cobaltstrike | ecc094941280562e8dfeb979ff5facfaed33365fdae81cb7928f26d3abc825b1

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

10ef892d81a870ab489ff3c740ee5ef4
SHA1

380235ce0b3adc307c032db7b76a60da16f7f863
SHA256

ecc094941280562e8dfeb979ff5facfaed33365fdae81cb7928f26d3abc825b1
SHA512

eef80310949e38cbf4d478c6b1ba908e0c75a1888aa62c3d8602c5341a56aa85bc7717f6a5042d7365404c1b23cb58d94bd1e0ed48957c311d4eb7c3ba327589
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibd56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023476-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023493-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023490-103.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023480-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023495-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023494-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023492-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023491-99.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-76.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-32.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2400-17-0x00007FF7E33F0000-0x00007FF7E3741000-memory.dmp	xmrig
behavioral2/memory/3272-80-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp	xmrig
behavioral2/memory/2180-45-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp	xmrig
behavioral2/memory/1772-30-0x00007FF604E30000-0x00007FF605181000-memory.dmp	xmrig
behavioral2/memory/4024-118-0x00007FF6017D0000-0x00007FF601B21000-memory.dmp	xmrig
behavioral2/memory/3412-120-0x00007FF7A53D0000-0x00007FF7A5721000-memory.dmp	xmrig
behavioral2/memory/1640-119-0x00007FF638580000-0x00007FF6388D1000-memory.dmp	xmrig
behavioral2/memory/2528-121-0x00007FF78CB80000-0x00007FF78CED1000-memory.dmp	xmrig
behavioral2/memory/4960-122-0x00007FF695320000-0x00007FF695671000-memory.dmp	xmrig
behavioral2/memory/3168-123-0x00007FF630DC0000-0x00007FF631111000-memory.dmp	xmrig
behavioral2/memory/4584-124-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	xmrig
behavioral2/memory/3148-125-0x00007FF6175B0000-0x00007FF617901000-memory.dmp	xmrig
behavioral2/memory/4364-126-0x00007FF636260000-0x00007FF6365B1000-memory.dmp	xmrig
behavioral2/memory/808-127-0x00007FF6B1FB0000-0x00007FF6B2301000-memory.dmp	xmrig
behavioral2/memory/3084-134-0x00007FF647C20000-0x00007FF647F71000-memory.dmp	xmrig
behavioral2/memory/2180-133-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp	xmrig
behavioral2/memory/4416-136-0x00007FF77AD50000-0x00007FF77B0A1000-memory.dmp	xmrig
behavioral2/memory/440-131-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp	xmrig
behavioral2/memory/8-129-0x00007FF787490000-0x00007FF7877E1000-memory.dmp	xmrig
behavioral2/memory/1888-128-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp	xmrig
behavioral2/memory/3340-139-0x00007FF703CE0000-0x00007FF704031000-memory.dmp	xmrig
behavioral2/memory/4844-138-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	xmrig
behavioral2/memory/3972-143-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp	xmrig
behavioral2/memory/3272-141-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp	xmrig
behavioral2/memory/1888-150-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp	xmrig
behavioral2/memory/1888-151-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp	xmrig
behavioral2/memory/8-213-0x00007FF787490000-0x00007FF7877E1000-memory.dmp	xmrig
behavioral2/memory/2400-215-0x00007FF7E33F0000-0x00007FF7E3741000-memory.dmp	xmrig
behavioral2/memory/440-217-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp	xmrig
behavioral2/memory/1772-219-0x00007FF604E30000-0x00007FF605181000-memory.dmp	xmrig
behavioral2/memory/2180-221-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp	xmrig
behavioral2/memory/3084-223-0x00007FF647C20000-0x00007FF647F71000-memory.dmp	xmrig
behavioral2/memory/4960-225-0x00007FF695320000-0x00007FF695671000-memory.dmp	xmrig
behavioral2/memory/3168-227-0x00007FF630DC0000-0x00007FF631111000-memory.dmp	xmrig
behavioral2/memory/4844-231-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	xmrig
behavioral2/memory/3272-230-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp	xmrig
behavioral2/memory/4416-233-0x00007FF77AD50000-0x00007FF77B0A1000-memory.dmp	xmrig
behavioral2/memory/3148-242-0x00007FF6175B0000-0x00007FF617901000-memory.dmp	xmrig
behavioral2/memory/3340-240-0x00007FF703CE0000-0x00007FF704031000-memory.dmp	xmrig
behavioral2/memory/3412-246-0x00007FF7A53D0000-0x00007FF7A5721000-memory.dmp	xmrig
behavioral2/memory/1640-256-0x00007FF638580000-0x00007FF6388D1000-memory.dmp	xmrig
behavioral2/memory/3972-258-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp	xmrig
behavioral2/memory/4364-255-0x00007FF636260000-0x00007FF6365B1000-memory.dmp	xmrig
behavioral2/memory/808-253-0x00007FF6B1FB0000-0x00007FF6B2301000-memory.dmp	xmrig
behavioral2/memory/4024-251-0x00007FF6017D0000-0x00007FF601B21000-memory.dmp	xmrig
behavioral2/memory/2528-249-0x00007FF78CB80000-0x00007FF78CED1000-memory.dmp	xmrig
behavioral2/memory/4584-245-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
8	GjewrxJ.exe
2400	DSnvJbb.exe
440	loUZwIS.exe
1772	CHsuuyC.exe
2180	ryluaCt.exe
3084	DCotPCT.exe
4960	RGjUPCU.exe
4416	cqAIeIR.exe
3168	LfEIzcS.exe
4844	MYDCsna.exe
4584	BwKzKLF.exe
3272	kqTcmgJ.exe
3340	qIRYLLj.exe
3148	BloRzSw.exe
3972	bIIgawV.exe
4364	adTZsAo.exe
808	SSAcfPh.exe
4024	XvZEVjJ.exe
1640	gtubcPg.exe
3412	zqORJKx.exe
2528	pefNWor.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1888-0-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp	upx
behavioral2/files/0x000a000000023476-5.dat	upx
