cobaltstrike | 913f321d055b43135d95d56b160ddee91dc8967997009b98aa7243cc890e59b8

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d4d6762542965a8342131c1321a767dd
SHA1

c7db5cbfc93707bf53ee0ca2e4121ea3db9ce073
SHA256

913f321d055b43135d95d56b160ddee91dc8967997009b98aa7243cc890e59b8
SHA512

ae831bad682dd97cb1cb93bf579c77e30e0337924fabef4ac6e78dde940f94a5d7d2c8a42a1106af6280a32153ccf814ba34864b7f740766fc30e869ff3819af
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibd56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023421-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023422-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-64.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-58.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1156-60-0x00007FF60A370000-0x00007FF60A6C1000-memory.dmp	xmrig
behavioral2/memory/4456-71-0x00007FF6DE350000-0x00007FF6DE6A1000-memory.dmp	xmrig
behavioral2/memory/1904-136-0x00007FF720730000-0x00007FF720A81000-memory.dmp	xmrig
behavioral2/memory/908-134-0x00007FF7E4D50000-0x00007FF7E50A1000-memory.dmp	xmrig
behavioral2/memory/1976-133-0x00007FF65B3B0000-0x00007FF65B701000-memory.dmp	xmrig
behavioral2/memory/748-122-0x00007FF600240000-0x00007FF600591000-memory.dmp	xmrig
behavioral2/memory/2864-117-0x00007FF69FB00000-0x00007FF69FE51000-memory.dmp	xmrig
behavioral2/memory/5060-108-0x00007FF6CDB60000-0x00007FF6CDEB1000-memory.dmp	xmrig
behavioral2/memory/4576-100-0x00007FF77E6B0000-0x00007FF77EA01000-memory.dmp	xmrig
behavioral2/memory/3460-88-0x00007FF6D5AD0000-0x00007FF6D5E21000-memory.dmp	xmrig
behavioral2/memory/5036-84-0x00007FF793510000-0x00007FF793861000-memory.dmp	xmrig
behavioral2/memory/4708-80-0x00007FF62EBA0000-0x00007FF62EEF1000-memory.dmp	xmrig
behavioral2/memory/1616-79-0x00007FF65F560000-0x00007FF65F8B1000-memory.dmp	xmrig
behavioral2/memory/4116-53-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp	xmrig
behavioral2/memory/4116-140-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp	xmrig
behavioral2/memory/2024-147-0x00007FF6076F0000-0x00007FF607A41000-memory.dmp	xmrig
behavioral2/memory/2028-148-0x00007FF78E4D0000-0x00007FF78E821000-memory.dmp	xmrig
behavioral2/memory/2880-156-0x00007FF6F2770000-0x00007FF6F2AC1000-memory.dmp	xmrig
behavioral2/memory/2008-157-0x00007FF642DF0000-0x00007FF643141000-memory.dmp	xmrig
behavioral2/memory/1824-161-0x00007FF7E1180000-0x00007FF7E14D1000-memory.dmp	xmrig
behavioral2/memory/3268-163-0x00007FF6F0480000-0x00007FF6F07D1000-memory.dmp	xmrig
behavioral2/memory/1448-165-0x00007FF74ABE0000-0x00007FF74AF31000-memory.dmp	xmrig
behavioral2/memory/2352-162-0x00007FF6BE900000-0x00007FF6BEC51000-memory.dmp	xmrig
behavioral2/memory/4116-166-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp	xmrig
behavioral2/memory/1156-214-0x00007FF60A370000-0x00007FF60A6C1000-memory.dmp	xmrig
behavioral2/memory/4456-220-0x00007FF6DE350000-0x00007FF6DE6A1000-memory.dmp	xmrig
behavioral2/memory/4708-222-0x00007FF62EBA0000-0x00007FF62EEF1000-memory.dmp	xmrig
behavioral2/memory/5036-224-0x00007FF793510000-0x00007FF793861000-memory.dmp	xmrig
behavioral2/memory/3460-226-0x00007FF6D5AD0000-0x00007FF6D5E21000-memory.dmp	xmrig
behavioral2/memory/4576-238-0x00007FF77E6B0000-0x00007FF77EA01000-memory.dmp	xmrig
behavioral2/memory/5060-242-0x00007FF6CDB60000-0x00007FF6CDEB1000-memory.dmp	xmrig
behavioral2/memory/2864-241-0x00007FF69FB00000-0x00007FF69FE51000-memory.dmp	xmrig
behavioral2/memory/748-244-0x00007FF600240000-0x00007FF600591000-memory.dmp	xmrig
behavioral2/memory/1976-246-0x00007FF65B3B0000-0x00007FF65B701000-memory.dmp	xmrig
behavioral2/memory/1904-248-0x00007FF720730000-0x00007FF720A81000-memory.dmp	xmrig
behavioral2/memory/1616-250-0x00007FF65F560000-0x00007FF65F8B1000-memory.dmp	xmrig
behavioral2/memory/2024-252-0x00007FF6076F0000-0x00007FF607A41000-memory.dmp	xmrig
behavioral2/memory/2028-259-0x00007FF78E4D0000-0x00007FF78E821000-memory.dmp	xmrig
behavioral2/memory/2880-261-0x00007FF6F2770000-0x00007FF6F2AC1000-memory.dmp	xmrig
behavioral2/memory/1824-263-0x00007FF7E1180000-0x00007FF7E14D1000-memory.dmp	xmrig
