cobaltstrike | c0455cd80d89f5c56b3e0191f32039387e29b83a13743f23cc3e72deeba9811d

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

57923ceb7635bf48ac49bc31c0594da0
SHA1

8f20403595715c756523db9adf2c36310686cee9
SHA256

c0455cd80d89f5c56b3e0191f32039387e29b83a13743f23cc3e72deeba9811d
SHA512

38186127faeb539b7318323061e18cd5c55afd79b34cc40810a4a08f84570523f0fafed2433920daab20452671bb437e64327ba13a8383be4bbc72fdc9b80ecd
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibf56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002345c-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-85.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001db2f-91.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db32-96.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e69a-116.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002345d-122.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-136.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e69c-127.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001db34-109.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3732-19-0x00007FF67D320000-0x00007FF67D671000-memory.dmp	xmrig
behavioral2/memory/3052-71-0x00007FF786A80000-0x00007FF786DD1000-memory.dmp	xmrig
behavioral2/memory/2536-74-0x00007FF70B360000-0x00007FF70B6B1000-memory.dmp	xmrig
behavioral2/memory/1404-81-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	xmrig
behavioral2/memory/1860-84-0x00007FF6D2F00000-0x00007FF6D3251000-memory.dmp	xmrig
behavioral2/memory/4656-86-0x00007FF7AA020000-0x00007FF7AA371000-memory.dmp	xmrig
behavioral2/memory/4788-130-0x00007FF759B60000-0x00007FF759EB1000-memory.dmp	xmrig
behavioral2/memory/4728-131-0x00007FF6502F0000-0x00007FF650641000-memory.dmp	xmrig
behavioral2/memory/1664-125-0x00007FF63CA80000-0x00007FF63CDD1000-memory.dmp	xmrig
behavioral2/memory/440-124-0x00007FF7759A0000-0x00007FF775CF1000-memory.dmp	xmrig
behavioral2/memory/2268-119-0x00007FF7E4040000-0x00007FF7E4391000-memory.dmp	xmrig
behavioral2/memory/2516-114-0x00007FF7C35C0000-0x00007FF7C3911000-memory.dmp	xmrig
behavioral2/memory/3220-112-0x00007FF6DC380000-0x00007FF6DC6D1000-memory.dmp	xmrig
behavioral2/memory/3732-101-0x00007FF67D320000-0x00007FF67D671000-memory.dmp	xmrig
behavioral2/memory/3232-148-0x00007FF6495B0000-0x00007FF649901000-memory.dmp	xmrig
behavioral2/memory/216-152-0x00007FF6B26D0000-0x00007FF6B2A21000-memory.dmp	xmrig
behavioral2/memory/1768-151-0x00007FF6E0AE0000-0x00007FF6E0E31000-memory.dmp	xmrig
behavioral2/memory/1404-138-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	xmrig
behavioral2/memory/976-153-0x00007FF7E1A30000-0x00007FF7E1D81000-memory.dmp	xmrig
behavioral2/memory/392-154-0x00007FF6FEAF0000-0x00007FF6FEE41000-memory.dmp	xmrig
behavioral2/memory/4748-155-0x00007FF7A0D40000-0x00007FF7A1091000-memory.dmp	xmrig
behavioral2/memory/2120-161-0x00007FF6BC460000-0x00007FF6BC7B1000-memory.dmp	xmrig
behavioral2/memory/4056-162-0x00007FF76B500000-0x00007FF76B851000-memory.dmp	xmrig
behavioral2/memory/2256-163-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp	xmrig
behavioral2/memory/1404-164-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	xmrig
behavioral2/memory/1860-220-0x00007FF6D2F00000-0x00007FF6D3251000-memory.dmp	xmrig
behavioral2/memory/4656-222-0x00007FF7AA020000-0x00007FF7AA371000-memory.dmp	xmrig
behavioral2/memory/3732-225-0x00007FF67D320000-0x00007FF67D671000-memory.dmp	xmrig
behavioral2/memory/3220-226-0x00007FF6DC380000-0x00007FF6DC6D1000-memory.dmp	xmrig
behavioral2/memory/2268-230-0x00007FF7E4040000-0x00007FF7E4391000-memory.dmp	xmrig
behavioral2/memory/440-229-0x00007FF7759A0000-0x00007FF775CF1000-memory.dmp	xmrig
behavioral2/memory/1664-236-0x00007FF63CA80000-0x00007FF63CDD1000-memory.dmp	xmrig
behavioral2/memory/4788-238-0x00007FF759B60000-0x00007FF759EB1000-memory.dmp	xmrig
behavioral2/memory/3052-240-0x00007FF786A80000-0x00007FF786DD1000-memory.dmp	xmrig
behavioral2/memory/2536-242-0x00007FF70B360000-0x00007FF70B6B1000-memory.dmp	xmrig
behavioral2/memory/3232-244-0x00007FF6495B0000-0x00007FF649901000-memory.dmp	xmrig
behavioral2/memory/1768-247-0x00007FF6E0AE0000-0x00007FF6E0E31000-memory.dmp	xmrig
