cobaltstrike | e6ea8c95a3cafebbd4066c0c901401bae7f9df558ffee9ce3e793e618d59bfd0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d045adebce54b55b783c2bf616f6ad20
SHA1

db4df8f67b7f592aac6c6ffed15e5164468f53b2
SHA256

e6ea8c95a3cafebbd4066c0c901401bae7f9df558ffee9ce3e793e618d59bfd0
SHA512

8a540628418b67d4e16d7464d966b7df739118c85d35f2d6876f6986a02383d7d3b5ef5a436ae7bf4b7eca74160f72b3e7904d84888348059252330fe6871699
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lUl

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000235d1-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d6-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d5-15.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000235d2-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d7-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235da-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235db-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235dc-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235dd-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235de-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d9-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d8-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e1-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e4-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e2-108.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e6-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e7-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e8-140.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e5-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e3-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235df-90.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/568-55-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	xmrig
behavioral2/memory/2868-64-0x00007FF7DE1F0000-0x00007FF7DE541000-memory.dmp	xmrig
behavioral2/memory/4204-63-0x00007FF632610000-0x00007FF632961000-memory.dmp	xmrig
behavioral2/memory/1972-80-0x00007FF78BA80000-0x00007FF78BDD1000-memory.dmp	xmrig
behavioral2/memory/2568-89-0x00007FF617D80000-0x00007FF6180D1000-memory.dmp	xmrig
behavioral2/memory/944-95-0x00007FF6D8A80000-0x00007FF6D8DD1000-memory.dmp	xmrig
behavioral2/memory/400-101-0x00007FF750420000-0x00007FF750771000-memory.dmp	xmrig
behavioral2/memory/4180-129-0x00007FF610BA0000-0x00007FF610EF1000-memory.dmp	xmrig
behavioral2/memory/3212-138-0x00007FF7DA840000-0x00007FF7DAB91000-memory.dmp	xmrig
behavioral2/memory/1304-122-0x00007FF6F2B00000-0x00007FF6F2E51000-memory.dmp	xmrig
behavioral2/memory/1156-118-0x00007FF632F40000-0x00007FF633291000-memory.dmp	xmrig
behavioral2/memory/1956-114-0x00007FF786D30000-0x00007FF787081000-memory.dmp	xmrig
behavioral2/memory/4676-153-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	xmrig
behavioral2/memory/1740-151-0x00007FF78E4F0000-0x00007FF78E841000-memory.dmp	xmrig
behavioral2/memory/2992-152-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	xmrig
behavioral2/memory/1968-159-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp	xmrig
behavioral2/memory/3448-162-0x00007FF601D20000-0x00007FF602071000-memory.dmp	xmrig
behavioral2/memory/1900-163-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp	xmrig
behavioral2/memory/4904-161-0x00007FF7AFE60000-0x00007FF7B01B1000-memory.dmp	xmrig
behavioral2/memory/1980-160-0x00007FF6907B0000-0x00007FF690B01000-memory.dmp	xmrig
behavioral2/memory/1104-158-0x00007FF76B4A0000-0x00007FF76B7F1000-memory.dmp	xmrig
behavioral2/memory/568-154-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	xmrig
behavioral2/memory/4940-157-0x00007FF66FC80000-0x00007FF66FFD1000-memory.dmp	xmrig
behavioral2/memory/568-176-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	xmrig
behavioral2/memory/4204-210-0x00007FF632610000-0x00007FF632961000-memory.dmp	xmrig
behavioral2/memory/2868-215-0x00007FF7DE1F0000-0x00007FF7DE541000-memory.dmp	xmrig
behavioral2/memory/1972-217-0x00007FF78BA80000-0x00007FF78BDD1000-memory.dmp	xmrig
behavioral2/memory/2568-219-0x00007FF617D80000-0x00007FF6180D1000-memory.dmp	xmrig
behavioral2/memory/400-222-0x00007FF750420000-0x00007FF750771000-memory.dmp	xmrig
behavioral2/memory/1956-230-0x00007FF786D30000-0x00007FF787081000-memory.dmp	xmrig
behavioral2/memory/1156-232-0x00007FF632F40000-0x00007FF633291000-memory.dmp	xmrig
behavioral2/memory/1304-234-0x00007FF6F2B00000-0x00007FF6F2E51000-memory.dmp	xmrig
behavioral2/memory/3212-237-0x00007FF7DA840000-0x00007FF7DAB91000-memory.dmp	xmrig
behavioral2/memory/4180-239-0x00007FF610BA0000-0x00007FF610EF1000-memory.dmp	xmrig
behavioral2/memory/1740-242-0x00007FF78E4F0000-0x00007FF78E841000-memory.dmp	xmrig
behavioral2/memory/4676-243-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	xmrig
behavioral2/memory/944-249-0x00007FF6D8A80000-0x00007FF6D8DD1000-memory.dmp	xmrig
behavioral2/memory/2992-251-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	xmrig
behavioral2/memory/1104-260-0x00007FF76B4A0000-0x00007FF76B7F1000-memory.dmp	xmrig
behavioral2/memory/4940-259-0x00007FF66FC80000-0x00007FF66FFD1000-memory.dmp	xmrig
behavioral2/memory/1968-262-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp	xmrig
behavioral2/memory/1980-264-0x00007FF6907B0000-0x00007FF690B01000-memory.dmp	xmrig
behavioral2/memory/3448-268-0x00007FF601D20000-0x00007FF602071000-memory.dmp	xmrig
behavioral2/memory/4904-267-0x00007FF7AFE60000-0x00007FF7B01B1000-memory.dmp	xmrig
behavioral2/memory/1900-270-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4204	OCbuMIV.exe
2868	WNBDHly.exe
1972	ZDziCyT.exe
2568	DoYwONX.exe
400	QbZzAXW.exe
1956	oGrkyEA.exe
1156	gDpyCmg.exe
1304	RyRMVRk.exe
4180	nhctCWQ.exe
4676	hSPXUKp.exe
3212	XAGqPTQ.exe
1740	SQmNvpz.exe
2992	tBjklRK.exe
944	YQAJRJo.exe
4940	fmAIFHf.exe
1104	yEdXprs.exe