behavioral2/files/0x0007000000023484-9.dat	upx
behavioral2/files/0x0007000000023483-12.dat	upx
behavioral2/memory/8-11-0x00007FF787490000-0x00007FF7877E1000-memory.dmp	upx
behavioral2/memory/2400-17-0x00007FF7E33F0000-0x00007FF7E3741000-memory.dmp	upx
behavioral2/files/0x0007000000023485-22.dat	upx
behavioral2/files/0x000700000002348a-49.dat	upx
behavioral2/files/0x0007000000023487-48.dat	upx
behavioral2/files/0x000700000002348d-60.dat	upx
behavioral2/files/0x000700000002348f-73.dat	upx
behavioral2/files/0x0007000000023493-96.dat	upx
behavioral2/files/0x0007000000023490-103.dat	upx
behavioral2/files/0x0008000000023480-111.dat	upx
behavioral2/files/0x0007000000023495-115.dat	upx
behavioral2/files/0x0007000000023494-113.dat	upx
behavioral2/files/0x0007000000023492-107.dat	upx
behavioral2/files/0x0007000000023491-99.dat	upx
behavioral2/memory/3972-92-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp	upx
behavioral2/memory/3340-88-0x00007FF703CE0000-0x00007FF704031000-memory.dmp	upx
behavioral2/files/0x000700000002348c-84.dat	upx
behavioral2/memory/3272-80-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp	upx
behavioral2/files/0x000700000002348b-76.dat	upx
behavioral2/files/0x000700000002348e-74.dat	upx
behavioral2/memory/4844-68-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	upx
behavioral2/files/0x0007000000023488-59.dat	upx
behavioral2/memory/4416-58-0x00007FF77AD50000-0x00007FF77B0A1000-memory.dmp	upx
behavioral2/files/0x0007000000023489-55.dat	upx
behavioral2/memory/3084-57-0x00007FF647C20000-0x00007FF647F71000-memory.dmp	upx
behavioral2/memory/2180-45-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp	upx
behavioral2/files/0x0007000000023486-32.dat	upx
behavioral2/memory/1772-30-0x00007FF604E30000-0x00007FF605181000-memory.dmp	upx
behavioral2/memory/440-18-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp	upx
behavioral2/memory/4024-118-0x00007FF6017D0000-0x00007FF601B21000-memory.dmp	upx
behavioral2/memory/3412-120-0x00007FF7A53D0000-0x00007FF7A5721000-memory.dmp	upx
behavioral2/memory/1640-119-0x00007FF638580000-0x00007FF6388D1000-memory.dmp	upx
behavioral2/memory/2528-121-0x00007FF78CB80000-0x00007FF78CED1000-memory.dmp	upx
behavioral2/memory/4960-122-0x00007FF695320000-0x00007FF695671000-memory.dmp	upx
behavioral2/memory/3168-123-0x00007FF630DC0000-0x00007FF631111000-memory.dmp	upx
behavioral2/memory/4584-124-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp	upx
behavioral2/memory/3148-125-0x00007FF6175B0000-0x00007FF617901000-memory.dmp	upx
behavioral2/memory/4364-126-0x00007FF636260000-0x00007FF6365B1000-memory.dmp	upx
behavioral2/memory/808-127-0x00007FF6B1FB0000-0x00007FF6B2301000-memory.dmp	upx
behavioral2/memory/3084-134-0x00007FF647C20000-0x00007FF647F71000-memory.dmp	upx
behavioral2/memory/2180-133-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp	upx
behavioral2/memory/4416-136-0x00007FF77AD50000-0x00007FF77B0A1000-memory.dmp	upx
behavioral2/memory/440-131-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp	upx
behavioral2/memory/8-129-0x00007FF787490000-0x00007FF7877E1000-memory.dmp	upx
behavioral2/memory/1888-128-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp	upx
behavioral2/memory/3340-139-0x00007FF703CE0000-0x00007FF704031000-memory.dmp	upx
behavioral2/memory/4844-138-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	upx
behavioral2/memory/3972-143-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp	upx
behavioral2/memory/3272-141-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp	upx
behavioral2/memory/1888-150-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp	upx
behavioral2/memory/1888-151-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp	upx
behavioral2/memory/8-213-0x00007FF787490000-0x00007FF7877E1000-memory.dmp	upx
behavioral2/memory/2400-215-0x00007FF7E33F0000-0x00007FF7E3741000-memory.dmp	upx
behavioral2/memory/440-217-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp	upx
behavioral2/memory/1772-219-0x00007FF604E30000-0x00007FF605181000-memory.dmp	upx
behavioral2/memory/2180-221-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp	upx
behavioral2/memory/3084-223-0x00007FF647C20000-0x00007FF647F71000-memory.dmp	upx
behavioral2/memory/4960-225-0x00007FF695320000-0x00007FF695671000-memory.dmp	upx
behavioral2/memory/3168-227-0x00007FF630DC0000-0x00007FF631111000-memory.dmp	upx
behavioral2/memory/4844-231-0x00007FF738EB0000-0x00007FF739201000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LfEIzcS.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SSAcfPh.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zqORJKx.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ryluaCt.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RGjUPCU.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIRYLLj.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwKzKLF.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kqTcmgJ.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BloRzSw.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bIIgawV.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DSnvJbb.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MYDCsna.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cqAIeIR.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\adTZsAo.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XvZEVjJ.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gtubcPg.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loUZwIS.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CHsuuyC.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pefNWor.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GjewrxJ.