behavioral2/memory/2352-267-0x00007FF6BE900000-0x00007FF6BEC51000-memory.dmp	xmrig
behavioral2/memory/2008-266-0x00007FF642DF0000-0x00007FF643141000-memory.dmp	xmrig
behavioral2/memory/908-269-0x00007FF7E4D50000-0x00007FF7E50A1000-memory.dmp	xmrig
behavioral2/memory/3268-271-0x00007FF6F0480000-0x00007FF6F07D1000-memory.dmp	xmrig
behavioral2/memory/1448-273-0x00007FF74ABE0000-0x00007FF74AF31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1156	GxzNVBG.exe
4456	DXoOPsA.exe
4708	POJFgQL.exe
5036	oZqKkFl.exe
3460	WaEqMXO.exe
4576	GRFNKzb.exe
5060	LyYVZxC.exe
2864	cxJyTfk.exe
748	miXJtUl.exe
1976	hzMLcSQ.exe
1904	gHBRedn.exe
1616	MSWnfrD.exe
2024	fQbiMBw.exe
2028	ezqTQnc.exe
2880	UqtmXyr.exe
2008	oHZdvwi.exe
1824	LHwYOPS.exe
2352	ECwljIN.exe
3268	QDkLkHC.exe
908	gKDaFoE.exe
1448	hGWrlAY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4116-0-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp	upx
behavioral2/files/0x0008000000023421-5.dat	upx
behavioral2/memory/1156-7-0x00007FF60A370000-0x00007FF60A6C1000-memory.dmp	upx
behavioral2/files/0x0007000000023425-11.dat	upx
behavioral2/files/0x0007000000023426-10.dat	upx
behavioral2/memory/4708-18-0x00007FF62EBA0000-0x00007FF62EEF1000-memory.dmp	upx
behavioral2/files/0x0007000000023427-21.dat	upx
behavioral2/files/0x0007000000023428-29.dat	upx
behavioral2/memory/3460-30-0x00007FF6D5AD0000-0x00007FF6D5E21000-memory.dmp	upx
behavioral2/memory/5036-27-0x00007FF793510000-0x00007FF793861000-memory.dmp	upx
behavioral2/memory/4456-15-0x00007FF6DE350000-0x00007FF6DE6A1000-memory.dmp	upx
behavioral2/files/0x0007000000023429-35.dat	upx
behavioral2/memory/4576-36-0x00007FF77E6B0000-0x00007FF77EA01000-memory.dmp	upx
behavioral2/memory/5060-42-0x00007FF6CDB60000-0x00007FF6CDEB1000-memory.dmp	upx
behavioral2/files/0x0008000000023422-45.dat	upx
behavioral2/files/0x000700000002342a-51.dat	upx
behavioral2/memory/2864-49-0x00007FF69FB00000-0x00007FF69FE51000-memory.dmp	upx
behavioral2/memory/748-55-0x00007FF600240000-0x00007FF600591000-memory.dmp	upx
behavioral2/memory/1156-60-0x00007FF60A370000-0x00007FF60A6C1000-memory.dmp	upx
behavioral2/memory/1976-66-0x00007FF65B3B0000-0x00007FF65B701000-memory.dmp	upx
behavioral2/memory/4456-71-0x00007FF6DE350000-0x00007FF6DE6A1000-memory.dmp	upx
behavioral2/files/0x000700000002342e-74.dat	upx
behavioral2/memory/1904-76-0x00007FF720730000-0x00007FF720A81000-memory.dmp	upx
behavioral2/files/0x000700000002342f-86.dat	upx
behavioral2/files/0x0007000000023432-95.dat	upx
behavioral2/memory/2008-99-0x00007FF642DF0000-0x00007FF643141000-memory.dmp	upx
behavioral2/memory/1824-109-0x00007FF7E1180000-0x00007FF7E14D1000-memory.dmp	upx
behavioral2/files/0x0007000000023434-114.dat	upx
behavioral2/memory/2352-121-0x00007FF6BE900000-0x00007FF6BEC51000-memory.dmp	upx
behavioral2/memory/3268-126-0x00007FF6F0480000-0x00007FF6F07D1000-memory.dmp	upx
behavioral2/files/0x0007000000023436-127.dat	upx
behavioral2/memory/1904-136-0x00007FF720730000-0x00007FF720A81000-memory.dmp	upx
behavioral2/files/0x0007000000023437-138.dat	upx
behavioral2/memory/1448-137-0x00007FF74ABE0000-0x00007FF74AF31000-memory.dmp	upx
behavioral2/memory/908-134-0x00007FF7E4D50000-0x00007FF7E50A1000-memory.dmp	upx
behavioral2/memory/1976-133-0x00007FF65B3B0000-0x00007FF65B701000-memory.dmp	upx
behavioral2/files/0x0007000000023435-129.dat	upx
behavioral2/memory/748-122-0x00007FF600240000-0x00007FF600591000-memory.dmp	upx
behavioral2/memory/2864-117-0x00007FF69FB00000-0x00007FF69FE51000-memory.dmp	upx
behavioral2/files/0x0007000000023433-112.dat	upx
behavioral2/memory/5060-108-0x00007FF6CDB60000-0x00007FF6CDEB1000-memory.dmp	upx
behavioral2/files/0x0007000000023431-101.dat	upx
behavioral2/memory/4576-100-0x00007FF77E6B0000-0x00007FF77EA01000-memory.dmp	upx
behavioral2/memory/2880-96-0x00007FF6F2770000-0x00007FF6F2AC1000-memory.dmp	upx
behavioral2/memory/2028-92-0x00007FF78E4D0000-0x00007FF78E821000-memory.dmp	upx
behavioral2/files/0x0007000000023430-90.dat	upx
behavioral2/memory/3460-88-0x00007FF6D5AD0000-0x00007FF6D5E21000-memory.dmp	upx