behavioral2/memory/4728-248-0x00007FF6502F0000-0x00007FF650641000-memory.dmp	xmrig
behavioral2/memory/216-257-0x00007FF6B26D0000-0x00007FF6B2A21000-memory.dmp	xmrig
behavioral2/memory/976-259-0x00007FF7E1A30000-0x00007FF7E1D81000-memory.dmp	xmrig
behavioral2/memory/392-261-0x00007FF6FEAF0000-0x00007FF6FEE41000-memory.dmp	xmrig
behavioral2/memory/2516-263-0x00007FF7C35C0000-0x00007FF7C3911000-memory.dmp	xmrig
behavioral2/memory/2256-266-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp	xmrig
behavioral2/memory/4748-267-0x00007FF7A0D40000-0x00007FF7A1091000-memory.dmp	xmrig
behavioral2/memory/4056-270-0x00007FF76B500000-0x00007FF76B851000-memory.dmp	xmrig
behavioral2/memory/2120-271-0x00007FF6BC460000-0x00007FF6BC7B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1860	wJvvxsP.exe
4656	LKFOdXI.exe
3732	KvJzlix.exe
3220	xdjCyCD.exe
2268	CbyrpaX.exe
440	LDaCbzh.exe
1664	qkwLNqS.exe
4788	fcdELdk.exe
3052	TlrwvEN.exe
3232	zPZfzNr.exe
4728	YwjOYNg.exe
2536	VnQOtVp.exe
1768	pCUNQHt.exe
216	noGDscd.exe
976	nkIFYcX.exe
392	xeUjghK.exe
2516	IsJKFzG.exe
4748	vAnbxlA.exe
2256	nchqZwp.exe
2120	hMQxGTZ.exe
4056	McPTpDm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1404-0-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	upx
behavioral2/files/0x000800000002345c-4.dat	upx
behavioral2/files/0x0007000000023461-9.dat	upx
behavioral2/memory/4656-12-0x00007FF7AA020000-0x00007FF7AA371000-memory.dmp	upx
behavioral2/memory/3732-19-0x00007FF67D320000-0x00007FF67D671000-memory.dmp	upx
behavioral2/files/0x0007000000023462-22.dat	upx
behavioral2/files/0x0007000000023463-28.dat	upx
behavioral2/memory/3220-24-0x00007FF6DC380000-0x00007FF6DC6D1000-memory.dmp	upx
behavioral2/files/0x0007000000023460-13.dat	upx
behavioral2/memory/1860-11-0x00007FF6D2F00000-0x00007FF6D3251000-memory.dmp	upx
behavioral2/files/0x0007000000023464-32.dat	upx
behavioral2/files/0x0007000000023465-54.dat	upx
behavioral2/memory/4728-61-0x00007FF6502F0000-0x00007FF650641000-memory.dmp	upx
behavioral2/memory/3052-71-0x00007FF786A80000-0x00007FF786DD1000-memory.dmp	upx
behavioral2/files/0x0007000000023468-75.dat	upx
behavioral2/memory/1768-78-0x00007FF6E0AE0000-0x00007FF6E0E31000-memory.dmp	upx
behavioral2/files/0x000700000002346b-77.dat	upx
behavioral2/memory/2536-74-0x00007FF70B360000-0x00007FF70B6B1000-memory.dmp	upx
behavioral2/memory/3232-73-0x00007FF6495B0000-0x00007FF649901000-memory.dmp	upx
behavioral2/files/0x0007000000023469-72.dat	upx
behavioral2/files/0x000700000002346a-69.dat	upx
behavioral2/files/0x0007000000023467-65.dat	upx
behavioral2/memory/4788-60-0x00007FF759B60000-0x00007FF759EB1000-memory.dmp	upx
behavioral2/memory/1664-51-0x00007FF63CA80000-0x00007FF63CDD1000-memory.dmp	upx
behavioral2/files/0x0007000000023466-50.dat	upx
behavioral2/memory/440-36-0x00007FF7759A0000-0x00007FF775CF1000-memory.dmp	upx
behavioral2/memory/2268-30-0x00007FF7E4040000-0x00007FF7E4391000-memory.dmp	upx
behavioral2/memory/1404-81-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	upx
behavioral2/memory/1860-84-0x00007FF6D2F00000-0x00007FF6D3251000-memory.dmp	upx
behavioral2/files/0x000700000002346c-85.dat	upx
behavioral2/files/0x000500000001db2f-91.dat	upx
behavioral2/memory/216-87-0x00007FF6B26D0000-0x00007FF6B2A21000-memory.dmp	upx
behavioral2/memory/4656-86-0x00007FF7AA020000-0x00007FF7AA371000-memory.dmp	upx
behavioral2/files/0x000400000001db32-96.dat	upx
behavioral2/files/0x000200000001e69a-116.dat	upx
behavioral2/files/0x000800000002345d-122.dat	upx
behavioral2/memory/4788-130-0x00007FF759B60000-0x00007FF759EB1000-memory.dmp	upx
behavioral2/memory/4056-133-0x00007FF76B500000-0x00007FF76B851000-memory.dmp	upx
behavioral2/files/0x000700000002346d-136.dat	upx
behavioral2/memory/2120-132-0x00007FF6BC460000-0x00007FF6BC7B1000-memory.dmp	upx
behavioral2/memory/4728-131-0x00007FF6502F0000-0x00007FF650641000-memory.dmp	upx
behavioral2/files/0x000200000001e69c-127.dat	upx
behavioral2/memory/1664-125-0x00007FF63CA80000-0x00007FF63CDD1000-memory.dmp	upx
behavioral2/memory/440-124-0x00007FF7759A0000-0x00007FF775CF1000-memory.dmp	upx
behavioral2/memory/2256-123-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp	upx
