cobaltstrike | c98e38671207ed64c795f6b83fee0b14163b804d42520e08dd240b555d70dc20

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

948e83230eaf0a826a040cf130417f70
SHA1

8024415cc6a9dc123193654898edcab6231469b2
SHA256

c98e38671207ed64c795f6b83fee0b14163b804d42520e08dd240b555d70dc20
SHA512

bd6a5578bef13b1f5153edc7967648341290087e6905644e4b47ea1f0ca1be4a43ce88fdb127f99d0e2a4d048ced877de01dc0589f96129ee6ec3271692eb8e7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023450-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023451-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-30.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-54.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-64.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-78.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4044-28-0x00007FF6896F0000-0x00007FF689A41000-memory.dmp	xmrig
behavioral2/memory/440-43-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	xmrig
behavioral2/memory/4400-34-0x00007FF697220000-0x00007FF697571000-memory.dmp	xmrig
behavioral2/memory/3572-59-0x00007FF71BAF0000-0x00007FF71BE41000-memory.dmp	xmrig
behavioral2/memory/556-66-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp	xmrig
behavioral2/memory/2380-76-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp	xmrig
behavioral2/memory/3200-81-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp	xmrig
behavioral2/memory/3872-80-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp	xmrig
behavioral2/memory/1256-67-0x00007FF6BF970000-0x00007FF6BFCC1000-memory.dmp	xmrig
behavioral2/memory/1340-56-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp	xmrig
behavioral2/memory/4760-124-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp	xmrig
behavioral2/memory/3636-125-0x00007FF7590C0000-0x00007FF759411000-memory.dmp	xmrig
behavioral2/memory/4908-126-0x00007FF612DF0000-0x00007FF613141000-memory.dmp	xmrig
behavioral2/memory/1968-127-0x00007FF713970000-0x00007FF713CC1000-memory.dmp	xmrig
behavioral2/memory/4344-129-0x00007FF75F9C0000-0x00007FF75FD11000-memory.dmp	xmrig
behavioral2/memory/2732-131-0x00007FF788140000-0x00007FF788491000-memory.dmp	xmrig
behavioral2/memory/3532-130-0x00007FF6E97A0000-0x00007FF6E9AF1000-memory.dmp	xmrig
behavioral2/memory/1864-128-0x00007FF79D950000-0x00007FF79DCA1000-memory.dmp	xmrig
behavioral2/memory/2728-136-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp	xmrig
behavioral2/memory/1340-132-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp	xmrig
behavioral2/memory/980-141-0x00007FF618790000-0x00007FF618AE1000-memory.dmp	xmrig
behavioral2/memory/2468-146-0x00007FF7D1CE0000-0x00007FF7D2031000-memory.dmp	xmrig
behavioral2/memory/1668-144-0x00007FF6F1390000-0x00007FF6F16E1000-memory.dmp	xmrig
behavioral2/memory/3872-145-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp	xmrig
behavioral2/memory/1340-155-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp	xmrig
behavioral2/memory/556-204-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp	xmrig
behavioral2/memory/2380-206-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp	xmrig
behavioral2/memory/3200-214-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp	xmrig
behavioral2/memory/4044-216-0x00007FF6896F0000-0x00007FF689A41000-memory.dmp	xmrig
behavioral2/memory/4400-218-0x00007FF697220000-0x00007FF697571000-memory.dmp	xmrig
behavioral2/memory/440-220-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	xmrig
behavioral2/memory/2728-222-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp	xmrig
behavioral2/memory/980-224-0x00007FF618790000-0x00007FF618AE1000-memory.dmp	xmrig
behavioral2/memory/3572-230-0x00007FF71BAF0000-0x00007FF71BE41000-memory.dmp	xmrig
behavioral2/memory/1256-232-0x00007FF6BF970000-0x00007FF6BFCC1000-memory.dmp	xmrig
behavioral2/memory/1668-234-0x00007FF6F1390000-0x00007FF6F16E1000-memory.dmp	xmrig
behavioral2/memory/3872-244-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp	xmrig
behavioral2/memory/2468-246-0x00007FF7D1CE0000-0x00007FF7D2031000-memory.dmp	xmrig
behavioral2/memory/2732-248-0x00007FF788140000-0x00007FF788491000-memory.dmp	xmrig
behavioral2/memory/4760-250-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp	xmrig
behavioral2/memory/3636-252-0x00007FF7590C0000-0x00007FF759411000-memory.dmp	xmrig
behavioral2/memory/4908-254-0x00007FF612DF0000-0x00007FF613141000-memory.dmp	xmrig
behavioral2/memory/1968-256-0x00007FF713970000-0x00007FF713CC1000-memory.dmp	xmrig
behavioral2/memory/1864-258-0x00007FF79D950000-0x00007FF79DCA1000-memory.dmp	xmrig
behavioral2/memory/4344-260-0x00007FF75F9C0000-0x00007FF75FD11000-memory.dmp	xmrig
behavioral2/memory/3532-262-0x00007FF6E97A0000-0x00007FF6E9AF1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
556	pUINfpP.exe
2380	ohoJNPq.exe
3200	kETGNsB.exe
4044	MygKcFo.exe
4400	rmUVeZF.exe
440	aMqLOJT.exe
2728	uYsKRqn.exe
980	NlpqCPu.exe
3572	OndAhHT.exe
1256	flkHNpb.exe
1668	fOoyXhA.exe
3872	tnlxaNz.exe
2468	NAfMACx.exe
2732	wVcdYJF.exe
4760	iJRjHRv.exe
3636	AzfrWHC.exe
4908	rRxONUa.exe
1968	SRqPWac.exe
1864	pIQbkYk.exe
4344	CMFCqzr.exe
3532	zHxLAXL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1340-0-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp	upx
behavioral2/files/0x0008000000023450-4.dat	upx
behavioral2/files/0x0007000000023454-12.dat	upx
behavioral2/memory/2380-13-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp	upx
behavioral2/files/0x0007000000023455-11.dat	upx
behavioral2/memory/556-7-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp	upx
