cobaltstrike | 35f19889c8d7cbb9d2656187d9529da7fefb6811e88806a28711428ee0aedbf2

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e8661848c25e30e4aee55c3e18c58d35
SHA1

c6f599f292ed6ca0874c585754d07f77b8503bb8
SHA256

35f19889c8d7cbb9d2656187d9529da7fefb6811e88806a28711428ee0aedbf2
SHA512

8348c9484826ea870a03f7b37ec2e79cdc36bcb6c9925c3854ea6a42b1f63934c6c696284e542ac996e85bbe813762c674f5fa084abcdc9662563c5dc8ccd13f
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibd56utgpPFotBER/mQ32lU1

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023455-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-8.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-38.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-25.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-115.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b0-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-140.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3608-63-0x00007FF70A3D0000-0x00007FF70A721000-memory.dmp	xmrig
behavioral2/memory/4572-17-0x00007FF779620000-0x00007FF779971000-memory.dmp	xmrig
behavioral2/memory/2684-100-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp	xmrig
behavioral2/memory/4840-101-0x00007FF7B7E00000-0x00007FF7B8151000-memory.dmp	xmrig
behavioral2/memory/3708-111-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp	xmrig
behavioral2/memory/2576-120-0x00007FF7C4A60000-0x00007FF7C4DB1000-memory.dmp	xmrig
behavioral2/memory/644-129-0x00007FF67ABD0000-0x00007FF67AF21000-memory.dmp	xmrig
behavioral2/memory/880-126-0x00007FF6FF850000-0x00007FF6FFBA1000-memory.dmp	xmrig
behavioral2/memory/2836-121-0x00007FF7C0930000-0x00007FF7C0C81000-memory.dmp	xmrig
behavioral2/memory/964-118-0x00007FF6CB400000-0x00007FF6CB751000-memory.dmp	xmrig
behavioral2/memory/4008-108-0x00007FF77FFB0000-0x00007FF780301000-memory.dmp	xmrig
behavioral2/memory/516-84-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp	xmrig
behavioral2/memory/4808-136-0x00007FF755910000-0x00007FF755C61000-memory.dmp	xmrig
behavioral2/memory/2924-142-0x00007FF7C7720000-0x00007FF7C7A71000-memory.dmp	xmrig
behavioral2/memory/3560-145-0x00007FF6C52E0000-0x00007FF6C5631000-memory.dmp	xmrig
behavioral2/memory/1828-150-0x00007FF740A20000-0x00007FF740D71000-memory.dmp	xmrig
behavioral2/memory/1136-151-0x00007FF695330000-0x00007FF695681000-memory.dmp	xmrig
behavioral2/memory/4776-152-0x00007FF7316E0000-0x00007FF731A31000-memory.dmp	xmrig
behavioral2/memory/3364-153-0x00007FF6AAA30000-0x00007FF6AAD81000-memory.dmp	xmrig
behavioral2/memory/3708-158-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp	xmrig
behavioral2/memory/928-159-0x00007FF7ADED0000-0x00007FF7AE221000-memory.dmp	xmrig
behavioral2/memory/2500-161-0x00007FF649840000-0x00007FF649B91000-memory.dmp	xmrig
behavioral2/memory/4236-160-0x00007FF6332C0000-0x00007FF633611000-memory.dmp	xmrig
behavioral2/memory/516-163-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp	xmrig
behavioral2/memory/2684-221-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp	xmrig
behavioral2/memory/4572-223-0x00007FF779620000-0x00007FF779971000-memory.dmp	xmrig
behavioral2/memory/4008-225-0x00007FF77FFB0000-0x00007FF780301000-memory.dmp	xmrig
behavioral2/memory/964-227-0x00007FF6CB400000-0x00007FF6CB751000-memory.dmp	xmrig
behavioral2/memory/2576-229-0x00007FF7C4A60000-0x00007FF7C4DB1000-memory.dmp	xmrig
behavioral2/memory/2836-231-0x00007FF7C0930000-0x00007FF7C0C81000-memory.dmp	xmrig
behavioral2/memory/880-233-0x00007FF6FF850000-0x00007FF6FFBA1000-memory.dmp	xmrig
behavioral2/memory/4808-237-0x00007FF755910000-0x00007FF755C61000-memory.dmp	xmrig
behavioral2/memory/3608-235-0x00007FF70A3D0000-0x00007FF70A721000-memory.dmp	xmrig
behavioral2/memory/644-239-0x00007FF67ABD0000-0x00007FF67AF21000-memory.dmp	xmrig
behavioral2/memory/2924-241-0x00007FF7C7720000-0x00007FF7C7A71000-memory.dmp	xmrig
behavioral2/memory/1828-250-0x00007FF740A20000-0x00007FF740D71000-memory.dmp	xmrig
behavioral2/memory/1136-252-0x00007FF695330000-0x00007FF695681000-memory.dmp	xmrig
behavioral2/memory/4776-254-0x00007FF7316E0000-0x00007FF731A31000-memory.dmp	xmrig
behavioral2/memory/4840-256-0x00007FF7B7E00000-0x00007FF7B8151000-memory.dmp	xmrig
behavioral2/memory/3364-258-0x00007FF6AAA30000-0x00007FF6AAD81000-memory.dmp	xmrig
behavioral2/memory/3708-262-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp	xmrig
behavioral2/memory/4236-264-0x00007FF6332C0000-0x00007FF633611000-memory.dmp	xmrig
behavioral2/memory/2500-266-0x00007FF649840000-0x00007FF649B91000-memory.dmp	xmrig
behavioral2/memory/928-268-0x00007FF7ADED0000-0x00007FF7AE221000-memory.dmp	xmrig
behavioral2/memory/3560-271-0x00007FF6C52E0000-0x00007FF6C5631000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2684	APHadZA.exe
4572	nVNubFB.exe
4008	CSAocZH.exe
964	BPUGSPE.exe
2576	SBIBXEs.exe
2836	BVJyTPe.exe
4808	ywYmwIX.exe
880	oxBLVRI.exe
3608	QAjhApZ.exe
644	bwPVPKE.exe
2924	KqlTHLT.exe
1828	phdebcz.exe
1136	AsJQmzw.exe
4776	rNoZEOj.exe
3364	YQxAEle.exe
4840	QprwpeS.exe
3708	sNtHuQa.exe
928	WEinzRX.exe
4236	ITRKklb.exe
2500	gRSvyvg.exe
3560	kNbXnsF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/516-0-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp	upx
behavioral2/files/0x0009000000023455-6.dat	upx
behavioral2/files/0x00070000000234b4-8.dat	upx
behavioral2/files/0x00070000000234b3-11.dat	upx
behavioral2/memory/4008-20-0x00007FF77FFB0000-0x00007FF780301000-memory.dmp	upx
behavioral2/files/0x00070000000234b6-31.dat	upx