1968	CFtFEHQ.exe
1980	LnnwQpH.exe
4904	zqeUJSG.exe
3448	unLlkCa.exe
1900	KcOrBLl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/568-0-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	upx
behavioral2/files/0x00080000000235d1-6.dat	upx
behavioral2/memory/4204-7-0x00007FF632610000-0x00007FF632961000-memory.dmp	upx
behavioral2/files/0x00070000000235d6-10.dat	upx
behavioral2/memory/2868-16-0x00007FF7DE1F0000-0x00007FF7DE541000-memory.dmp	upx
behavioral2/files/0x00070000000235d5-15.dat	upx
behavioral2/files/0x00080000000235d2-23.dat	upx
behavioral2/memory/1972-22-0x00007FF78BA80000-0x00007FF78BDD1000-memory.dmp	upx
behavioral2/memory/2568-24-0x00007FF617D80000-0x00007FF6180D1000-memory.dmp	upx
behavioral2/files/0x00070000000235d7-29.dat	upx
behavioral2/memory/400-31-0x00007FF750420000-0x00007FF750771000-memory.dmp	upx
behavioral2/memory/1956-39-0x00007FF786D30000-0x00007FF787081000-memory.dmp	upx
behavioral2/files/0x00070000000235da-44.dat	upx
behavioral2/files/0x00070000000235db-52.dat	upx
behavioral2/memory/568-55-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	upx
behavioral2/files/0x00070000000235dc-59.dat	upx
behavioral2/memory/3212-62-0x00007FF7DA840000-0x00007FF7DAB91000-memory.dmp	upx
behavioral2/memory/4676-65-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	upx
behavioral2/memory/2868-64-0x00007FF7DE1F0000-0x00007FF7DE541000-memory.dmp	upx
behavioral2/memory/4204-63-0x00007FF632610000-0x00007FF632961000-memory.dmp	upx
behavioral2/memory/4180-61-0x00007FF610BA0000-0x00007FF610EF1000-memory.dmp	upx
behavioral2/files/0x00070000000235dd-60.dat	upx
behavioral2/files/0x00070000000235de-74.dat	upx
behavioral2/memory/1740-75-0x00007FF78E4F0000-0x00007FF78E841000-memory.dmp	upx
behavioral2/files/0x00070000000235d9-47.dat	upx
behavioral2/memory/1304-46-0x00007FF6F2B00000-0x00007FF6F2E51000-memory.dmp	upx
behavioral2/memory/1156-45-0x00007FF632F40000-0x00007FF633291000-memory.dmp	upx
behavioral2/files/0x00070000000235d8-36.dat	upx
behavioral2/memory/1972-80-0x00007FF78BA80000-0x00007FF78BDD1000-memory.dmp	upx
behavioral2/files/0x00070000000235e1-85.dat	upx
behavioral2/memory/2568-89-0x00007FF617D80000-0x00007FF6180D1000-memory.dmp	upx
behavioral2/memory/944-95-0x00007FF6D8A80000-0x00007FF6D8DD1000-memory.dmp	upx
behavioral2/files/0x00070000000235e4-100.dat	upx
behavioral2/memory/400-101-0x00007FF750420000-0x00007FF750771000-memory.dmp	upx
behavioral2/files/0x00070000000235e2-108.dat	upx
behavioral2/files/0x00070000000235e6-116.dat	upx
behavioral2/files/0x00070000000235e7-127.dat	upx
behavioral2/memory/3448-130-0x00007FF601D20000-0x00007FF602071000-memory.dmp	upx
behavioral2/memory/4180-129-0x00007FF610BA0000-0x00007FF610EF1000-memory.dmp	upx
behavioral2/files/0x00070000000235e8-140.dat	upx
behavioral2/memory/1900-139-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp	upx
behavioral2/memory/3212-138-0x00007FF7DA840000-0x00007FF7DAB91000-memory.dmp	upx
behavioral2/files/0x00070000000235e5-123.dat	upx
behavioral2/memory/1304-122-0x00007FF6F2B00000-0x00007FF6F2E51000-memory.dmp	upx
behavioral2/memory/1980-121-0x00007FF6907B0000-0x00007FF690B01000-memory.dmp	upx
behavioral2/memory/4904-119-0x00007FF7AFE60000-0x00007FF7B01B1000-memory.dmp	upx
behavioral2/memory/1156-118-0x00007FF632F40000-0x00007FF633291000-memory.dmp	upx
behavioral2/memory/1956-114-0x00007FF786D30000-0x00007FF787081000-memory.dmp	upx
behavioral2/memory/1968-111-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp	upx
behavioral2/memory/1104-110-0x00007FF76B4A0000-0x00007FF76B7F1000-memory.dmp	upx
behavioral2/files/0x00070000000235e3-103.dat	upx
behavioral2/memory/4940-102-0x00007FF66FC80000-0x00007FF66FFD1000-memory.dmp	upx
behavioral2/memory/2992-94-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	upx
behavioral2/files/0x00070000000235df-90.dat	upx
behavioral2/memory/4676-153-0x00007FF654C20000-0x00007FF654F71000-memory.dmp	upx
behavioral2/memory/1740-151-0x00007FF78E4F0000-0x00007FF78E841000-memory.dmp	upx
behavioral2/memory/2992-152-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	upx
behavioral2/memory/1968-159-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp	upx
behavioral2/memory/3448-162-0x00007FF601D20000-0x00007FF602071000-memory.dmp	upx
behavioral2/memory/1900-163-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp	upx
behavioral2/memory/4904-161-0x00007FF7AFE60000-0x00007FF7B01B1000-memory.dmp	upx
behavioral2/memory/1980-160-0x00007FF6907B0000-0x00007FF690B01000-memory.dmp	upx
behavioral2/memory/1104-158-0x00007FF76B4A0000-0x00007FF76B7F1000-memory.dmp	upx
behavioral2/memory/568-154-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gDpyCmg.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hSPXUKp.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zqeUJSG.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WNBDHly.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QbZzAXW.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RyRMVRk.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nhctCWQ.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SQmNvpz.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YQAJRJo.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\unLlkCa.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KcOrBLl.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OCbuMIV.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFtFEHQ.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZDziCyT.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oGrkyEA.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XAGqPTQ.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tBjklRK.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fmAIFHf.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yEdXprs.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LnnwQpH.