behavioral2/files/0x0008000000023451-24.dat	upx
behavioral2/memory/4044-28-0x00007FF6896F0000-0x00007FF689A41000-memory.dmp	upx
behavioral2/files/0x0007000000023458-42.dat	upx
behavioral2/memory/980-48-0x00007FF618790000-0x00007FF618AE1000-memory.dmp	upx
behavioral2/files/0x0007000000023459-49.dat	upx
behavioral2/memory/2728-44-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp	upx
behavioral2/memory/440-43-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	upx
behavioral2/files/0x0007000000023457-37.dat	upx
behavioral2/memory/4400-34-0x00007FF697220000-0x00007FF697571000-memory.dmp	upx
behavioral2/files/0x0007000000023456-30.dat	upx
behavioral2/memory/3200-18-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp	upx
behavioral2/memory/3572-59-0x00007FF71BAF0000-0x00007FF71BE41000-memory.dmp	upx
behavioral2/files/0x000700000002345a-54.dat	upx
behavioral2/files/0x000700000002345b-60.dat	upx
behavioral2/files/0x000700000002345c-64.dat	upx
behavioral2/memory/556-66-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp	upx
behavioral2/memory/1668-73-0x00007FF6F1390000-0x00007FF6F16E1000-memory.dmp	upx
behavioral2/memory/2380-76-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp	upx
behavioral2/files/0x000700000002345f-85.dat	upx
behavioral2/files/0x0007000000023461-96.dat	upx
behavioral2/files/0x0007000000023462-104.dat	upx
behavioral2/files/0x0007000000023463-110.dat	upx
behavioral2/files/0x0007000000023466-121.dat	upx
behavioral2/files/0x0007000000023465-119.dat	upx
behavioral2/files/0x0007000000023464-115.dat	upx
behavioral2/files/0x0007000000023460-94.dat	upx
behavioral2/files/0x000700000002345e-83.dat	upx
behavioral2/memory/3200-81-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp	upx
behavioral2/memory/3872-80-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp	upx
behavioral2/files/0x000700000002345d-78.dat	upx
behavioral2/memory/1256-67-0x00007FF6BF970000-0x00007FF6BFCC1000-memory.dmp	upx
behavioral2/memory/1340-56-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp	upx
behavioral2/memory/2468-123-0x00007FF7D1CE0000-0x00007FF7D2031000-memory.dmp	upx
behavioral2/memory/4760-124-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp	upx
behavioral2/memory/3636-125-0x00007FF7590C0000-0x00007FF759411000-memory.dmp	upx
behavioral2/memory/4908-126-0x00007FF612DF0000-0x00007FF613141000-memory.dmp	upx
behavioral2/memory/1968-127-0x00007FF713970000-0x00007FF713CC1000-memory.dmp	upx
behavioral2/memory/4344-129-0x00007FF75F9C0000-0x00007FF75FD11000-memory.dmp	upx
behavioral2/memory/2732-131-0x00007FF788140000-0x00007FF788491000-memory.dmp	upx
behavioral2/memory/3532-130-0x00007FF6E97A0000-0x00007FF6E9AF1000-memory.dmp	upx
behavioral2/memory/1864-128-0x00007FF79D950000-0x00007FF79DCA1000-memory.dmp	upx
behavioral2/memory/2728-136-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp	upx
behavioral2/memory/1340-132-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp	upx
behavioral2/memory/980-141-0x00007FF618790000-0x00007FF618AE1000-memory.dmp	upx
behavioral2/memory/2468-146-0x00007FF7D1CE0000-0x00007FF7D2031000-memory.dmp	upx
behavioral2/memory/1668-144-0x00007FF6F1390000-0x00007FF6F16E1000-memory.dmp	upx
behavioral2/memory/3872-145-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp	upx
behavioral2/memory/1340-155-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp	upx
behavioral2/memory/556-204-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp	upx
behavioral2/memory/2380-206-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp	upx
behavioral2/memory/3200-214-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp	upx
behavioral2/memory/4044-216-0x00007FF6896F0000-0x00007FF689A41000-memory.dmp	upx
behavioral2/memory/4400-218-0x00007FF697220000-0x00007FF697571000-memory.dmp	upx
behavioral2/memory/440-220-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp	upx
behavioral2/memory/2728-222-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp	upx
behavioral2/memory/980-224-0x00007FF618790000-0x00007FF618AE1000-memory.dmp	upx
behavioral2/memory/3572-230-0x00007FF71BAF0000-0x00007FF71BE41000-memory.dmp	upx
behavioral2/memory/1256-232-0x00007FF6BF970000-0x00007FF6BFCC1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rRxONUa.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohoJNPq.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rmUVeZF.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMqLOJT.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\flkHNpb.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tnlxaNz.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pUINfpP.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MygKcFo.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pIQbkYk.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zHxLAXL.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kETGNsB.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uYsKRqn.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wVcdYJF.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AzfrWHC.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SRqPWac.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CMFCqzr.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NlpqCPu.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OndAhHT.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fOoyXhA.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NAfMACx.