cobaltstrike | db71dbe29d6766f51767893f071bbb84d432e5ddbf78147396fdf1ed62a56524

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7f28abee9eba9514ee33eb155235a707
SHA1

ec8fcf38599bc12bc51ec2f208b5382ce74fb6e8
SHA256

db71dbe29d6766f51767893f071bbb84d432e5ddbf78147396fdf1ed62a56524
SHA512

e45b2c4ec7b958414df38f891863b968eacb074b69f69ceb6f8c912607d2b601fe8e669816cedc75e4019c6ce35de841f11413cd39f881e1bb34ce627263358e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023461-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-12.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-24.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346e-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-65.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023465-108.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-35.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2640-118-0x00007FF787130000-0x00007FF787481000-memory.dmp	xmrig
behavioral2/memory/4840-126-0x00007FF71CFA0000-0x00007FF71D2F1000-memory.dmp	xmrig
behavioral2/memory/1716-131-0x00007FF79C6E0000-0x00007FF79CA31000-memory.dmp	xmrig
behavioral2/memory/4996-130-0x00007FF6D89E0000-0x00007FF6D8D31000-memory.dmp	xmrig
behavioral2/memory/3164-129-0x00007FF6A14A0000-0x00007FF6A17F1000-memory.dmp	xmrig
behavioral2/memory/4368-125-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp	xmrig
behavioral2/memory/1452-119-0x00007FF6E4690000-0x00007FF6E49E1000-memory.dmp	xmrig
behavioral2/memory/1632-105-0x00007FF6D89C0000-0x00007FF6D8D11000-memory.dmp	xmrig
behavioral2/memory/2996-91-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp	xmrig
behavioral2/memory/1316-73-0x00007FF646350000-0x00007FF6466A1000-memory.dmp	xmrig
behavioral2/memory/4176-66-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp	xmrig
behavioral2/memory/1492-40-0x00007FF61F660000-0x00007FF61F9B1000-memory.dmp	xmrig
behavioral2/memory/4616-132-0x00007FF7184B0000-0x00007FF718801000-memory.dmp	xmrig
behavioral2/memory/4176-133-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp	xmrig
behavioral2/memory/4196-137-0x00007FF6104E0000-0x00007FF610831000-memory.dmp	xmrig
behavioral2/memory/3928-144-0x00007FF76AAD0000-0x00007FF76AE21000-memory.dmp	xmrig
behavioral2/memory/4584-150-0x00007FF722D70000-0x00007FF7230C1000-memory.dmp	xmrig
behavioral2/memory/3196-148-0x00007FF6E8D50000-0x00007FF6E90A1000-memory.dmp	xmrig
behavioral2/memory/3984-145-0x00007FF7230B0000-0x00007FF723401000-memory.dmp	xmrig
behavioral2/memory/4204-143-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	xmrig
behavioral2/memory/2740-146-0x00007FF65B9C0000-0x00007FF65BD11000-memory.dmp	xmrig
behavioral2/memory/2984-142-0x00007FF6C7250000-0x00007FF6C75A1000-memory.dmp	xmrig
behavioral2/memory/4456-141-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp	xmrig
behavioral2/memory/4176-156-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp	xmrig
behavioral2/memory/1316-212-0x00007FF646350000-0x00007FF6466A1000-memory.dmp	xmrig
behavioral2/memory/2996-214-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp	xmrig
behavioral2/memory/4368-216-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp	xmrig
behavioral2/memory/4616-218-0x00007FF7184B0000-0x00007FF718801000-memory.dmp	xmrig
behavioral2/memory/4196-220-0x00007FF6104E0000-0x00007FF610831000-memory.dmp	xmrig
behavioral2/memory/1492-222-0x00007FF61F660000-0x00007FF61F9B1000-memory.dmp	xmrig
behavioral2/memory/4456-224-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp	xmrig
behavioral2/memory/2984-226-0x00007FF6C7250000-0x00007FF6C75A1000-memory.dmp	xmrig
behavioral2/memory/4204-239-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	xmrig
behavioral2/memory/1632-242-0x00007FF6D89C0000-0x00007FF6D8D11000-memory.dmp	xmrig
behavioral2/memory/3928-245-0x00007FF76AAD0000-0x00007FF76AE21000-memory.dmp	xmrig
behavioral2/memory/3984-244-0x00007FF7230B0000-0x00007FF723401000-memory.dmp	xmrig
behavioral2/memory/4584-247-0x00007FF722D70000-0x00007FF7230C1000-memory.dmp	xmrig
behavioral2/memory/2740-259-0x00007FF65B9C0000-0x00007FF65BD11000-memory.dmp	xmrig
behavioral2/memory/1716-261-0x00007FF79C6E0000-0x00007FF79CA31000-memory.dmp	xmrig