behavioral2/memory/2576-36-0x00007FF7C4A60000-0x00007FF7C4DB1000-memory.dmp	upx
behavioral2/files/0x00070000000234b9-43.dat	upx
behavioral2/files/0x00070000000234ba-59.dat	upx
behavioral2/files/0x00070000000234bb-64.dat	upx
behavioral2/files/0x00070000000234bc-67.dat	upx
behavioral2/memory/2924-66-0x00007FF7C7720000-0x00007FF7C7A71000-memory.dmp	upx
behavioral2/memory/3608-63-0x00007FF70A3D0000-0x00007FF70A721000-memory.dmp	upx
behavioral2/memory/644-62-0x00007FF67ABD0000-0x00007FF67AF21000-memory.dmp	upx
behavioral2/memory/880-55-0x00007FF6FF850000-0x00007FF6FFBA1000-memory.dmp	upx
behavioral2/files/0x00070000000234b8-47.dat	upx
behavioral2/memory/4808-44-0x00007FF755910000-0x00007FF755C61000-memory.dmp	upx
behavioral2/memory/2836-41-0x00007FF7C0930000-0x00007FF7C0C81000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-38.dat	upx
behavioral2/memory/964-28-0x00007FF6CB400000-0x00007FF6CB751000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-25.dat	upx
behavioral2/memory/4572-17-0x00007FF779620000-0x00007FF779971000-memory.dmp	upx
behavioral2/memory/2684-9-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp	upx
behavioral2/memory/1828-78-0x00007FF740A20000-0x00007FF740D71000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-83.dat	upx
behavioral2/files/0x00070000000234bf-89.dat	upx
behavioral2/memory/2684-100-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp	upx
behavioral2/memory/4840-101-0x00007FF7B7E00000-0x00007FF7B8151000-memory.dmp	upx
behavioral2/memory/3364-99-0x00007FF6AAA30000-0x00007FF6AAD81000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-97.dat	upx
behavioral2/memory/4776-88-0x00007FF7316E0000-0x00007FF731A31000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-104.dat	upx
behavioral2/memory/3708-111-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp	upx
behavioral2/memory/2576-120-0x00007FF7C4A60000-0x00007FF7C4DB1000-memory.dmp	upx
behavioral2/memory/2500-125-0x00007FF649840000-0x00007FF649B91000-memory.dmp	upx
behavioral2/memory/644-129-0x00007FF67ABD0000-0x00007FF67AF21000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-127.dat	upx
behavioral2/memory/880-126-0x00007FF6FF850000-0x00007FF6FFBA1000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-123.dat	upx
behavioral2/memory/4236-122-0x00007FF6332C0000-0x00007FF633611000-memory.dmp	upx
behavioral2/memory/2836-121-0x00007FF7C0930000-0x00007FF7C0C81000-memory.dmp	upx
behavioral2/memory/964-118-0x00007FF6CB400000-0x00007FF6CB751000-memory.dmp	upx
behavioral2/memory/928-117-0x00007FF7ADED0000-0x00007FF7AE221000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-115.dat	upx
behavioral2/memory/4008-108-0x00007FF77FFB0000-0x00007FF780301000-memory.dmp	upx
behavioral2/memory/1136-85-0x00007FF695330000-0x00007FF695681000-memory.dmp	upx
behavioral2/memory/516-84-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp	upx
behavioral2/files/0x00080000000234b0-86.dat	upx
behavioral2/files/0x00070000000234bd-77.dat	upx
behavioral2/memory/4808-136-0x00007FF755910000-0x00007FF755C61000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-140.dat	upx
behavioral2/memory/2924-142-0x00007FF7C7720000-0x00007FF7C7A71000-memory.dmp	upx
behavioral2/memory/3560-145-0x00007FF6C52E0000-0x00007FF6C5631000-memory.dmp	upx
behavioral2/memory/1828-150-0x00007FF740A20000-0x00007FF740D71000-memory.dmp	upx
behavioral2/memory/1136-151-0x00007FF695330000-0x00007FF695681000-memory.dmp	upx
behavioral2/memory/4776-152-0x00007FF7316E0000-0x00007FF731A31000-memory.dmp	upx
behavioral2/memory/3364-153-0x00007FF6AAA30000-0x00007FF6AAD81000-memory.dmp	upx
behavioral2/memory/3708-158-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp	upx
behavioral2/memory/928-159-0x00007FF7ADED0000-0x00007FF7AE221000-memory.dmp	upx
behavioral2/memory/2500-161-0x00007FF649840000-0x00007FF649B91000-memory.dmp	upx
behavioral2/memory/4236-160-0x00007FF6332C0000-0x00007FF633611000-memory.dmp	upx
behavioral2/memory/516-163-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp	upx
behavioral2/memory/2684-221-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp	upx
behavioral2/memory/4572-223-0x00007FF779620000-0x00007FF779971000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\BVJyTPe.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ywYmwIX.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QAjhApZ.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\phdebcz.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AsJQmzw.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nVNubFB.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CSAocZH.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SBIBXEs.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gRSvyvg.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bwPVPKE.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KqlTHLT.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WEinzRX.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\APHadZA.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BPUGSPE.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxBLVRI.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YQxAEle.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kNbXnsF.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ITRKklb.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rNoZEOj.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QprwpeS.