behavioral2/memory/2268-119-0x00007FF7E4040000-0x00007FF7E4391000-memory.dmp	upx
behavioral2/memory/4748-115-0x00007FF7A0D40000-0x00007FF7A1091000-memory.dmp	upx
behavioral2/memory/2516-114-0x00007FF7C35C0000-0x00007FF7C3911000-memory.dmp	upx
behavioral2/memory/3220-112-0x00007FF6DC380000-0x00007FF6DC6D1000-memory.dmp	upx
behavioral2/files/0x000600000001db34-109.dat	upx
behavioral2/memory/392-102-0x00007FF6FEAF0000-0x00007FF6FEE41000-memory.dmp	upx
behavioral2/memory/3732-101-0x00007FF67D320000-0x00007FF67D671000-memory.dmp	upx
behavioral2/memory/976-95-0x00007FF7E1A30000-0x00007FF7E1D81000-memory.dmp	upx
behavioral2/memory/3232-148-0x00007FF6495B0000-0x00007FF649901000-memory.dmp	upx
behavioral2/memory/216-152-0x00007FF6B26D0000-0x00007FF6B2A21000-memory.dmp	upx
behavioral2/memory/1768-151-0x00007FF6E0AE0000-0x00007FF6E0E31000-memory.dmp	upx
behavioral2/memory/1404-138-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	upx
behavioral2/memory/976-153-0x00007FF7E1A30000-0x00007FF7E1D81000-memory.dmp	upx
behavioral2/memory/392-154-0x00007FF6FEAF0000-0x00007FF6FEE41000-memory.dmp	upx
behavioral2/memory/4748-155-0x00007FF7A0D40000-0x00007FF7A1091000-memory.dmp	upx
behavioral2/memory/2120-161-0x00007FF6BC460000-0x00007FF6BC7B1000-memory.dmp	upx
behavioral2/memory/4056-162-0x00007FF76B500000-0x00007FF76B851000-memory.dmp	upx
behavioral2/memory/2256-163-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp	upx
behavioral2/memory/1404-164-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YwjOYNg.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IsJKFzG.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wJvvxsP.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xdjCyCD.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CbyrpaX.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDaCbzh.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vAnbxlA.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nchqZwp.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMQxGTZ.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LKFOdXI.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TlrwvEN.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VnQOtVp.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\noGDscd.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zPZfzNr.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nkIFYcX.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xeUjghK.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\McPTpDm.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KvJzlix.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qkwLNqS.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fcdELdk.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pCUNQHt.exe	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1860	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1404 wrote to memory of 1860	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1404 wrote to memory of 4656	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1404 wrote to memory of 4656	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1404 wrote to memory of 3732	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1404 wrote to memory of 3732	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1404 wrote to memory of 3220	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1404 wrote to memory of 3220	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1404 wrote to memory of 2268	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1404 wrote to memory of 2268	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1404 wrote to memory of 440	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1404 wrote to memory of 440	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1404 wrote to memory of 1664	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1404 wrote to memory of 1664	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1404 wrote to memory of 4788	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1404 wrote to memory of 4788	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1404 wrote to memory of 3052	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1404 wrote