cobaltstrike | 4301c0c5eeaa6cc857a1d2d3cf25b340ef92041599b8b711293fe2411fa3526a

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

328db1ffbee2b626e32a9cf3c8882054
SHA1

a31c06b29b3180a1df3054b868e6656fa1ac0e14
SHA256

4301c0c5eeaa6cc857a1d2d3cf25b340ef92041599b8b711293fe2411fa3526a
SHA512

b4e0c3a7fa3b3d5b536d723ddace7bb32aad7a21eaa67c27057492a8fe6da21550cf53e1cc6c71bba5d17658163d9419ead30ee24efa381ac1ff778f09d5cb10
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lO:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a00000002344c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-33.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-32.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-82.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002344e-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-107.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2764-83-0x00007FF75D950000-0x00007FF75DCA1000-memory.dmp	xmrig
behavioral2/memory/960-93-0x00007FF72A510000-0x00007FF72A861000-memory.dmp	xmrig
behavioral2/memory/4952-96-0x00007FF60EBE0000-0x00007FF60EF31000-memory.dmp	xmrig
behavioral2/memory/2900-95-0x00007FF7EB390000-0x00007FF7EB6E1000-memory.dmp	xmrig
behavioral2/memory/4904-80-0x00007FF636110000-0x00007FF636461000-memory.dmp	xmrig
behavioral2/memory/2976-67-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp	xmrig
behavioral2/memory/4456-62-0x00007FF745DE0000-0x00007FF746131000-memory.dmp	xmrig
behavioral2/memory/632-124-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp	xmrig
behavioral2/memory/3416-129-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp	xmrig
behavioral2/memory/2796-131-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp	xmrig
behavioral2/memory/3128-133-0x00007FF755710000-0x00007FF755A61000-memory.dmp	xmrig
behavioral2/memory/2152-132-0x00007FF6E2D70000-0x00007FF6E30C1000-memory.dmp	xmrig
behavioral2/memory/3448-130-0x00007FF774F10000-0x00007FF775261000-memory.dmp	xmrig
behavioral2/memory/632-134-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp	xmrig
behavioral2/memory/3076-140-0x00007FF786A30000-0x00007FF786D81000-memory.dmp	xmrig
behavioral2/memory/1152-141-0x00007FF772650000-0x00007FF7729A1000-memory.dmp	xmrig
behavioral2/memory/4080-152-0x00007FF71C960000-0x00007FF71CCB1000-memory.dmp	xmrig
behavioral2/memory/4408-154-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	xmrig
behavioral2/memory/1016-153-0x00007FF77D510000-0x00007FF77D861000-memory.dmp	xmrig
behavioral2/memory/748-156-0x00007FF773C40000-0x00007FF773F91000-memory.dmp	xmrig
behavioral2/memory/2268-155-0x00007FF7312E0000-0x00007FF731631000-memory.dmp	xmrig
behavioral2/memory/5084-157-0x00007FF7EDA80000-0x00007FF7EDDD1000-memory.dmp	xmrig
behavioral2/memory/2716-161-0x00007FF79EFA0000-0x00007FF79F2F1000-memory.dmp	xmrig
behavioral2/memory/632-162-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp	xmrig
behavioral2/memory/3448-223-0x00007FF774F10000-0x00007FF775261000-memory.dmp	xmrig
behavioral2/memory/3416-225-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp	xmrig
behavioral2/memory/3076-229-0x00007FF786A30000-0x00007FF786D81000-memory.dmp	xmrig
behavioral2/memory/2796-231-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp	xmrig
behavioral2/memory/4456-228-0x00007FF745DE0000-0x00007FF746131000-memory.dmp	xmrig
behavioral2/memory/1152-245-0x00007FF772650000-0x00007FF7729A1000-memory.dmp	xmrig
behavioral2/memory/960-247-0x00007FF72A510000-0x00007FF72A861000-memory.dmp	xmrig
behavioral2/memory/2900-249-0x00007FF7EB390000-0x00007FF7EB6E1000-memory.dmp	xmrig
behavioral2/memory/2976-243-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp	xmrig
behavioral2/memory/2152-241-0x00007FF6E2D70000-0x00007FF6E30C1000-memory.dmp	xmrig
behavioral2/memory/3128-238-0x00007FF755710000-0x00007FF755A61000-memory.dmp	xmrig
behavioral2/memory/2764-240-0x00007FF75D950000-0x00007FF75DCA1000-memory.dmp	xmrig
behavioral2/memory/4904-236-0x00007FF636110000-0x00007FF636461000-memory.dmp	xmrig
behavioral2/memory/4952-251-0x00007FF60EBE0000-0x00007FF60EF31000-memory.dmp	xmrig
behavioral2/memory/4408-253-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	xmrig
behavioral2/memory/4080-259-0x00007FF71C960000-0x00007FF71CCB1000-memory.dmp	xmrig
behavioral2/memory/1016-261-0x00007FF77D510000-0x00007FF77D861000-memory.dmp	xmrig
