cobaltstrike | 8b05c4d5f309f30dc0a18be8fee312afffe45a91e59f8183ae06d000909b1007

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

80f7620f48b2145fb03ef9674f795bc2
SHA1

ccef7510d3dfa39ef0a03c7ca342bff359d900d4
SHA256

8b05c4d5f309f30dc0a18be8fee312afffe45a91e59f8183ae06d000909b1007
SHA512

84b1fe05978182cda53b35fd6eb9e45a4555293b50d41c6a8051ff3ee801226a48725448fdff0dcc78b66b58bb0fce894bf591aade11a2d8ddd99246019eb3c3
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibd56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233fa-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-64.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-92.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-104.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-57.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/448-78-0x00007FF789270000-0x00007FF7895C1000-memory.dmp	xmrig
behavioral2/memory/1584-117-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp	xmrig
behavioral2/memory/452-129-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp	xmrig
behavioral2/memory/2912-128-0x00007FF668B70000-0x00007FF668EC1000-memory.dmp	xmrig
behavioral2/memory/4784-127-0x00007FF740020000-0x00007FF740371000-memory.dmp	xmrig
behavioral2/memory/4400-122-0x00007FF61ED70000-0x00007FF61F0C1000-memory.dmp	xmrig
behavioral2/memory/1252-118-0x00007FF669C20000-0x00007FF669F71000-memory.dmp	xmrig
behavioral2/memory/4736-106-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	xmrig
behavioral2/memory/3412-87-0x00007FF6ED390000-0x00007FF6ED6E1000-memory.dmp	xmrig
behavioral2/memory/3464-68-0x00007FF638EA0000-0x00007FF6391F1000-memory.dmp	xmrig
behavioral2/memory/4816-131-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp	xmrig
behavioral2/memory/1752-132-0x00007FF646000000-0x00007FF646351000-memory.dmp	xmrig
behavioral2/memory/5040-133-0x00007FF7010D0000-0x00007FF701421000-memory.dmp	xmrig
behavioral2/memory/448-134-0x00007FF789270000-0x00007FF7895C1000-memory.dmp	xmrig
behavioral2/memory/4148-135-0x00007FF6CB040000-0x00007FF6CB391000-memory.dmp	xmrig
behavioral2/memory/2064-143-0x00007FF78DD70000-0x00007FF78E0C1000-memory.dmp	xmrig
behavioral2/memory/4456-142-0x00007FF6C3340000-0x00007FF6C3691000-memory.dmp	xmrig
behavioral2/memory/1440-150-0x00007FF7B6740000-0x00007FF7B6A91000-memory.dmp	xmrig
behavioral2/memory/2676-145-0x00007FF6FFEA0000-0x00007FF7001F1000-memory.dmp	xmrig
behavioral2/memory/4036-149-0x00007FF655410000-0x00007FF655761000-memory.dmp	xmrig
behavioral2/memory/1296-154-0x00007FF7D18D0000-0x00007FF7D1C21000-memory.dmp	xmrig
behavioral2/memory/3548-155-0x00007FF6A3EF0000-0x00007FF6A4241000-memory.dmp	xmrig
behavioral2/memory/1844-156-0x00007FF737C20000-0x00007FF737F71000-memory.dmp	xmrig
behavioral2/memory/448-159-0x00007FF789270000-0x00007FF7895C1000-memory.dmp	xmrig
behavioral2/memory/1584-207-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp	xmrig
behavioral2/memory/452-215-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp	xmrig
behavioral2/memory/4816-217-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp	xmrig
behavioral2/memory/1752-219-0x00007FF646000000-0x00007FF646351000-memory.dmp	xmrig
behavioral2/memory/5040-221-0x00007FF7010D0000-0x00007FF701421000-memory.dmp	xmrig
behavioral2/memory/4148-235-0x00007FF6CB040000-0x00007FF6CB391000-memory.dmp	xmrig
behavioral2/memory/4456-238-0x00007FF6C3340000-0x00007FF6C3691000-memory.dmp	xmrig
behavioral2/memory/3464-240-0x00007FF638EA0000-0x00007FF6391F1000-memory.dmp	xmrig
behavioral2/memory/2064-243-0x00007FF78DD70000-0x00007FF78E0C1000-memory.dmp	xmrig
behavioral2/memory/2676-244-0x00007FF6FFEA0000-0x00007FF7001F1000-memory.dmp	xmrig
behavioral2/memory/3412-246-0x00007FF6ED390000-0x00007FF6ED6E1000-memory.dmp	xmrig
behavioral2/memory/1252-249-0x00007FF669C20000-0x00007FF669F71000-memory.dmp	xmrig
behavioral2/memory/1440-250-0x00007FF7B6740000-0x00007FF7B6A91000-memory.dmp	xmrig
behavioral2/memory/4736-254-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	xmrig
behavioral2/memory/4036-253-0x00007FF655410000-0x00007FF655761000-memory.dmp	xmrig
behavioral2/memory/4400-256-0x00007FF61ED70000-0x00007FF61F0C1000-memory.dmp	xmrig
behavioral2/memory/4784-261-0x00007FF740020000-0x00007FF740371000-memory.dmp	xmrig
behavioral2/memory/1844-264-0x00007FF737C20000-0x00007FF737F71000-memory.dmp	xmrig
behavioral2/memory/2912-263-0x00007FF668B70000-0x00007FF668EC1000-memory.dmp	xmrig
behavioral2/memory/3548-259-0x00007FF6A3EF0000-0x00007FF6A4241000-memory.dmp	xmrig
behavioral2/memory/1296-266-0x00007FF7D18D0000-0x00007FF7D1C21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1584	mXusPHV.exe
452	rySsmOt.exe
4816	lIQPeay.exe
1752	JVUSFVR.exe
5040	gnDGnHy.exe
4148	gXPerCY.exe
4456	mKvoUUn.exe
2676	EMhcclx.exe
2064	FZyZRRh.exe
3464	kfabTMK.exe
3412	wsFYTfZ.exe
4036	NqwUimP.exe
1440	KPlTLod.exe
1252	SdkQRvk.exe
4736	vyRlXXU.exe
1296	cudIswO.exe
4400	NgQqVkZ.exe
3548	IjQaIcU.exe
1844	gLnSosa.exe
4784	tpIUQEs.exe
2912	ndaJTax.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/448-0-0x00007FF789270000-0x00007FF7895C1000-memory.dmp	upx
behavioral2/files/0x00090000000233fa-5.dat	upx
behavioral2/memory/1584-8-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp	upx
behavioral2/files/0x000700000002340e-11.dat	upx
behavioral2/memory/452-12-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp	upx
behavioral2/files/0x000700000002340f-17.dat	upx
behavioral2/memory/4816-18-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp	upx
