cobaltstrike | 6bf733deece8372ee2ac329909be55e49907131549401627841690e811e369aa

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

90b3bb47335961e8a536b53b3680a036
SHA1

4179f823c3c31b127a469249dbd2237cd3bb9bd8
SHA256

6bf733deece8372ee2ac329909be55e49907131549401627841690e811e369aa
SHA512

328cad8a5393e3faf379273221e0b9d8f916d9efd1a7c4324d5ad384fd890297a3e16aeb1a786baefebefc060a883e84dd5c649def500bf8fbcd84d27bff461d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibf56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234f0-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f5-18.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f7-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f8-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fa-47.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234f1-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023500-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023501-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023502-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023504-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023503-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ff-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fe-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fd-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fc-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fb-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f9-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f6-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023507-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023505-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1880-88-0x00007FF646CF0000-0x00007FF647041000-memory.dmp	xmrig
behavioral2/memory/964-91-0x00007FF7D0F70000-0x00007FF7D12C1000-memory.dmp	xmrig
behavioral2/memory/4796-107-0x00007FF68C680000-0x00007FF68C9D1000-memory.dmp	xmrig
behavioral2/memory/1460-110-0x00007FF633C40000-0x00007FF633F91000-memory.dmp	xmrig
behavioral2/memory/3196-114-0x00007FF780FC0000-0x00007FF781311000-memory.dmp	xmrig
behavioral2/memory/4840-111-0x00007FF7E4920000-0x00007FF7E4C71000-memory.dmp	xmrig
behavioral2/memory/1200-106-0x00007FF67BBC0000-0x00007FF67BF11000-memory.dmp	xmrig
behavioral2/memory/4152-105-0x00007FF727830000-0x00007FF727B81000-memory.dmp	xmrig
behavioral2/memory/3248-125-0x00007FF754160000-0x00007FF7544B1000-memory.dmp	xmrig
behavioral2/memory/1412-128-0x00007FF725280000-0x00007FF7255D1000-memory.dmp	xmrig
behavioral2/memory/4628-130-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp	xmrig
behavioral2/memory/1328-129-0x00007FF7ABB40000-0x00007FF7ABE91000-memory.dmp	xmrig
behavioral2/memory/4284-117-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp	xmrig
behavioral2/memory/4284-131-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp	xmrig
behavioral2/memory/1628-135-0x00007FF789C20000-0x00007FF789F71000-memory.dmp	xmrig
behavioral2/memory/3348-133-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp	xmrig
behavioral2/memory/3924-138-0x00007FF656E40000-0x00007FF657191000-memory.dmp	xmrig
behavioral2/memory/4248-140-0x00007FF7300C0000-0x00007FF730411000-memory.dmp	xmrig
behavioral2/memory/228-142-0x00007FF607070000-0x00007FF6073C1000-memory.dmp	xmrig
behavioral2/memory/4408-141-0x00007FF6CD370000-0x00007FF6CD6C1000-memory.dmp	xmrig
behavioral2/memory/3940-139-0x00007FF655CF0000-0x00007FF656041000-memory.dmp	xmrig
behavioral2/memory/4280-152-0x00007FF7F8050000-0x00007FF7F83A1000-memory.dmp	xmrig
behavioral2/memory/832-151-0x00007FF7A3550000-0x00007FF7A38A1000-memory.dmp	xmrig
behavioral2/memory/4284-155-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp	xmrig
behavioral2/memory/3248-210-0x00007FF754160000-0x00007FF7544B1000-memory.dmp	xmrig
behavioral2/memory/4628-212-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp	xmrig
behavioral2/memory/3348-214-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp	xmrig
behavioral2/memory/1628-216-0x00007FF789C20000-0x00007FF789F71000-memory.dmp	xmrig
behavioral2/memory/3924-218-0x00007FF656E40000-0x00007FF657191000-memory.dmp	xmrig
behavioral2/memory/4248-220-0x00007FF7300C0000-0x00007FF730411000-memory.dmp	xmrig
behavioral2/memory/3940-222-0x00007FF655CF0000-0x00007FF656041000-memory.dmp	xmrig
