007FF689B10000-0x00007FF689E61000-memory.dmp	xmrig
behavioral2/memory/1436-93-0x00007FF65F180000-0x00007FF65F4D1000-memory.dmp	xmrig
behavioral2/memory/5072-136-0x00007FF6774E0000-0x00007FF677831000-memory.dmp	xmrig
behavioral2/memory/4600-137-0x00007FF747B20000-0x00007FF747E71000-memory.dmp	xmrig
behavioral2/memory/1060-141-0x00007FF71E320000-0x00007FF71E671000-memory.dmp	xmrig
behavioral2/memory/4104-144-0x00007FF7CCA80000-0x00007FF7CCDD1000-memory.dmp	xmrig
behavioral2/memory/4320-153-0x00007FF7DB770000-0x00007FF7DBAC1000-memory.dmp	xmrig
behavioral2/memory/3936-155-0x00007FF6477A0000-0x00007FF647AF1000-memory.dmp	xmrig
behavioral2/memory/4756-159-0x00007FF689C30000-0x00007FF689F81000-memory.dmp	xmrig
behavioral2/memory/3760-160-0x00007FF7A7B00000-0x00007FF7A7E51000-memory.dmp	xmrig
behavioral2/memory/3272-157-0x00007FF661EE0000-0x00007FF662231000-memory.dmp	xmrig
behavioral2/memory/2688-156-0x00007FF744530000-0x00007FF744881000-memory.dmp	xmrig
behavioral2/memory/5072-162-0x00007FF6774E0000-0x00007FF677831000-memory.dmp	xmrig
behavioral2/memory/3708-213-0x00007FF62A010000-0x00007FF62A361000-memory.dmp	xmrig
behavioral2/memory/4140-215-0x00007FF749D30000-0x00007FF74A081000-memory.dmp	xmrig
behavioral2/memory/5032-217-0x00007FF74A480000-0x00007FF74A7D1000-memory.dmp	xmrig
behavioral2/memory/1368-219-0x00007FF759C60000-0x00007FF759FB1000-memory.dmp	xmrig
behavioral2/memory/1436-224-0x00007FF65F180000-0x00007FF65F4D1000-memory.dmp	xmrig
behavioral2/memory/5052-226-0x00007FF69F8F0000-0x00007FF69FC41000-memory.dmp	xmrig
behavioral2/memory/1048-228-0x00007FF689B10000-0x00007FF689E61000-memory.dmp	xmrig
behavioral2/memory/2340-235-0x00007FF6FBB80000-0x00007FF6FBED1000-memory.dmp	xmrig
behavioral2/memory/996-237-0x00007FF69B4F0000-0x00007FF69B841000-memory.dmp	xmrig
behavioral2/memory/4764-239-0x00007FF739140000-0x00007FF739491000-memory.dmp	xmrig
behavioral2/memory/4996-241-0x00007FF60B760000-0x00007FF60BAB1000-memory.dmp	xmrig
behavioral2/memory/4600-243-0x00007FF747B20000-0x00007FF747E71000-memory.dmp	xmrig
behavioral2/memory/4104-247-0x00007FF7CCA80000-0x00007FF7CCDD1000-memory.dmp	xmrig
behavioral2/memory/4320-249-0x00007FF7DB770000-0x00007FF7DBAC1000-memory.dmp	xmrig
behavioral2/memory/3936-256-0x00007FF6477A0000-0x00007FF647AF1000-memory.dmp	xmrig
behavioral2/memory/2688-258-0x00007FF744530000-0x00007FF744881000-memory.dmp	xmrig
behavioral2/memory/2900-261-0x00007FF65FA90000-0x00007FF65FDE1000-memory.dmp	xmrig
behavioral2/memory/3272-263-0x00007FF661EE0000-0x00007FF662231000-memory.dmp	xmrig
behavioral2/memory/4756-266-0x00007FF689C30000-0x00007FF689F81000-memory.dmp	xmrig
behavioral2/memory/3760-267-0x00007FF7A7B00000-0x00007FF7A7E51000-memory.dmp	xmrig
behavioral2/memory/1060-269-0x00007FF71E320000-0x00007FF71E671000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3708	NhbHjnZ.exe
4140	UmViAUF.exe
5032	UxZkpYz.exe
1368	ggqBKII.exe
1436	wOXErWF.exe
5052	bmIasnr.exe
1048	SXDcSKe.exe
2340	ZDwYtyn.exe
996	VSIQDeb.exe
4764	hBTRuPn.exe
4996	EmrLwel.exe
4600	qzFSbzt.exe
4104	mYBlXgR.exe
4320	QQXgyZM.exe
3936	KFxjNWX.exe
2688	NIgfkcW.exe
3272	EXyQhTJ.exe
2900	MsJfUqy.exe
4756	BEQIWrI.exe
3760	VIcDtNK.exe
1060	EwVyzWQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5072-0-0x00007FF6774E0000-0x00007FF677831000-memory.dmp	upx
behavioral2/files/0x00080000000234c0-6.dat	upx
behavioral2/files/0x00070000000234c4-10.dat	upx
behavioral2/memory/3708-12-0x00007FF62A010000-0x00007FF62A361000-memory.dmp	upx
behavioral2/memory/4140-14-0x00007FF749D30000-0x00007FF74A081000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-8.dat	upx
behavioral2/files/0x00070000000234c6-21.dat	upx
behavioral2/memory/5032-19-0x00007FF74A480000-0x00007FF74A7D1000-memory.dmp	upx
behavioral2/memory/1368-24-0x00007FF759C60000-0x00007FF759FB1000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-28.dat	upx
behavioral2/files/0x00080000000234c1-34.dat	upx
behavioral2/memory/5052-40-0x00007FF69F8F0000-0x00007FF69FC41000-memory.dmp	upx
behavioral2/memory/1048-42-0x00007FF689B10000-0x00007FF689E61000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-43.dat	upx
behavioral2/memory/1436-32-0x00007FF65F180000-0x00007FF65F4D1000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-48.dat	upx
behavioral2/memory/2340-49-0x00007FF6FBB80000-0x00007FF6FBED1000-memory.dmp	upx
behavioral2/files/0x0002000000022ab2-53.dat	upx
behavioral2/files/0x000600000001e557-58.dat	upx
behavioral2/files/0x000500000001e559-67.dat	upx
behavioral2/memory/996-68-0x00007FF69B4F0000-0x00007FF69B841000-memory.dmp	upx
behavioral2/memory/4764-69-0x00007FF739140000-0x00007FF739491000-memory.dmp	upx
behavioral2/memory/4600-75-0x00007FF747B20000-0x00007FF747E71000-memory.dmp	upx
behavioral2/files/0x0002000000022ab4-74.dat	upx
behavioral2/memory/4996-71-0x00007FF60B760000-0x00007FF60BAB1000-memory.dmp	upx