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iJRjHRv.exe	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 556	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1340 wrote to memory of 556	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1340 wrote to memory of 2380	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1340 wrote to memory of 2380	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1340 wrote to memory of 3200	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1340 wrote to memory of 3200	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1340 wrote to memory of 4044	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1340 wrote to memory of 4044	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1340 wrote to memory of 4400	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1340 wrote to memory of 4400	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1340 wrote to memory of 440	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1340 wrote to memory of 440	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1340 wrote to memory of 2728	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1340 wrote to memory of 2728	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1340 wrote to memory of 980	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1340 wrote to memory of 980	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1340 wrote to memory of 3572	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1340 wrote to memory of 3572	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1340 wrote to memory of 1256	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1340 wrote to memory of 1256	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1340 wrote to memory of 1668	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1340 wrote to memory of 1668	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1340 wrote to memory of 3872	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1340 wrote to memory of 3872	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1340 wrote to memory of 2468	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1340 wrote to memory of 2468	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1340 wrote to memory of 2732	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1340 wrote to memory of 2732	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1340 wrote to memory of 4760	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1340 wrote to memory of 4760	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1340 wrote to memory of 3636	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1340 wrote to memory of 3636	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1340 wrote to memory of 4908	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1340 wrote to memory of 4908	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1340 wrote to memory of 1968	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1340 wrote to memory of 1968	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1340 wrote to memory of 1864	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1340 wrote to memory of 1864	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1340 wrote to memory of 4344	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1340 wrote to memory of 4344	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1340 wrote to memory of 3532	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1340 wrote to memory of 3532	1340	2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_948e83230eaf0a826a040cf130417f70_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\System\pUINfpP.exe
  C:\Windows\System\pUINfpP.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\ohoJNPq.exe
  C:\Windows\System\ohoJNPq.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\kETGNsB.exe
  C:\Windows\System\kETGNsB.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\MygKcFo.exe
  C:\Windows\System\MygKcFo.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\rmUVeZF.exe
  C:\Windows\System\rmUVeZF.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\aMqLOJT.exe
  C:\Windows\System\aMqLOJT.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\uYsKRqn.exe
  C:\Windows\System\uYsKRqn.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\NlpqCPu.exe
  C:\Windows\System\NlpqCPu.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\OndAhHT.exe
  C:\Windows\System\OndAhHT.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\flkHNpb.exe
  C:\Windows\System\flkHNpb.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\fOoyXhA.exe
  C:\Windows\System\fOoyXhA.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\tnlxaNz.exe
  C:\Windows\System\tnlxaNz.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\NAfMACx.exe
  C:\Windows\System\NAfMACx.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\wVcdYJF.exe
  C:\Windows\System\wVcdYJF.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\iJRjHRv.exe
  C:\Windows\System\iJRjHRv.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\AzfrWHC.exe
  C:\Windows\System\AzfrWHC.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\rRxONUa.exe
  C:\Windows\System\rRxONUa.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\SRqPWac.exe
  C:\Windows\System\SRqPWac.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\pIQbkYk.exe
  C:\Windows\System\pIQbkYk.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\CMFCqzr.exe
  C:\Windows\System\CMFCqzr.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\zHxLAXL.exe
  C:\Windows\System\zHxLAXL.exe
  2⤵
  - Executes dropped EXE
  PID:3532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AzfrWHC.exe