behavioral2/memory/2024-85-0x00007FF6076F0000-0x00007FF607A41000-memory.dmp	upx
behavioral2/memory/5036-84-0x00007FF793510000-0x00007FF793861000-memory.dmp	upx
behavioral2/memory/4708-80-0x00007FF62EBA0000-0x00007FF62EEF1000-memory.dmp	upx
behavioral2/memory/1616-79-0x00007FF65F560000-0x00007FF65F8B1000-memory.dmp	upx
behavioral2/files/0x000700000002342d-72.dat	upx
behavioral2/files/0x000700000002342c-64.dat	upx
behavioral2/files/0x000700000002342b-58.dat	upx
behavioral2/memory/4116-53-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp	upx
behavioral2/memory/4116-140-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp	upx
behavioral2/memory/2024-147-0x00007FF6076F0000-0x00007FF607A41000-memory.dmp	upx
behavioral2/memory/2028-148-0x00007FF78E4D0000-0x00007FF78E821000-memory.dmp	upx
behavioral2/memory/2880-156-0x00007FF6F2770000-0x00007FF6F2AC1000-memory.dmp	upx
behavioral2/memory/2008-157-0x00007FF642DF0000-0x00007FF643141000-memory.dmp	upx
behavioral2/memory/1824-161-0x00007FF7E1180000-0x00007FF7E14D1000-memory.dmp	upx
behavioral2/memory/3268-163-0x00007FF6F0480000-0x00007FF6F07D1000-memory.dmp	upx
behavioral2/memory/1448-165-0x00007FF74ABE0000-0x00007FF74AF31000-memory.dmp	upx
behavioral2/memory/2352-162-0x00007FF6BE900000-0x00007FF6BEC51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GxzNVBG.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\POJFgQL.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LyYVZxC.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxJyTfk.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ezqTQnc.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LHwYOPS.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ECwljIN.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QDkLkHC.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WaEqMXO.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\miXJtUl.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MSWnfrD.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fQbiMBw.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DXoOPsA.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oZqKkFl.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gKDaFoE.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GRFNKzb.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hzMLcSQ.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gHBRedn.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqtmXyr.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oHZdvwi.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hGWrlAY.exe	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 1156	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4116 wrote to memory of 1156	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4116 wrote to memory of 4456	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4116 wrote to memory of 4456	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4116 wrote to memory of 4708	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4116 wrote to memory of 4708	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4116 wrote to memory of 5036	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4116 wrote to memory of 5036	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4116 wrote to memory of 3460	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4116 wrote to memory of 3460	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4116 wrote to memory of 4576	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4116 wrote to memory of 4576	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4116 wrote to memory of 5060	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4116 wrote to memory of 5060	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4116 wrote to memory of 2864	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4116 wrote to memory of 2864	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4116 wrote to memory of 748	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4116 wrote to memory of 748	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4116 wrote to memory of 1976	