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DoYwONX.exe	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 4204	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 568 wrote to memory of 4204	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 568 wrote to memory of 2868	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 568 wrote to memory of 2868	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 568 wrote to memory of 1972	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 568 wrote to memory of 1972	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 568 wrote to memory of 2568	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 568 wrote to memory of 2568	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 568 wrote to memory of 400	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 568 wrote to memory of 400	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 568 wrote to memory of 1956	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 568 wrote to memory of 1956	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 568 wrote to memory of 1156	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 568 wrote to memory of 1156	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 568 wrote to memory of 1304	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 568 wrote to memory of 1304	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 568 wrote to memory of 4180	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 568 wrote to memory of 4180	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 568 wrote to memory of 4676	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 568 wrote to memory of 4676	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 568 wrote to memory of 3212	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 568 wrote to memory of 3212	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 568 wrote to memory of 1740	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 568 wrote to memory of 1740	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 568 wrote to memory of 2992	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 568 wrote to memory of 2992	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 568 wrote to memory of 944	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 568 wrote to memory of 944	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 568 wrote to memory of 4940	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 568 wrote to memory of 4940	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 568 wrote to memory of 1104	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 568 wrote to memory of 1104	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 568 wrote to memory of 1968	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 568 wrote to memory of 1968	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 568 wrote to memory of 1980	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 568 wrote to memory of 1980	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	112
PID 568 wrote to memory of 4904	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 568 wrote to memory of 4904	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	113
PID 568 wrote to memory of 3448	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 568 wrote to memory of 3448	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	114
PID 568 wrote to memory of 1900	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	115
PID 568 wrote to memory of 1900	568	2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_d045adebce54b55b783c2bf616f6ad20_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\System\OCbuMIV.exe
  C:\Windows\System\OCbuMIV.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\WNBDHly.exe
  C:\Windows\System\WNBDHly.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\ZDziCyT.exe
  C:\Windows\System\ZDziCyT.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\DoYwONX.exe
  C:\Windows\System\DoYwONX.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\QbZzAXW.exe
  C:\Windows\System\QbZzAXW.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\oGrkyEA.exe
  C:\Windows\System\oGrkyEA.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\gDpyCmg.exe
  C:\Windows\System\gDpyCmg.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\RyRMVRk.exe
  C:\Windows\System\RyRMVRk.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\nhctCWQ.exe
  C:\Windows\System\nhctCWQ.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\hSPXUKp.exe
  C:\Windows\System\hSPXUKp.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\XAGqPTQ.exe
  C:\Windows\System\XAGqPTQ.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\SQmNvpz.exe
  C:\Windows\System\SQmNvpz.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\tBjklRK.exe
  C:\Windows\System\tBjklRK.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\YQAJRJo.exe
  C:\Windows\System\YQAJRJo.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\fmAIFHf.exe
  C:\Windows\System\fmAIFHf.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\yEdXprs.exe
  C:\Windows\System\yEdXprs.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\CFtFEHQ.exe
  C:\Windows\System\CFtFEHQ.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\LnnwQpH.exe
  C:\Windows\System\LnnwQpH.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\zqeUJSG.exe
  C:\Windows\System\zqeUJSG.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\unLlkCa.exe
  C:\Windows\System\unLlkCa.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\KcOrBLl.exe
  C:\Windows\System\KcOrBLl.exe
  2⤵
  - Executes dropped EXE
  PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
1⤵
PID:3248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CFtFEHQ.exe