Filesize
5.2MB

MD5
62f866c08c658d07497587d4b35dbda7

SHA1
5be69f689b40be61db557d90f0c8c09111f29731

SHA256
f3eaba14f0b56c781cfc9dc096a2a24d9ed7edae49f4161e2101041ff3c781f3

SHA512
b3dc88a741f47e24f35eaf2d6bfdf5700562a50d3091631fa70aee138d5aaef6340820f2fa21da61995a159359cf93eea4a747b8d180d19dfbe91e7a08e70a8c

Download Submit
C:\Windows\System\CMFCqzr.exe

Filesize
5.2MB

MD5
1ed76fcbf9a8c546d78d2e625b355057

SHA1
df207ecb910eb5222ec0c47b47ee21a8316b9e79

SHA256
c6c32ac0ade63d3fc6fb6a4b125cb16d17c823ece4d775a487637f6b75745543

SHA512
909fd4e4d7b43ecb4f7a13ab967579c03643cf1aa18c7db64a35356434e77b0599656c849d23234aa546e9e5ba1aa7cb60dc5a92352c21fe2a30d53458e5865c

Download Submit
C:\Windows\System\MygKcFo.exe

Filesize
5.2MB

MD5
27e0b970202fb567c93d93ec3e072872

SHA1
895d5802eb6465e8440fd7126c39a24446c5c87a

SHA256
62a5e58c10fbeac17ac0929cb8da55be79881abe5a68732019e8bd62d15119ba

SHA512
e21b615a65d4f3f85e1e15049a2fae7f2afd9575ce05c288bd80e214d63185fa6f8b3a408191109385944a7abbc9178e6fdc42e8b21741a72819bbd0c52f17cd