behavioral2/memory/3164-263-0x00007FF6A14A0000-0x00007FF6A17F1000-memory.dmp	xmrig
behavioral2/memory/2640-258-0x00007FF787130000-0x00007FF787481000-memory.dmp	xmrig
behavioral2/memory/4996-252-0x00007FF6D89E0000-0x00007FF6D8D31000-memory.dmp	xmrig
behavioral2/memory/4840-250-0x00007FF71CFA0000-0x00007FF71D2F1000-memory.dmp	xmrig
behavioral2/memory/3196-256-0x00007FF6E8D50000-0x00007FF6E90A1000-memory.dmp	xmrig
behavioral2/memory/1452-254-0x00007FF6E4690000-0x00007FF6E49E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1316	ZnhFuPB.exe
2996	xfgkPUZ.exe
4368	FYQegbg.exe
4616	DBGULVz.exe
4196	yrpVOUv.exe
1492	FmEeyXd.exe
4456	XCwqjhw.exe
2984	tduUrfc.exe
4204	QjahOKm.exe
3928	PwoMEhv.exe
3984	fngvXxH.exe
2740	coZidYP.exe
1632	ZGaRfmK.exe
3196	Totwums.exe
3164	BXJOVng.exe
4584	KPZvkiK.exe
2640	DWkEsAX.exe
1452	BLVezSv.exe
4996	OvioSQq.exe
4840	QrXbmSL.exe
1716	yntRKeZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4176-0-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp	upx
behavioral2/files/0x0009000000023461-6.dat	upx
behavioral2/files/0x0007000000023469-11.dat	upx
behavioral2/memory/4368-18-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp	upx
behavioral2/memory/2996-13-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp	upx
behavioral2/files/0x0007000000023468-12.dat	upx
behavioral2/memory/4616-25-0x00007FF7184B0000-0x00007FF718801000-memory.dmp	upx
behavioral2/files/0x000700000002346a-24.dat	upx
behavioral2/files/0x000700000002346b-29.dat	upx
behavioral2/memory/4196-36-0x00007FF6104E0000-0x00007FF610831000-memory.dmp	upx
behavioral2/memory/4456-45-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp	upx
behavioral2/files/0x000700000002346e-44.dat	upx
behavioral2/files/0x000700000002346f-56.dat	upx
behavioral2/memory/4204-55-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	upx
behavioral2/memory/2984-54-0x00007FF6C7250000-0x00007FF6C75A1000-memory.dmp	upx
behavioral2/files/0x0007000000023471-65.dat	upx
behavioral2/memory/3196-89-0x00007FF6E8D50000-0x00007FF6E90A1000-memory.dmp	upx
behavioral2/files/0x0008000000023465-108.dat	upx
behavioral2/memory/2640-118-0x00007FF787130000-0x00007FF787481000-memory.dmp	upx
behavioral2/memory/4840-126-0x00007FF71CFA0000-0x00007FF71D2F1000-memory.dmp	upx
behavioral2/memory/1716-131-0x00007FF79C6E0000-0x00007FF79CA31000-memory.dmp	upx
behavioral2/memory/4996-130-0x00007FF6D89E0000-0x00007FF6D8D31000-memory.dmp	upx
behavioral2/memory/3164-129-0x00007FF6A14A0000-0x00007FF6A17F1000-memory.dmp	upx
behavioral2/files/0x000700000002347a-127.dat	upx
behavioral2/memory/4368-125-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp	upx
behavioral2/files/0x0007000000023479-122.dat	upx
behavioral2/files/0x0007000000023478-120.dat	upx
behavioral2/memory/1452-119-0x00007FF6E4690000-0x00007FF6E49E1000-memory.dmp	upx
behavioral2/files/0x0007000000023475-115.dat	upx
behavioral2/memory/4584-113-0x00007FF722D70000-0x00007FF7230C1000-memory.dmp	upx
behavioral2/files/0x0007000000023477-111.dat	upx
behavioral2/memory/1632-105-0x00007FF6D89C0000-0x00007FF6D8D11000-memory.dmp	upx
behavioral2/files/0x0007000000023476-101.dat	upx
behavioral2/files/0x0007000000023472-93.dat	upx
behavioral2/files/0x0007000000023474-106.dat	upx
behavioral2/files/0x0007000000023473-84.dat	upx
behavioral2/memory/2996-91-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp	upx
behavioral2/memory/3984-72-0x00007FF7230B0000-0x00007FF723401000-memory.dmp	upx
behavioral2/memory/2740-76-0x00007FF65B9C0000-0x00007FF65BD11000-memory.dmp	upx
behavioral2/memory/1316-73-0x00007FF646350000-0x00007FF6466A1000-memory.dmp	upx
behavioral2/memory/4176-66-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp	upx
behavioral2/files/0x0007000000023470-67.dat	upx
behavioral2/memory/3928-62-0x00007FF76AAD0000-0x00007FF76AE21000-memory.dmp	upx
behavioral2/files/0x000700000002346d-47.dat	upx
behavioral2/memory/1492-40-0x00007FF61F660000-0x00007FF61F9B1000-memory.dmp	upx
behavioral2/files/0x000700000002346c-35.dat	upx
behavioral2/memory/1316-8-0x00007FF646350000-0x00007FF6466A1000-memory.dmp	upx