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4116 wrote to memory of 1976	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4116 wrote to memory of 1904	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4116 wrote to memory of 1904	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4116 wrote to memory of 1616	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4116 wrote to memory of 1616	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4116 wrote to memory of 2028	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4116 wrote to memory of 2028	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4116 wrote to memory of 2024	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4116 wrote to memory of 2024	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4116 wrote to memory of 2880	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4116 wrote to memory of 2880	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4116 wrote to memory of 2008	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4116 wrote to memory of 2008	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4116 wrote to memory of 1824	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4116 wrote to memory of 1824	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4116 wrote to memory of 2352	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4116 wrote to memory of 2352	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4116 wrote to memory of 3268	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4116 wrote to memory of 3268	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4116 wrote to memory of 908	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4116 wrote to memory of 908	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4116 wrote to memory of 1448	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4116 wrote to memory of 1448	4116	2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_d4d6762542965a8342131c1321a767dd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\System\GxzNVBG.exe
  C:\Windows\System\GxzNVBG.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\DXoOPsA.exe
  C:\Windows\System\DXoOPsA.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\POJFgQL.exe
  C:\Windows\System\POJFgQL.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\oZqKkFl.exe
  C:\Windows\System\oZqKkFl.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\WaEqMXO.exe
  C:\Windows\System\WaEqMXO.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\GRFNKzb.exe
  C:\Windows\System\GRFNKzb.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\LyYVZxC.exe
  C:\Windows\System\LyYVZxC.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\cxJyTfk.exe
  C:\Windows\System\cxJyTfk.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\miXJtUl.exe
  C:\Windows\System\miXJtUl.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\hzMLcSQ.exe
  C:\Windows\System\hzMLcSQ.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\gHBRedn.exe
  C:\Windows\System\gHBRedn.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\MSWnfrD.exe
  C:\Windows\System\MSWnfrD.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\ezqTQnc.exe
  C:\Windows\System\ezqTQnc.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\fQbiMBw.exe
  C:\Windows\System\fQbiMBw.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\UqtmXyr.exe
  C:\Windows\System\UqtmXyr.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\oHZdvwi.exe
  C:\Windows\System\oHZdvwi.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\LHwYOPS.exe
  C:\Windows\System\LHwYOPS.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\ECwljIN.exe
  C:\Windows\System\ECwljIN.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\QDkLkHC.exe
  C:\Windows\System\QDkLkHC.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\gKDaFoE.exe
  C:\Windows\System\gKDaFoE.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System\hGWrlAY.exe
  C:\Windows\System\hGWrlAY.exe
  2⤵
  - Executes dropped EXE
  PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DXoOPsA.exe