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNtHuQa.exe	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2684	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 516 wrote to memory of 2684	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 516 wrote to memory of 4572	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 516 wrote to memory of 4572	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 516 wrote to memory of 4008	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 516 wrote to memory of 4008	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 516 wrote to memory of 964	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 516 wrote to memory of 964	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 516 wrote to memory of 2576	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 516 wrote to memory of 2576	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 516 wrote to memory of 2836	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 516 wrote to memory of 2836	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 516 wrote to memory of 4808	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 516 wrote to memory of 4808	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 516 wrote to memory of 880	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 516 wrote to memory of 880	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 516 wrote to memory of 3608	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 516 wrote to memory of 3608	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 516 wrote to memory of 644	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 516 wrote to memory of 644	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 516 wrote to memory of 2924	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 516 wrote to memory of 2924	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 516 wrote to memory of 1828	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 516 wrote to memory of 1828	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 516 wrote to memory of 1136	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 516 wrote to memory of 1136	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 516 wrote to memory of 4776	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 516 wrote to memory of 4776	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 516 wrote to memory of 3364	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 516 wrote to memory of 3364	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 516 wrote to memory of 4840	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 516 wrote to memory of 4840	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 516 wrote to memory of 3708	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 516 wrote to memory of 3708	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 516 wrote to memory of 928	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 516 wrote to memory of 928	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 516 wrote to memory of 4236	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 516 wrote to memory of 4236	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 516 wrote to memory of 2500	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 516 wrote to memory of 2500	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 516 wrote to memory of 3560	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 516 wrote to memory of 3560	516	2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_e8661848c25e30e4aee55c3e18c58d35_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\System\APHadZA.exe
  C:\Windows\System\APHadZA.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\nVNubFB.exe
  C:\Windows\System\nVNubFB.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\CSAocZH.exe
  C:\Windows\System\CSAocZH.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\BPUGSPE.exe
  C:\Windows\System\BPUGSPE.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\SBIBXEs.exe
  C:\Windows\System\SBIBXEs.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\BVJyTPe.exe
  C:\Windows\System\BVJyTPe.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\ywYmwIX.exe
  C:\Windows\System\ywYmwIX.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\oxBLVRI.exe
  C:\Windows\System\oxBLVRI.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\QAjhApZ.exe
  C:\Windows\System\QAjhApZ.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\bwPVPKE.exe
  C:\Windows\System\bwPVPKE.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\KqlTHLT.exe
  C:\Windows\System\KqlTHLT.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\phdebcz.exe
  C:\Windows\System\phdebcz.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\AsJQmzw.exe
  C:\Windows\System\AsJQmzw.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\rNoZEOj.exe
  C:\Windows\System\rNoZEOj.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\YQxAEle.exe
  C:\Windows\System\YQxAEle.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\QprwpeS.exe
  C:\Windows\System\QprwpeS.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\sNtHuQa.exe
  C:\Windows\System\sNtHuQa.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\WEinzRX.exe
  C:\Windows\System\WEinzRX.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\ITRKklb.exe
  C:\Windows\System\ITRKklb.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\gRSvyvg.exe
  C:\Windows\System\gRSvyvg.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\kNbXnsF.exe
  C:\Windows\System\kNbXnsF.exe
  2⤵
  - Executes dropped EXE
  PID:3560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\APHadZA.exe