behavioral2/memory/4616-132-0x00007FF7184B0000-0x00007FF718801000-memory.dmp	upx
behavioral2/memory/4176-133-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp	upx
behavioral2/memory/4196-137-0x00007FF6104E0000-0x00007FF610831000-memory.dmp	upx
behavioral2/memory/3928-144-0x00007FF76AAD0000-0x00007FF76AE21000-memory.dmp	upx
behavioral2/memory/4584-150-0x00007FF722D70000-0x00007FF7230C1000-memory.dmp	upx
behavioral2/memory/3196-148-0x00007FF6E8D50000-0x00007FF6E90A1000-memory.dmp	upx
behavioral2/memory/3984-145-0x00007FF7230B0000-0x00007FF723401000-memory.dmp	upx
behavioral2/memory/4204-143-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	upx
behavioral2/memory/2740-146-0x00007FF65B9C0000-0x00007FF65BD11000-memory.dmp	upx
behavioral2/memory/2984-142-0x00007FF6C7250000-0x00007FF6C75A1000-memory.dmp	upx
behavioral2/memory/4456-141-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp	upx
behavioral2/memory/4176-156-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp	upx
behavioral2/memory/1316-212-0x00007FF646350000-0x00007FF6466A1000-memory.dmp	upx
behavioral2/memory/2996-214-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp	upx
behavioral2/memory/4368-216-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp	upx
behavioral2/memory/4616-218-0x00007FF7184B0000-0x00007FF718801000-memory.dmp	upx
behavioral2/memory/4196-220-0x00007FF6104E0000-0x00007FF610831000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yntRKeZ.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QjahOKm.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fngvXxH.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\coZidYP.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OvioSQq.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yrpVOUv.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZGaRfmK.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPZvkiK.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PwoMEhv.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Totwums.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXJOVng.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DWkEsAX.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZnhFuPB.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYQegbg.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DBGULVz.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tduUrfc.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QrXbmSL.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xfgkPUZ.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FmEeyXd.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCwqjhw.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLVezSv.exe	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1316	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4176 wrote to memory of 1316	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4176 wrote to memory of 2996	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4176 wrote to memory of 2996	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4176 wrote to memory of 4368	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4176 wrote to memory of 4368	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4176 wrote to memory of 4616	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4176 wrote to memory of 4616	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4176 wrote to memory of 4196	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4176 wrote to memory of 4196	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4176 wrote to memory of 1492	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4176 wrote to memory of 1492	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4176 wrote to memory of 4456	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4176 wrote to memory of 4456	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4176 wrote to memory of 2984	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4176 wrote to memory of 2984	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4176 wrote to memory of 4204	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4176 wrote to memory of 4204	