Filesize
5.2MB

MD5
774f0cb2cd4a23fa1d48d132c1c80181

SHA1
aa48f9d3be44af2a67c6d3c1c1a59c7bd99499bb

SHA256
a39bd1f11d603cbfc31575f60b2fc0a7011040ae0b63058ae75ffbcd79cd0fea

SHA512
e198f9ad8889d4fb3dd22fd4eb0aa49845c6b9b0439ee2c7160ecfa3bc46e9c4ca1fdda7810f0cd98ad5f0b29e5fafe61070a3ce2b4618d9490bf8822a3329e6

Download Submit
C:\Windows\System\DoYwONX.exe

Filesize
5.2MB

MD5
fbf6496a361ab9ed1d5c9d97c11cef85

SHA1
03e463cfa4139792b86330911506cdbc34d6c5e5

SHA256
0231d42acfe4dc7aa3e3ab0514e5af4a8c28e49d54d27f4f3017baca4b8ba781

SHA512
8b2a4ef68c47243b3b8b5000f5286ce75508ba7bee7dd0ae22c3c8f1d5f50f011adfa0427673f517a4ca6564c7cb83cebb1fdca523bb306bd559a66475816c1b

Download Submit
C:\Windows\System\KcOrBLl.exe

Filesize
5.2MB

MD5
f6c0a489c2cd4d6844ed80c9f748aed6

SHA1
bfb806b6e8296fe5f0e9d7c875f18e0b87f00419

SHA256
8dec85bdfa268d7b27c16b5a3fcd56917fa205c86640baad9cc26106d3a6e2bd

SHA512
4fdef4f575cc00d8786d9fc4fe5e807ae3bf0bc33305f7c70ca85aefffca6d07bcbbf96360e08f74bb7803e0f88ee72788fb15a208eb83bcacc9744ed3228b6b