behavioral2/memory/748-265-0x00007FF773C40000-0x00007FF773F91000-memory.dmp	xmrig
behavioral2/memory/2268-264-0x00007FF7312E0000-0x00007FF731631000-memory.dmp	xmrig
behavioral2/memory/5084-267-0x00007FF7EDA80000-0x00007FF7EDDD1000-memory.dmp	xmrig
behavioral2/memory/2716-269-0x00007FF79EFA0000-0x00007FF79F2F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3448	KMKRmty.exe
3416	bWIeEsP.exe
4456	UXlDKHd.exe
3076	UMZIYoA.exe
2796	DrhAQTu.exe
2976	MoFdnbs.exe
2152	ENyjIcD.exe
4904	mixySEf.exe
1152	lDLXuMW.exe
3128	EwVrkfL.exe
2764	lkcPvpD.exe
960	iPWVUbU.exe
2900	YKDhaRb.exe
4408	JuZsxXv.exe
4952	vUXkRnk.exe
4080	ZbCUSTm.exe
1016	nabpXbS.exe
2268	hEnjREy.exe
748	RMpSUrw.exe
5084	swqEcym.exe
2716	zKnpkXn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/632-0-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp	upx
behavioral2/files/0x000a00000002344c-5.dat	upx
behavioral2/files/0x0007000000023457-10.dat	upx
behavioral2/files/0x000700000002345d-45.dat	upx
behavioral2/memory/2152-43-0x00007FF6E2D70000-0x00007FF6E30C1000-memory.dmp	upx
behavioral2/memory/2796-41-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp	upx
behavioral2/files/0x000700000002345a-38.dat	upx
behavioral2/files/0x0007000000023459-34.dat	upx
behavioral2/files/0x0007000000023458-33.dat	upx
behavioral2/files/0x000700000002345c-32.dat	upx
behavioral2/files/0x000700000002345b-27.dat	upx
behavioral2/memory/3076-25-0x00007FF786A30000-0x00007FF786D81000-memory.dmp	upx
behavioral2/memory/3416-23-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp	upx
behavioral2/memory/3448-6-0x00007FF774F10000-0x00007FF775261000-memory.dmp	upx
behavioral2/memory/1152-52-0x00007FF772650000-0x00007FF7729A1000-memory.dmp	upx
behavioral2/files/0x000700000002345f-50.dat	upx
behavioral2/files/0x000700000002345e-46.dat	upx
behavioral2/files/0x0007000000023460-53.dat	upx
behavioral2/memory/3128-54-0x00007FF755710000-0x00007FF755A61000-memory.dmp	upx
behavioral2/memory/2764-83-0x00007FF75D950000-0x00007FF75DCA1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-88.dat	upx
behavioral2/memory/960-93-0x00007FF72A510000-0x00007FF72A861000-memory.dmp	upx
behavioral2/memory/4952-96-0x00007FF60EBE0000-0x00007FF60EF31000-memory.dmp	upx
behavioral2/memory/2900-95-0x00007FF7EB390000-0x00007FF7EB6E1000-memory.dmp	upx
behavioral2/files/0x0007000000023464-91.dat	upx
behavioral2/files/0x0007000000023463-90.dat	upx
behavioral2/memory/4080-87-0x00007FF71C960000-0x00007FF71CCB1000-memory.dmp	upx
behavioral2/files/0x0007000000023461-85.dat	upx
behavioral2/memory/4408-84-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	upx
behavioral2/files/0x0007000000023465-82.dat	upx
behavioral2/memory/4904-80-0x00007FF636110000-0x00007FF636461000-memory.dmp	upx
behavioral2/memory/2976-67-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp	upx
behavioral2/memory/4456-62-0x00007FF745DE0000-0x00007FF746131000-memory.dmp	upx
behavioral2/files/0x000900000002344e-109.dat	upx
behavioral2/memory/2268-114-0x00007FF7312E0000-0x00007FF731631000-memory.dmp	upx
behavioral2/files/0x0007000000023468-119.dat	upx
behavioral2/files/0x0007000000023469-122.dat	upx
behavioral2/memory/632-124-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp	upx
behavioral2/memory/2716-125-0x00007FF79EFA0000-0x00007FF79F2F1000-memory.dmp	upx
behavioral2/memory/5084-123-0x00007FF7EDA80000-0x00007FF7EDDD1000-memory.dmp	upx
behavioral2/memory/748-120-0x00007FF773C40000-0x00007FF773F91000-memory.dmp	upx
behavioral2/files/0x0007000000023467-116.dat	upx
behavioral2/files/0x0007000000023466-107.dat	upx
behavioral2/memory/1016-104-0x00007FF77D510000-0x00007FF77D861000-memory.dmp	upx
behavioral2/memory/3416-129-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp	upx
behavioral2/memory/2796-131-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp	upx
behavioral2/memory/3128-133-0x00007FF755710000-0x00007FF755A61000-memory.dmp	upx
behavioral2/memory/2152-132-0x00007FF6E2D70000-0x00007FF6E30C1000-memory.dmp	upx
behavioral2/memory/3448-130-0x00007FF774F10000-0x00007FF775261000-memory.dmp	upx
behavioral2/memory/632-134-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp	upx
behavioral2/memory/3076-140-0x00007FF786A30000-0x00007FF786D81000-memory.dmp	upx