behavioral2/memory/3708-63-0x00007FF62A010000-0x00007FF62A361000-memory.dmp	upx
behavioral2/memory/5072-60-0x00007FF6774E0000-0x00007FF677831000-memory.dmp	upx
behavioral2/files/0x000900000002341f-80.dat	upx
behavioral2/memory/1368-81-0x00007FF759C60000-0x00007FF759FB1000-memory.dmp	upx
behavioral2/memory/5032-77-0x00007FF74A480000-0x00007FF74A7D1000-memory.dmp	upx
behavioral2/memory/4104-82-0x00007FF7CCA80000-0x00007FF7CCDD1000-memory.dmp	upx
behavioral2/files/0x000d00000001e4f6-87.dat	upx
behavioral2/memory/4320-88-0x00007FF7DB770000-0x00007FF7DBAC1000-memory.dmp	upx
behavioral2/memory/5052-95-0x00007FF69F8F0000-0x00007FF69FC41000-memory.dmp	upx
behavioral2/memory/3936-96-0x00007FF6477A0000-0x00007FF647AF1000-memory.dmp	upx
behavioral2/memory/2340-103-0x00007FF6FBB80000-0x00007FF6FBED1000-memory.dmp	upx
behavioral2/files/0x000600000001e55b-108.dat	upx
behavioral2/files/0x000800000001e55d-113.dat	upx
behavioral2/memory/3760-124-0x00007FF7A7B00000-0x00007FF7A7E51000-memory.dmp	upx
behavioral2/memory/4996-126-0x00007FF60B760000-0x00007FF60BAB1000-memory.dmp	upx
behavioral2/files/0x000900000001e561-131.dat	upx
behavioral2/files/0x000900000001e585-133.dat	upx
behavioral2/files/0x000500000001e55f-129.dat	upx
behavioral2/memory/2900-127-0x00007FF65FA90000-0x00007FF65FDE1000-memory.dmp	upx
behavioral2/memory/3272-121-0x00007FF661EE0000-0x00007FF662231000-memory.dmp	upx
behavioral2/memory/2688-107-0x00007FF744530000-0x00007FF744881000-memory.dmp	upx
behavioral2/files/0x000500000001e554-106.dat	upx
behavioral2/memory/1048-102-0x00007FF689B10000-0x00007FF689E61000-memory.dmp	upx
behavioral2/files/0x000600000001e550-97.dat	upx
behavioral2/memory/1436-93-0x00007FF65F180000-0x00007FF65F4D1000-memory.dmp	upx
behavioral2/memory/4756-135-0x00007FF689C30000-0x00007FF689F81000-memory.dmp	upx
behavioral2/memory/5072-136-0x00007FF6774E0000-0x00007FF677831000-memory.dmp	upx
behavioral2/memory/4600-137-0x00007FF747B20000-0x00007FF747E71000-memory.dmp	upx
behavioral2/memory/1060-141-0x00007FF71E320000-0x00007FF71E671000-memory.dmp	upx
behavioral2/memory/4104-144-0x00007FF7CCA80000-0x00007FF7CCDD1000-memory.dmp	upx
behavioral2/memory/4320-153-0x00007FF7DB770000-0x00007FF7DBAC1000-memory.dmp	upx
behavioral2/memory/3936-155-0x00007FF6477A0000-0x00007FF647AF1000-memory.dmp	upx
behavioral2/memory/4756-159-0x00007FF689C30000-0x00007FF689F81000-memory.dmp	upx
behavioral2/memory/3760-160-0x00007FF7A7B00000-0x00007FF7A7E51000-memory.dmp	upx
behavioral2/memory/3272-157-0x00007FF661EE0000-0x00007FF662231000-memory.dmp	upx
behavioral2/memory/2688-156-0x00007FF744530000-0x00007FF744881000-memory.dmp	upx
behavioral2/memory/5072-162-0x00007FF6774E0000-0x00007FF677831000-memory.dmp	upx
behavioral2/memory/3708-213-0x00007FF62A010000-0x00007FF62A361000-memory.dmp	upx
behavioral2/memory/4140-215-0x00007FF749D30000-0x00007FF74A081000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZDwYtyn.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hBTRuPn.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QQXgyZM.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFxjNWX.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VIcDtNK.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UxZkpYz.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ggqBKII.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYBlXgR.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MsJfUqy.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wOXErWF.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VSIQDeb.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NIgfkcW.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BEQIWrI.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NhbHjnZ.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UmViAUF.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EmrLwel.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qzFSbzt.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EXyQhTJ.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EwVyzWQ.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bmIasnr.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SXDcSKe.exe	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3708	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5072 wrote to memory of 3708	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5072 wrote to memory of 4140	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5072 wrote to memory of 4140	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5072 wrote to memory of 5032	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5072 wrote to memory of 5032	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5072 wrote to memory of 1368	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5072 wrote to memory of 1368	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5072 wrote to memory of 1436	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5072 