behavioral2/files/0x0007000000023410-22.dat	upx
behavioral2/memory/5040-30-0x00007FF7010D0000-0x00007FF701421000-memory.dmp	upx
behavioral2/files/0x0007000000023411-31.dat	upx
behavioral2/memory/1752-25-0x00007FF646000000-0x00007FF646351000-memory.dmp	upx
behavioral2/files/0x0007000000023412-35.dat	upx
behavioral2/files/0x0007000000023413-42.dat	upx
behavioral2/files/0x0007000000023415-64.dat	upx
behavioral2/memory/448-78-0x00007FF789270000-0x00007FF7895C1000-memory.dmp	upx
behavioral2/files/0x000700000002341d-91.dat	upx
behavioral2/files/0x000700000002341a-92.dat	upx
behavioral2/files/0x000700000002341e-104.dat	upx
behavioral2/memory/3548-112-0x00007FF6A3EF0000-0x00007FF6A4241000-memory.dmp	upx
behavioral2/memory/1584-117-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp	upx
behavioral2/files/0x000700000002341f-123.dat	upx
behavioral2/memory/452-129-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp	upx
behavioral2/memory/2912-128-0x00007FF668B70000-0x00007FF668EC1000-memory.dmp	upx
behavioral2/memory/4784-127-0x00007FF740020000-0x00007FF740371000-memory.dmp	upx
behavioral2/files/0x0007000000023421-125.dat	upx
behavioral2/memory/4400-122-0x00007FF61ED70000-0x00007FF61F0C1000-memory.dmp	upx
behavioral2/memory/1296-121-0x00007FF7D18D0000-0x00007FF7D1C21000-memory.dmp	upx
behavioral2/memory/1252-118-0x00007FF669C20000-0x00007FF669F71000-memory.dmp	upx
behavioral2/files/0x0007000000023420-114.dat	upx
behavioral2/memory/1844-113-0x00007FF737C20000-0x00007FF737F71000-memory.dmp	upx
behavioral2/files/0x000700000002341c-107.dat	upx
behavioral2/memory/4736-106-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp	upx
behavioral2/files/0x000700000002341b-98.dat	upx
behavioral2/memory/1440-96-0x00007FF7B6740000-0x00007FF7B6A91000-memory.dmp	upx
behavioral2/files/0x0007000000023419-89.dat	upx
behavioral2/memory/3412-87-0x00007FF6ED390000-0x00007FF6ED6E1000-memory.dmp	upx
behavioral2/memory/4036-77-0x00007FF655410000-0x00007FF655761000-memory.dmp	upx
behavioral2/files/0x0007000000023418-73.dat	upx
behavioral2/files/0x0007000000023417-71.dat	upx
behavioral2/memory/3464-68-0x00007FF638EA0000-0x00007FF6391F1000-memory.dmp	upx
behavioral2/files/0x0007000000023414-61.dat	upx
behavioral2/memory/2064-59-0x00007FF78DD70000-0x00007FF78E0C1000-memory.dmp	upx
behavioral2/files/0x0007000000023416-57.dat	upx
behavioral2/memory/2676-54-0x00007FF6FFEA0000-0x00007FF7001F1000-memory.dmp	upx
behavioral2/memory/4456-47-0x00007FF6C3340000-0x00007FF6C3691000-memory.dmp	upx
behavioral2/memory/4148-38-0x00007FF6CB040000-0x00007FF6CB391000-memory.dmp	upx
behavioral2/memory/4816-131-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp	upx
behavioral2/memory/1752-132-0x00007FF646000000-0x00007FF646351000-memory.dmp	upx
behavioral2/memory/5040-133-0x00007FF7010D0000-0x00007FF701421000-memory.dmp	upx
behavioral2/memory/448-134-0x00007FF789270000-0x00007FF7895C1000-memory.dmp	upx
behavioral2/memory/4148-135-0x00007FF6CB040000-0x00007FF6CB391000-memory.dmp	upx
behavioral2/memory/2064-143-0x00007FF78DD70000-0x00007FF78E0C1000-memory.dmp	upx
behavioral2/memory/4456-142-0x00007FF6C3340000-0x00007FF6C3691000-memory.dmp	upx
behavioral2/memory/1440-150-0x00007FF7B6740000-0x00007FF7B6A91000-memory.dmp	upx
behavioral2/memory/2676-145-0x00007FF6FFEA0000-0x00007FF7001F1000-memory.dmp	upx
behavioral2/memory/4036-149-0x00007FF655410000-0x00007FF655761000-memory.dmp	upx
behavioral2/memory/1296-154-0x00007FF7D18D0000-0x00007FF7D1C21000-memory.dmp	upx
behavioral2/memory/3548-155-0x00007FF6A3EF0000-0x00007FF6A4241000-memory.dmp	upx
behavioral2/memory/1844-156-0x00007FF737C20000-0x00007FF737F71000-memory.dmp	upx
behavioral2/memory/448-159-0x00007FF789270000-0x00007FF7895C1000-memory.dmp	upx
behavioral2/memory/1584-207-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp	upx
behavioral2/memory/452-215-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp	upx
behavioral2/memory/4816-217-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp	upx
behavioral2/memory/1752-219-0x00007FF646000000-0x00007FF646351000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gXPerCY.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tpIUQEs.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kfabTMK.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPlTLod.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vyRlXXU.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLnSosa.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndaJTax.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gnDGnHy.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mKvoUUn.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wsFYTfZ.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NqwUimP.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SdkQRvk.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mXusPHV.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rySsmOt.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lIQPeay.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JVUSFVR.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EMhcclx.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FZyZRRh.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NgQqVkZ.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cudIswO.