Filesize
5.2MB

MD5
f48a8b99555be67ccf938d34eaae5628

SHA1
80fde22c06e70e7072440a44d32fb974c2882210

SHA256
1c7dbd3819ca75a739a40bfce67de89abf775be78278d520abd450f1740a2a27

SHA512
498616647e81b7b1d3ba874b5addcc7030f2d505788e8a02cd5f2272a66481f537a5088d7b4dbf5e50e4746b56574645720e7f0001e1d3791707e0361c8f92c8

Download Submit
C:\Windows\System\ECwljIN.exe

Filesize
5.2MB

MD5
5c2ce4894a866858662579e4577858cd

SHA1
eac38ca0b605fc7c402332aa2821a363d5f5759f

SHA256
da29d4b340f70673536b31fb217acc3bc3a733608eed641341dd5aac05dda7d4

SHA512
f3c4a8d5cce86a096611d53fe87b77c24a718ec1f0b68b4324d846a701939a14f6c7820266f03f335e15f05d038615aef596e4b8d1c474c055cad1fcaaa8072e

Download Submit
C:\Windows\System\GRFNKzb.exe

Filesize
5.2MB

MD5
4a3da3a0439cd728f94fa4c6fda65495

SHA1
a6ccd15693f41023edebec869ef25ae8f06e04a2

SHA256
1ec993f4a08f47e532af2a0f8a7dd313133461bdc44aaac28ec066a787b45002

SHA512
af747fdcada4780dd8bf5fa7050620389db0ea909cf6b4e676cc64560b6bcafd76e1c340ea7a28b296992229fc2bcf71be6602bcd261fb9b7aa70fa63aa18898

Download Submit
C:\Windows\System\GxzNVBG.exe

Filesize
5.2MB

MD5
d6d7094d11cbfa6af380bf19567a1c2f

SHA1
0f54b0431b54ce06a1504c9937c0129ef1fb37ce

SHA256
e8458332446a8256f0bef2c51a889a3f31083218edfdd6fd16030f7476d1b992

SHA512
b902bb6ee15faa70788913a57a12b56ac8e25299e69daa6753a2920092c33106ce39effef476ab03a945876f3959a4591fe54ee0e370dce29cba390f6e85eeda

Download Submit
C:\Windows\System\LHwYOPS.exe

Filesize
5.2MB

MD5
da661914d6ddbaf6eebb10dccd1d717c

SHA1
e867f58ecbf5de138912225fb8fd62a805ac313f

SHA256
1dc2ca21bbafc0e0405e25ab57a2613b09e8d8078c1ac04df76d06bf7f718c55

SHA512
06130c1b463dcd552b3a10fbb7294e696910adf7d5ba7529ef7a50838a2529db5b9deb46bcc85aa5a96facba4eedbdec7b0fa9d3e1738803870f39c6e23a37fc

Download Submit
C:\Windows\System\LyYVZxC.exe

Filesize
5.2MB

MD5
719fb04cfda324563555b790cf9a0ac1

SHA1
c44f862f63881292ce8ce62809f777b6e6ddbc48

SHA256
2fc7f10770c0ddb1eaa9296eac1aef54e289da79dfc7675b0d077ca82e040b72

SHA512
6110d3533ed3fb1929b46c5238a6c62840cd5ded7a08e1c5d4c23e42e5e43d8d394a28793f3fafb532a727a78f0a25392682b7d94d394d5e8511bf95110dcad1

Download Submit
C:\Windows\System\MSWnfrD.exe

Filesize
5.2MB

MD5
a9180198a8a4d97bb7dc9d17e69a8fa3

SHA1
11a3d063006e88c482ee8b7c2bf4ae856c1b3607

SHA256
17b6ecdff243626758f0b76f11a576c8d0629f522aa480298c326ac6cda56904

SHA512
5d6fad47907d2c68d96601c5e1f6912d1971b3cce0794829a91c0562ad0d898dba8683d7118992cf427e2868cae3f9d1b8caae7aa33d6ec09742942ca0dd9932

Download Submit
C:\Windows\System\POJFgQL.exe

Filesize
5.2MB

MD5
0a1e239b8ea01d680bf8592f771f8a69

SHA1
1510a5fffdc5c376aeb346e836fb1b58536be823

SHA256
f5f7e96c7da0fc9576ea0beb1ebff2c8ed56967afa775092c71c88e166cd7cbe

SHA512
6de921d91a994e68d58b1ae35d399e2c639e7f39cce65317e4490b22c33ec5681d18924dac3988a91194291f0e11e4dc25fa8dba37494455c82d54c4be9f7374

Download Submit
C:\Windows\System\QDkLkHC.exe

Filesize
5.2MB

MD5
77eac064f5d73ac7db6a474e9b8d81e0

SHA1
6c28254af92ccb7c88df2b7fa85ae451cc8140df

SHA256
de1a0b4890d533b23d5b8417289a7ec0f5df8a0b1729f3a84dc441482bfb2b84

SHA512
3c87ec90de6525b63ffacc2ae669e48e7d8ffe063c7447917d86f3bc92152c2aa5e8b3e5d629bd7587f5c9b915f58b4504bbe3a81404743c44dcb93d1bca9e1d

Download Submit
C:\Windows\System\UqtmXyr.exe

Filesize
5.2MB

MD5
8d4345c8060cfefe40d063b27e41e2e7

SHA1
eb87954c9aef59c7255e4dfd37c9dc6c6303d8a7

SHA256
da91b56b87834f9ceb19142b1bdef3c1d5cb93672f9841cfd8f9446c2ebed12f

SHA512
911ed58b6a4ea16ce434453abfa581f7b93b27797475039155925872ca50bd724ff50a16c599b3162417961bd9785a6a69f8bbce8f21704f779ffe3781750020