Download Submit
C:\Windows\System\NAfMACx.exe

Filesize
5.2MB

MD5
d8f8c056377c08bbb927a3bdcf0a891b

SHA1
31aa792f83d1d5216deec3f6c62f6688a2f0ae3e

SHA256
2eef9df923c58d1daeeb29d0eef96ef41616933e34134f2f88a5b615955697cd

SHA512
9713681d2335ca3540f6419aba20f7edb813dbdba434cbce3878ed68978e1d8c087715d546025c6bdf7f2530302a125c16df35efdc08e0f0679b82f6467ec21e

Download Submit
C:\Windows\System\NlpqCPu.exe

Filesize
5.2MB

MD5
6fc3c2ec18242dabca622bc767c2c85b

SHA1
54490bd4bceb8b62e6d282ddf66a05288af63ec0

SHA256
a5401f9018a7fb5808f5f4214e8054b0db6bfc2f5976ca10ccab10037dc9cf10

SHA512
1da5ca80d6861ad2fd62b579a09a83a01e2479cd0ed71cf30283ca5e41e4c89e2d3732fcb72fcaededde6345ae705f821e9cabdeaec2a23ec515cbeb1afd5166

Download Submit
C:\Windows\System\OndAhHT.exe

Filesize
5.2MB

MD5
2d37fd86631b50d987c6ebc4356f9a55

SHA1
648534172e05c478ea766bfe66de0390f95903b1

SHA256
0d75baad551e3e52d666edfc592663816c88dc8ac65c7678fd4081f5b8b5e929

SHA512
303829f9681c330b0cb32b177104e2c11c57f3ff0e0ffe1089cccdf0464a4a6c676d945c4c70df5c7d4657555903fd151bbf46e230493e3b40909b2fdc57793c

Download Submit
C:\Windows\System\SRqPWac.exe

Filesize
5.2MB

MD5
9aad5e379e52db8be362bd5266bbcec2

SHA1
02553ffc604226775c7af55573700e39a9117cae

SHA256
96f0ed63ddbfbbe41e245418991fccff60e1bdb54092cbcd6c89b4711ccd875e

SHA512
9162e6f7119984e4ba8653f8066e5674f31813b99d0173cef0d5b981d4e5569ac03a0e85aed59940ae7534de669d24d6f83bfd32022638fc4a6deca2e174b5c4

Download Submit
C:\Windows\System\aMqLOJT.exe

Filesize
5.2MB

MD5
888372b5cc4c2a7cecbc87fd4b8fdfd3

SHA1
8519ecde018ba4a0f98727057ff72b9e13f0e9d7

SHA256
009be1f022dd9276207c121809df0290c115ec1d5c588b804a10c4a4db6e3a16

SHA512
5345cb0d3464dd66c4d0c6c39e7cee90783307ffe47fc2b2de8dcca3490547dd07540be9deb4bb653f110cce5bd895b7c7e2fd3b9c80fa22835f8e7943bffa42

Download Submit
C:\Windows\System\fOoyXhA.exe

Filesize
5.2MB

MD5
7510dc53ea7194747fac62bb526f2573

SHA1
f003957c9530902d4ff7ad464df405adf55a2671

SHA256
8b352f112dd16a3cdedd2673eb1c7e7206eedf66baab77b41c70f6dfdba9a03b

SHA512
b63eaac9d9b2ce71655cc27321931ea288f12060211b96dddf22f037d0421006ca4b651adaaee3a1106f87a19e3a33ddd74faf923b203354d3ed2fb53924c630