wrote to memory of 1436	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5072 wrote to memory of 5052	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5072 wrote to memory of 5052	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5072 wrote to memory of 1048	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5072 wrote to memory of 1048	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5072 wrote to memory of 2340	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5072 wrote to memory of 2340	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5072 wrote to memory of 996	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5072 wrote to memory of 996	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5072 wrote to memory of 4764	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5072 wrote to memory of 4764	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5072 wrote to memory of 4996	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5072 wrote to memory of 4996	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5072 wrote to memory of 4600	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5072 wrote to memory of 4600	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5072 wrote to memory of 4104	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5072 wrote to memory of 4104	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5072 wrote to memory of 4320	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5072 wrote to memory of 4320	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5072 wrote to memory of 3936	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5072 wrote to memory of 3936	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5072 wrote to memory of 2688	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 5072 wrote to memory of 2688	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 5072 wrote to memory of 3272	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 5072 wrote to memory of 3272	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 5072 wrote to memory of 2900	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 5072 wrote to memory of 2900	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 5072 wrote to memory of 4756	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 5072 wrote to memory of 4756	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 5072 wrote to memory of 3760	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 5072 wrote to memory of 3760	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 5072 wrote to memory of 1060	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 5072 wrote to memory of 1060	5072	2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_70c0fcc3e6b9e7776053dd8629df4819_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\System\NhbHjnZ.exe
  C:\Windows\System\NhbHjnZ.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\UmViAUF.exe
  C:\Windows\System\UmViAUF.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\UxZkpYz.exe
  C:\Windows\System\UxZkpYz.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\ggqBKII.exe
  C:\Windows\System\ggqBKII.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\wOXErWF.exe
  C:\Windows\System\wOXErWF.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\bmIasnr.exe
  C:\Windows\System\bmIasnr.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\SXDcSKe.exe
  C:\Windows\System\SXDcSKe.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\ZDwYtyn.exe
  C:\Windows\System\ZDwYtyn.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\VSIQDeb.exe
  C:\Windows\System\VSIQDeb.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\hBTRuPn.exe
  C:\Windows\System\hBTRuPn.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\EmrLwel.exe
  C:\Windows\System\EmrLwel.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\qzFSbzt.exe
  C:\Windows\System\qzFSbzt.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\mYBlXgR.exe
  C:\Windows\System\mYBlXgR.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\QQXgyZM.exe
  C:\Windows\System\QQXgyZM.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\KFxjNWX.exe
  C:\Windows\System\KFxjNWX.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\NIgfkcW.exe
  C:\Windows\System\NIgfkcW.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\EXyQhTJ.exe
  C:\Windows\System\EXyQhTJ.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\MsJfUqy.exe
  C:\Windows\System\MsJfUqy.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\BEQIWrI.exe
  C:\Windows\System\BEQIWrI.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\VIcDtNK.exe
  C:\Windows\System\VIcDtNK.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\EwVyzWQ.exe
  C:\Windows\System\EwVyzWQ.exe
  2⤵
  - Executes dropped EXE
  PID:1060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BEQIWrI.exe