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IjQaIcU.exe	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1584	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 448 wrote to memory of 1584	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 448 wrote to memory of 452	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 448 wrote to memory of 452	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 448 wrote to memory of 4816	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 448 wrote to memory of 4816	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 448 wrote to memory of 1752	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 448 wrote to memory of 1752	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 448 wrote to memory of 5040	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 448 wrote to memory of 5040	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 448 wrote to memory of 4148	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 448 wrote to memory of 4148	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 448 wrote to memory of 4456	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 448 wrote to memory of 4456	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 448 wrote to memory of 2676	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 448 wrote to memory of 2676	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 448 wrote to memory of 2064	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 448 wrote to memory of 2064	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 448 wrote to memory of 3464	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 448 wrote to memory of 3464	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 448 wrote to memory of 3412	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 448 wrote to memory of 3412	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 448 wrote to memory of 4036	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 448 wrote to memory of 4036	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 448 wrote to memory of 1440	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 448 wrote to memory of 1440	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 448 wrote to memory of 1252	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 448 wrote to memory of 1252	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 448 wrote to memory of 4736	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 448 wrote to memory of 4736	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 448 wrote to memory of 4400	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 448 wrote to memory of 4400	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 448 wrote to memory of 1296	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 448 wrote to memory of 1296	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 448 wrote to memory of 3548	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 448 wrote to memory of 3548	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 448 wrote to memory of 1844	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 448 wrote to memory of 1844	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 448 wrote to memory of 4784	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 448 wrote to memory of 4784	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 448 wrote to memory of 2912	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 448 wrote to memory of 2912	448	2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_80f7620f48b2145fb03ef9674f795bc2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\System\mXusPHV.exe
  C:\Windows\System\mXusPHV.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\rySsmOt.exe
  C:\Windows\System\rySsmOt.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\lIQPeay.exe
  C:\Windows\System\lIQPeay.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\JVUSFVR.exe
  C:\Windows\System\JVUSFVR.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\gnDGnHy.exe
  C:\Windows\System\gnDGnHy.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\gXPerCY.exe
  C:\Windows\System\gXPerCY.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\mKvoUUn.exe
  C:\Windows\System\mKvoUUn.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\EMhcclx.exe
  C:\Windows\System\EMhcclx.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\FZyZRRh.exe
  C:\Windows\System\FZyZRRh.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\kfabTMK.exe
  C:\Windows\System\kfabTMK.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\wsFYTfZ.exe
  C:\Windows\System\wsFYTfZ.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\NqwUimP.exe
  C:\Windows\System\NqwUimP.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\KPlTLod.exe
  C:\Windows\System\KPlTLod.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\SdkQRvk.exe
  C:\Windows\System\SdkQRvk.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\vyRlXXU.exe
  C:\Windows\System\vyRlXXU.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\NgQqVkZ.exe
  C:\Windows\System\NgQqVkZ.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\cudIswO.exe
  C:\Windows\System\cudIswO.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\IjQaIcU.exe
  C:\Windows\System\IjQaIcU.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\gLnSosa.exe
  C:\Windows\System\gLnSosa.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\tpIUQEs.exe
  C:\Windows\System\tpIUQEs.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\ndaJTax.exe
  C:\Windows\System\ndaJTax.exe
  2⤵
  - Executes dropped EXE
  PID:2912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EMhcclx.exe