to memory of 3052	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1404 wrote to memory of 3232	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1404 wrote to memory of 3232	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1404 wrote to memory of 4728	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1404 wrote to memory of 4728	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1404 wrote to memory of 2536	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1404 wrote to memory of 2536	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1404 wrote to memory of 1768	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1404 wrote to memory of 1768	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1404 wrote to memory of 216	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1404 wrote to memory of 216	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1404 wrote to memory of 976	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1404 wrote to memory of 976	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1404 wrote to memory of 392	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1404 wrote to memory of 392	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1404 wrote to memory of 2516	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1404 wrote to memory of 2516	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1404 wrote to memory of 4748	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1404 wrote to memory of 4748	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1404 wrote to memory of 2256	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1404 wrote to memory of 2256	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1404 wrote to memory of 2120	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1404 wrote to memory of 2120	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1404 wrote to memory of 4056	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1404 wrote to memory of 4056	1404	2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_57923ceb7635bf48ac49bc31c0594da0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System\wJvvxsP.exe
  C:\Windows\System\wJvvxsP.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\LKFOdXI.exe
  C:\Windows\System\LKFOdXI.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\KvJzlix.exe
  C:\Windows\System\KvJzlix.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\xdjCyCD.exe
  C:\Windows\System\xdjCyCD.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\CbyrpaX.exe
  C:\Windows\System\CbyrpaX.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\LDaCbzh.exe
  C:\Windows\System\LDaCbzh.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\qkwLNqS.exe
  C:\Windows\System\qkwLNqS.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\fcdELdk.exe
  C:\Windows\System\fcdELdk.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\TlrwvEN.exe
  C:\Windows\System\TlrwvEN.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\zPZfzNr.exe
  C:\Windows\System\zPZfzNr.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\YwjOYNg.exe
  C:\Windows\System\YwjOYNg.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\VnQOtVp.exe
  C:\Windows\System\VnQOtVp.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\pCUNQHt.exe
  C:\Windows\System\pCUNQHt.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\noGDscd.exe
  C:\Windows\System\noGDscd.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\nkIFYcX.exe
  C:\Windows\System\nkIFYcX.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\xeUjghK.exe
  C:\Windows\System\xeUjghK.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\IsJKFzG.exe
  C:\Windows\System\IsJKFzG.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\vAnbxlA.exe
  C:\Windows\System\vAnbxlA.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\nchqZwp.exe
  C:\Windows\System\nchqZwp.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\hMQxGTZ.exe
  C:\Windows\System\hMQxGTZ.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\McPTpDm.exe
  C:\Windows\System\McPTpDm.exe
  2⤵
  - Executes dropped EXE
  PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CbyrpaX.exe