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCotPCT.exe	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 8	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1888 wrote to memory of 8	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1888 wrote to memory of 2400	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1888 wrote to memory of 2400	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1888 wrote to memory of 440	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1888 wrote to memory of 440	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1888 wrote to memory of 1772	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1888 wrote to memory of 1772	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1888 wrote to memory of 2180	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1888 wrote to memory of 2180	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1888 wrote to memory of 3084	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1888 wrote to memory of 3084	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1888 wrote to memory of 4960	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1888 wrote to memory of 4960	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1888 wrote to memory of 4416	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1888 wrote to memory of 4416	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1888 wrote to memory of 3168	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1888 wrote to memory of 3168	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1888 wrote to memory of 4844	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1888 wrote to memory of 4844	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1888 wrote to memory of 3340	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1888 wrote to memory of 3340	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1888 wrote to memory of 4584	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1888 wrote to memory of 4584	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1888 wrote to memory of 3272	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1888 wrote to memory of 3272	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1888 wrote to memory of 3148	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1888 wrote to memory of 3148	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1888 wrote to memory of 3972	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1888 wrote to memory of 3972	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1888 wrote to memory of 4364	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1888 wrote to memory of 4364	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1888 wrote to memory of 808	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1888 wrote to memory of 808	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1888 wrote to memory of 4024	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1888 wrote to memory of 4024	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1888 wrote to memory of 1640	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1888 wrote to memory of 1640	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1888 wrote to memory of 3412	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1888 wrote to memory of 3412	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1888 wrote to memory of 2528	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1888 wrote to memory of 2528	1888	2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_10ef892d81a870ab489ff3c740ee5ef4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\System\GjewrxJ.exe
  C:\Windows\System\GjewrxJ.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\DSnvJbb.exe
  C:\Windows\System\DSnvJbb.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\loUZwIS.exe
  C:\Windows\System\loUZwIS.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\CHsuuyC.exe
  C:\Windows\System\CHsuuyC.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\ryluaCt.exe
  C:\Windows\System\ryluaCt.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\DCotPCT.exe
  C:\Windows\System\DCotPCT.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\RGjUPCU.exe
  C:\Windows\System\RGjUPCU.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\cqAIeIR.exe
  C:\Windows\System\cqAIeIR.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\LfEIzcS.exe
  C:\Windows\System\LfEIzcS.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\MYDCsna.exe
  C:\Windows\System\MYDCsna.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\qIRYLLj.exe
  C:\Windows\System\qIRYLLj.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\BwKzKLF.exe
  C:\Windows\System\BwKzKLF.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\kqTcmgJ.exe
  C:\Windows\System\kqTcmgJ.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\BloRzSw.exe
  C:\Windows\System\BloRzSw.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\bIIgawV.exe
  C:\Windows\System\bIIgawV.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\adTZsAo.exe
  C:\Windows\System\adTZsAo.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\SSAcfPh.exe
  C:\Windows\System\SSAcfPh.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\XvZEVjJ.exe
  C:\Windows\System\XvZEVjJ.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\gtubcPg.exe
  C:\Windows\System\gtubcPg.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\zqORJKx.exe
  C:\Windows\System\zqORJKx.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\pefNWor.exe
  C:\Windows\System\pefNWor.exe
  2⤵
  - Executes dropped EXE
  PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BloRzSw.exe