behavioral2/memory/4408-232-0x00007FF6CD370000-0x00007FF6CD6C1000-memory.dmp	xmrig
behavioral2/memory/1460-236-0x00007FF633C40000-0x00007FF633F91000-memory.dmp	xmrig
behavioral2/memory/228-234-0x00007FF607070000-0x00007FF6073C1000-memory.dmp	xmrig
behavioral2/memory/1880-238-0x00007FF646CF0000-0x00007FF647041000-memory.dmp	xmrig
behavioral2/memory/964-240-0x00007FF7D0F70000-0x00007FF7D12C1000-memory.dmp	xmrig
behavioral2/memory/4152-242-0x00007FF727830000-0x00007FF727B81000-memory.dmp	xmrig
behavioral2/memory/1200-244-0x00007FF67BBC0000-0x00007FF67BF11000-memory.dmp	xmrig
behavioral2/memory/4796-246-0x00007FF68C680000-0x00007FF68C9D1000-memory.dmp	xmrig
behavioral2/memory/4840-251-0x00007FF7E4920000-0x00007FF7E4C71000-memory.dmp	xmrig
behavioral2/memory/3196-253-0x00007FF780FC0000-0x00007FF781311000-memory.dmp	xmrig
behavioral2/memory/832-255-0x00007FF7A3550000-0x00007FF7A38A1000-memory.dmp	xmrig
behavioral2/memory/4280-257-0x00007FF7F8050000-0x00007FF7F83A1000-memory.dmp	xmrig
behavioral2/memory/1412-261-0x00007FF725280000-0x00007FF7255D1000-memory.dmp	xmrig
behavioral2/memory/1328-263-0x00007FF7ABB40000-0x00007FF7ABE91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3248	GmWUNiO.exe
4628	spGVbxI.exe
3348	gwLzsQT.exe
1628	SeWwwwU.exe
3924	sGphxvA.exe
3940	NkQedUy.exe
4248	rjWIutC.exe
4408	aCUwQSD.exe
228	fzoHwXS.exe
1460	MSxkGTd.exe
1880	zAjOqSG.exe
964	HnWAjOl.exe
4152	KtUCzRk.exe
1200	SgrWnnH.exe
4796	xukCJEu.exe
4840	RqFQjIu.exe
3196	jNjMyly.exe
832	HiGXTeW.exe
4280	bSTXVTZ.exe
1412	GWWjsYL.exe
1328	UzLwYIp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4284-0-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp	upx
behavioral2/files/0x00080000000234f0-5.dat	upx
behavioral2/files/0x00070000000234f4-12.dat	upx
behavioral2/memory/4628-13-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp	upx
behavioral2/files/0x00070000000234f5-18.dat	upx
behavioral2/memory/3348-21-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp	upx
behavioral2/files/0x00070000000234f7-26.dat	upx
behavioral2/files/0x00070000000234f8-30.dat	upx
behavioral2/memory/4248-41-0x00007FF7300C0000-0x00007FF730411000-memory.dmp	upx
behavioral2/files/0x00070000000234fa-47.dat	upx
behavioral2/files/0x00080000000234f1-78.dat	upx
behavioral2/memory/228-85-0x00007FF607070000-0x00007FF6073C1000-memory.dmp	upx
behavioral2/memory/1880-88-0x00007FF646CF0000-0x00007FF647041000-memory.dmp	upx
behavioral2/memory/964-91-0x00007FF7D0F70000-0x00007FF7D12C1000-memory.dmp	upx
behavioral2/files/0x0007000000023500-90.dat	upx
behavioral2/files/0x0007000000023501-86.dat	upx
behavioral2/files/0x0007000000023502-97.dat	upx
behavioral2/files/0x0007000000023504-104.dat	upx
behavioral2/memory/4796-107-0x00007FF68C680000-0x00007FF68C9D1000-memory.dmp	upx
behavioral2/memory/1460-110-0x00007FF633C40000-0x00007FF633F91000-memory.dmp	upx
behavioral2/memory/3196-114-0x00007FF780FC0000-0x00007FF781311000-memory.dmp	upx
behavioral2/files/0x0007000000023503-112.dat	upx
behavioral2/memory/4840-111-0x00007FF7E4920000-0x00007FF7E4C71000-memory.dmp	upx
behavioral2/memory/4280-109-0x00007FF7F8050000-0x00007FF7F83A1000-memory.dmp	upx
behavioral2/memory/832-108-0x00007FF7A3550000-0x00007FF7A38A1000-memory.dmp	upx
behavioral2/memory/1200-106-0x00007FF67BBC0000-0x00007FF67BF11000-memory.dmp	upx
behavioral2/memory/4152-105-0x00007FF727830000-0x00007FF727B81000-memory.dmp	upx
behavioral2/files/0x00070000000234ff-74.dat	upx
behavioral2/files/0x00070000000234fe-69.dat	upx
behavioral2/files/0x00070000000234fd-64.dat	upx
behavioral2/files/0x00070000000234fc-59.dat	upx
behavioral2/files/0x00070000000234fb-57.dat	upx
behavioral2/memory/4408-50-0x00007FF6CD370000-0x00007FF6CD6C1000-memory.dmp	upx
behavioral2/files/0x00070000000234f9-44.dat	upx
behavioral2/memory/3940-40-0x00007FF655CF0000-0x00007FF656041000-memory.dmp	upx
behavioral2/memory/3924-34-0x00007FF656E40000-0x00007FF657191000-memory.dmp	upx
behavioral2/memory/1628-28-0x00007FF789C20000-0x00007FF789F71000-memory.dmp	upx
behavioral2/files/0x00070000000234f6-32.dat	upx
behavioral2/memory/3248-8-0x00007FF754160000-0x00007FF7544B1000-memory.dmp	upx
behavioral2/memory/3248-125-0x00007FF754160000-0x00007FF7544B1000-memory.dmp	upx
behavioral2/files/0x0007000000023507-124.dat	upx
behavioral2/memory/1412-128-0x00007FF725280000-0x00007FF7255D1000-memory.dmp	upx