Filesize
5.2MB

MD5
5ff7ed89a8350856cee67cbcba20414d

SHA1
54eb41f9ac35c6a14b7c6a79dbb890f008cd2334

SHA256
dadef51d9282d048257b1d5ad455175051fe845db5237783a4903d10d5585281

SHA512
d609030f002fc6b5233ba5a3ce8fb9acad07671d14c035ee840558c46c8718821e51ef3bf310c25a8a5e939dc8227f34231e41d794686323e04a500882f6e090

Download Submit
C:\Windows\System\EXyQhTJ.exe

Filesize
5.2MB

MD5
c2c301a5fc3b1f89b6f333fbc7c6a664

SHA1
6e5b8ef86afe09598da17d36151ee4d06ce5b5fc

SHA256
3bf943e54434434beb7f8a59f9d9c2f62338de9b43d786c61041e36325d8b66a

SHA512
af7786f51b35d8eadcb5730ccbcb242fe5cecdc9286fe354453b290d36597f865315d2172dfaa935f690740e6705afa90498a872518781577230ad3ed1616a0d

Download Submit
C:\Windows\System\EmrLwel.exe

Filesize
5.2MB

MD5
0a0656a4e1a114887d0de11928dbc610

SHA1
7891b9908e6214fcadf662deaad2a7588067708c

SHA256
5ea73f697fbbe7cb5147133fba9c923aa98c2fc83da4a85ef2c14eb1afccb644

SHA512
80067c12391afc15c143783ac395f2e61a5f82c9d8bd65e0260477a91a899553042618eda42836fea737a3ed68b12396a0b6c4e93538f873265c860aeff4b578

Download Submit
C:\Windows\System\EwVyzWQ.exe

Filesize
5.2MB

MD5
04102140fdac6d7d2b49f9fa3d5824bd

SHA1
56fc055b39b5ce3ff067ab088644ac7c9778ac11

SHA256
3d9bb231d4553611192d64923a539444be23d0f9a964dc13a9911cf9c12716c6

SHA512
3da96040fe5718c77ad367b479ca560a2c389d37a47f41c6d2c136ca583dcadf334802e2f26b0e161a9be0aea9caea71c11ee478eb5e77b6cd5adb9d0a5cd197