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4176 wrote to memory of 3928	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4176 wrote to memory of 3928	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4176 wrote to memory of 3984	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4176 wrote to memory of 3984	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4176 wrote to memory of 2740	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4176 wrote to memory of 2740	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4176 wrote to memory of 1632	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4176 wrote to memory of 1632	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4176 wrote to memory of 3196	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4176 wrote to memory of 3196	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4176 wrote to memory of 3164	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4176 wrote to memory of 3164	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4176 wrote to memory of 4584	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4176 wrote to memory of 4584	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4176 wrote to memory of 2640	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4176 wrote to memory of 2640	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4176 wrote to memory of 1452	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4176 wrote to memory of 1452	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4176 wrote to memory of 4996	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4176 wrote to memory of 4996	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4176 wrote to memory of 4840	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4176 wrote to memory of 4840	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4176 wrote to memory of 1716	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4176 wrote to memory of 1716	4176	2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_7f28abee9eba9514ee33eb155235a707_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\System\ZnhFuPB.exe
  C:\Windows\System\ZnhFuPB.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\xfgkPUZ.exe
  C:\Windows\System\xfgkPUZ.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\FYQegbg.exe
  C:\Windows\System\FYQegbg.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\DBGULVz.exe
  C:\Windows\System\DBGULVz.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\yrpVOUv.exe
  C:\Windows\System\yrpVOUv.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\FmEeyXd.exe
  C:\Windows\System\FmEeyXd.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\XCwqjhw.exe
  C:\Windows\System\XCwqjhw.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\tduUrfc.exe
  C:\Windows\System\tduUrfc.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\QjahOKm.exe
  C:\Windows\System\QjahOKm.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\PwoMEhv.exe
  C:\Windows\System\PwoMEhv.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\fngvXxH.exe
  C:\Windows\System\fngvXxH.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\coZidYP.exe
  C:\Windows\System\coZidYP.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\ZGaRfmK.exe
  C:\Windows\System\ZGaRfmK.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\Totwums.exe
  C:\Windows\System\Totwums.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\BXJOVng.exe
  C:\Windows\System\BXJOVng.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\KPZvkiK.exe
  C:\Windows\System\KPZvkiK.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\DWkEsAX.exe
  C:\Windows\System\DWkEsAX.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\BLVezSv.exe
  C:\Windows\System\BLVezSv.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\OvioSQq.exe
  C:\Windows\System\OvioSQq.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\QrXbmSL.exe
  C:\Windows\System\QrXbmSL.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\yntRKeZ.exe
  C:\Windows\System\yntRKeZ.exe
  2⤵
  - Executes dropped EXE
  PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BLVezSv.exe