Filesize
5.2MB

MD5
12eaeda5f1cb6564a70251bc57943655

SHA1
40eafa695a94ab5414b43c8fc37075fa3de2eb10

SHA256
38f3a1029320d5d579611ba1c1ec8b574ce56bfd0741c815169063cd4ea88d8f

SHA512
6bbfe8f002e0985a493af1f9ff7a4268e84b916047468cc6ad83323f590b878b3e22edf5492c0a7df79f57aa1b0c48d01befd719608f8b0abc38827351df3ec9

Download Submit
C:\Windows\System\BwKzKLF.exe

Filesize
5.2MB

MD5
1341ce7da99cc47b1179f14539442602

SHA1
f75d0f197529a3abbc2d5192d5e61d78a5d4b83c

SHA256
3676a382a9a48b57ce7675018d15fb8266f0474c72f579895208134e44b15d0e

SHA512
413ed5ca826bbddce3c1bd4ee69bc752eb6f15238dad51211cfa63753577b767874025d4bf26e1b0bf4a105fab16ebf2dc7a01eb81fd4d9d760e7d1b82bc14a8

Download Submit
C:\Windows\System\CHsuuyC.exe

Filesize
5.2MB

MD5
36038e67fc31faefe2ca1a07953d24b8

SHA1
60d80ec09f880b293a09ea7e62838890517370ef

SHA256
392a39f6af361012c0cbdc7600ce369b0f84ec1d6da9cf08f53db8ae5608a8aa

SHA512
1ba4924307a0b5d6c666b38ad6b7a2c03ed105c18e0b992badde4f13e4af50b38dbcac6c95d8d245a7bc914ea038725aa16ae309a744c999427ccbd95e36a07c