Filesize
5.2MB

MD5
1999f4faf568c85a8fb648dadf468348

SHA1
29dd8baf6f4f709acae840c709b0bd0b85934120

SHA256
125805d109dff4c5bcc50b8261059ac115bea2eb9e7fba293a2ddbb764b419dc

SHA512
2612ba4119e6bfc7ed32d6cb8d407aa5f1f3721b7011a3ab4698247921ae3903049e14b6270a73e4d49ff77f8d8ccd2e71cdb33432c2ca46c2e175d0f19ed4d1

Download Submit
C:\Windows\System\IsJKFzG.exe

Filesize
5.2MB

MD5
6d18647bc2c3bd1987931f5c4b0a72ed

SHA1
647824745b490eeb445b2421449743ee54f5716d

SHA256
3784efa694086476a41707cdb6c102743ed818f5793824351136ba9a45da485d

SHA512
6d7f7d08d8a060ed12a1c17b0b3547b311d86023871614b9ce91f5f4554127c9c0d8240d938f6556d43d0bda8f3af62eac30877f6a176fdb4849cb1dc23de111

Download Submit
C:\Windows\System\KvJzlix.exe

Filesize
5.2MB

MD5
68e44cbc6aef709699ff783898cf317c

SHA1
97af42a0401753b946b582e56dbc5a39a8f5a1ee

SHA256
01944513c8a6f961c0a3fb21eeafbf76e1fd5f7354378c243080af3e22d960f4

SHA512
7740714f38005d40fd17ef720133971caabbcbc97bdada6e659c6059f031e5ec9150510931b9558f450764523fdf51c7b28d3a869f469b5d3ef14e5b8f4b6d9e

Download Submit
C:\Windows\System\LDaCbzh.exe

Filesize
5.2MB

MD5
c93b1c2105e3061664986f0c2de40150

SHA1
b02056adad42f5c56d25eaf641467a8b22e1c7f5

SHA256
ffb3f1947b440835c95f858a7accbf560c36ec02abd59ea2296a291978179d7e

SHA512
e0bc92fd134d70a3fec245f883e82f73cfad00a73b82e37625f76d32a9cbfa29441b3df69998c6c8dfbab98b5d5121ebcace87abeda954e86434b014201e82b5

Download Submit
C:\Windows\System\LKFOdXI.exe

Filesize
5.2MB

MD5
7126c21a793b2854a27c1b480dc9841b

SHA1
bf583ac6f8cfeee7bb478b573c28286b94ff3683

SHA256
824feaf5b75da1c7bfe0d9c23aa8ad72a1c7b0fef62d75103ea29772433234f2

SHA512
db75a6fe712ec439aedf0ba569be4af43d95de747ef48c29cc8e9e3ec83628091a9c55034d687c98ff019e10295aa398cee5306f49b68ff966196ccabdc4424a

Download Submit
C:\Windows\System\McPTpDm.exe

Filesize
5.2MB

MD5
c39459ea77b7f8573e6e8c8ac3912ecc

SHA1
7f690230b32590a8ac25306f55c7e542130e3097

SHA256
41f42f2a91e8fb14859818e23e8fe260812dabd6fc9b123042fbc128c92496cf

SHA512
e458e39110462d492a715a8a2fda8da8ab50c1b13508d8d5c49011d427ff46e979ec088d5374e65ca6f9a54355afdfd6b784288b0b54a4130b11e5d215182c07

Download Submit
C:\Windows\System\TlrwvEN.exe

Filesize
5.2MB

MD5
651c2c34763377b57adef2a5b2e29d10

SHA1
7d64a7c2450299338b04c3f0db540b48286876fd

SHA256
312e33b120ab98d0e9697fb6db27f29ea98dd64a42449023fd2b854b64fed866

SHA512
4c9d5c0d7047eebf7c598b1deaed52f60d47e3a16d2a105a6d415b44fbfea448c473a6dfe77eaf07cdfa23e8acdf5a2da8bf77ea18457567ab5fceaaa5e8bc0b

Download Submit
C:\Windows\System\VnQOtVp.exe

Filesize
5.2MB

MD5
820a64843e42fc6f8348db075e9b807b

SHA1
2c1fa56551b60ba064d4f17e744365b620c975c7

SHA256
291a63e43c7b1228e003220d26a2d5f1cd6ba7fdcd5e3ef685376a96edcd779c

SHA512
2f47a1a49a2effb4c3817ac556150783272e41ef223c40fd503809ba6b2de213921b45c3f9e397c85b2ac41b87057a8070ada7ea75c64eeee5ab573393e2ec7e

Download Submit
C:\Windows\System\YwjOYNg.exe

Filesize
5.2MB

MD5
fe5a1d8bd69754dbc747ff729df12992

SHA1
1f4105a2415e5251871e81dc3f2f8e7ab36d44c3

SHA256
20e0626cb4195483f60c051d92da391686eb9ff62988f5e1b5daeecf74dc8655

SHA512
a74b6b2a476a843146130f35fa064905cc7ca644dadeb3b64ab2565e4a415e7bb060bec355784aa3d9b0977a54750fbc3935eeba37f0d640030ee053a8ee47fa

Download Submit
C:\Windows\System\fcdELdk.exe

Filesize
5.2MB

MD5
d66d5c736257b0b939a2c2b307ec5955

SHA1
b4f9047a245422e8559dab9f166bb0b80dfb5852

SHA256
28d2ff8187c9bc64cbbc4b4348d7f63dc6af8415431341a858439ad7edeb74a7

SHA512
8eb81993c1f02b460092ac9ecfcc9a06a9ecffb8f8ae4b85085857a2d9291a4e7c76f4a43549f88bc9e294586f59a8ea8cd6cc2fed1b613ba8a3d64f8ac053d4