Filesize
5.2MB

MD5
6f57f80af3df36bd1b324ef33c1c7d03

SHA1
f671cdb0f35a18bb9bd7cb89b70268d06653763c

SHA256
a716bf0090887972faa686a38b1bf070eb03b6af4f1bb59bf2c6ee4eeba9d5b7

SHA512
18cb3d6060c1ed52f1935bde884ebc06cd434b0d295c06860b7717ef6b2434401198da49d4d4b4ce3bc437bdc2a1e6d450e79e9819381bf1921561f6de6bda73

Download Submit
C:\Windows\System\BXJOVng.exe

Filesize
5.2MB

MD5
2cbb0620e8822e2e69d9d5e4e6a72122

SHA1
ab272dd35f819d9db479d87b5de4a99145390b22

SHA256
97ce553c228d4254eefd8b9fe42e224d97c6bdff84390d67e7c0ce839d763716

SHA512
38d02efbd99c98dac5f93d4bf5eec5fc04ee49d3333f0bd4beb825930f25e0cfe94a199d3efc21921ef35b83f6816e478e67d5e7601c39fcd1c18b21a1d09425

Download Submit
C:\Windows\System\DBGULVz.exe

Filesize
5.2MB

MD5
88d62184fb42451ae9a60cf9e4c8981e

SHA1
b988cabaf8583ed57de228c7f83921db9167c8b0

SHA256
516daa215c50209305616acf3398b94ede1e43db5fc12de6d6a37e400517482d

SHA512
44c9878a48cadf685c2e0b9956be05ac352c6148872271c79bdd80b26566e87fd0564bf0c73ce98230f81f118ed214b9a04f9282bdc4fb8116ca5ba75b2b6544

Download Submit
C:\Windows\System\DWkEsAX.exe

Filesize
5.2MB

MD5
4ec53f18057a6bf47bd45add0939be3c

SHA1
6a7f972e28e660dfe9451a14b9219b44170aaee5

SHA256
20f2e606c65eb0559dcbfd3936ec614d9c7d7f80deabf946d223b1595182d11b

SHA512
e7bf81e98086e89d31b379d1a9193f6b00ece7b8dbbc8b6df61ebb1e672ce12ecab7e71dbbc1920106dcd26ffed39c51ed08a99d3a9bed3ac1e61fa4caab5727

Download Submit
C:\Windows\System\FYQegbg.exe

Filesize
5.2MB

MD5
2d3dc9ddd2878aa8c05ed6429bfe7b9c

SHA1
6efb342641bebefcf3ba9af8ee7430fa1827a60e

SHA256
6df1813010e8ed2b4bd6d6d1ecaa6acec30db87e878671b76075ebb34a741847

SHA512
ca2d96b11bc0019a47b6dec59107e25fc16da8256f5794f7629fe4b609d4a4c1b2d2fb096186453c6eb457affc1d94de2a8711d63ca061a208afc757e773db88

Download Submit
C:\Windows\System\FmEeyXd.exe

Filesize
5.2MB

MD5
936610b34f841452ff66c5e04597b4f4

SHA1
b6f09c416f0f2ad5dc4cb6fa14433137349945c4

SHA256
66c6614ac0262f6d2ebc8c5ddef622da29560de4cac70194fee9f90628c253a6

SHA512
90a6e5083a6b1361a82288944da76903a6b071f5be739c7c0686b3b59f35ef43df33544feace56e40180d7d5da6c69bc5006040ec1fbdc80fe378cde6ebcb4b0

Download Submit
C:\Windows\System\KPZvkiK.exe

Filesize
5.2MB

MD5
c34dcf9c9b7a431a2fe1a14a92930d89

SHA1
89b37e13f04bd13ebe508e8ca7540d60f96a192b

SHA256
8ecad60738b2c7d6e6a75e8c576ad69ee8fb2ea5d67a8a69a6db8755f60ce015

SHA512
09928ffdd076eac1dac42eeda8847f3bbbaea53bf4844781608e20d318f6d4e26692a72a0cfec341f3f7cc4c526a1fd53e1228e48c9319984a53e274bc4d2986

Download Submit
C:\Windows\System\OvioSQq.exe

Filesize
5.2MB

MD5
e37be213eb3ec628c4001256c220f64f

SHA1
464d6ecbeab4c8469741a23d6f3a1ef9eaea0cea

SHA256
69e715ba4d52910e1473dd1d618176d70aadb4ce776702be431f9653da6aff77

SHA512
05b9c4186cd9ce9717737d69cc264a6cbb9a6a0fa8447c6416cdb5de606a5f3801590bc0f0e1e4831f8a386f264ecdc02df11b09187b71b260d2713656027777

Download Submit
C:\Windows\System\PwoMEhv.exe

Filesize
5.2MB

MD5
4ac2083d8024dc2bdd86c8216c4a0463

SHA1
5b82150ce8c5e7b20b548697e829a66f5b406ac5

SHA256
1ab1971edbfa6e88bec226eff50fe35268f1f64b81908524dce507e55ae83953

SHA512
366e0fc29e2642725f365f227033be5a23abdf26362933cd92df4ab58138ab1c3f82fe4c4e16641ffd88b7f515293a1b65aa360ad50d712deecb8246b6085da3

Download Submit
C:\Windows\System\QjahOKm.exe

Filesize
5.2MB

MD5
c6802283a9d39846078b0534ebdc5bb0

SHA1
f067e6ce56e4b17f4e59e19935c1b567205cf1e0

SHA256
f7262aa8f212d8031619835131d79e8475138d7cd24e491ea27982e6c070840d

SHA512
1fd21469eb4244aa444afeab6348d693a9ed12ba9f63c5d45a2aa399edc24a2018f7d2928e485a0b59db8df4c30b4bd61550943857fc82d7d88c9a3489d941d0