Download Submit
C:\Windows\System\DCotPCT.exe

Filesize
5.2MB

MD5
28538c26553d99091cba82dfd85aa913

SHA1
6c66501fbb3e0b26badc0e225cf9c5488ec5519b

SHA256
96ef0458960c9b256eca5c0da9b9362ec5a4b92676e130ca268a2027b8503100

SHA512
d5700790bcd0479e6c47b563b709132ab990d5090e3dd84bf6dba0c325c032379a90765be33b641c282376083ddfa9ddbcc9abe7bd19bf7343bdbe8a132ed8cd

Download Submit
C:\Windows\System\DSnvJbb.exe

Filesize
5.2MB

MD5
265ec5a8b3f895b59c440d1a6d3b1c3f

SHA1
cfb3b24790e98fbf9e3c6815b125a7599870cd9b

SHA256
7803fac509816b4c19803bd7de6d8cf67b04c7c462b744e17b744bb74045371d

SHA512
c7dc3c0fff585499b639544473a0fd5ac67f6e1d77c292d826059559a3f94c90c16b9f64d2acc9556df5f66c0216a0344771065a915bf9020e3ab1dc5440fd4f

Download Submit
C:\Windows\System\GjewrxJ.exe

Filesize
5.2MB

MD5
43763eca0d8c30358f5e31312b0c2cb3

SHA1
a577d233136edabea23f52230f0c83a77d582912

SHA256
63c84da78e81942f9ed132014848a7393b7c08cf877df5e7dbd7887b2bbd948b

SHA512
ad856be3d7c4628b07d2b2a8c37a23ddbe1e8bf74a82056ad91385574c8c4b31e9e14b2538436580da6a4d98b9278e2d194c66763f7983c3df55c204959ece4d

Download Submit
C:\Windows\System\LfEIzcS.exe

Filesize
5.2MB

MD5
1367ef13c6b4385b98e6bf453f1b52cf

SHA1
22243f577e01c64f6ed82ff5761f490f5bb719df

SHA256
6da9dec501b61cbd12271642ff310510074c575dea3940c4b8c8b1c537fa7612

SHA512
7cc213a5200ec933e8e4874d2fd874d2a8af15fe7b6d74fef0ac368eba948a93e1917b122c35941da7681a7d46ad77765587bac91f86d68de01a938abb4e1222

Download Submit
C:\Windows\System\MYDCsna.exe

Filesize
5.2MB

MD5
5f0a91fb777947b3b1fe7d5db1eea89b

SHA1
d0760f09c7b654a242bd77363857529250f5732c

SHA256
d2849b66c3575112c48219f8c8592e2761287c694325f523e8901a7eb6c6d85a

SHA512
6d73872aad25866799bff09bb7687dbc0acaafac81def654c1f794d5fab3a3bf8e3df78d5dd7eca4517cea51206c6530de0e1a8b42e038b28ae00228d374f918

Download Submit
C:\Windows\System\RGjUPCU.exe

Filesize
5.2MB

MD5
c79aa8cd7f68d8f2d8150a7fd506da96

SHA1
4b8ace81c2caa4ecfa84ef3ddd76f2bf1a33dc77

SHA256
13fb78ea89018f18d19314b8f01dca2029edaacd487f8407cd2d71921eebe2ec

SHA512
7592ab40d2a88223d6fbdf53f83b1c5df499e8cafb8f004c20a9686a59c1b55465bdc7e0c796e41045fa53e6e5e5b91218713bee313eac78dc99dc3c19593df2

Download Submit
C:\Windows\System\SSAcfPh.exe

Filesize
5.2MB

MD5
54ce744dc6cd65cca4b6b42af2ec1105

SHA1
35c83524f0d3c9c0ea6aa1fd0a274b34d3549bde

SHA256
3767e163b7ce4335531c1ec15f1ee0f239a3a143e04d7254e0ad5806bd4561a7

SHA512
5063563e98d4e2c3ac3bd91fbd8b49e80cf81929fcf94ef3bd266bccbe1a37cf34f720b8f9943e7185b0f8c20288efa683e2eaa2b26a4ae479028e0ee3cb5a55