Filesize
5.2MB

MD5
7249ef7122942b160b19956cd4ee8b79

SHA1
227e3788cc6edd51b6a051d95755d0a81ec19d5e

SHA256
bb4456def112b9be4a45645ed14c77130404e9f229ed04776e010ed4b860bd94

SHA512
f6713af76be531d133e6b2cef25a237407a6479cbbf7e96507a1cf2b86020d74356d4ee5f81bf3664a2887d41b84f79738a1951635a6ae287cd087edb347a9ab

Download Submit
C:\Windows\System\FZyZRRh.exe

Filesize
5.2MB

MD5
5f01d1d055266d2877ae43a93f2ce640

SHA1
d367b3934e7970e905d46e7f8a3dbcac628a6b30

SHA256
4b9007a1ae0f02504d5d41526b55713ef6e3c4bd0cd860ec9390422aaa738721

SHA512
1b3ec1138c1d3557be634156209e4913414149597b05a300b04ba0256e2c308d26a93e44078f15f470d8e47a1ea03f4088931d5ab4ea5808335b33a320215458

Download Submit
C:\Windows\System\IjQaIcU.exe

Filesize
5.2MB

MD5
ce36c7147b15c153a7035f024aceefec

SHA1
4f4f4da5096a2a8e54264f63bebdbd12b1fbdd64

SHA256
1c53e08ca9af4ad7670bf3a422c4d1f9a1814a8da528aeed3ef0a21c32e2a37f

SHA512
f49ec179142d1711ab54541cc908052338c675945e32d8f9e80ec0d986f6ed94ce0c922dd4aa56a55ca679d2277319e40b0b13146de188578ab70ab7f4b645b7