Download Submit
C:\Windows\System\WaEqMXO.exe

Filesize
5.2MB

MD5
405f04ae9cf8a4010585cb2380228f27

SHA1
1be929b521453ae717045129df04ccc21af34415

SHA256
10c12bea46bf1e75bb4793a7b9b5eac981b13f91e5247efaded532dcd6d9c65b

SHA512
1a85f69ff5eaec22cdbb4b618468de78ee8784e910a1c3f2c0a41e328f30e459c3045acb4e337899b624e90ae691d4421acc6a9f3b1c254dcdbae9943e793c42

Download Submit
C:\Windows\System\cxJyTfk.exe

Filesize
5.2MB

MD5
99064cd417ab4012f25293617ce9a411

SHA1
9d4614127f91e8020c1c7f815e8c4fd09735e83a

SHA256
a7b1ffc0aec22eadc64a2d7a603ebf3ccae2752bd926aa60d870eba615177269

SHA512
d3844a011ea06b26776b59593f5c17d1303d2a1121ce5f3462e4ca9bb19c5ec965ed5487af8ff0ca7bf4bdf40a3d4f532693aecf6e081ab0522e179e887f8a4e

Download Submit
C:\Windows\System\ezqTQnc.exe

Filesize
5.2MB

MD5
98809128654ea77fbae95e6de805d9b3

SHA1
dc4ecbbbf1ba843abb839dc8eaf9be9ad59312e4

SHA256
23f0382eba1da5d52d594bb50c39eb804d542619c6cf6c82c51d339cd7dc7507

SHA512
6088cd5a8689eca5e0295282b962f2b9f5b67165ab9c50e5babcdf4641b0082c879597d756f539bd1e7986fe5a694f457fdf076e243df233c48963a5ea84930b

Download Submit
C:\Windows\System\fQbiMBw.exe

Filesize
5.2MB

MD5
f99bb7a86ea7404d86a1d22b3eaa12c3

SHA1
832f9e57b15de541b63048b37f9500b70c502ea9

SHA256
1c077a6c4bf87756d081c2b9020278e0ae4a0bb27ee990073968cf27bebd9cc8

SHA512
99c00bde6293d54fd6dd75946d9e471de2425062fdabb5b21aae6bbcedce43e88900859028bd9f6c3b0ef04e734e2a023b29a7761fffd27315a46b9c36505f24

Download Submit
C:\Windows\System\gHBRedn.exe

Filesize
5.2MB

MD5
921330570af11584c082867bba6aacda

SHA1
3e994ba611e1d41e3b17f20891f3b92cee350fa0

SHA256
15be15e74b937ab1893c1c3028a5548fb407bdc960c3fc5775635b1c72cee97d

SHA512
3ea6083c722a74502e1dca12023d02f62f5a046303236a529846bc057a8533feea535ce22e58f1c6a25a1bfa94b2cb874f14b95454ec4d31aa8b9ade24ceb099

Download Submit
C:\Windows\System\gKDaFoE.exe

Filesize
5.2MB

MD5
5fa7eea595085521406cbaaa58cba383

SHA1
e47c9e392d15b5eab7167981dfbf93f2dc6b937c

SHA256
242189ea70a2793616ac40d2487a0cb90a37262a0b56c83843a341c1d2045d89

SHA512
e1a5e208ceade3bdd322460cf2674409991deb72b66aa4c3da340a6acb81bba10ce0ca5b833ee1e9bfc011d9e8051320e538f1c19da04068fa97c9c47521a4d0

Download Submit
C:\Windows\System\hGWrlAY.exe

Filesize
5.2MB

MD5
5e8885971fd298206c60fb3af68adc2b

SHA1
abec0942b77061641ff9dc36c62ac6772f11fa18

SHA256
4c57932368e2d213734499eca7091da078f89f01159f698f3083a5ec99b3ea35

SHA512
c788c74d09f097e9c313ee349b48569b7822a7aa507145afc316a54b5714cf0248db28b04f749027ab1c00a3eb7b46aeef864fa6ad3c8f0a74242540f2c06bfd