Download Submit
C:\Windows\System\LnnwQpH.exe

Filesize
5.2MB

MD5
37a515bc5aec496a1855f684643ba4be

SHA1
62f77d0f44f2a349b5ded62c9c088140de2ac8fe

SHA256
cd8f498e886cd1bfc5bb0c60dd4fd9636efa52941a8dbe69b3fa769ca3817fa9

SHA512
8a06bf53516553a8c7168864f71aa5c228c3d202c22b35651904b113594a2e3ba92c429b4ec3b43969dce77fafbdbdbe00edfe24c0603d787d258e7cf3896a58

Download Submit
C:\Windows\System\OCbuMIV.exe

Filesize
5.2MB

MD5
fdd9016628fac2a5479f1eff14eaff3c

SHA1
46c1d2c85a9d3cf6ab0c75fed4eb8203dd3da7b3

SHA256
599491e0f3e1f8f637956e3e1dd030f0af6ed0402314178f545f77ec6d928153

SHA512
4057562e9526b7fd82e045d158baaa619c5620553b300feb81143e79dd5cd4142a786938ee0be63f90152b5731c6795c486441b1c9ec22d95c1830a5f3d2a8b4

Download Submit
C:\Windows\System\QbZzAXW.exe

Filesize
5.2MB

MD5
ba5a92ea4c04fe953d0000cf056195e4

SHA1
a021a62001b9d60ed4c8cb6b7ae94a2ea430a4e0

SHA256
2003a6572d549fdd60238de4661530fde1b273a30146c7baf931c505828f9bff

SHA512
6ede22ac42fdfcdc584d043509c37810af2cefd9834af00cf6ef60780de00016642749348332b5d9fd779f3e0e3be3e498a631cd14d3ca44b82f45f41099db64

Download Submit
C:\Windows\System\RyRMVRk.exe

Filesize
5.2MB

MD5
14c37eaba13768d17341d1acee2017d0

SHA1
ef2f348a3a69a6fab10ce6deb40dcf0056e5afea

SHA256
30be4eac52a598ab5d67c3bce77797ee7f13b7b3556541b1de4d4589fcb141de

SHA512
b7e9c5e2f067140cd580fa02426d8e93f8dbffd69b738d768d39a85a5639d0bca49a13f0ad4dc609de8f17327d29e8a80b670c762ddadff08704e69ac843e8c2

Download Submit
C:\Windows\System\SQmNvpz.exe

Filesize
5.2MB

MD5
78630a2207402cfb5ec1cd09394e2353

SHA1
aa365d1a6e588d380d9cd970e38657bab2bdf5b6

SHA256
35cedbad4e69269cb444aa24be26f5d2460ab5f1ae3ba93a3ef5b5b921fbb11d

SHA512
d6b9f8b62e5ba6ae943e51afc388dbd823e78a4187505c614026559e5fe907678d83c9523b1f5f864cbabb1b4b7de44f697e31d4350025e5c587ced03bb8e9a5

Download Submit
C:\Windows\System\WNBDHly.exe

Filesize
5.2MB

MD5
d711e1dc3975fff26675c67d4b23c3a7

SHA1
145e5e3bc19076cde00edc9dc60e6d1a1d500919

SHA256
87a9c2401c866d13010b83862d25fb0ff21812119fa657ec8d730689d3c5b14a

SHA512
e8ceecbe45786a1e667059613c9ca4898bb27991f68915116a02106712086888262155a779b5b04f72f15b064f5d25af4a4d4fb6674e485fdf2ad361aef1683a

Download Submit
C:\Windows\System\XAGqPTQ.exe

Filesize
5.2MB

MD5
714be5a14d22b9557344a0792768d263

SHA1
5493fcc1da2e5bf17c2e6590797c46433c8f2df5

SHA256
eb04daec749013e2542a16c746f7de3fa29fdd9e0ae4d96a4d49cfb9c67bae91

SHA512
aae4f0d3a3242e4b9bfddba1d78238bbbc9c112450a0b7b4233d0682fa673dbe7712559a92b4a85c796c4da9291c4c23440fcde8576aca13e418390a1b1f9881