Download Submit
C:\Windows\System\flkHNpb.exe

Filesize
5.2MB

MD5
0b3d2dfb721ecbfc6e082cb8f049092c

SHA1
e7456ee546e80b56895c1c9aa96787a99998ec81

SHA256
aa2e3cbcb25642a1f33564c42d53ff069e2fbebf41a1f1eb54b0d4d4d4e3406a

SHA512
5275397124572b4cfd56f5ecd33b1ca7067554c8e04f5b5660fad29b243c971c30caa7c238a47fc0ac6c7f0ef30c5862e4722e7371e2661604fa58312508dde7

Download Submit
C:\Windows\System\iJRjHRv.exe

Filesize
5.2MB

MD5
b588998d7e8e80fc37ba56b85554f2ba

SHA1
0bed02deeaddd0962ee118602482866200756289

SHA256
a3354d5bd29dbff1c0719e1e4f919b8b63d43f208392bdfdc9d5e50afef4ea13

SHA512
e339acac2391356e4148acbcfe37c3b95a1024198ee11edd0883f7f461d82f8c98c5155a7781aceb270c01877b774483897f3d29b7cb891fa2bbbfadb9c4d66f

Download Submit
C:\Windows\System\kETGNsB.exe

Filesize
5.2MB

MD5
e19cab698d4cf2ece5ea51e2ba39a86d

SHA1
10fb591e13ff104f0650db628ae506da8daa0386

SHA256
05db537c5eed23cd58cffe03bcf125f670324e6ff51cdca4926cb7dc4f62e654

SHA512
ac3693e9fd91b1ee961f5550d8317f9433623a3c99e54aae82ce71eb53678b2ddbac77cc3138fbdd247ed7b6694a392a7cf5ff6ac79b2ad6cacff3813ae5eabf

Download Submit
C:\Windows\System\ohoJNPq.exe

Filesize
5.2MB

MD5
f443262547ea20469f201d0c2da7fed5

SHA1
08ccdd3d6338519f59742d7cf414e352c884da23

SHA256
50fccc901b156996666c5cc77f9047544550bfc8fc0ba8225dd9b6c45331d82b

SHA512
c2ee4fd1413e23278189e8b4951803a802b4d51800e605116d2e66ea3f1dfa80cf7bcef1e13fee7172b4f5dc3fb7c6a44cef5dad5f55a95a17ee9d149d00f905

Download Submit
C:\Windows\System\pIQbkYk.exe

Filesize
5.2MB

MD5
92d88a68f298d55903ac1947fbcd1edd

SHA1
714b3621c77e01be54b22a2654387d99fc2687c9

SHA256
9c3a601efce207eec7f26ed2ee7c49b0291ca65a119bd0a43ee3c44966cea1b6

SHA512
0123e5277221ea0460723959b4c158cd847c2ecc93a97f926de8c29f91c12925fc14bbaac6e0d2a1d07414a918034965c6fc16c5b80b4fb9aa3aa449cf6c87e3

Download Submit
C:\Windows\System\pUINfpP.exe

Filesize
5.2MB

MD5
626ba8ac2df3dec5262c9019693c2bb0

SHA1
7ab81012b7f1b07b63b852c45e05f473e93b3e4f

SHA256
9726ec4bb99fcfa14077f6d9197ea803c14983ffcab2a4a46fba9113bf1c1c11

SHA512
45b2f2547ae8099ef31c30db87c45c12b643d50729b13dda880079a9986c04f5d160681a8b2d1716f09f4fe445d7389c1bd32fa41a1d597b491424bc4d401deb

Download Submit
C:\Windows\System\rRxONUa.exe

Filesize
5.2MB

MD5
cdfbe1995685a688f653613a450d7441

SHA1
187ade4c8d22387109a94826c69d5b9b029b6a82

SHA256
c013743697d119e079050fe79baaa65051ac981acdc3a02d6285d8c1d5c2df81

SHA512
c9c9641c96e31518924753a9c664dd8d17cd1250ddfb5e56138384f3d94d8eb0d0b8e39d92804e3aca75b75373fe3f15b043b261180246b496f7e51589bceb80