Download Submit
C:\Windows\System\hzMLcSQ.exe

Filesize
5.2MB

MD5
16c20aca9099cddf3a48f4396230cc64

SHA1
b6f3ff159f7c735d9a77d3c51e29b6aaa8fdfe5d

SHA256
5049ad69704d12c642848682a40154138a7acf83a4ffdd4bf0fcd8fa6455994b

SHA512
d8c8f05e7fe08bdf2baa195b3ee7bc1957b5e16e70346e440f83dfa1d194adb6477e7ca86fe51c126ebc9580ade90e0cee9447a61d9f3af56dd3a10dd4ba9810

Download Submit
C:\Windows\System\miXJtUl.exe

Filesize
5.2MB

MD5
d57824b72e1a0468d6ae960b882570b8

SHA1
cf92016a93bbb69739f87a75d185da231c142de7

SHA256
9bc0af98188d9b8aaab0f9cda3477111718db246208a8756639ed4b457898a62

SHA512
cf5860210b0a49d9db82a779b35d98fa42e577e32b104318118c05b94216a479f4257ba4bd8336ac644b690459cbf80ac7f657b968a8cf04690db0b7e6690431

Download Submit
C:\Windows\System\oHZdvwi.exe

Filesize
5.2MB

MD5
3b37ba92d6078cdc17594d3ed9a2fbfa

SHA1
650bc5b93af530842f8e40fd6c1b84fb384eefc8

SHA256
1259ee9125269625212cf8b29cdec76857a2407ac661c9b2b60f6a33c7c5d72f

SHA512
8f8a69dea8f1b0d74ab6c752bd736742b50a1a503da236b467115a553f13a83573306a649303e745c0b6866fc303e9fc20e9e46cc91eccc3df1896e95f437c4b

Download Submit
C:\Windows\System\oZqKkFl.exe

Filesize
5.2MB

MD5
c05882c7fcdba06a4132277d1814dcaf

SHA1
4385bb95feaf305ea828753e77bd5e937294c9f0

SHA256
9b7f84e6326e9ae45a874a382604497fd970682ec9305c31cacd6dd0a06f0f1e

SHA512
cbd66ffa7ae7344715c4ce014284bc198d91f62491e8e0945e80ca5b93b0cf80fd3b7b8453c467885c1df6582c0d5c80783979152edaa3213c291b36c6b08d7a

Download Submit
memory/748-55-0x00007FF600240000-0x00007FF600591000-memory.dmp

Filesize
3.3MB

Download
memory/748-244-0x00007FF600240000-0x00007FF600591000-memory.dmp

Filesize
3.3MB

Download
memory/748-122-0x00007FF600240000-0x00007FF600591000-memory.dmp

Filesize
3.3MB

Download
memory/908-269-0x00007FF7E4D50000-0x00007FF7E50A1000-memory.dmp

Filesize
3.3MB

Download
memory/908-134-0x00007FF7E4D50000-0x00007FF7E50A1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-7-0x00007FF60A370000-0x00007FF60A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-214-0x00007FF60A370000-0x00007FF60A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-60-0x00007FF60A370000-0x00007FF60A6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-137-0x00007FF74ABE0000-0x00007FF74AF31000-memory.dmp

Filesize
3.3MB

Download
memory/1448-273-0x00007FF74ABE0000-0x00007FF74AF31000-memory.dmp

Filesize
3.3MB

Download
memory/1448-165-0x00007FF74ABE0000-0x00007FF74AF31000-memory.dmp

Filesize
3.3MB

Download
memory/1616-250-0x00007FF65F560000-0x00007FF65F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-79-0x00007FF65F560000-0x00007FF65F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-161-0x00007FF7E1180000-0x00007FF7E14D1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-109-0x00007FF7E1180000-0x00007FF7E14D1000-memory.dmp

Filesize
3.3MB

Download
memory/1824-263-0x00007FF7E1180000-0x00007FF7E14D1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-76-0x00007FF720730000-0x00007FF720A81000-memory.dmp