Download Submit
C:\Windows\System\hMQxGTZ.exe

Filesize
5.2MB

MD5
4b88b90aa5db8a5e60398b8797af198c

SHA1
44180e3a0316133c7568a5f67ac019eab2b3019d

SHA256
b35c10a189027528eb0ab17055a28664d2f7e1881f4151bdb6f518189828bd7b

SHA512
da0726ea57b3647facb19a8d0c12a26f94feb6c1476eef0b25f10a64670ee9d8c20d96f6b3b20cb27912ea46cdcf4ba0812d29fa31df13264006603c7209e34c

Download Submit
C:\Windows\System\nchqZwp.exe

Filesize
5.2MB

MD5
f27cc458e115c9cf5bd1c4292d9b77ed

SHA1
643a8179cc86700ba182b7006025620a3edc9704

SHA256
01f7dd1c14db280cda942377e218956fbcd681bb8f0bb5cb1ec7607b778ec8f9

SHA512
2918252fc10c0e080c5f9fea70acc52efe7e902355ca95b6441e26cb2d00d37851095a5d9534a2671bb001f6f3b8048c213a649bb61395293f212fe86c80789d

Download Submit
C:\Windows\System\nkIFYcX.exe

Filesize
5.2MB

MD5
148b0cdddb02e9e67c16d624715885fa

SHA1
fe66c3ea0587f7d84a43c500b8a4eaa559d50538

SHA256
dbe7ecb8ffdd7798eb830be9245940d1c5a403424bcbad7f763e5abff6073e0c

SHA512
595181a983cc02dc9ebdb77037eff4e629462e0f71fae3c5ccf15f05b408e0d19340ad67d7fd6b1eb278674052f65382c3b5b375691a07875e166df62ebf1bf9

Download Submit
C:\Windows\System\noGDscd.exe

Filesize
5.2MB

MD5
2992e6c35ece36688905255fd201b4d4

SHA1
21510662739c65b7b88afcfb90d71ffb4f901a9f

SHA256
01d1405a08b0e598c70a0d13ca696ab5508b906d38a0f08c26e8dbfe8de3ba22

SHA512
dd256a410cc60b55231c89c033dc62f17bf0ae9dfc957cd64e246d59c1e37d2dae958aac7e886780dbf78c20776082ea7b6eae988affef47dfe27c374b960564

Download Submit
C:\Windows\System\pCUNQHt.exe

Filesize
5.2MB

MD5
1eeb50cdd72829d771c1119760e53435

SHA1
010cea1d5633972bddb82544c78f8bf3254a5a8e

SHA256
0d1b6f23857ceb309a5280cfcbf325bf1a3c32305074b79825d6dca71155bad1

SHA512
68ef9833c0cc9b598fed392489c3be745f0e53e6a9e0cbaef3b4abed892af981f89ceed61796cc515e9ed8f0ad34400eb40c68ca037901ad733133df2d1162ac

Download Submit
C:\Windows\System\qkwLNqS.exe

Filesize
5.2MB

MD5
99af2083b50e9ab363dbebf14bfc28a5

SHA1
5dd2b6b5039b1defbf4431a47506a517bee24882

SHA256
f73b1c4bedc0e68a4c9730bda1c894e76abdbfd3e41ad0428a6eb89f50407558

SHA512
ede6960cdf02027e51e61bb55b783c17e3c138e1f054fd652ac8483c59b9e57d3c13b23e21779f9e93bb6cb5692cccade44ff2de28a47a6b9354a365702bb399

Download Submit
C:\Windows\System\vAnbxlA.exe

Filesize
5.2MB

MD5
81fbdfea9da4bbc0440a8761c41f55e7

SHA1
95ec61901c06e7d285f9c1a2be3f5553fc554f59

SHA256
7e0a36d9759ec5870da4c8a5391b1c0a46a0dfcf7d4ca3886752d641a4326901

SHA512
64a4fe3574c2a2daa80c06c543fe8bcdcf2684624255cc79322621f93b332214d9f9d619d619b402d2aed2ec08f9eb5ce35c1af945a2f93545f75ad3a4d899dc

Download Submit
C:\Windows\System\wJvvxsP.exe

Filesize
5.2MB

MD5
475288d32f0b77501741a38facdbed36

SHA1
60bdbab79655ade77bde23ef9e9be4d7634a3798

SHA256
571134a401c2b6282dfe1487678420d53bfc690c2ee52ae066a2debba2e727be

SHA512
f903c52e4ef1bb5502e19d51268b687fa503d22af8f41b2d6771db733cbd57900f48439ed6c9b505d23f217c3ca9a33ecd0982ab0852d300968dd04088168018