Filesize
5.2MB

MD5
b87ad2a178364c93735c809656a15088

SHA1
a897c18998b9989b587503807092bf8ef148367c

SHA256
aae5df782acdbd9a2c6a1065a9468e8cefad0ab327fb235112f01f873ca96920

SHA512
daad3673f9476885bffe1ce349ddc783f05f699bc018ab2947da074f88012afa3fbcc26b3907fa80e56975f2abe2bc4828aa802c8320ae2db84458551c7c7416

Download Submit
C:\Windows\System\AsJQmzw.exe

Filesize
5.2MB

MD5
ab0dcd16c5b34494c3d064609399d5d9

SHA1
0017cb448c35645fbe3d44a8ed881901e201423e

SHA256
a44ac0d970595a1e7dbc73d229d45e7a0d4e46d5d385bc7305a1a2cb55548d0b

SHA512
c8e95aa1cc6f99b248b216afbae7061b84c0f53cbe6e316e68455dc5ca493e898e795fcb1173e8a31164b4f472fd23dd0c392f26ca77e081521f20a1efaf5fc5

Download Submit
C:\Windows\System\BPUGSPE.exe

Filesize
5.2MB

MD5
07826fb781fd6d1e43835e78d5931394

SHA1
4e1cba8823adcc4c2f47c9ef593094a4364e3537

SHA256
ca1e842f5958fb99dfb1921ec402fffe4949779e1b7fbf7b8ac93c7cbf53ceb4

SHA512
e7e4200dffab14fedcc45c8490933ee55bd35c3fef93d89baa32edc304e2e6ab20f08cdbc169d28fa3eee96ab125e4635358b7b023af36f05125990b3da6c813

Download Submit
C:\Windows\System\BVJyTPe.exe

Filesize
5.2MB

MD5
c937ed99291e3363bb4278617ac40b28

SHA1
a53a23f265b122fa3dd64010fa52dc39e8ccc208

SHA256
c6176e6482a844dba71117e7428825ed3cf5d2fd56f5e847e405b0cbd7cd7697

SHA512
f3f5a3737b80fef10a0bb6b6bf43d76479ef678ec017cedb4ac39c0c4b42742abc385910510b8343ba23def0eeb4a30bb9daa4129fa3701bf8fbcd1669015a7d