behavioral2/memory/4628-130-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp	upx
behavioral2/memory/1328-129-0x00007FF7ABB40000-0x00007FF7ABE91000-memory.dmp	upx
behavioral2/files/0x0007000000023505-122.dat	upx
behavioral2/memory/4284-117-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp	upx
behavioral2/memory/4284-131-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp	upx
behavioral2/memory/1628-135-0x00007FF789C20000-0x00007FF789F71000-memory.dmp	upx
behavioral2/memory/3348-133-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp	upx
behavioral2/memory/3924-138-0x00007FF656E40000-0x00007FF657191000-memory.dmp	upx
behavioral2/memory/4248-140-0x00007FF7300C0000-0x00007FF730411000-memory.dmp	upx
behavioral2/memory/228-142-0x00007FF607070000-0x00007FF6073C1000-memory.dmp	upx
behavioral2/memory/4408-141-0x00007FF6CD370000-0x00007FF6CD6C1000-memory.dmp	upx
behavioral2/memory/3940-139-0x00007FF655CF0000-0x00007FF656041000-memory.dmp	upx
behavioral2/memory/4280-152-0x00007FF7F8050000-0x00007FF7F83A1000-memory.dmp	upx
behavioral2/memory/832-151-0x00007FF7A3550000-0x00007FF7A38A1000-memory.dmp	upx
behavioral2/memory/4284-155-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp	upx
behavioral2/memory/3248-210-0x00007FF754160000-0x00007FF7544B1000-memory.dmp	upx
behavioral2/memory/4628-212-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp	upx
behavioral2/memory/3348-214-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp	upx
behavioral2/memory/1628-216-0x00007FF789C20000-0x00007FF789F71000-memory.dmp	upx
behavioral2/memory/3924-218-0x00007FF656E40000-0x00007FF657191000-memory.dmp	upx
behavioral2/memory/4248-220-0x00007FF7300C0000-0x00007FF730411000-memory.dmp	upx
behavioral2/memory/3940-222-0x00007FF655CF0000-0x00007FF656041000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jNjMyly.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bSTXVTZ.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sGphxvA.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rjWIutC.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MSxkGTd.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fzoHwXS.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HnWAjOl.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtUCzRk.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SgrWnnH.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RqFQjIu.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GmWUNiO.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gwLzsQT.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SeWwwwU.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UzLwYIp.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zAjOqSG.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xukCJEu.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HiGXTeW.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GWWjsYL.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\spGVbxI.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NkQedUy.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aCUwQSD.exe	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3248	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4284 wrote to memory of 3248	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4284 wrote to memory of 4628	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4284 wrote to memory of 4628	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4284 wrote to memory of 3348	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4284 wrote to memory of 3348	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4284 wrote to memory of 1628	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4284 wrote to memory of 1628	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4284 wrote to memory of 3924	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4284 wrote to memory of 3924	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4284 wrote to memory of 3940	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4284 wrote to memory of 3940	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4284 wrote to memory of 4248	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4284 wrote to memory of 4248	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4284 wrote to memory of 4408	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4284 wrote to memory of 