Download Submit
C:\Windows\System\KFxjNWX.exe

Filesize
5.2MB

MD5
29b25d66ff7e60a4586516cade2c8e4b

SHA1
44ee04c34a4cd850418d7ebc2429c266a678d591

SHA256
c7b028a29282f2db3724ece94866dbc79eca9e141af3a982a10eee277118f8c4

SHA512
3964ff217f67620a6d446f4edfa6ab1837b9e941d065e772944982064e1afdb1441fc432519005b395c115f2318d132386481cd53107e83a35797b9307b0a613

Download Submit
C:\Windows\System\MsJfUqy.exe

Filesize
5.2MB

MD5
2b43f1bae5424a79dcd52d5e3b252840

SHA1
2c57b6ee7becf9de6be293e4b8f99b652f320ab5

SHA256
675ed57aa20678bc08d0f4e46a49a62176b64de4e95b8c6a60dac5df5d7c272f

SHA512
d0060977d6fc55713ce2bdf08f2c9d6076783864d3097590024ad40597f8c7aecc6989f89577cd0b386f2b9ab378252d79ddcc1ead559f1d2df19ec979664899

Download Submit
C:\Windows\System\NIgfkcW.exe

Filesize
5.2MB

MD5
61af32b69d7962e561cf9597f0c8e176

SHA1
21b4fb1594ebf436c49849844d490a06b31a4baf

SHA256
1e09c7740646fe566ef495e44af6e0ee18b2299f62f440f9953ae8d12ef517d4

SHA512
23a034206e612225fd8538117ccde5b9115786d2a44afdb0251832090ce226a9f159d00caf479841a6526bcdccb3f0892cd311d67400ae82f6e2951aa500cd61

Download Submit
C:\Windows\System\NhbHjnZ.exe

Filesize
5.2MB

MD5
4a39d086b4a39d1f7c3d76645e9ee75e

SHA1
cb15f148527a8eef0d42f08281b4f416715e2cb9

SHA256
e8e1233900c9b748bd2c68cad24ed6aece043e1fb61f229703d2fe37046dd36c

SHA512
1b0b2d248499c96c9fc9d060ce385d431a4eb7912384e9479ec791b81c34b4e06fa057c32f2f1b34d13722b57c41709793d1ac2dfaabc7214e884b0b770ca877

Download Submit
C:\Windows\System\QQXgyZM.exe

Filesize
5.2MB

MD5
fe1d5d3ace78578d6378fb03c5190c67

SHA1
30972279fedebb5fe1c0af0205bf0c6080c7199a

SHA256
6398d727f05e76ed83a91fc7a323f6ed9d4c66d5d7b274a6ae0d1a01802f1fd4

SHA512
c7f07689498f590ee9c5ddce3debf5d0a2d4e057f55aa9a0c091c1197cf59e0993fd7d2298761b70b3f6710696d205d6aaa1494f0de8eb32d7756961c063491c

Download Submit
C:\Windows\System\SXDcSKe.exe

Filesize
5.2MB

MD5
da449fb13547ac3d3ec4edc5a4bb4185

SHA1
a0994e5db3806e6540471204dcdaabf427b455d0

SHA256
0db2fd9a8aace14eabc1c0a79e64e6242058dff0968dc0c1e542752ac2d5dc95

SHA512
1dd50e26a8a5ec86b5fa66951e8c72d0a521d97825cd153fddcda38b6c23fab82ab2ade9c8d277a0da513bbe4ec2192ce767a175d21723b95fd1abde3da4acd0

Download Submit
C:\Windows\System\UmViAUF.exe

Filesize
5.2MB

MD5
6f197a959ff7d0807f2c23888cb38a38

SHA1
e7e6f9849f3a0485dc02a558b9ff79d7dbf1b31e

SHA256
8e8d9c21684f82f2cab68edfb437ef639883134fb7d7e60c758df800cdec2114

SHA512
e4adbc081032f7bf0ca8df62ec1e091225c002525dcb5fc625706163c4c621c3ed01ce23c78f6c13b878c6466ae9a16e347f79951b94b31895c6c3ee703dc21c