Download Submit
C:\Windows\System\CSAocZH.exe

Filesize
5.2MB

MD5
beb6733708d4f8e7b008e573412d694c

SHA1
e39699ab5e71ec251d09591c01cba02f31a28939

SHA256
2ac02297a423d5fc6454ce67910f1a6fa9da90fcef074eeb205265fec19e68d5

SHA512
5bbc16017f54d43b8af615afffd4852d7f8d763ce5239338687cea95ddf96a3402e57512fd84ef8cb619f443076af9a574baebba98509a51a18fb8e584aef0e7

Download Submit
C:\Windows\System\ITRKklb.exe

Filesize
5.2MB

MD5
433aeac0a3955b4a2fff51e0e93c68ea

SHA1
ad8dd25fd8368ef3d0e1c215121859818096ff25

SHA256
7199647c4170ef334252e3d9902c42c567e0032e4fa9b1e976ede1e343815c2c

SHA512
4886e1cb10e8e7432cab54f4ab5ab5d60c182be1d649f64ab1d685d645d914319505e4b610a516446a24f3d39f6b7d4467ffd3942c36d1fbc5c3eed5ef4e28ad

Download Submit
C:\Windows\System\KqlTHLT.exe

Filesize
5.2MB

MD5
c4615280ee7fceee6b3ab2c07afce95a

SHA1
fc629456e0fc23c1e1179c4ae14411552d07e7d3

SHA256
c1dbbfce42dc330ef830b34d40edc462f92ce8a74113e13a7a0e60a343163fc0

SHA512
85ed0103589107eb12637530f73062fc7c15ec0f5bee5a956f3bd8e4d88e0f27e8960a6c2347cc852d3fe53694018262b0a970cb9acb32f6f12aaf8489abbf06

Download Submit
C:\Windows\System\QAjhApZ.exe

Filesize
5.2MB

MD5
26fdf385521f35e8103f81d4ceaa7667

SHA1
27be98163e0f4a5dead477820d8365a0d4b5ad61

SHA256
71e1e642445eaa909470c16f62fea79267f662a1dcfe633ee444d0f6a089f0a0

SHA512
a8ff20a3a556d7ea419435adc9fff1a43e7ba4b9b92c78bf4b8ae6d3f3c6b298dc3b7429d7a96f2fdd347c24c59472dffee2d1509d9e87cefd71f3043676904e

Download Submit
C:\Windows\System\QprwpeS.exe

Filesize
5.2MB

MD5
06f28756cb4b795c153b235eba0a17ce

SHA1
d205ad7413a5ba882ee117df0f6c8b288ab56eca

SHA256
b1523b2fc4dbdbf84c5c7c09e3ef79e3c14d3abc324821b993f0ed7e5f0c3296

SHA512
3fd2769c7c32a56e294cad343c2134dc0fb10ee0b69c8902022232ae8d319437f55f090e7637f8395c2f91135c366cbec5bbca82664dbe558d4cc141da549266

Download Submit
C:\Windows\System\SBIBXEs.exe

Filesize
5.2MB

MD5
adb99a4d7628188faab922a7d87952aa

SHA1
7f4ee27fbcd8021ca59b2cd1dfc5d51f614f9458

SHA256
083bfc43f69248ba4aee4f316c82b6909e8fc0ac130f1003a7b27058ee643712

SHA512
3f323fbf42aa95f66adb24ad6f597fac305b582f3a09d8fbe83e494ef78cb6a8b379b66d8b3dee290728b3ef82255bd1b6a924bf4188505b26630b2e5fea0d04

Download Submit
C:\Windows\System\WEinzRX.exe

Filesize
5.2MB

MD5
238896ce42877d2c1e465340a7440e4b

SHA1
13873c224fb370da67a9f5c4c74327416bcabb22

SHA256
9b9ca8bf55a7dd64d3e0a0e65110d561be34f66759fca78bf8c8953b41c2a351

SHA512
deab35f8f91ffe5e02b12bf4856c9c25ba90ffff3e4aabd89542417664f3319477db3f8a594b611d955fb7c39cb5d76c2834b136555b4d59c6cde1721fdda6a9