Download Submit
C:\Windows\System\XvZEVjJ.exe

Filesize
5.2MB

MD5
7548426d6871c76c49c46f2c8ce6ff9f

SHA1
afac5ed055609276e3a2da5a79491fc9722e9e0b

SHA256
16c60d17cdd2ad4c0caa051c5d8eac2ff529a3ddd329d1f6f5b4102e1ea34980

SHA512
61b476aa4f34c9c6cd611d962399ddef8ce106727cdabfc668b8b69303b8da8a01a7032cfb6f5b6435a0e24e6653fba10d0758f05aba3d5f5d1e341247305d98

Download Submit
C:\Windows\System\adTZsAo.exe

Filesize
5.2MB

MD5
8211a8282f38f3c0f87a864fd8e01d44

SHA1
50587f1aefd15ad144526d98e6f1bf3041a81df2

SHA256
b5f92d0df017296307bbce0f4d80ec0091e140ea43b653ce4e3b1529870b07bc

SHA512
9dc7d9211531197b078fc7a46753c98bb11e2fa462fbf0afc302fd26cf495fcf1ea9868cd5ffa1d3a0e28262441b836bbb8d701b9feed95f82d5b1d073e3aed3

Download Submit
C:\Windows\System\bIIgawV.exe

Filesize
5.2MB

MD5
a312d3f194958b4e8f1e7232c18da859

SHA1
fd605f03643a89ed7377955263b8e312bdf30008

SHA256
e52a1dae16cfd26e5bf38d330b55acbc139a158a8dcc043681d3688e26f3be39

SHA512
6118e2efa8d4f3e84a603bffc23da0ad1e72dcc1330b60b906f5d66cacaff486203d2ff6151f3e4ede3eb700082b4d6156d86b1e3635285317767a69dc217fbd

Download Submit
C:\Windows\System\cqAIeIR.exe

Filesize
5.2MB

MD5
15286a570e3f5018240500c136c290c9

SHA1
e98f35ba8f1330ebaeefa96917bc0f2fc2503428

SHA256
f3c63617499cba0221fe74c873592ef026ef523ef90ecedad6c94ab7479b9792

SHA512
2b9fa5cf5a12cfce0b27b4bab72dd54a49f0143bff50e276d49f5d30cb6637c5a1c9cc14244c3c8fa36d19c7231004bfc168c0cc27ca8107ecfc2452c941d3c6

Download Submit
C:\Windows\System\gtubcPg.exe

Filesize
5.2MB

MD5
cc2a3a6e0b8da8cdeed5e769860c75ee

SHA1
46f87e8df985b2bd1ec842dc440ed4cfa52745c8

SHA256
9b2aabdff08190fcf4a9ab63f03c151cad1314d91fe031192b9fedd2fd4ec1de

SHA512
b5ef03421b1cb6805d2d39c52d10d585960e71a96922b9d31014a0705b5aed49ad6dca2bff3042c07a8a5f8e981886275864dacca5fa8988fc0b982b40e69097

Download Submit
C:\Windows\System\kqTcmgJ.exe

Filesize
5.2MB

MD5
659465fe8fbc9f353e7e85eedc082c5d

SHA1
4b99e571a1ee67f6860e454a23957070d3cdae4f

SHA256
0b8b4383138d77edac74fa46c0713295892c86918233ba132e83075f1123da25

SHA512
685d828aa99a1dce0b601d419690b47d7650cf8be5a641d9669ea2b02ca9fa51a8b8db2ff41cbea62f5ca945032af52cefb08a0ab0757ff09679db8b7a615a4b

Download Submit
C:\Windows\System\loUZwIS.exe

Filesize
5.2MB

MD5
207e2fe417916d776d303809e46770ec

SHA1
0b92b79aa77fba76dc4e60d684441a3da73159fc

SHA256
274aa7e185fd4871da187a88be32f818909f73bbe2d74bebcd92469a9ea59f18

SHA512
7d021a9bd138b161afa7963c8579355c730229542408f2f243b7a5155d9f80861acd380133ab369a652170427e6b20fdf86975a283e7bb0494534f2bd72b19d8