Download Submit
C:\Windows\System\rmUVeZF.exe

Filesize
5.2MB

MD5
e8e9eb1d6ce14814b5c5e8a0694129d2

SHA1
2ead0b0dd5e13cc4e1c994ff561442188884e93c

SHA256
e8e443d8c010320199fe648db8fda1228bd8528d10a631c4454922fc9a4b5d33

SHA512
14db6156dcd9b0684d9fd7c327c68296879ac18c1e2ae47d6defc9f6c9583d5cdd6b84c2cdbc9ff0e6f232724b3984b4cc50b337a1a341cdfc98a48fe0702369

Download Submit
C:\Windows\System\tnlxaNz.exe

Filesize
5.2MB

MD5
9ecf6b55bb4afcb6adb55ceaf09d6c36

SHA1
5ac2a211d95c5eac985fc465bdcbeb0256e16d56

SHA256
b9a68af9de64aa8831d8eacbadd6b3dcd4cf58ab997007478c01c492f861570e

SHA512
6e4b3b092c322907276a35ace6380f1498815a1c07eebc7ec95eeed861f8817ad1c7392b329826dbfc88dc5e09ca08212f7cf456c8ec4f11cd0112a2f07e9b2c

Download Submit
C:\Windows\System\uYsKRqn.exe

Filesize
5.2MB

MD5
5c7829b28dd2342922fcb139f93a8207

SHA1
9ac967032fb58a7eccee2c4fee206a742ed74faf

SHA256
e57a7363d86fde770b1c28508dcd8247dc8b230d7010fa543f110fee91a3a54c

SHA512
88fc70c7c81ac46e1238034e74601efd053f08aea1a74e76d3413c24785d12ec8e2cc59eba7b35ab376361972bc3e6b4c2e9519d5bfecb576f735c1e665100a6

Download Submit
C:\Windows\System\wVcdYJF.exe

Filesize
5.2MB

MD5
3ca29796fd15e16b8d3ef6ccd7d01437

SHA1
495a504496fa39ec7ce56569d8a448bdb5de41b7

SHA256
e25223165812c0944bc1780a5529fda11c5f856d0e3ad029b4dde7ff6f59461a

SHA512
a6686648faa6d46b835d54161da9068817875d1b09890b154fd986fc9093a18b4a2ecb336ebcfab8be5ecab9484816e6bbfd8f64ae6df476dc6128f14476d317

Download Submit
C:\Windows\System\zHxLAXL.exe

Filesize
5.2MB

MD5
df70a80e76c51eb50970fb520c4fb60f

SHA1
3c422fc20b0812b9081943e5ad310d7997a24dee

SHA256
3bedc879d686c275d7d60967a4c730fef33fc5ed97ca8a718c09a2f18e77e485

SHA512
01aa27c9957f504da43c4cf62d8b0f38bcac82cfb4fa6ce7124675e5e6a2ae996b86fa4b7ccbfc14eaeea77dc4ee89fa78920fdb500ba6a85943bc45a5856045

Download Submit
memory/440-43-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp

Filesize
3.3MB

Download
memory/440-220-0x00007FF7CE770000-0x00007FF7CEAC1000-memory.dmp

Filesize
3.3MB

Download
memory/556-66-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp

Filesize
3.3MB

Download
memory/556-204-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp

Filesize
3.3MB

Download
memory/556-7-0x00007FF6BF110000-0x00007FF6BF461000-memory.dmp

Filesize
3.3MB

Download
memory/980-224-0x00007FF618790000-0x00007FF618AE1000-memory.dmp

Filesize
3.3MB

Download
memory/980-141-0x00007FF618790000-0x00007FF618AE1000-memory.dmp

Filesize
3.3MB

Download
memory/980-48-0x00007FF618790000-0x00007FF618AE1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-67-0x00007FF6BF970000-0x00007FF6BFCC1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-232-0x00007FF6BF970000-0x00007FF6BFCC1000-memory.dmp