Download Submit
C:\Windows\System\YQxAEle.exe

Filesize
5.2MB

MD5
b192810b3196da31a68a4a646ea3fec1

SHA1
35af16b57cd1c5c603bacf59caf226b230855b85

SHA256
7c1f48a4f56742e8537d3720d893d967eea4ddb63c5e95a9c37dd0b356f091a0

SHA512
f9a6f0332db8b4b5a21f5d905f3a11260d8ee86a12a8de7df21931fbb10333e3d709838bf58eb0b664ea7047e9f4127eafc56930d25da7558a22c9030d9e4552

Download Submit
C:\Windows\System\bwPVPKE.exe

Filesize
5.2MB

MD5
d4ba32922351a6a330f45712d6d92026

SHA1
ea3a46bb096e655953aa20fd810159bf5afa06c8

SHA256
c4725f5a70c0bcd648dc0cea405f66630db34c2bdc9246cb0bd44dca40c34817

SHA512
ca16c8714834e1131a3b59f1ef91e39553a360ba670170857d0a15cba1ec74a2bf778bfe4fdc7e7b6da8f26e743e2087557a4df294020448fce73669f9ad33c4

Download Submit
C:\Windows\System\gRSvyvg.exe

Filesize
5.2MB

MD5
51a3b713009c8437f51cfb22b4bd5f59

SHA1
3f236b27291cfe308a8b3c9de54a2bc8199df1db

SHA256
317a52a4a53e29c812057292cf1e3483d14bab70ae46bc6d10d6d659a4b8b98e

SHA512
3b9e94b3271e4447049e69f25590b94314cd87fbebddda359659e4f056456c9d7c0a5c8cb77da6c0fb7f17ecd71f1667ec789beffad767c077d05a940e54ff23

Download Submit
C:\Windows\System\kNbXnsF.exe

Filesize
5.2MB

MD5
43a70d8b59c1ae0afadebbcc1669cb85

SHA1
3bc599ea1389ec1dbae0d9fb411acac31afd93af

SHA256
0ce534d4ec90833fc2c3315fd1c811e3f1e930f9e469b7172a449fadfb423fd6

SHA512
5b0021ba6cc3a9084324bde7a89b4325b60dfe69af9d3ad1d5db678d2ede134c97c94ca50e9b5d7a6513e61a8eed83882277b6308801f7d9ec0fd2e5e8bfaf76

Download Submit
C:\Windows\System\nVNubFB.exe

Filesize
5.2MB

MD5
494a5a3d95c85792d35687397a45c808

SHA1
0d39a8121d7d7dd786bb06c2bb8f5be2670bbf17

SHA256
fea74cebe5b75a8250490fd6ae9d11368f6efd919dc7b30c7418a0cb927fd9d0

SHA512
aec6dfb28ae2a6328f0af4821cc24b640296524be35a595cc28a5b6959311ec7d07b56137e629330599a9565c37bc4fda4287e3b5583cde8ceee8169a4bff0f2

Download Submit
C:\Windows\System\oxBLVRI.exe

Filesize
5.2MB

MD5
a9229e5195403f9701056cff173aeffb

SHA1
6efdfbb494368d60ab172cd2e2a2da34777c965d

SHA256
88927fc2f434f2689d114f5e986939e5a9c1ba1b192ee74621a3d7ff0b479a54

SHA512
4e857df791bbd1dcdc29581be58c7f7657adee5ade2e2fef71061bf99cde76df268bb50e32f8114d72b2d697e801e7af143758512cc6bdaa5edadb03e99873e8

Download Submit
C:\Windows\System\phdebcz.exe

Filesize
5.2MB

MD5
69618a7a91eaf134509d0c4298607a38

SHA1
aa08a7b71eb1eceb2ac1021bd4ea0880bbcea871

SHA256
dcd7a52fdb7bf9f7c8e24c4266a2e2ec3b7973cfecff49b50b7b40bfa87bb30e

SHA512
8e59c67c0c18b9072e4c3255fc2f14c0ce174853b8ba40a04d6cc0afbd14c524786c6da086023480c57e824622859af519e4a6d6d6754631297f63d7807af2de

Download Submit
C:\Windows\System\rNoZEOj.exe

Filesize
5.2MB

MD5
37367ccdf9dbbc4a39abbdd8a6ab49b1

SHA1
92f2fd719e61b2fec7237f86efed12c948bf0e3a

SHA256
07ba6423435d8b983d9956e58bfaf6a752834441e94a96222b3cb9d420f58bad

SHA512
674ac64f26cb8123ddbdebf9ffe47757c9a97e4cd5f1a865431383c7223bb2b886efb123831cfc6e1b520f9b50cdbc54504aaa9300d50cbf54e36d18d85e6355