Download Submit
C:\Windows\System\QrXbmSL.exe

Filesize
5.2MB

MD5
6bcf330e6e62d8fdb16031131c9a25eb

SHA1
1633d1069f5ea59832357c14d86b00294cd30052

SHA256
ca7f88200f715b16b85d7cf98a4ff85e1650aa5daa645f98755dfbef4ff57ea0

SHA512
b20c1b3986d41a0e3d950df3c916376508cf8016cad4f7cdb0dd8c731eb37cf6ba375fda20514a74da075fe91ac826d6276e0dd3a1957dfe7d6760d78d3166cd

Download Submit
C:\Windows\System\Totwums.exe

Filesize
5.2MB

MD5
f4cb66970cc9fd5020b96e14dca96598

SHA1
e84bd1afdb0e77d23739078833b8418004ee04db

SHA256
aa7843094f8abe48388f84c9ce4c1cba84a50bc53b0d0ad85ff2d4a63dd198c0

SHA512
b7c503c5e46bc47a4a1fad128ad768b0173d2970ba296ac78f165b5f1dfb28824ddf40e81e9b6bec8dd18212d042a577025b527440dfd2825f0b353c6a37543e

Download Submit
C:\Windows\System\XCwqjhw.exe

Filesize
5.2MB

MD5
e7c4fca7b2ca67bff9d0ccb6e3b4878b

SHA1
a46a7c71ab430a0e213643c849e63d6fa0beefe1

SHA256
acee94b4d655ae52db912b38878d33e96dddcf8be33a9896bbf779079263b897

SHA512
e2ff0b80285840c3a7f0ef645d6975b8b38c1a14b7b91e98944d2a89aa127f634865ad1e9c0335c4087a481dd46ee5ec8988febe256bfd20bf901a9eef7e13d1

Download Submit
C:\Windows\System\ZGaRfmK.exe

Filesize
5.2MB

MD5
1b8d674f0de87ee2376165fd3ad70f54

SHA1
5c51eb29591bf45af167ca311aca90c052d41b25

SHA256
33977731446f2ec1012ce2d2bf217d0400a81be574e3f11d5e007e8f7fe63622

SHA512
aceee06e6f7feaa8f54191ca0cb0fa7c281455937fba9d77809221b633166bd36bd203bdcd9fefd165aa6b29f2736bc0b1ebeab58bf8b4a45c4fae975a626275

Download Submit
C:\Windows\System\ZnhFuPB.exe

Filesize
5.2MB

MD5
f6a79d34f46b776ab588469346b2cf86

SHA1
6ebe7cff57d7fb0f5a0c7161a9db6206c21b518f

SHA256
7937d9b3eff28a9104a4f8af58afb5dd585e178a116fec642de2cf8783c19853

SHA512
2771c0619af9760cc1ab1257530dd1d9c5e104c9c511a1dc54e3018ec96a84080a3245803c4937af76a361fd347a133f15ced542d6a6601a51f148847d0631d6

Download Submit
C:\Windows\System\coZidYP.exe

Filesize
5.2MB

MD5
7aef84609e0993acadfa530564cf940d

SHA1
bb21c197598f506e9fdb2c7d18655df82a3ceede

SHA256
6caea779e4321a9cf6203d2cf87348cf535810a770336e398651f0d2df973a1a

SHA512
399fed0137ec09eab44a78b03f881713843b923187effcb30eb5e7e3c655e9b59bdb85f79709f015c83442fa30bb4958b68e03fcba179b086d54aef347147c9f

Download Submit
C:\Windows\System\fngvXxH.exe

Filesize
5.2MB

MD5
f00eb7c3ddbfdb22df2c459bc51c5476

SHA1
f2d0abb1bca3fe8bd26748211766c8aee9846f7b

SHA256
f73a54121a3356573922a01a8bf023d7e1a3e7c30f826eaba1647327e824b89c

SHA512
5070292a0f7b2b2658642faf07cf5587f1b34f29b1a270e2ad449c99e1c0a897107d51f0522f9973b3683b325357108adf082816f67fea1123afd2dbd87ca5c3