Download Submit
C:\Windows\System\YQAJRJo.exe

Filesize
5.2MB

MD5
3d2ecb9762069ace50e9c146e7ab9831

SHA1
0f764348857bec9a0267f144933a33d41afa98ec

SHA256
48aa45d65e0fb5f9e4a39c27a1266ffee1cae0297b8bf743065742e1f49a97c3

SHA512
f03362028b948bfb59dc6bc95ca2eeee2a3e70903b146b81bdc8ff9324c133a1a75f8f82380b5efbeb991b742cdd2e6db73c1c341f06f03501386ee2bcfb6e24

Download Submit
C:\Windows\System\ZDziCyT.exe

Filesize
5.2MB

MD5
7d15cf03de72f823f0ab2dd8d9690df2

SHA1
e1d2b1525394dcdb93d0bbbbb1ada6f16ca0886c

SHA256
8e2bc093652a45018b9b83a60d6dd4f88717d9b0ab6dc195ca83edfc3f525336

SHA512
df14033bf615e1911a7c8ec064aad3b06d995c7b8469e27b8ad1d99874c194f760fab07afc4242e58a38e5abf7f67f7cdbc760cb985d1a15d9f30346badafd69

Download Submit
C:\Windows\System\fmAIFHf.exe

Filesize
5.2MB

MD5
f26b8631aeaa7030c94a75447a3fcc51

SHA1
6c0d0f3e5771778215256ba8fe8b4e61797d5d29

SHA256
08032053a9cb8f24ae6a680bc21bfa96948725966b97a7f0a73b670cb16c6730

SHA512
b478509d4652559811673fd231f84b28d38e471b0ce2339041731bc29bfce52f9844f84b57ef4d34c3ee7c695f27ca77b198bf1eb9124172887ade519db486dc

Download Submit
C:\Windows\System\gDpyCmg.exe

Filesize
5.2MB

MD5
3d332a9bcf1e7b882f52c1880cbcc6a9

SHA1
d53aee9205440d9406ccc4fa33649ff8718a82a5

SHA256
b1553cf20e033151477c541e97254850efa2e9acbd2ec196932318888dbd373f

SHA512
091cf22e38b11ea9fb2b2df6f5ef173c3fbcbf99861dcf0287ec09cfbe94576c00c8bf6c097c2192cfb2bd373d7c7c9761159f55cdff55fbaab9241ac9ad2ca7

Download Submit
C:\Windows\System\hSPXUKp.exe

Filesize
5.2MB

MD5
e3e44d57526f4debf8034795fef81eb3

SHA1
1242c50b3221e0f256ecc12bd241271725ef3f10

SHA256
5fc0d7b32df55b8d411518ea8b21f6de879e2d6036351dc41e12553c72540d67

SHA512
b2c3b3de1e6c8f67286126f5082cc9f72a9a66c02f4b3dcdaecebf84fb4c846a053b06a0f95f79f11dd705a69447eb36a20f5aa7b55d33ef01f7fc9cd7915d17

Download Submit
C:\Windows\System\nhctCWQ.exe

Filesize
5.2MB

MD5
3d8ab0e37e857f795cb62b185b4f92e4

SHA1
3cc5cfef2c441d6b807eee434a295e225a20687b

SHA256
711f326ea8354a2bcb7654f223461988e7591dbd4d6af6749b3030e827e8a0a4

SHA512
8efa105fcf8ac39508172a207a28fdb0759f305f72a77d2c2e3a7670a2a6d66ea5c6362950cf6deffe812d766c8521b9fddaa48e7da354529fb21db095196123

Download Submit
C:\Windows\System\oGrkyEA.exe

Filesize
5.2MB

MD5
4ed767e69463471a06af1ce14d55bbb9

SHA1
a0dd1717bc6e3cc278d9aaf1a4a82c140dc48d91

SHA256
598b4421b1e045187513b42d1e571055f4eeec7e6d6ed7bcd23e53c81fde9441

SHA512
e758e8de1583fc36082c08b1122ab6c19db8d4e65c0c83ca4a49e2084149790d92b91fbb728ef13a9a74902c57c77cb2ff83fbe0a9cc8e75629348fc7a71ff26