Download Submit
C:\Windows\System\UxZkpYz.exe

Filesize
5.2MB

MD5
4fd825f9351193718fb2e4dcd825c8c6

SHA1
4cc1355cd01fb00e0d0526aa6c733e410ba9b594

SHA256
831822689e0e1900bc52294763eec86dc18cad3d7037dbe2da7b7be3fd0e7bf1

SHA512
753d3404ade714a8fd6b52c69677c3999c3a9a9c05dfe41ed6976d3c72484fb140bcd1f5b1ba1933ad1153e6b409ffef59b44627412b12b48c299a2c7705bd1d

Download Submit
C:\Windows\System\VIcDtNK.exe

Filesize
5.2MB

MD5
b40730e22676e9d548035d7cf89be5fe

SHA1
f59978b196ec7ca5ea1b97fdf54b5d685e18f586

SHA256
09cbfe5a1a37ea2720727523e57396a49129eea5ae1b48dc4d0b1dc5cc6bfdd6

SHA512
9e9c4f4f337255d402d123cbb6ca38adb7c03bf2563338b2811cfcb106b8cb6e0619b71072345e6a0e0870cd5f32e338c19a707998d4b539d160199d838aa2d6

Download Submit
C:\Windows\System\VSIQDeb.exe

Filesize
5.2MB

MD5
cb0b9d1d00c86582eddc65533eed0569

SHA1
0ecd60ced89793c57d10e8ef1249bcf6cf8ed2cd

SHA256
2b521d25937d1ac9f62b1de3e24b83b7b3aebb596fa51cc40aa0f14590b72ef7

SHA512
1560e20cac96c2f031592a47dddf6c6e65ea4041971252135fca4ea944bd066f9221a334b22cacf90b6cae874e6b93bd9a98eb64a0ea014b2bb49c5b355f727d

Download Submit
C:\Windows\System\ZDwYtyn.exe

Filesize
5.2MB

MD5
f341ea7a07140623ca0147623cdd2022

SHA1
1c3cf65c99a8288b08f40289020a6b8c072dc372

SHA256
87066e5a9beb98ba5e7e60437239c563ea8c314a19de18c4d7ef54486a49fdad

SHA512
259104f628f9174bf33d3fba288d870c5dfebfa70ec916ca1088082ff98124613c49cda25613e8c97b0f82435a40f05f2febc0b5f7e8f4a96da8f3f45466c9ea

Download Submit
C:\Windows\System\bmIasnr.exe

Filesize
5.2MB

MD5
cb27e8d79a3db0a35daa9c4dd7d077d9

SHA1
5707adcb1131242bc13114f3e5552ca65dad4462

SHA256
a30a062efc165ff07b1d581adcd3f3d83cf65f9d55292e864fd2d9f9c91f3762

SHA512
985d3ddc33b8945e5759c3eb7390e0a4b8e3638e4093017e33b5b15065a6fca2bc3df4608ac4f1dd46274d1076df0b1fed25ef8fa97303973fc3f0884f57df4d

Download Submit
C:\Windows\System\ggqBKII.exe

Filesize
5.2MB

MD5
847822a9347ea6dcaaf5fb0705a6aec5

SHA1
a94de215b39170bc15060a87cddca04224a19249

SHA256
c5f5653cd7da731d161a11b765edaaefa1090eb6aa7f7dcf97ebfe90a819a927

SHA512
e7e39d2680448ebec58f2d3cc762a1fc7f80343e7927721dbc162e51d7d5fb7e7aabed5193d9dd6fc2c7fd93dd262c1c67e109132c4da200b67b1a025cdc4c61

Download Submit
C:\Windows\System\hBTRuPn.exe

Filesize
5.2MB

MD5
d57b9d5fc9c0412bdf3634a0fe5a34b7

SHA1
40eb55d0b3cd5c4b57e99818e65c41a5b68a1490

SHA256
c37057427298fd7dbdbd6e683c98b7bb3a4677c811e9865b383f30b3c7708bb4

SHA512
fa1c6ab1c4164f775176a95780ebb6705643b1f81af30d51fc52ed6b45d0dc05cbc5bcb566451900350e58f873e2ecdf734b707492ac3b9ae9ab4dd0e3c5fd5d