Download Submit
C:\Windows\System\pefNWor.exe

Filesize
5.2MB

MD5
bf763ce0638402c51dc0d794e3f89be9

SHA1
d2d66e3c4001bc296531ab695b8cca028dafa94d

SHA256
0c6879a240c0382e2c08172745d2134dafa71f21aea0297925ff7909911ce38c

SHA512
5e57ead7f69d3ac29f559d873ff702e964143c43372d0f8179f75296c734acb75b5e19cefb5fb5ea61aea0d0614d29a97502b57b5b55fd817d12b32375a4fb04

Download Submit
C:\Windows\System\qIRYLLj.exe

Filesize
5.2MB

MD5
f621270d65e941c91511ef0a6f83681a

SHA1
deeda1e854ac41e6663ca06b244bdfb61e146acc

SHA256
c4cfb54ff498f31b329fdced1bb4b44b3c0e7cd2f3bee44fd2779b0682ad1e43

SHA512
6389e9e1ec8864d91a0d030cd02d88ce4483876ae39840f086de25f414b3560e2cb1c06c26d49eb4c58140d4ef26519340324b8b78528a60dbb07bb8de75937a

Download Submit
C:\Windows\System\ryluaCt.exe

Filesize
5.2MB

MD5
185dad26cea4b545de6eb09d8d562b5a

SHA1
8da3762ad9314d611e579343e1de843fb59c904e

SHA256
b3a18e3839e0f7b7dcc05d5130a5cb9a1c53ec0996e32b0bf728f376c14fa5dc

SHA512
6c4ef63861d4e357fa9179d0ef419e014a47ef2537e90d6353a879b60c8ae88ff9b7a9c86ad32fdeb86b844f94b540e02fe503e9f37237de46da06bb2225518b

Download Submit
C:\Windows\System\zqORJKx.exe

Filesize
5.2MB

MD5
980691007152e5ef03d27ef3f2449088

SHA1
7062cd13598d7152f36e775977c29b4641e2e087

SHA256
b5ed789da4786cc45ea55815a345bb231979dedb64b5c71a7e4f2fe60ced32cf

SHA512
825e0bb62cbd324025cbbc33fdee59f8708e72afc9ebb73e481913e43876117e216907c5b39bcb4a5bde26f7161077ee6cb3a6f64065a46d15a206dbc37ae600