Download Submit
C:\Windows\System\tduUrfc.exe

Filesize
5.2MB

MD5
1656d4c2fdb2be40983e4a74268af70c

SHA1
0a7f8c7721fa6a852f6dc0bb6f13e2abc49dab3e

SHA256
564d4df036d65d54357f60c76681a749e7ee80f5b1815a9ab5194ac2bd8f104c

SHA512
a500fdf2beff485c4e50a9f7485ed0eaaf4263741bf071b93d3f85b42d9d57e3a1d849dff902b6111c7ab31177384f44bd3d41fc6336f8ee6aeeaaca58bbf7da

Download Submit
C:\Windows\System\xfgkPUZ.exe

Filesize
5.2MB

MD5
6d167e6a71701a5f80b1c01ae2e11760

SHA1
8cf25bdb98ba79318feea22b96112e1087d6d4b4

SHA256
9a2133bb194f3ce11d5f45810609156f752da2da20a932cbb9959dc856a55040

SHA512
74c6b6e9413f468b67500bed076dd03d21550c2c95b1f74bc6d93b3fe1642c75ae66c0c35f9d4016be788a01958270fc808b9b2cfab13caae65d40924e7dd3c4

Download Submit
C:\Windows\System\yntRKeZ.exe

Filesize
5.2MB

MD5
b5a2945073511cdf882a640085593f17

SHA1
646bfff489e6a1c14fb81d0bbe834b40d22b2638

SHA256
4587bf8a8b3a66fa802c5d369f0a605982767ff5a5067784d3d850a56c00cf39

SHA512
40c83834aba81cac7ac2fefdc6ed70348d73020ddc883395359f7829352601dec25451dfd657aa3d55d43efba5c25e3f59917b7022be4ff7203b44abd8ac007d

Download Submit
C:\Windows\System\yrpVOUv.exe

Filesize
5.2MB

MD5
ff194dbd25ba5037b00ce12c7c8afd80

SHA1
73539cdb8ffe56c73123b56063aed62f77b8e442

SHA256
338b27a3272b8a7def2965b61bc130775627478b7fb93c8c24e543ef465500fc

SHA512
41ab815e9cb9d16b1bc2488d1c94f16808b5a43d1022aafb60d3847fa1aa79001ba482362c9f532936da6959f935a8f90aa5f19701eb939db1ae42891b29ada7

Download Submit
memory/1316-8-0x00007FF646350000-0x00007FF6466A1000-memory.dmp

Filesize
3.3MB

Download
memory/1316-212-0x00007FF646350000-0x00007FF6466A1000-memory.dmp

Filesize
3.3MB

Download
memory/1316-73-0x00007FF646350000-0x00007FF6466A1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-254-0x00007FF6E4690000-0x00007FF6E49E1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-119-0x00007FF6E4690000-0x00007FF6E49E1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-222-0x00007FF61F660000-0x00007FF61F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-40-0x00007FF61F660000-0x00007FF61F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-242-0x00007FF6D89C0000-0x00007FF6D8D11000-memory.dmp

Filesize
3.3MB

Download
memory/1632-105-0x00007FF6D89C0000-0x00007FF6D8D11000-memory.dmp

Filesize
3.3MB

Download
memory/1716-131-0x00007FF79C6E0000-0x00007FF79CA31000-memory.dmp

Filesize
3.3MB

Download
memory/1716-261-0x00007FF79C6E0000-0x00007FF79CA31000-memory.dmp

Filesize
3.3MB

Download
memory/2640-258-0x00007FF787130000-0x00007FF787481000-memory.dmp

Filesize
3.3MB

Download
memory/2640-118-0x00007FF787130000-0x00007FF787481000-memory.dmp

Filesize
3.3MB

Download
memory/2740-76-0x00007FF65B9C0000-0x00007FF65BD11000-memory.dmp

Filesize
3.3MB

Download
memory/2740-146-0x00007FF65B9C0000-0x00007FF65BD11000-memory.dmp

Filesize
3.3MB

Download
memory/2740-259-0x00007FF65B9C0000-0x00007FF65BD11000-memory.dmp

Filesize
3.3MB

Download
memory/2984-142-0x00007FF6C7250000-0x00007FF6C75A1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-54-0x00007FF6C7250000-0x00007FF6C75A1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-226-0x00007FF6C7250000-0x00007FF6C75A1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-214-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp

Filesize
3.3MB

Download
memory/2996-91-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp

Filesize
3.3MB

Download
memory/2996-13-0x00007FF74B6E0000-0x00007FF74BA31000-memory.dmp

Filesize
3.3MB

Download
memory/3164-129-0x00007FF6A14A0000-0x00007FF6A17F1000-memory.dmp

Filesize
3.3MB

Download
memory/3164-263-0x00007FF6A14A0000-0x00007FF6A17F1000-memory.dmp

Filesize
3.3MB

Download
memory/3196-256-0x00007FF6E8D50000-0x00007FF6E90A1000-memory.dmp

Filesize
3.3MB

Download
memory/3196-89-0x00007FF6E8D50000-0x00007FF6E90A1000-memory.dmp

Filesize
3.3MB

Download
memory/3196-148-0x00007FF6E8D50000-0x00007FF6E90A1000-memory.dmp

Filesize
3.3MB

Download
memory/3928-144-0x00007FF76AAD0000-0x00007FF76AE21000-memory.dmp

Filesize
3.3MB

Download
memory/3928-62-0x00007FF76AAD0000-0x00007FF76AE21000-memory.dmp

Filesize
3.3MB

Download
memory/3928-245-0x00007FF76AAD0000-0x00007FF76AE21000-memory.dmp

Filesize
3.3MB

Download
memory/3984-72-0x00007FF7230B0000-0x00007FF723401000-memory.dmp

Filesize
3.3MB

Download
memory/3984-244-0x00007FF7230B0000-0x00007FF723401000-memory.dmp

Filesize
3.3MB

Download
memory/3984-145-0x00007FF7230B0000-0x00007FF723401000-memory.dmp

Filesize
3.3MB

Download
memory/4176-133-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-1-0x0000022A9C170000-0x0000022A9C180000-memory.dmp

Filesize
64KB

Download
memory/4176-156-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-66-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-0-0x00007FF7DBC60000-0x00007FF7DBFB1000-memory.dmp

Filesize
3.3MB

Download
memory/4196-137-0x00007FF6104E0000-0x00007FF610831000-memory.dmp

Filesize
3.3MB

Download
memory/4196-220-0x00007FF6104E0000-0x00007FF610831000-memory.dmp

Filesize
3.3MB

Download
memory/4196-36-0x00007FF6104E0000-0x00007FF610831000-memory.dmp

Filesize
3.3MB

Download
memory/4204-239-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp

Filesize
3.3MB

Download
memory/4204-143-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp

Filesize
3.3MB

Download
memory/4204-55-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp

Filesize
3.3MB

Download
memory/4368-216-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp

Filesize
3.3MB

Download
memory/4368-18-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp

Filesize
3.3MB

Download
memory/4368-125-0x00007FF74C360000-0x00007FF74C6B1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-141-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-224-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-45-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-113-0x00007FF722D70000-0x00007FF7230C1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-150-0x00007FF722D70000-0x00007FF7230C1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-247-0x00007FF722D70000-0x00007FF7230C1000-memory.dmp

Filesize
3.3MB

Download
memory/4616-25-0x00007FF7184B0000-0x00007FF718801000-memory.dmp

Filesize
3.3MB

Download
memory/4616-218-0x00007FF7184B0000-0x00007FF718801000-memory.dmp

Filesize
3.3MB

Download
memory/4616-132-0x00007FF7184B0000-0x00007FF718801000-memory.dmp

Filesize
3.3MB

Download
memory/4840-250-0x00007FF71CFA0000-0x00007FF71D2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4840-126-0x00007FF71CFA0000-0x00007FF71D2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-252-0x00007FF6D89E0000-0x00007FF6D8D31000-memory.dmp

Filesize
3.3MB

Download
memory/4996-130-0x00007FF6D89E0000-0x00007FF6D8D31000-memory.dmp

Filesize
3.3MB

Download