Download Submit
C:\Windows\System\JVUSFVR.exe

Filesize
5.2MB

MD5
124910fc632ca5fd7dadcb11df5c5daf

SHA1
c7710e1b0d84b44e57adc6bc1fa6c2210eb8f6e4

SHA256
f4d5e379863b6b016df5b997493acc71d8f4d41232d8b468a514dbc94bcc27ea

SHA512
c81f72dcd5e2b8af5d5769b6f679615571ed1dfed75705b5d01a5ba4603e4e6057b9fd8216c0721644534fb5572b98fcfa6c5702fb4b1fe63748c146a52d8620

Download Submit
C:\Windows\System\KPlTLod.exe

Filesize
5.2MB

MD5
7609b61bdd9ba17867823b82b2cac1e5

SHA1
051f8a1ef38b66857058d7fc4460681cd8fccdb1

SHA256
36c7de9b8b7b80daea4af76c5407f3ff354ad512a337ae870fe29b98b5ba5405

SHA512
4017a237184d81d151488eb9b644aaa22ac1ba497dada02e54773d214a742d65b437428fadf1d8a2f9312787ecd0fba8384af3b47ad278f7b78bb5302b711bcd

Download Submit
C:\Windows\System\NgQqVkZ.exe

Filesize
5.2MB

MD5
11ed08e756c287dc0504001cedfbdf2a

SHA1
65a1b58f649728a919c7de97933d77e7ff8ce64a

SHA256
29d253164b6a3012865224a679f1bd58d097a681a94c6ae9693a8e208d5a4ebe

SHA512
3c5f2e08dc84fb58a6d462a69f0fa792001c4019abb5e540eeba1164131260b960154b72b2f9fadf1ce6b02d75fb449f1d7082f98fece6250d648ca3b0aa0130

Download Submit
C:\Windows\System\NqwUimP.exe

Filesize
5.2MB

MD5
57d24a4acefd26c03fb9daa8f645a7e4

SHA1
0ca916807c1ae93abd768e6967d1e6f85cc56d1d

SHA256
f90b72727937a900a167e61650504f74fc3f8926e1ff3ce05bd9e79400cf43a4

SHA512
a01167f4c88f9c5f865d0a8794a2e45613ae1b5b94835f3de23e36006daa5583394846184faa5e1facc3406cae5766f320758b79a4eb50f625a226c130a9c36a

Download Submit
C:\Windows\System\SdkQRvk.exe

Filesize
5.2MB

MD5
428d5b95c71503420b37de5084892149

SHA1
29ec9801a5f6085c2ce2faa0012979244cf7ca6c

SHA256
326c87e36bbb8d09c2ee016ef5a8a514b98d5e80ad7cf84af1d4b3ea6cc4ad05

SHA512
9c54f2c9fe816e69d01641dcf2a04b7c16ce1c809c73561fdcb37ed80b5112f8dd685d09b7f09ba9feb40f00624ada9c62c41901bf655767de94dd65b2500f9a

Download Submit
C:\Windows\System\cudIswO.exe

Filesize
5.2MB

MD5
2851559572d62cf189def861de82e672

SHA1
64de0a1a0dc2d9e23c53ef11771de721112ad295

SHA256
96d754727cf31f6b8e255f3b545e5fe3b2fd42ead342952a3c4f8c19f306a6ba

SHA512
add727030d5a3cf22e52add0fb2a52188777200a18b5e5bda4027b9b72e0a1ec9f330c59d5ce69025c395d86486218aaa97104b3becb6aa1c7e392209bf9ce5a

Download Submit
C:\Windows\System\gLnSosa.exe

Filesize
5.2MB

MD5
a7249b1901d1002788a70cdc0ce5f717

SHA1
8129c838121ade38fe52655171a5e3622cb29377

SHA256
6f4e24734b5472e8d8b528393ab57f581c2c08c53ffc84d48c7231186c526dee

SHA512
26e282f550ecd82d6a25e1bf1228e9c38ed8f1e90b16f52c1b000dd61d69e0ef51868ea6aef330453b35d131cad8e15a3710f252d9b82c4d5430f9a1aa3dcdb8