Download Submit
C:\Windows\System\tBjklRK.exe

Filesize
5.2MB

MD5
b8300393e9bd906d631ab53bd246f262

SHA1
eb3668be27aa63a5ef498f46d24d33b4a3de3404

SHA256
3c1f308176ceb6ee39c3e22fadfd16eebc12148ba2471c81fe2f81f3fc430d40

SHA512
0b05bd56551e5a758ade22baa63a57b22e96dc399df5b09e1aa5f1e7bb10f25741cee9ebe4a576b63f5bcdfcc84d34398e12456cf0e3d7f0ad0eb3ad48862fcc

Download Submit
C:\Windows\System\unLlkCa.exe

Filesize
5.2MB

MD5
2b7cc5ee09ec347c16972192e5e20f09

SHA1
b33a757965a2e78ab86b6bfe729e8fcb2ecca09e

SHA256
1ddf40629589016c14daba4d8f470d0ea8d7bd656d5fb1874780a5f2acda35da

SHA512
2eb4b94d69158fabfe97e8711fd6dc7e67a930942c3d59230589302b0b33373562eb39259d06f50dc3bdadff63277815aa1713f2056c1a0a937757f9886c20ff

Download Submit
C:\Windows\System\yEdXprs.exe

Filesize
5.2MB

MD5
cb44b89d306eeed2012ee3e391320af1

SHA1
929ac37e5539ca0c6e23a7c26eb3f424d8edaf7c

SHA256
04aaa3a59f6dd6be70db225662647b237e856a49f70a2f4c637dd8a0e1a234bb

SHA512
5aedade1edf6675df9b789648eef3a1100eb279d3cdc4b83160d63e96e515241e0ca4402572937b5370ab23df9b160b1c0d12c5277f2243202999a5fc575c04c

Download Submit
C:\Windows\System\zqeUJSG.exe

Filesize
5.2MB

MD5
96f0a336199b4e60f837222ace5e3315

SHA1
46ef08928371577607e93c31ca3d7eebb6e61573

SHA256
c9b5c99ccfab7ac5c3053b71a3ede6c900b9ba5d1a1e5f8966a530aa409c09eb

SHA512
89aba7aa1624935454db31abf89079be2b40b7dbbef8f02f298aca8298d4d2bcaadf7c1ac902aa57a7cf7d40f526f2eadb817e753dc842a2ff58b428526edf53

Download Submit
memory/400-222-0x00007FF750420000-0x00007FF750771000-memory.dmp

Filesize
3.3MB

Download
memory/400-101-0x00007FF750420000-0x00007FF750771000-memory.dmp

Filesize
3.3MB

Download
memory/400-31-0x00007FF750420000-0x00007FF750771000-memory.dmp

Filesize
3.3MB

Download
memory/568-176-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp

Filesize
3.3MB

Download
memory/568-0-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp

Filesize
3.3MB

Download
memory/568-55-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp

Filesize
3.3MB

Download
memory/568-154-0x00007FF6D3610000-0x00007FF6D3961000-memory.dmp

Filesize
3.3MB

Download
memory/568-1-0x000001867E6F0000-0x000001867E700000-memory.dmp

Filesize
64KB

Download
memory/944-249-0x00007FF6D8A80000-0x00007FF6D8DD1000-memory.dmp

Filesize
3.3MB

Download
memory/944-95-0x00007FF6D8A80000-0x00007FF6D8DD1000-memory.dmp

Filesize
3.3MB

Download
memory/1104-158-0x00007FF76B4A0000-0x00007FF76B7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1104-110-0x00007FF76B4A0000-0x00007FF76B7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1104-260-0x00007FF76B4A0000-0x00007FF76B7F1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-45-0x00007FF632F40000-0x00007FF633291000-memory.dmp