4408	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4284 wrote to memory of 228	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4284 wrote to memory of 228	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4284 wrote to memory of 1460	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4284 wrote to memory of 1460	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4284 wrote to memory of 1880	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4284 wrote to memory of 1880	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4284 wrote to memory of 964	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4284 wrote to memory of 964	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4284 wrote to memory of 4152	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4284 wrote to memory of 4152	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4284 wrote to memory of 1200	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4284 wrote to memory of 1200	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4284 wrote to memory of 4796	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4284 wrote to memory of 4796	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4284 wrote to memory of 4840	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4284 wrote to memory of 4840	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4284 wrote to memory of 3196	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4284 wrote to memory of 3196	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4284 wrote to memory of 832	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4284 wrote to memory of 832	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4284 wrote to memory of 4280	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4284 wrote to memory of 4280	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4284 wrote to memory of 1412	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4284 wrote to memory of 1412	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4284 wrote to memory of 1328	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4284 wrote to memory of 1328	4284	2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_90b3bb47335961e8a536b53b3680a036_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\System\GmWUNiO.exe
  C:\Windows\System\GmWUNiO.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\spGVbxI.exe
  C:\Windows\System\spGVbxI.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\gwLzsQT.exe
  C:\Windows\System\gwLzsQT.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\SeWwwwU.exe
  C:\Windows\System\SeWwwwU.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\sGphxvA.exe
  C:\Windows\System\sGphxvA.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\NkQedUy.exe
  C:\Windows\System\NkQedUy.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\rjWIutC.exe
  C:\Windows\System\rjWIutC.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\aCUwQSD.exe
  C:\Windows\System\aCUwQSD.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\fzoHwXS.exe
  C:\Windows\System\fzoHwXS.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\MSxkGTd.exe
  C:\Windows\System\MSxkGTd.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\zAjOqSG.exe
  C:\Windows\System\zAjOqSG.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\HnWAjOl.exe
  C:\Windows\System\HnWAjOl.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\KtUCzRk.exe
  C:\Windows\System\KtUCzRk.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\SgrWnnH.exe
  C:\Windows\System\SgrWnnH.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\xukCJEu.exe
  C:\Windows\System\xukCJEu.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\RqFQjIu.exe
  C:\Windows\System\RqFQjIu.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\jNjMyly.exe
  C:\Windows\System\jNjMyly.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\HiGXTeW.exe
  C:\Windows\System\HiGXTeW.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\bSTXVTZ.exe
  C:\Windows\System\bSTXVTZ.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\GWWjsYL.exe
  C:\Windows\System\GWWjsYL.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\UzLwYIp.exe
  C:\Windows\System\UzLwYIp.exe
  2⤵
  - Executes dropped EXE
  PID:1328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GWWjsYL.exe