Download Submit
C:\Windows\System\gXPerCY.exe

Filesize
5.2MB

MD5
bddae7743c20faa0014fd85747fedb06

SHA1
4896bd1ad6699072d7f0ddd9d0200a34d98cd0da

SHA256
1ff5c0f89178767491d508d44fb1790af0183e4c22ef6b61e7f24be629877e1e

SHA512
985c32301c447b326ac3474643d2fd816cf817cfcdf3db9b5268f7749b5e262ab67f786c3a5a2c7852986b75dd98829694d70a0cb725f30ddb12c0bdce72177e

Download Submit
C:\Windows\System\gnDGnHy.exe

Filesize
5.2MB

MD5
98db07b09e919b3083eb4dbedbde8121

SHA1
b6aa279070ff7f06f384706754140667fb23be37

SHA256
55218839c2c8506851aa615f990e47aa136191fca7cf03b4baee98295de75cd1

SHA512
ecfa75004c5c84e7dea1636d9b2455a05fe2d2f685f19a3dcda138e7e417e751d49e38b57e99ae1c8443264c7270b34b13f3d2a031fa9b232f5532fa40092ea7

Download Submit
C:\Windows\System\kfabTMK.exe

Filesize
5.2MB

MD5
06ef13b52e388a3929e3ef75efd73937

SHA1
b2dd1beb1d30c5e090154c3a3c8c67899d5a22bf

SHA256
2148258db1d8dd8af7b0a10ecb9dcb597b19a68d8c32eb67e1821810fabbaf7f

SHA512
e7af7ab60da057c7725de4053be7345e142c05620a8d5d7e1caae9e721afb34e34ca1aa27ca91b97e6d5eb736431b3815b50094ffa5356a93398e2f08ba2d640

Download Submit
C:\Windows\System\lIQPeay.exe

Filesize
5.2MB

MD5
9981bcb47e0cd84697886c4495f4cde6

SHA1
01771c271c4c1a1173f15ef43ef647e2856e5da9

SHA256
8a2c027e0428596046c37a4392f044c36be4d176d81e1b33e8d72d1d9f1cf853

SHA512
129899c1f79bb2f3de6ce3491be81856cb9cc00f35b40cd3b81655dafd833fbbca193a1933344c488eeda71f759daa8c3fe212b65a21d84d7303acaa2a1e7411

Download Submit
C:\Windows\System\mKvoUUn.exe

Filesize
5.2MB

MD5
dfe17d67558207c939cd51c350168423

SHA1
7daa2187737dba722eaf7d749f09886436693398

SHA256
175001118b3d88bf34e63d9d48f7654c535690eb30a6ecda3f5c3a0e29f7ccfa

SHA512
e3094ab549a1dd499c88aa8299266646921b59afd14e9a33eef5fb45cd74d3d71b806306bf9222f0d2c1df15f030eea589f0bba2bf016d49b857afdc26ab7517

Download Submit
C:\Windows\System\mXusPHV.exe

Filesize
5.2MB

MD5
1e849e72db2fd09dad5771e0bd8cfd4d

SHA1
2e34b18002048dfd9ed80d05dced3f515ead98be

SHA256
e24a14428835f456eb7f9aae51c2cb346a3e3a0f8ed39a928a87aef205fff898

SHA512
91c6e97a94d6c5ee3e42ecbbc2b978f1d94155b10cd85b3f9bda612f63db46f4ef91277ccc3080daaf13c48759f8ea75fed6eba8ef0f0a503b771898801d142a

Download Submit
C:\Windows\System\ndaJTax.exe

Filesize
5.2MB

MD5
12ecf4c9a37b9926bf5ab2af237e3521

SHA1
364256eadf22dc67ceae3f1567cded7dafd99521

SHA256
3ecf63f70eba019c1dd34e0bf9d01e8d6cc5e3c30259d49cc204f323cc5e651c

SHA512
307c08f913393db80f556d21b0345cfb71408c30caa21f943abf575f7c1bdcd2fec310186226016ecd36c89d23e303e6e91f83cc1d768936eb31dbdca355e325