Download Submit
memory/8-129-0x00007FF787490000-0x00007FF7877E1000-memory.dmp

Filesize
3.3MB

Download
memory/8-213-0x00007FF787490000-0x00007FF7877E1000-memory.dmp

Filesize
3.3MB

Download
memory/8-11-0x00007FF787490000-0x00007FF7877E1000-memory.dmp

Filesize
3.3MB

Download
memory/440-217-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp

Filesize
3.3MB

Download
memory/440-18-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp

Filesize
3.3MB

Download
memory/440-131-0x00007FF607C50000-0x00007FF607FA1000-memory.dmp

Filesize
3.3MB

Download
memory/808-127-0x00007FF6B1FB0000-0x00007FF6B2301000-memory.dmp

Filesize
3.3MB

Download
memory/808-253-0x00007FF6B1FB0000-0x00007FF6B2301000-memory.dmp

Filesize
3.3MB

Download
memory/1640-256-0x00007FF638580000-0x00007FF6388D1000-memory.dmp

Filesize
3.3MB

Download
memory/1640-119-0x00007FF638580000-0x00007FF6388D1000-memory.dmp

Filesize
3.3MB

Download
memory/1772-219-0x00007FF604E30000-0x00007FF605181000-memory.dmp

Filesize
3.3MB

Download
memory/1772-30-0x00007FF604E30000-0x00007FF605181000-memory.dmp

Filesize
3.3MB

Download
memory/1888-150-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp

Filesize
3.3MB

Download
memory/1888-151-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp

Filesize
3.3MB

Download
memory/1888-128-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp

Filesize
3.3MB

Download
memory/1888-0-0x00007FF7C4120000-0x00007FF7C4471000-memory.dmp

Filesize
3.3MB

Download
memory/1888-1-0x000001E08E810000-0x000001E08E820000-memory.dmp

Filesize
64KB

Download
memory/2180-133-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp

Filesize
3.3MB

Download
memory/2180-221-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp

Filesize
3.3MB

Download
memory/2180-45-0x00007FF6D33B0000-0x00007FF6D3701000-memory.dmp

Filesize
3.3MB

Download
memory/2400-215-0x00007FF7E33F0000-0x00007FF7E3741000-memory.dmp

Filesize
3.3MB

Download
memory/2400-17-0x00007FF7E33F0000-0x00007FF7E3741000-memory.dmp

Filesize
3.3MB

Download
memory/2528-121-0x00007FF78CB80000-0x00007FF78CED1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-249-0x00007FF78CB80000-0x00007FF78CED1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-57-0x00007FF647C20000-0x00007FF647F71000-memory.dmp

Filesize
3.3MB

Download
memory/3084-223-0x00007FF647C20000-0x00007FF647F71000-memory.dmp

Filesize
3.3MB

Download
memory/3084-134-0x00007FF647C20000-0x00007FF647F71000-memory.dmp

Filesize
3.3MB

Download
memory/3148-125-0x00007FF6175B0000-0x00007FF617901000-memory.dmp

Filesize
3.3MB

Download
memory/3148-242-0x00007FF6175B0000-0x00007FF617901000-memory.dmp

Filesize
3.3MB

Download
memory/3168-123-0x00007FF630DC0000-0x00007FF631111000-memory.dmp

Filesize
3.3MB

Download
memory/3168-227-0x00007FF630DC0000-0x00007FF631111000-memory.dmp

Filesize
3.3MB

Download
memory/3272-141-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp

Filesize
3.3MB

Download
memory/3272-80-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp

Filesize
3.3MB

Download
memory/3272-230-0x00007FF6CB640000-0x00007FF6CB991000-memory.dmp

Filesize
3.3MB

Download
memory/3340-88-0x00007FF703CE0000-0x00007FF704031000-memory.dmp

Filesize
3.3MB

Download
memory/3340-139-0x00007FF703CE0000-0x00007FF704031000-memory.dmp

Filesize
3.3MB

Download
memory/3340-240-0x00007FF703CE0000-0x00007FF704031000-memory.dmp

Filesize
3.3MB

Download
memory/3412-246-0x00007FF7A53D0000-0x00007FF7A5721000-memory.dmp

Filesize
3.3MB

Download
memory/3412-120-0x00007FF7A53D0000-0x00007FF7A5721000-memory.dmp

Filesize
3.3MB

Download
memory/3972-92-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp

Filesize
3.3MB

Download
memory/3972-258-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp

Filesize
3.3MB

Download
memory/3972-143-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp

Filesize
3.3MB

Download
memory/4024-118-0x00007FF6017D0000-0x00007FF601B21000-memory.dmp

Filesize
3.3MB

Download
memory/4024-251-0x00007FF6017D0000-0x00007FF601B21000-memory.dmp

Filesize
3.3MB

Download
memory/4364-255-0x00007FF636260000-0x00007FF6365B1000-memory.dmp

Filesize
3.3MB

Download
memory/4364-126-0x00007FF636260000-0x00007FF6365B1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-136-0x00007FF77AD50000-0x00007FF77B0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-58-0x00007FF77AD50000-0x00007FF77B0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-233-0x00007FF77AD50000-0x00007FF77B0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-245-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp

Filesize
3.3MB

Download
memory/4584-124-0x00007FF6F9600000-0x00007FF6F9951000-memory.dmp

Filesize
3.3MB

Download
memory/4844-68-0x00007FF738EB0000-0x00007FF739201000-memory.dmp

Filesize
3.3MB

Download
memory/4844-138-0x00007FF738EB0000-0x00007FF739201000-memory.dmp

Filesize
3.3MB

Download
memory/4844-231-0x00007FF738EB0000-0x00007FF739201000-memory.dmp

Filesize
3.3MB

Download
memory/4960-122-0x00007FF695320000-0x00007FF695671000-memory.dmp

Filesize
3.3MB

Download
memory/4960-225-0x00007FF695320000-0x00007FF695671000-memory.dmp

Filesize
3.3MB

Download