Filesize
5.2MB

MD5
a30ab631b8b9f181aa801ad660f7e03f

SHA1
274522c62243e778db1905adb45d3a8055320aea

SHA256
a13ebb2d0d3e091eeddc70bbe9ffa7b98b52c973ff5fedd9b9f6b7d9c8722227

SHA512
ce53d5f7ca9103791340b63816b1a91d0cfd911d50726854775d75bb0cad72ca3845ba39d654e5840c39716d2a76813b03d9cd76b8fffeffc85777d13f6ba786

Download Submit
C:\Windows\System\GmWUNiO.exe

Filesize
5.2MB

MD5
576c6ce98796397e5805ce2b46510620

SHA1
9298a0db7fec211b3768f59ca22eb2bf360bdb2b

SHA256
06ecc4e2d9e252a9ed1dc4c77eaaf0097108f532bc31e55d970546f98b9f78e8

SHA512
829d40acee5af37e2369615dbc8c2ba8233c7c4861d04e8ab5309835d3b08d963f2cbabc1ea0e1a1677f9fd4daa731791da500265032284e8d718d931af012ec

Download Submit
C:\Windows\System\HiGXTeW.exe

Filesize
5.2MB

MD5
c11055acacee222e6ea391157c07fd5a

SHA1
c84657a4126ca9cd61d741eb838b6c02531864e4

SHA256
45ce98c12097ae03488cdb97217f8e2a7331ccdf58e330726a0478150aff194e

SHA512
111f24891e7f92e0e44727a33922cb1092ee1937ca53b6135b599f98ca7eeeefe1d688eb2f01ffd9398bbb16525711fd10643000d99b50c1ee7a91e889955e42

Download Submit
C:\Windows\System\HnWAjOl.exe

Filesize
5.2MB

MD5
f123902197438bd78d98a02360df40c3

SHA1
9e94b957b1265e10ac3523fa409ee89564a772ac

SHA256
228da10bc82569eb7cf559c15ce75e97f2e91af88c4a385c4793c5a7f7301609

SHA512
214d933b122b53c4848a15870057849aaffcbcf09921124c4b04825d6bbbb84b826633403010d1f7531cf35bc42a7c5dcb617f6157d289e225d8ddef1995caf1

Download Submit
C:\Windows\System\KtUCzRk.exe

Filesize
5.2MB

MD5
4158b106fcec137d1bbf4f6192696f66

SHA1
403e7a6c3b1362f0cdeea3fdb2dd8e21428718fc

SHA256
86a11cbfd0b13a79be72d9c692277d24faf44818fdabff1aad411276d63309c6

SHA512
ec0023594128a51b8551a9c66cdc79be14d57487371461ba9c02b8761c28757021271cc51b125eec5950e3c84c04f151a1d9e128e5c288786a505066f2c1646e

Download Submit
C:\Windows\System\MSxkGTd.exe

Filesize
5.2MB

MD5
cfaa845554a7d0d5fdee85566adfe69f

SHA1
95c41364cfe73fecc140c5af4a9147d19510b683

SHA256
8a97e4c21ea56eabb987238370b51590a20b909eba999600e0521a396c5288e3

SHA512
3a15ffd4bcde29f028ad7270ee549765a2217a76497c145602314ed17ed4a1bb67b7547cff28a53e872e9f0ae067d47466b387f4a9622c5e80c82321f9565dfc

Download Submit
C:\Windows\System\NkQedUy.exe

Filesize
5.2MB

MD5
315f79822c2d73177f50facab63885c8

SHA1
31b4241e2efcc8b552b7803b2b8c4203efe58698

SHA256
01bc2910ec139657820c07b51c5bb35b0e0f50bfa14e2a3f4c8312f6e2ea0469

SHA512
996fa9a1eae08e69583539e0f26c932e776c7e68f1627b1bc4e47081a952d987e9204c22f166c598ec48e444c69f241281c84bbc62ddb8bfc0b2d0b79d672eb2

Download Submit
C:\Windows\System\RqFQjIu.exe

Filesize
5.2MB

MD5
01256d6cf46870472af506043df98b69

SHA1
c64763d2a8b0cb239e1c61ee07f0254e57326a81

SHA256
8413b77a01023620fe5b198dbb8743b44d02b0a92207c3b235ff37ea7fae3db2

SHA512
e167c543f7132904a3f1d6d8e78c02a45ab1c96879ccda2001592cb798fa757d992a5b3687b859770aa2f835cc61d31bb0304ba7d9923cc2bc7cf668d69b7c43

Download Submit
C:\Windows\System\SeWwwwU.exe

Filesize
5.2MB

MD5
bdff8ff2c5926285819dcf6fb88e3b8c

SHA1
adaa7ff73b8e31280011e699fcecadc368ef3b0b

SHA256
7ff3a18cc806145ad7d3335913b42177948b3630cbad30d7f185bf1a2fc9a39e

SHA512
d80091e8acdd577d2ab0776f887ed8970c36478c28f9701ca931573f5f65b1fe79074914df8f9ffb457066407d8cbf2a108c8600b9333f58aeb5fc53cbb57af8