Download Submit
C:\Windows\System\rySsmOt.exe

Filesize
5.2MB

MD5
908b6ed0007151c5752fd7afab349ada

SHA1
8ddf902bd5c7b39529e9065d4c2fbd924722e3f7

SHA256
7fdc19a9e801774b8eb216e63a179863fa0acbde14acfe4b8ee095d73438968e

SHA512
a3569c866d82ab4caaea82e4fa9e87870a6ef816c0d0b3f215f37b44092e6fe9622468a669b9606b0a0ba5c7e8153b61221071bdb1271856db41ea59d8f71b01

Download Submit
C:\Windows\System\tpIUQEs.exe

Filesize
5.2MB

MD5
ebe2830cb0bebd5d6580bbde979e917f

SHA1
19c7bc80a70c52f9dbdf126d4a28a205009d5c65

SHA256
ae342cdcf5d6b1ab1eb24ff526d169724bb1b4eec4cfd8eea844eb5162b7f3f1

SHA512
6280b1436ff662f8fb75f0854297dcc720343192fd01ae80db69502610b49fd9ae21a01c85c81a640c840641eb79375a0045e9752e3db905970fc0795a6b2a09

Download Submit
C:\Windows\System\vyRlXXU.exe

Filesize
5.2MB

MD5
c8091fe8d2f3f0c2c364ef52c3d95f53

SHA1
9e3a31ac6d86e60d82ef54b6b411c170dd8b3910

SHA256
32e4705ffc8840c3cd1893113e5fb87aeb15a8d564d752ea1443e83f7af32cdf

SHA512
e99433860707fd47dc7c2bb6e0644e2329fb5f960194126eab0baaaedc47138020bea7e39b7628dca9a5d55bc65cff815d86fbb20f668b87c0ca0094087672ad

Download Submit
C:\Windows\System\wsFYTfZ.exe

Filesize
5.2MB

MD5
1d7560034d013a4a3b15d0f4db9a7a6e

SHA1
0d5bb335df5dad7f0d3c089edb78a6032010ad14

SHA256
3088030c18215cfc7bda07cd858d683da9af5834465a0d0a8a531c7d6f22cdd1

SHA512
37ea19a6f2681692dceb3f62c4640e1ddaac2b3c68aca40cc941ccfaf0ae3a6f0ecefc43591f1e310d60dcbb86b06306ebb3307a190abac5dc8e00eac6d94b7a