Download Submit
C:\Windows\System\xdjCyCD.exe

Filesize
5.2MB

MD5
1e8119c65daba89d8cb2cddf70a73077

SHA1
ca0cf86b4a6915e2879d08648dfc0ee4c3443f18

SHA256
ecd624a28d9e7a9ccf08dddd621137f5fee9bd25828db845e58fe10775f6ee19

SHA512
4b0c9755d4e585d19418469db9f390bfd58dcee5bc939c14cb997587c8dff5c532d05379d9782d7c92496a0438d75099dab0bc313f79bd2f3d89bd696488c983

Download Submit
C:\Windows\System\xeUjghK.exe

Filesize
5.2MB

MD5
8e22e2c40e68cfa7530bf02426a4f51e

SHA1
b6bfc20e589b0cf3dbbdf64ff63316ec584d253f

SHA256
938e6fe9b54b82fc5745a86a25b68ad8142eac4403c645848501d35601ac55bd

SHA512
30d47930698c670b14ba32a6aa979cdc1abad0a27772d00003c541bad2a1ac55b677c20c92eefc36c7c5a0957028d4179f9f1eb286a0ec48f8daa37691eb8a3e

Download Submit
C:\Windows\System\zPZfzNr.exe

Filesize
5.2MB

MD5
5a482614079c19d4e4a5f94401200ca3

SHA1
e554f26d3fb8590b499901c533fdb58044754803

SHA256
2ff8d60057039f239466b43ea8d16d859a0825d5793b0b93b5cb4f02def605d2

SHA512
9eba19af7c429ad0ec318ffc1bb80a9ad396a7290071ebc64e37dba17f522e568f91eb6b4f4662a92eba22f691a6991f82cb0adbad973639ec90bb759c0d7306

Download Submit
memory/216-257-0x00007FF6B26D0000-0x00007FF6B2A21000-memory.dmp

Filesize
3.3MB

Download
memory/216-87-0x00007FF6B26D0000-0x00007FF6B2A21000-memory.dmp

Filesize
3.3MB

Download
memory/216-152-0x00007FF6B26D0000-0x00007FF6B2A21000-memory.dmp

Filesize
3.3MB

Download
memory/392-261-0x00007FF6FEAF0000-0x00007FF6FEE41000-memory.dmp

Filesize
3.3MB

Download
memory/392-102-0x00007FF6FEAF0000-0x00007FF6FEE41000-memory.dmp

Filesize
3.3MB

Download
memory/392-154-0x00007FF6FEAF0000-0x00007FF6FEE41000-memory.dmp

Filesize
3.3MB

Download
memory/440-124-0x00007FF7759A0000-0x00007FF775CF1000-memory.dmp

Filesize
3.3MB

Download
memory/440-36-0x00007FF7759A0000-0x00007FF775CF1000-memory.dmp

Filesize
3.3MB

Download
memory/440-229-0x00007FF7759A0000-0x00007FF775CF1000-memory.dmp

Filesize
3.3MB

Download
memory/976-259-0x00007FF7E1A30000-0x00007FF7E1D81000-memory.dmp

Filesize
3.3MB

Download
memory/976-95-0x00007FF7E1A30000-0x00007FF7E1D81000-memory.dmp

Filesize
3.3MB

Download
memory/976-153-0x00007FF7E1A30000-0x00007FF7E1D81000-memory.dmp

Filesize
3.3MB

Download
memory/1404-81-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp

Filesize
3.3MB

Download
memory/1404-1-0x00000238EF680000-0x00000238EF690000-memory.dmp

Filesize
64KB

Download
memory/1404-0-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp

Filesize
3.3MB

Download
memory/1404-138-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp

Filesize
3.3MB

Download
memory/1404-164-0x00007FF7D6BC0000-0x00007FF7D6F11000-memory.dmp

Filesize
3.3MB

Download
memory/1664-125-0x00007FF63CA80000-0x00007FF63CDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-236-0x00007FF63CA80000-0x00007FF63CDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-51-0x00007FF63CA80000-0x00007FF63CDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-151-0x00007FF6E0AE0000-0x00007FF6E0E31000-memory.dmp