Download Submit
C:\Windows\System\sNtHuQa.exe

Filesize
5.2MB

MD5
1f1b205c932eccaff04db7e044f42c7f

SHA1
6253b711bc7a81c53df32d4ce1de972b940e6fcf

SHA256
686208fe91c8015cce77d6fd4a1cd5f1bc5beb901aeb321de447e89d046a9fdd

SHA512
22eae46ff83d8bf2a2b6a9aee7bd7870af79334d651890020637624438c4667b5c6bad1ccf24843cc219a96ee1aeeeac2f46da33e898ff47404ae389b07b101d

Download Submit
C:\Windows\System\ywYmwIX.exe

Filesize
5.2MB

MD5
4fbbe327f868a1386a2f7ad275158bbf

SHA1
d8379d267fe983a23bee82a25687531c54ef41d7

SHA256
42a3156f4e459b27f4aa9f152542e41141b90fe19de07ffd7375aae403a887cb

SHA512
afc3f537552b5b0ac0529e58e80faecfaa1d5dab75a94c5ced90034067f830d40567717ddc219c55f68c1d48365d62ace123b025235f03957bce8df6039babb8

Download Submit
memory/516-1-0x0000026414480000-0x0000026414490000-memory.dmp

Filesize
64KB

Download
memory/516-163-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp

Filesize
3.3MB

Download
memory/516-84-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp

Filesize
3.3MB

Download
memory/516-0-0x00007FF79EAB0000-0x00007FF79EE01000-memory.dmp

Filesize
3.3MB

Download
memory/644-129-0x00007FF67ABD0000-0x00007FF67AF21000-memory.dmp

Filesize
3.3MB

Download
memory/644-239-0x00007FF67ABD0000-0x00007FF67AF21000-memory.dmp

Filesize
3.3MB

Download
memory/644-62-0x00007FF67ABD0000-0x00007FF67AF21000-memory.dmp

Filesize
3.3MB

Download
memory/880-233-0x00007FF6FF850000-0x00007FF6FFBA1000-memory.dmp

Filesize
3.3MB

Download
memory/880-126-0x00007FF6FF850000-0x00007FF6FFBA1000-memory.dmp

Filesize
3.3MB

Download
memory/880-55-0x00007FF6FF850000-0x00007FF6FFBA1000-memory.dmp

Filesize
3.3MB

Download
memory/928-159-0x00007FF7ADED0000-0x00007FF7AE221000-memory.dmp

Filesize
3.3MB

Download
memory/928-117-0x00007FF7ADED0000-0x00007FF7AE221000-memory.dmp

Filesize
3.3MB

Download
memory/928-268-0x00007FF7ADED0000-0x00007FF7AE221000-memory.dmp

Filesize
3.3MB

Download
memory/964-118-0x00007FF6CB400000-0x00007FF6CB751000-memory.dmp

Filesize
3.3MB

Download
memory/964-28-0x00007FF6CB400000-0x00007FF6CB751000-memory.dmp

Filesize
3.3MB

Download
memory/964-227-0x00007FF6CB400000-0x00007FF6CB751000-memory.dmp

Filesize
3.3MB

Download
memory/1136-252-0x00007FF695330000-0x00007FF695681000-memory.dmp

Filesize
3.3MB

Download
memory/1136-151-0x00007FF695330000-0x00007FF695681000-memory.dmp

Filesize
3.3MB

Download
memory/1136-85-0x00007FF695330000-0x00007FF695681000-memory.dmp

Filesize
3.3MB

Download
memory/1828-78-0x00007FF740A20000-0x00007FF740D71000-memory.dmp

Filesize
3.3MB

Download
memory/1828-150-0x00007FF740A20000-0x00007FF740D71000-memory.dmp

Filesize
3.3MB

Download
memory/1828-250-0x00007FF740A20000-0x00007FF740D71000-memory.dmp

Filesize
3.3MB

Download
memory/2500-125-0x00007FF649840000-0x00007FF649B91000-memory.dmp

Filesize
3.3MB

Download
memory/2500-161-0x00007FF649840000-0x00007FF649B91000-memory.dmp

Filesize
3.3MB

Download
memory/2500-266-0x00007FF649840000-0x00007FF649B91000-memory.dmp

Filesize
3.3MB

Download
memory/2576-36-0x00007FF7C4A60000-0x00007FF7C4DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-120-0x00007FF7C4A60000-0x00007FF7C4DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-229-0x00007FF7C4A60000-0x00007FF7C4DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-221-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-9-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-100-0x00007FF6787A0000-0x00007FF678AF1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-121-0x00007FF7C0930000-0x00007FF7C0C81000-memory.dmp