Download Submit
C:\Windows\System\SgrWnnH.exe

Filesize
5.2MB

MD5
33a0b9c53fb1b2318514157ac973384f

SHA1
92ea8880e45974197a2719deceb0f9bf01112dfb

SHA256
76e131a011ad1fe1fd7547e972cb34d9eec08f8738aba6068ef1e1e254257879

SHA512
897356306a7e6541dd1b37ed7748e85c55e15643c5b61f7107bad53d49bdfdbb833a2717800e37225b5cb0ac6199575760993c8361d4fe36d69a21c848154455

Download Submit
C:\Windows\System\UzLwYIp.exe

Filesize
5.2MB

MD5
e4140cad9a6abebda716abe59caf811c

SHA1
84b7c7506b9dffc6913479128523016b18f086d3

SHA256
91f8e5f76a62956f9c16d61fd2de5056058cabd56ff944caa111e6882ba2341a

SHA512
0243015ab6b5134fdd676ab6bbe03f9c8944d25a1aeab9ccf4357b549e658c2e3853865d9a0e77eb22229065980dafa5340799e93a574378884cb817a6e816b1

Download Submit
C:\Windows\System\aCUwQSD.exe

Filesize
5.2MB

MD5
9bf91f31ae889d98c36c8594767efd67

SHA1
135382daba86b765936e964b1d4434ce80343675

SHA256
fce6c7f545cd17ac46d1fa464cb94655f7cd218bb54856b6120856f304b7c661

SHA512
122a6b74c6efd65852dd0f334267ff18c9aca1e2e0500023389ed60cb4915d46bc735f268acac392c5bce37b6a18281e6d204aa6e4894ecc39e65b385e2f1e07

Download Submit
C:\Windows\System\bSTXVTZ.exe

Filesize
5.2MB

MD5
c38522d689a976e512f2c6bebd2a4b40

SHA1
1bd376b3dc004dce38c8ccf7b0b1fd15d0301dd7

SHA256
40b2f6ce0f949ecccb502b74b3cb684b28c9c86bfd1a46e550266739e51bc787

SHA512
c9bbaf1a1d51abfb989c542a93e7236ffa7678c5fe93e520d7784167a1475dd0673dba4692c1521f05d9a951ebf140ee31457a142e008e64a465c2d5380aec75

Download Submit
C:\Windows\System\fzoHwXS.exe

Filesize
5.2MB

MD5
9935679e751a0ccbafd00952d2f7f9e0

SHA1
60804ee3d29d9556fc2f1cae509d3c2216c5baff

SHA256
4fa3d72846e8e0f28ecb1a66160b185082fe1d0dc1ce73caa173e27c49fb2acd

SHA512
7a8aa1903d5af9602cbfe3eac4be22e554281f238e0eba56541b7df55e5a02b4fcefb19589845bfdeb26fcb1a3d48137fee6ea334d44ee523b6c7a492348cdf3

Download Submit
C:\Windows\System\gwLzsQT.exe

Filesize
5.2MB

MD5
754240c9751d845a9b8c0ca55bbbea74

SHA1
089762f7325841152228fdd952cc5acb2461105f

SHA256
a92ba1ec444dbe256aae889c1e2a2675395f1b610f5450b4c8c069ea7c87d3c0

SHA512
957fb51696e0b192b295aa8b9d40ce3065923af931449bc94775fc1b54ac1272955ea9165bd7308706972a5bd66f4341f2497be4ed4c1b16090cca1c869d7203

Download Submit
C:\Windows\System\jNjMyly.exe

Filesize
5.2MB

MD5
8c3471c2936e668f1a0e43705b83e506

SHA1
31a7c190a3d6e31dae67c3913cd4060898b82a50

SHA256
9557f9098cefe253e93f717da7709184a9d891c5ee398677219a7514b086cf33

SHA512
ee043b8d6c56c6648506074bd84273d7114082a04919ea34f08ab3b4744568405dfa80ea53f07e4cf191a1cce1d3a577219e2fac2e04112dcdc563fcf40d03f4

Download Submit
C:\Windows\System\rjWIutC.exe

Filesize
5.2MB

MD5
122b4b1614b50bc9fa9c901c7fdc72fe

SHA1
79a3c4512519497b0cd23adf1bbc90074cd8eed9

SHA256
c56489bf34e10ad8dc478eae174eea48f7a0c8a0fa2b8c6ef2bf899b6a3c37a2

SHA512
f9caf62d79c1cdace27ffab7e1e35c2426dffc5a3de1280856922b333a66f7cf69795d5435f3f6302763c4379356dd6d6201cac500470cb3f73d9d29f0e32ce5