Filesize
3.3MB

Download
memory/1768-247-0x00007FF6E0AE0000-0x00007FF6E0E31000-memory.dmp

Filesize
3.3MB

Download
memory/1768-78-0x00007FF6E0AE0000-0x00007FF6E0E31000-memory.dmp

Filesize
3.3MB

Download
memory/1860-84-0x00007FF6D2F00000-0x00007FF6D3251000-memory.dmp

Filesize
3.3MB

Download
memory/1860-11-0x00007FF6D2F00000-0x00007FF6D3251000-memory.dmp

Filesize
3.3MB

Download
memory/1860-220-0x00007FF6D2F00000-0x00007FF6D3251000-memory.dmp

Filesize
3.3MB

Download
memory/2120-161-0x00007FF6BC460000-0x00007FF6BC7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-132-0x00007FF6BC460000-0x00007FF6BC7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-271-0x00007FF6BC460000-0x00007FF6BC7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-266-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-163-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-123-0x00007FF6BB870000-0x00007FF6BBBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-30-0x00007FF7E4040000-0x00007FF7E4391000-memory.dmp

Filesize
3.3MB

Download
memory/2268-230-0x00007FF7E4040000-0x00007FF7E4391000-memory.dmp

Filesize
3.3MB

Download
memory/2268-119-0x00007FF7E4040000-0x00007FF7E4391000-memory.dmp

Filesize
3.3MB

Download
memory/2516-114-0x00007FF7C35C0000-0x00007FF7C3911000-memory.dmp

Filesize
3.3MB

Download
memory/2516-263-0x00007FF7C35C0000-0x00007FF7C3911000-memory.dmp

Filesize
3.3MB

Download
memory/2536-74-0x00007FF70B360000-0x00007FF70B6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-242-0x00007FF70B360000-0x00007FF70B6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-240-0x00007FF786A80000-0x00007FF786DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-71-0x00007FF786A80000-0x00007FF786DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-226-0x00007FF6DC380000-0x00007FF6DC6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-24-0x00007FF6DC380000-0x00007FF6DC6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-112-0x00007FF6DC380000-0x00007FF6DC6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-148-0x00007FF6495B0000-0x00007FF649901000-memory.dmp

Filesize
3.3MB

Download
memory/3232-244-0x00007FF6495B0000-0x00007FF649901000-memory.dmp

Filesize
3.3MB

Download
memory/3232-73-0x00007FF6495B0000-0x00007FF649901000-memory.dmp

Filesize
3.3MB

Download
memory/3732-225-0x00007FF67D320000-0x00007FF67D671000-memory.dmp

Filesize
3.3MB

Download
memory/3732-19-0x00007FF67D320000-0x00007FF67D671000-memory.dmp

Filesize
3.3MB

Download
memory/3732-101-0x00007FF67D320000-0x00007FF67D671000-memory.dmp

Filesize
3.3MB

Download
memory/4056-162-0x00007FF76B500000-0x00007FF76B851000-memory.dmp

Filesize
3.3MB

Download
memory/4056-133-0x00007FF76B500000-0x00007FF76B851000-memory.dmp

Filesize
3.3MB

Download
memory/4056-270-0x00007FF76B500000-0x00007FF76B851000-memory.dmp

Filesize
3.3MB

Download
memory/4656-222-0x00007FF7AA020000-0x00007FF7AA371000-memory.dmp

Filesize
3.3MB

Download
memory/4656-12-0x00007FF7AA020000-0x00007FF7AA371000-memory.dmp

Filesize
3.3MB

Download
memory/4656-86-0x00007FF7AA020000-0x00007FF7AA371000-memory.dmp

Filesize
3.3MB

Download
memory/4728-61-0x00007FF6502F0000-0x00007FF650641000-memory.dmp

Filesize
3.3MB

Download
memory/4728-248-0x00007FF6502F0000-0x00007FF650641000-memory.dmp

Filesize
3.3MB

Download
memory/4728-131-0x00007FF6502F0000-0x00007FF650641000-memory.dmp

Filesize
3.3MB

Download
memory/4748-155-0x00007FF7A0D40000-0x00007FF7A1091000-memory.dmp

Filesize
3.3MB

Download
memory/4748-267-0x00007FF7A0D40000-0x00007FF7A1091000-memory.dmp

Filesize
3.3MB

Download
memory/4748-115-0x00007FF7A0D40000-0x00007FF7A1091000-memory.dmp

Filesize
3.3MB

Download
memory/4788-238-0x00007FF759B60000-0x00007FF759EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4788-60-0x00007FF759B60000-0x00007FF759EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4788-130-0x00007FF759B60000-0x00007FF759EB1000-memory.dmp

Filesize
3.3MB

Download