Filesize
3.3MB

Download
memory/2836-231-0x00007FF7C0930000-0x00007FF7C0C81000-memory.dmp

Filesize
3.3MB

Download
memory/2836-41-0x00007FF7C0930000-0x00007FF7C0C81000-memory.dmp

Filesize
3.3MB

Download
memory/2924-241-0x00007FF7C7720000-0x00007FF7C7A71000-memory.dmp

Filesize
3.3MB

Download
memory/2924-66-0x00007FF7C7720000-0x00007FF7C7A71000-memory.dmp

Filesize
3.3MB

Download
memory/2924-142-0x00007FF7C7720000-0x00007FF7C7A71000-memory.dmp

Filesize
3.3MB

Download
memory/3364-153-0x00007FF6AAA30000-0x00007FF6AAD81000-memory.dmp

Filesize
3.3MB

Download
memory/3364-258-0x00007FF6AAA30000-0x00007FF6AAD81000-memory.dmp

Filesize
3.3MB

Download
memory/3364-99-0x00007FF6AAA30000-0x00007FF6AAD81000-memory.dmp

Filesize
3.3MB

Download
memory/3560-145-0x00007FF6C52E0000-0x00007FF6C5631000-memory.dmp

Filesize
3.3MB

Download
memory/3560-271-0x00007FF6C52E0000-0x00007FF6C5631000-memory.dmp

Filesize
3.3MB

Download
memory/3608-235-0x00007FF70A3D0000-0x00007FF70A721000-memory.dmp

Filesize
3.3MB

Download
memory/3608-63-0x00007FF70A3D0000-0x00007FF70A721000-memory.dmp

Filesize
3.3MB

Download
memory/3708-262-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp

Filesize
3.3MB

Download
memory/3708-111-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp

Filesize
3.3MB

Download
memory/3708-158-0x00007FF63CF20000-0x00007FF63D271000-memory.dmp

Filesize
3.3MB

Download
memory/4008-108-0x00007FF77FFB0000-0x00007FF780301000-memory.dmp

Filesize
3.3MB

Download
memory/4008-20-0x00007FF77FFB0000-0x00007FF780301000-memory.dmp

Filesize
3.3MB

Download
memory/4008-225-0x00007FF77FFB0000-0x00007FF780301000-memory.dmp

Filesize
3.3MB

Download
memory/4236-122-0x00007FF6332C0000-0x00007FF633611000-memory.dmp

Filesize
3.3MB

Download
memory/4236-160-0x00007FF6332C0000-0x00007FF633611000-memory.dmp

Filesize
3.3MB

Download
memory/4236-264-0x00007FF6332C0000-0x00007FF633611000-memory.dmp

Filesize
3.3MB

Download
memory/4572-223-0x00007FF779620000-0x00007FF779971000-memory.dmp

Filesize
3.3MB

Download
memory/4572-17-0x00007FF779620000-0x00007FF779971000-memory.dmp

Filesize
3.3MB

Download
memory/4776-152-0x00007FF7316E0000-0x00007FF731A31000-memory.dmp

Filesize
3.3MB

Download
memory/4776-254-0x00007FF7316E0000-0x00007FF731A31000-memory.dmp

Filesize
3.3MB

Download
memory/4776-88-0x00007FF7316E0000-0x00007FF731A31000-memory.dmp

Filesize
3.3MB

Download
memory/4808-136-0x00007FF755910000-0x00007FF755C61000-memory.dmp

Filesize
3.3MB

Download
memory/4808-237-0x00007FF755910000-0x00007FF755C61000-memory.dmp

Filesize
3.3MB

Download
memory/4808-44-0x00007FF755910000-0x00007FF755C61000-memory.dmp

Filesize
3.3MB

Download
memory/4840-101-0x00007FF7B7E00000-0x00007FF7B8151000-memory.dmp

Filesize
3.3MB

Download
memory/4840-256-0x00007FF7B7E00000-0x00007FF7B8151000-memory.dmp

Filesize
3.3MB

Download