Download Submit
C:\Windows\System\mYBlXgR.exe

Filesize
5.2MB

MD5
5fdc3f3c0ea975f861ffffa68ad91ae9

SHA1
39826ac7f869b7e812033de291ec5e20cd3c41ac

SHA256
c1b8907e2d2368dbdf179eb21ca8a005d3371267729e935be9a428bdf8f1d51d

SHA512
fdf07af6499f60479fbff8d939a1e12175af280739b45d62b89a86402653346713b4cd0938ab465df9aa1bacd73ee41e51f0e99f9f1eb7deb02c33c133f4a50c

Download Submit
C:\Windows\System\qzFSbzt.exe

Filesize
5.2MB

MD5
77e767869b471e7e6a25270a806ea60f

SHA1
255dd611c226dcaab5c68c688b1053507771a4a1

SHA256
7b2f5149149b40e9655b8329161dcbad859495450fdd3c5c6fd2b01fe83c20d8

SHA512
4eddb9ad256f3a8ac35994f6b548bf4c7d6534c48f213f8edc26ef2062608a4d3f4aa3732c62d2f8af2b63600bcc789a6989d1dad6bbafafa48f8b141573869a

Download Submit
C:\Windows\System\wOXErWF.exe

Filesize
5.2MB

MD5
92d4a31bae0b76ae14e6224756cc09b2

SHA1
321366fc0eabdf9edccb7c104bbd1f9507568cd3

SHA256
2e0f5573cc2f7d05029a8e522dc2c2dc1b2ed958ac6cd5b99c020eb13e537002

SHA512
0ed3909fda653dad401bdde8a14108209f03009d4021b9f4c346d3da9fbcf5f588d00fa0e75248e8bbe789f37a0082c14bc8e8a399c30e04d543daa0f87d11e0

Download Submit
memory/996-68-0x00007FF69B4F0000-0x00007FF69B841000-memory.dmp

Filesize
3.3MB

Download
memory/996-237-0x00007FF69B4F0000-0x00007FF69B841000-memory.dmp

Filesize
3.3MB

Download
memory/1048-42-0x00007FF689B10000-0x00007FF689E61000-memory.dmp

Filesize
3.3MB

Download
memory/1048-228-0x00007FF689B10000-0x00007FF689E61000-memory.dmp

Filesize
3.3MB

Download
memory/1048-102-0x00007FF689B10000-0x00007FF689E61000-memory.dmp

Filesize
3.3MB

Download
memory/1060-269-0x00007FF71E320000-0x00007FF71E671000-memory.dmp

Filesize
3.3MB

Download
memory/1060-141-0x00007FF71E320000-0x00007FF71E671000-memory.dmp

Filesize
3.3MB

Download
memory/1368-219-0x00007FF759C60000-0x00007FF759FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-81-0x00007FF759C60000-0x00007FF759FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-24-0x00007FF759C60000-0x00007FF759FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-224-0x00007FF65F180000-0x00007FF65F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-93-0x00007FF65F180000-0x00007FF65F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-32-0x00007FF65F180000-0x00007FF65F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-103-0x00007FF6FBB80000-0x00007FF6FBED1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-49-0x00007FF6FBB80000-0x00007FF6FBED1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-235-0x00007FF6FBB80000-0x00007FF6FBED1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-156-0x00007FF744530000-0x00007FF744881000-memory.dmp

Filesize
3.3MB

Download
memory/2688-107-0x00007FF744530000-0x00007FF744881000-memory.dmp

Filesize
3.3MB

Download
memory/2688-258-0x00007FF744530000-0x00007FF744881000-memory.dmp

Filesize
3.3MB

Download
memory/2900-127-0x00007FF65FA90000-0x00007FF65FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-261-0x00007FF65FA90000-0x00007FF65FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-157-0x00007FF661EE0000-0x00007FF662231000-memory.dmp