Download Submit
C:\Windows\System\sGphxvA.exe

Filesize
5.2MB

MD5
a0a61f8d74ada550001413c672553d13

SHA1
11711d68fe8ecbbd5ea5395ed39d2319c356a4a9

SHA256
bf2c2d9564f56ec92ebfbad9caf99540329183438c4c210410fb710e96c55fcc

SHA512
7230a7859109a242cd940c014c7f3ed696a9545fd7ab0e5ea4bf62c1e0cc5dc9c790405f7a4eebda13f885c7ac460263c8b49c4ef47ffbd8e8da17d541f96327

Download Submit
C:\Windows\System\spGVbxI.exe

Filesize
5.2MB

MD5
1325932adec1086d1f3d6992576fbaef

SHA1
172f5ffaee2308c9c63a09abc1c55ed1c38a7397

SHA256
580f0c810eef0b17092e0fd975cfdd05b47e16d67ccbb12c187176318ceb1994

SHA512
00993651b29cd896a67f8d227ada500dad28413115283449f5b19c14f9f62968977be70731915f9f49f33505a812c005f7b764eb8d8445491d910d85656a6f53

Download Submit
C:\Windows\System\xukCJEu.exe

Filesize
5.2MB

MD5
d0169420c258ddf0d7674fb9c867bdec

SHA1
d890fca96b8a1b9c6adb5edc51a19a722044f650

SHA256
608dd4faa28a363e702e279b5a4b35c94f0ee7339363e9cb8a0cc8d1e7adecb9

SHA512
45c8fdea4857bd5ddbae8c6c05af99e739c4cfe3b131d31c7f0ffe7622f55afa2a7179fb5fe4b9c228490d9ce0b803279f2947a61ada4d001d2c830ea99c82aa

Download Submit
C:\Windows\System\zAjOqSG.exe

Filesize
5.2MB

MD5
8c98c2adce29e5fffd223a2ab27f4223

SHA1
48b60c8b8ca2facd0b26a3444d066dfed39e4027

SHA256
d20f5fa72d11a7cd0796d231390fdaf06cbd68ca8439490b0efd2e0ecd08990e

SHA512
b54439af141917153469ec2eaf0192c2a5fbf42021a6cc3515b0c64da27383b88e6b31e25bb9e33b58c9c10268f5376ae7a732d5c7b40e3881eda4b429f4b583

Download Submit
memory/228-234-0x00007FF607070000-0x00007FF6073C1000-memory.dmp

Filesize
3.3MB

Download
memory/228-142-0x00007FF607070000-0x00007FF6073C1000-memory.dmp

Filesize
3.3MB

Download
memory/228-85-0x00007FF607070000-0x00007FF6073C1000-memory.dmp

Filesize
3.3MB

Download
memory/832-151-0x00007FF7A3550000-0x00007FF7A38A1000-memory.dmp

Filesize
3.3MB

Download
memory/832-108-0x00007FF7A3550000-0x00007FF7A38A1000-memory.dmp

Filesize
3.3MB

Download
memory/832-255-0x00007FF7A3550000-0x00007FF7A38A1000-memory.dmp

Filesize
3.3MB

Download
memory/964-240-0x00007FF7D0F70000-0x00007FF7D12C1000-memory.dmp

Filesize
3.3MB

Download
memory/964-91-0x00007FF7D0F70000-0x00007FF7D12C1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-244-0x00007FF67BBC0000-0x00007FF67BF11000-memory.dmp

Filesize
3.3MB

Download
memory/1200-106-0x00007FF67BBC0000-0x00007FF67BF11000-memory.dmp

Filesize
3.3MB

Download
memory/1328-129-0x00007FF7ABB40000-0x00007FF7ABE91000-memory.dmp

Filesize
3.3MB

Download
memory/1328-263-0x00007FF7ABB40000-0x00007FF7ABE91000-memory.dmp

Filesize
3.3MB

Download
memory/1412-261-0x00007FF725280000-0x00007FF7255D1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-128-0x00007FF725280000-0x00007FF7255D1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-236-0x00007FF633C40000-0x00007FF633F91000-memory.dmp