Filesize
3.3MB

Download
memory/1904-248-0x00007FF720730000-0x00007FF720A81000-memory.dmp

Filesize
3.3MB

Download
memory/1904-136-0x00007FF720730000-0x00007FF720A81000-memory.dmp

Filesize
3.3MB

Download
memory/1976-246-0x00007FF65B3B0000-0x00007FF65B701000-memory.dmp

Filesize
3.3MB

Download
memory/1976-66-0x00007FF65B3B0000-0x00007FF65B701000-memory.dmp

Filesize
3.3MB

Download
memory/1976-133-0x00007FF65B3B0000-0x00007FF65B701000-memory.dmp

Filesize
3.3MB

Download
memory/2008-99-0x00007FF642DF0000-0x00007FF643141000-memory.dmp

Filesize
3.3MB

Download
memory/2008-157-0x00007FF642DF0000-0x00007FF643141000-memory.dmp

Filesize
3.3MB

Download
memory/2008-266-0x00007FF642DF0000-0x00007FF643141000-memory.dmp

Filesize
3.3MB

Download
memory/2024-147-0x00007FF6076F0000-0x00007FF607A41000-memory.dmp

Filesize
3.3MB

Download
memory/2024-85-0x00007FF6076F0000-0x00007FF607A41000-memory.dmp

Filesize
3.3MB

Download
memory/2024-252-0x00007FF6076F0000-0x00007FF607A41000-memory.dmp

Filesize
3.3MB

Download
memory/2028-259-0x00007FF78E4D0000-0x00007FF78E821000-memory.dmp

Filesize
3.3MB

Download
memory/2028-92-0x00007FF78E4D0000-0x00007FF78E821000-memory.dmp

Filesize
3.3MB

Download
memory/2028-148-0x00007FF78E4D0000-0x00007FF78E821000-memory.dmp

Filesize
3.3MB

Download
memory/2352-162-0x00007FF6BE900000-0x00007FF6BEC51000-memory.dmp

Filesize
3.3MB

Download
memory/2352-267-0x00007FF6BE900000-0x00007FF6BEC51000-memory.dmp

Filesize
3.3MB

Download
memory/2352-121-0x00007FF6BE900000-0x00007FF6BEC51000-memory.dmp

Filesize
3.3MB

Download
memory/2864-117-0x00007FF69FB00000-0x00007FF69FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2864-241-0x00007FF69FB00000-0x00007FF69FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2864-49-0x00007FF69FB00000-0x00007FF69FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2880-96-0x00007FF6F2770000-0x00007FF6F2AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-156-0x00007FF6F2770000-0x00007FF6F2AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-261-0x00007FF6F2770000-0x00007FF6F2AC1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-126-0x00007FF6F0480000-0x00007FF6F07D1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-163-0x00007FF6F0480000-0x00007FF6F07D1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-271-0x00007FF6F0480000-0x00007FF6F07D1000-memory.dmp

Filesize
3.3MB

Download
memory/3460-88-0x00007FF6D5AD0000-0x00007FF6D5E21000-memory.dmp

Filesize
3.3MB

Download
memory/3460-226-0x00007FF6D5AD0000-0x00007FF6D5E21000-memory.dmp

Filesize
3.3MB

Download
memory/3460-30-0x00007FF6D5AD0000-0x00007FF6D5E21000-memory.dmp

Filesize
3.3MB

Download
memory/4116-0-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp

Filesize
3.3MB

Download
memory/4116-166-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp

Filesize
3.3MB

Download
memory/4116-140-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp

Filesize
3.3MB

Download
memory/4116-1-0x000002C0AF6E0000-0x000002C0AF6F0000-memory.dmp

Filesize
64KB

Download
memory/4116-53-0x00007FF7D7540000-0x00007FF7D7891000-memory.dmp

Filesize
3.3MB

Download
memory/4456-15-0x00007FF6DE350000-0x00007FF6DE6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-71-0x00007FF6DE350000-0x00007FF6DE6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-220-0x00007FF6DE350000-0x00007FF6DE6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-100-0x00007FF77E6B0000-0x00007FF77EA01000-memory.dmp

Filesize
3.3MB

Download
memory/4576-238-0x00007FF77E6B0000-0x00007FF77EA01000-memory.dmp

Filesize
3.3MB

Download
memory/4576-36-0x00007FF77E6B0000-0x00007FF77EA01000-memory.dmp

Filesize
3.3MB

Download
memory/4708-80-0x00007FF62EBA0000-0x00007FF62EEF1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-18-0x00007FF62EBA0000-0x00007FF62EEF1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-222-0x00007FF62EBA0000-0x00007FF62EEF1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-224-0x00007FF793510000-0x00007FF793861000-memory.dmp

Filesize
3.3MB

Download
memory/5036-27-0x00007FF793510000-0x00007FF793861000-memory.dmp

Filesize
3.3MB

Download
memory/5036-84-0x00007FF793510000-0x00007FF793861000-memory.dmp

Filesize
3.3MB

Download
memory/5060-108-0x00007FF6CDB60000-0x00007FF6CDEB1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-42-0x00007FF6CDB60000-0x00007FF6CDEB1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-242-0x00007FF6CDB60000-0x00007FF6CDEB1000-memory.dmp

Filesize
3.3MB

Download