Download Submit
memory/448-0-0x00007FF789270000-0x00007FF7895C1000-memory.dmp

Filesize
3.3MB

Download
memory/448-159-0x00007FF789270000-0x00007FF7895C1000-memory.dmp

Filesize
3.3MB

Download
memory/448-1-0x000001D5E8B80000-0x000001D5E8B90000-memory.dmp

Filesize
64KB

Download
memory/448-78-0x00007FF789270000-0x00007FF7895C1000-memory.dmp

Filesize
3.3MB

Download
memory/448-134-0x00007FF789270000-0x00007FF7895C1000-memory.dmp

Filesize
3.3MB

Download
memory/452-129-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp

Filesize
3.3MB

Download
memory/452-12-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp

Filesize
3.3MB

Download
memory/452-215-0x00007FF6BE950000-0x00007FF6BECA1000-memory.dmp

Filesize
3.3MB

Download
memory/1252-249-0x00007FF669C20000-0x00007FF669F71000-memory.dmp

Filesize
3.3MB

Download
memory/1252-118-0x00007FF669C20000-0x00007FF669F71000-memory.dmp

Filesize
3.3MB

Download
memory/1296-121-0x00007FF7D18D0000-0x00007FF7D1C21000-memory.dmp

Filesize
3.3MB

Download
memory/1296-154-0x00007FF7D18D0000-0x00007FF7D1C21000-memory.dmp

Filesize
3.3MB

Download
memory/1296-266-0x00007FF7D18D0000-0x00007FF7D1C21000-memory.dmp

Filesize
3.3MB

Download
memory/1440-150-0x00007FF7B6740000-0x00007FF7B6A91000-memory.dmp

Filesize
3.3MB

Download
memory/1440-96-0x00007FF7B6740000-0x00007FF7B6A91000-memory.dmp

Filesize
3.3MB

Download
memory/1440-250-0x00007FF7B6740000-0x00007FF7B6A91000-memory.dmp

Filesize
3.3MB

Download
memory/1584-117-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp

Filesize
3.3MB

Download
memory/1584-8-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp

Filesize
3.3MB

Download
memory/1584-207-0x00007FF6A0340000-0x00007FF6A0691000-memory.dmp

Filesize
3.3MB

Download
memory/1752-219-0x00007FF646000000-0x00007FF646351000-memory.dmp

Filesize
3.3MB

Download
memory/1752-25-0x00007FF646000000-0x00007FF646351000-memory.dmp

Filesize
3.3MB

Download
memory/1752-132-0x00007FF646000000-0x00007FF646351000-memory.dmp

Filesize
3.3MB

Download
memory/1844-113-0x00007FF737C20000-0x00007FF737F71000-memory.dmp

Filesize
3.3MB

Download
memory/1844-156-0x00007FF737C20000-0x00007FF737F71000-memory.dmp

Filesize
3.3MB

Download
memory/1844-264-0x00007FF737C20000-0x00007FF737F71000-memory.dmp

Filesize
3.3MB

Download
memory/2064-243-0x00007FF78DD70000-0x00007FF78E0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-59-0x00007FF78DD70000-0x00007FF78E0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-143-0x00007FF78DD70000-0x00007FF78E0C1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-244-0x00007FF6FFEA0000-0x00007FF7001F1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-54-0x00007FF6FFEA0000-0x00007FF7001F1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-145-0x00007FF6FFEA0000-0x00007FF7001F1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-263-0x00007FF668B70000-0x00007FF668EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-128-0x00007FF668B70000-0x00007FF668EC1000-memory.dmp

Filesize
3.3MB

Download
memory/3412-246-0x00007FF6ED390000-0x00007FF6ED6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3412-87-0x00007FF6ED390000-0x00007FF6ED6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-68-0x00007FF638EA0000-0x00007FF6391F1000-memory.dmp

Filesize
3.3MB

Download
memory/3464-240-0x00007FF638EA0000-0x00007FF6391F1000-memory.dmp

Filesize
3.3MB

Download
memory/3548-112-0x00007FF6A3EF0000-0x00007FF6A4241000-memory.dmp

Filesize
3.3MB

Download
memory/3548-259-0x00007FF6A3EF0000-0x00007FF6A4241000-memory.dmp

Filesize
3.3MB

Download
memory/3548-155-0x00007FF6A3EF0000-0x00007FF6A4241000-memory.dmp

Filesize
3.3MB

Download
memory/4036-77-0x00007FF655410000-0x00007FF655761000-memory.dmp

Filesize
3.3MB

Download
memory/4036-149-0x00007FF655410000-0x00007FF655761000-memory.dmp

Filesize
3.3MB

Download
memory/4036-253-0x00007FF655410000-0x00007FF655761000-memory.dmp

Filesize
3.3MB

Download
memory/4148-38-0x00007FF6CB040000-0x00007FF6CB391000-memory.dmp

Filesize
3.3MB

Download
memory/4148-235-0x00007FF6CB040000-0x00007FF6CB391000-memory.dmp

Filesize
3.3MB

Download
memory/4148-135-0x00007FF6CB040000-0x00007FF6CB391000-memory.dmp

Filesize
3.3MB

Download
memory/4400-122-0x00007FF61ED70000-0x00007FF61F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4400-256-0x00007FF61ED70000-0x00007FF61F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-142-0x00007FF6C3340000-0x00007FF6C3691000-memory.dmp

Filesize
3.3MB

Download
memory/4456-238-0x00007FF6C3340000-0x00007FF6C3691000-memory.dmp

Filesize
3.3MB

Download
memory/4456-47-0x00007FF6C3340000-0x00007FF6C3691000-memory.dmp

Filesize
3.3MB

Download
memory/4736-254-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp

Filesize
3.3MB

Download
memory/4736-106-0x00007FF6B5170000-0x00007FF6B54C1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-261-0x00007FF740020000-0x00007FF740371000-memory.dmp

Filesize
3.3MB

Download
memory/4784-127-0x00007FF740020000-0x00007FF740371000-memory.dmp

Filesize
3.3MB

Download
memory/4816-131-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-18-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-217-0x00007FF642CA0000-0x00007FF642FF1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-133-0x00007FF7010D0000-0x00007FF701421000-memory.dmp

Filesize
3.3MB

Download
memory/5040-30-0x00007FF7010D0000-0x00007FF701421000-memory.dmp

Filesize
3.3MB

Download
memory/5040-221-0x00007FF7010D0000-0x00007FF701421000-memory.dmp

Filesize
3.3MB

Download