Filesize
3.3MB

Download
memory/1460-110-0x00007FF633C40000-0x00007FF633F91000-memory.dmp

Filesize
3.3MB

Download
memory/1628-28-0x00007FF789C20000-0x00007FF789F71000-memory.dmp

Filesize
3.3MB

Download
memory/1628-135-0x00007FF789C20000-0x00007FF789F71000-memory.dmp

Filesize
3.3MB

Download
memory/1628-216-0x00007FF789C20000-0x00007FF789F71000-memory.dmp

Filesize
3.3MB

Download
memory/1880-238-0x00007FF646CF0000-0x00007FF647041000-memory.dmp

Filesize
3.3MB

Download
memory/1880-88-0x00007FF646CF0000-0x00007FF647041000-memory.dmp

Filesize
3.3MB

Download
memory/3196-253-0x00007FF780FC0000-0x00007FF781311000-memory.dmp

Filesize
3.3MB

Download
memory/3196-114-0x00007FF780FC0000-0x00007FF781311000-memory.dmp

Filesize
3.3MB

Download
memory/3248-210-0x00007FF754160000-0x00007FF7544B1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-8-0x00007FF754160000-0x00007FF7544B1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-125-0x00007FF754160000-0x00007FF7544B1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-21-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp

Filesize
3.3MB

Download
memory/3348-214-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp

Filesize
3.3MB

Download
memory/3348-133-0x00007FF7B77D0000-0x00007FF7B7B21000-memory.dmp

Filesize
3.3MB

Download
memory/3924-34-0x00007FF656E40000-0x00007FF657191000-memory.dmp

Filesize
3.3MB

Download
memory/3924-218-0x00007FF656E40000-0x00007FF657191000-memory.dmp

Filesize
3.3MB

Download
memory/3924-138-0x00007FF656E40000-0x00007FF657191000-memory.dmp

Filesize
3.3MB

Download
memory/3940-222-0x00007FF655CF0000-0x00007FF656041000-memory.dmp

Filesize
3.3MB

Download
memory/3940-139-0x00007FF655CF0000-0x00007FF656041000-memory.dmp

Filesize
3.3MB

Download
memory/3940-40-0x00007FF655CF0000-0x00007FF656041000-memory.dmp

Filesize
3.3MB

Download
memory/4152-105-0x00007FF727830000-0x00007FF727B81000-memory.dmp

Filesize
3.3MB

Download
memory/4152-242-0x00007FF727830000-0x00007FF727B81000-memory.dmp

Filesize
3.3MB

Download
memory/4248-140-0x00007FF7300C0000-0x00007FF730411000-memory.dmp

Filesize
3.3MB

Download
memory/4248-41-0x00007FF7300C0000-0x00007FF730411000-memory.dmp

Filesize
3.3MB

Download
memory/4248-220-0x00007FF7300C0000-0x00007FF730411000-memory.dmp

Filesize
3.3MB

Download
memory/4280-109-0x00007FF7F8050000-0x00007FF7F83A1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-152-0x00007FF7F8050000-0x00007FF7F83A1000-memory.dmp

Filesize
3.3MB

Download
memory/4280-257-0x00007FF7F8050000-0x00007FF7F83A1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-0-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-131-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-1-0x000001E767EB0000-0x000001E767EC0000-memory.dmp

Filesize
64KB

Download
memory/4284-117-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-155-0x00007FF72A370000-0x00007FF72A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-141-0x00007FF6CD370000-0x00007FF6CD6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-232-0x00007FF6CD370000-0x00007FF6CD6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-50-0x00007FF6CD370000-0x00007FF6CD6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-212-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp

Filesize
3.3MB

Download
memory/4628-130-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp

Filesize
3.3MB

Download
memory/4628-13-0x00007FF6D6F40000-0x00007FF6D7291000-memory.dmp

Filesize
3.3MB

Download
memory/4796-246-0x00007FF68C680000-0x00007FF68C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-107-0x00007FF68C680000-0x00007FF68C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-251-0x00007FF7E4920000-0x00007FF7E4C71000-memory.dmp

Filesize
3.3MB

Download
memory/4840-111-0x00007FF7E4920000-0x00007FF7E4C71000-memory.dmp

Filesize
3.3MB

Download