Filesize
3.3MB

Download
memory/1340-56-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp

Filesize
3.3MB

Download
memory/1340-0-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp

Filesize
3.3MB

Download
memory/1340-1-0x000001F3936D0000-0x000001F3936E0000-memory.dmp

Filesize
64KB

Download
memory/1340-155-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp

Filesize
3.3MB

Download
memory/1340-132-0x00007FF6FB020000-0x00007FF6FB371000-memory.dmp

Filesize
3.3MB

Download
memory/1668-234-0x00007FF6F1390000-0x00007FF6F16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-144-0x00007FF6F1390000-0x00007FF6F16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-73-0x00007FF6F1390000-0x00007FF6F16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-128-0x00007FF79D950000-0x00007FF79DCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1864-258-0x00007FF79D950000-0x00007FF79DCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-127-0x00007FF713970000-0x00007FF713CC1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-256-0x00007FF713970000-0x00007FF713CC1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-13-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-206-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-76-0x00007FF6C8390000-0x00007FF6C86E1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-246-0x00007FF7D1CE0000-0x00007FF7D2031000-memory.dmp

Filesize
3.3MB

Download
memory/2468-123-0x00007FF7D1CE0000-0x00007FF7D2031000-memory.dmp

Filesize
3.3MB

Download
memory/2468-146-0x00007FF7D1CE0000-0x00007FF7D2031000-memory.dmp

Filesize
3.3MB

Download
memory/2728-136-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp

Filesize
3.3MB

Download
memory/2728-44-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp

Filesize
3.3MB

Download
memory/2728-222-0x00007FF6E04E0000-0x00007FF6E0831000-memory.dmp

Filesize
3.3MB

Download
memory/2732-131-0x00007FF788140000-0x00007FF788491000-memory.dmp

Filesize
3.3MB

Download
memory/2732-248-0x00007FF788140000-0x00007FF788491000-memory.dmp

Filesize
3.3MB

Download
memory/3200-214-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp

Filesize
3.3MB

Download
memory/3200-18-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp

Filesize
3.3MB

Download
memory/3200-81-0x00007FF63D8C0000-0x00007FF63DC11000-memory.dmp

Filesize
3.3MB

Download
memory/3532-130-0x00007FF6E97A0000-0x00007FF6E9AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-262-0x00007FF6E97A0000-0x00007FF6E9AF1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-230-0x00007FF71BAF0000-0x00007FF71BE41000-memory.dmp

Filesize
3.3MB

Download
memory/3572-59-0x00007FF71BAF0000-0x00007FF71BE41000-memory.dmp

Filesize
3.3MB

Download
memory/3636-125-0x00007FF7590C0000-0x00007FF759411000-memory.dmp

Filesize
3.3MB

Download
memory/3636-252-0x00007FF7590C0000-0x00007FF759411000-memory.dmp

Filesize
3.3MB

Download
memory/3872-145-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp

Filesize
3.3MB

Download
memory/3872-244-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp

Filesize
3.3MB

Download
memory/3872-80-0x00007FF76EF20000-0x00007FF76F271000-memory.dmp

Filesize
3.3MB

Download
memory/4044-216-0x00007FF6896F0000-0x00007FF689A41000-memory.dmp

Filesize
3.3MB

Download
memory/4044-28-0x00007FF6896F0000-0x00007FF689A41000-memory.dmp

Filesize
3.3MB

Download
memory/4344-260-0x00007FF75F9C0000-0x00007FF75FD11000-memory.dmp

Filesize
3.3MB

Download
memory/4344-129-0x00007FF75F9C0000-0x00007FF75FD11000-memory.dmp

Filesize
3.3MB

Download
memory/4400-34-0x00007FF697220000-0x00007FF697571000-memory.dmp

Filesize
3.3MB

Download
memory/4400-218-0x00007FF697220000-0x00007FF697571000-memory.dmp

Filesize
3.3MB

Download
memory/4760-124-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-250-0x00007FF686A60000-0x00007FF686DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-254-0x00007FF612DF0000-0x00007FF613141000-memory.dmp

Filesize
3.3MB

Download
memory/4908-126-0x00007FF612DF0000-0x00007FF613141000-memory.dmp

Filesize
3.3MB

Download