Filesize
3.3MB

Download
memory/3272-121-0x00007FF661EE0000-0x00007FF662231000-memory.dmp

Filesize
3.3MB

Download
memory/3272-263-0x00007FF661EE0000-0x00007FF662231000-memory.dmp

Filesize
3.3MB

Download
memory/3708-213-0x00007FF62A010000-0x00007FF62A361000-memory.dmp

Filesize
3.3MB

Download
memory/3708-63-0x00007FF62A010000-0x00007FF62A361000-memory.dmp

Filesize
3.3MB

Download
memory/3708-12-0x00007FF62A010000-0x00007FF62A361000-memory.dmp

Filesize
3.3MB

Download
memory/3760-160-0x00007FF7A7B00000-0x00007FF7A7E51000-memory.dmp

Filesize
3.3MB

Download
memory/3760-124-0x00007FF7A7B00000-0x00007FF7A7E51000-memory.dmp

Filesize
3.3MB

Download
memory/3760-267-0x00007FF7A7B00000-0x00007FF7A7E51000-memory.dmp

Filesize
3.3MB

Download
memory/3936-256-0x00007FF6477A0000-0x00007FF647AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-96-0x00007FF6477A0000-0x00007FF647AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-155-0x00007FF6477A0000-0x00007FF647AF1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-82-0x00007FF7CCA80000-0x00007FF7CCDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-144-0x00007FF7CCA80000-0x00007FF7CCDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-247-0x00007FF7CCA80000-0x00007FF7CCDD1000-memory.dmp

Filesize
3.3MB

Download
memory/4140-14-0x00007FF749D30000-0x00007FF74A081000-memory.dmp

Filesize
3.3MB

Download
memory/4140-215-0x00007FF749D30000-0x00007FF74A081000-memory.dmp

Filesize
3.3MB

Download
memory/4320-153-0x00007FF7DB770000-0x00007FF7DBAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4320-249-0x00007FF7DB770000-0x00007FF7DBAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4320-88-0x00007FF7DB770000-0x00007FF7DBAC1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-75-0x00007FF747B20000-0x00007FF747E71000-memory.dmp

Filesize
3.3MB

Download
memory/4600-137-0x00007FF747B20000-0x00007FF747E71000-memory.dmp

Filesize
3.3MB

Download
memory/4600-243-0x00007FF747B20000-0x00007FF747E71000-memory.dmp

Filesize
3.3MB

Download
memory/4756-159-0x00007FF689C30000-0x00007FF689F81000-memory.dmp

Filesize
3.3MB

Download
memory/4756-266-0x00007FF689C30000-0x00007FF689F81000-memory.dmp

Filesize
3.3MB

Download
memory/4756-135-0x00007FF689C30000-0x00007FF689F81000-memory.dmp

Filesize
3.3MB

Download
memory/4764-69-0x00007FF739140000-0x00007FF739491000-memory.dmp

Filesize
3.3MB

Download
memory/4764-239-0x00007FF739140000-0x00007FF739491000-memory.dmp

Filesize
3.3MB

Download
memory/4996-241-0x00007FF60B760000-0x00007FF60BAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-71-0x00007FF60B760000-0x00007FF60BAB1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-126-0x00007FF60B760000-0x00007FF60BAB1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-217-0x00007FF74A480000-0x00007FF74A7D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-77-0x00007FF74A480000-0x00007FF74A7D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-19-0x00007FF74A480000-0x00007FF74A7D1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-226-0x00007FF69F8F0000-0x00007FF69FC41000-memory.dmp

Filesize
3.3MB

Download
memory/5052-40-0x00007FF69F8F0000-0x00007FF69FC41000-memory.dmp

Filesize
3.3MB

Download
memory/5052-95-0x00007FF69F8F0000-0x00007FF69FC41000-memory.dmp

Filesize
3.3MB

Download
memory/5072-60-0x00007FF6774E0000-0x00007FF677831000-memory.dmp

Filesize
3.3MB

Download
memory/5072-162-0x00007FF6774E0000-0x00007FF677831000-memory.dmp

Filesize
3.3MB

Download
memory/5072-0-0x00007FF6774E0000-0x00007FF677831000-memory.dmp

Filesize
3.3MB

Download
memory/5072-136-0x00007FF6774E0000-0x00007FF677831000-memory.dmp

Filesize
3.3MB

Download
memory/5072-1-0x0000024068C10000-0x0000024068C20000-memory.dmp

Filesize
64KB

Download