Filesize
3.3MB

Download
memory/1156-118-0x00007FF632F40000-0x00007FF633291000-memory.dmp

Filesize
3.3MB

Download
memory/1156-232-0x00007FF632F40000-0x00007FF633291000-memory.dmp

Filesize
3.3MB

Download
memory/1304-122-0x00007FF6F2B00000-0x00007FF6F2E51000-memory.dmp

Filesize
3.3MB

Download
memory/1304-46-0x00007FF6F2B00000-0x00007FF6F2E51000-memory.dmp

Filesize
3.3MB

Download
memory/1304-234-0x00007FF6F2B00000-0x00007FF6F2E51000-memory.dmp

Filesize
3.3MB

Download
memory/1740-75-0x00007FF78E4F0000-0x00007FF78E841000-memory.dmp

Filesize
3.3MB

Download
memory/1740-242-0x00007FF78E4F0000-0x00007FF78E841000-memory.dmp

Filesize
3.3MB

Download
memory/1740-151-0x00007FF78E4F0000-0x00007FF78E841000-memory.dmp

Filesize
3.3MB

Download
memory/1900-139-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp

Filesize
3.3MB

Download
memory/1900-163-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp

Filesize
3.3MB

Download
memory/1900-270-0x00007FF717BF0000-0x00007FF717F41000-memory.dmp

Filesize
3.3MB

Download
memory/1956-230-0x00007FF786D30000-0x00007FF787081000-memory.dmp

Filesize
3.3MB

Download
memory/1956-39-0x00007FF786D30000-0x00007FF787081000-memory.dmp

Filesize
3.3MB

Download
memory/1956-114-0x00007FF786D30000-0x00007FF787081000-memory.dmp

Filesize
3.3MB

Download
memory/1968-159-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-262-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-111-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-80-0x00007FF78BA80000-0x00007FF78BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-217-0x00007FF78BA80000-0x00007FF78BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-22-0x00007FF78BA80000-0x00007FF78BDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-264-0x00007FF6907B0000-0x00007FF690B01000-memory.dmp

Filesize
3.3MB

Download
memory/1980-121-0x00007FF6907B0000-0x00007FF690B01000-memory.dmp

Filesize
3.3MB

Download
memory/1980-160-0x00007FF6907B0000-0x00007FF690B01000-memory.dmp

Filesize
3.3MB

Download
memory/2568-219-0x00007FF617D80000-0x00007FF6180D1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-24-0x00007FF617D80000-0x00007FF6180D1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-89-0x00007FF617D80000-0x00007FF6180D1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-64-0x00007FF7DE1F0000-0x00007FF7DE541000-memory.dmp

Filesize
3.3MB

Download
memory/2868-16-0x00007FF7DE1F0000-0x00007FF7DE541000-memory.dmp

Filesize
3.3MB

Download
memory/2868-215-0x00007FF7DE1F0000-0x00007FF7DE541000-memory.dmp

Filesize
3.3MB

Download
memory/2992-152-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-251-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-94-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-62-0x00007FF7DA840000-0x00007FF7DAB91000-memory.dmp

Filesize
3.3MB

Download
memory/3212-237-0x00007FF7DA840000-0x00007FF7DAB91000-memory.dmp

Filesize
3.3MB

Download
memory/3212-138-0x00007FF7DA840000-0x00007FF7DAB91000-memory.dmp

Filesize
3.3MB

Download
memory/3448-162-0x00007FF601D20000-0x00007FF602071000-memory.dmp

Filesize
3.3MB

Download
memory/3448-130-0x00007FF601D20000-0x00007FF602071000-memory.dmp

Filesize
3.3MB

Download
memory/3448-268-0x00007FF601D20000-0x00007FF602071000-memory.dmp

Filesize
3.3MB

Download
memory/4180-61-0x00007FF610BA0000-0x00007FF610EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4180-129-0x00007FF610BA0000-0x00007FF610EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4180-239-0x00007FF610BA0000-0x00007FF610EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4204-210-0x00007FF632610000-0x00007FF632961000-memory.dmp

Filesize
3.3MB

Download
memory/4204-63-0x00007FF632610000-0x00007FF632961000-memory.dmp

Filesize
3.3MB

Download
memory/4204-7-0x00007FF632610000-0x00007FF632961000-memory.dmp

Filesize
3.3MB

Download
memory/4676-153-0x00007FF654C20000-0x00007FF654F71000-memory.dmp

Filesize
3.3MB

Download
memory/4676-243-0x00007FF654C20000-0x00007FF654F71000-memory.dmp

Filesize
3.3MB

Download
memory/4676-65-0x00007FF654C20000-0x00007FF654F71000-memory.dmp

Filesize
3.3MB

Download
memory/4904-161-0x00007FF7AFE60000-0x00007FF7B01B1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-119-0x00007FF7AFE60000-0x00007FF7B01B1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-267-0x00007FF7AFE60000-0x00007FF7B01B1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-259-0x00007FF66FC80000-0x00007FF66FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-102-0x00007FF66FC80000-0x00007FF66FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-157-0x00007FF66FC80000-0x00007FF66FFD1000-memory.dmp

Filesize
3.3MB

Download