behavioral2/memory/1152-141-0x00007FF772650000-0x00007FF7729A1000-memory.dmp	upx
behavioral2/memory/4080-152-0x00007FF71C960000-0x00007FF71CCB1000-memory.dmp	upx
behavioral2/memory/4408-154-0x00007FF63FE30000-0x00007FF640181000-memory.dmp	upx
behavioral2/memory/1016-153-0x00007FF77D510000-0x00007FF77D861000-memory.dmp	upx
behavioral2/memory/748-156-0x00007FF773C40000-0x00007FF773F91000-memory.dmp	upx
behavioral2/memory/2268-155-0x00007FF7312E0000-0x00007FF731631000-memory.dmp	upx
behavioral2/memory/5084-157-0x00007FF7EDA80000-0x00007FF7EDDD1000-memory.dmp	upx
behavioral2/memory/2716-161-0x00007FF79EFA0000-0x00007FF79F2F1000-memory.dmp	upx
behavioral2/memory/632-162-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp	upx
behavioral2/memory/3448-223-0x00007FF774F10000-0x00007FF775261000-memory.dmp	upx
behavioral2/memory/3416-225-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp	upx
behavioral2/memory/3076-229-0x00007FF786A30000-0x00007FF786D81000-memory.dmp	upx
behavioral2/memory/2796-231-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lDLXuMW.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lkcPvpD.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vUXkRnk.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nabpXbS.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UXlDKHd.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENyjIcD.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mixySEf.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iPWVUbU.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JuZsxXv.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hEnjREy.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YKDhaRb.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RMpSUrw.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMKRmty.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bWIeEsP.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MoFdnbs.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZbCUSTm.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\swqEcym.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zKnpkXn.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMZIYoA.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DrhAQTu.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EwVrkfL.exe	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3448	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 632 wrote to memory of 3448	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 632 wrote to memory of 3416	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 632 wrote to memory of 3416	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 632 wrote to memory of 4456	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 632 wrote to memory of 4456	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 632 wrote to memory of 3076	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 632 wrote to memory of 3076	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 632 wrote to memory of 2796	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 632 wrote to memory of 2796	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 632 wrote to memory of 2976	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 632 wrote to memory of 2976	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 632 wrote to memory of 2152	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 632 wrote to memory of 2152	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 632 wrote to memory of 4904	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 632 wrote to memory of 4904	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 632 wrote to memory of 1152	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 632 wrote to memory of 1152	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 632 wrote to memory of 3128	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 632 wrote to memory of 3128	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 632 wrote to memory of 2764	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 632 wrote to memory of 2764	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 632 wrote to memory of 960	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 632 wrote to memory of 960	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 632 wrote to memory of 2900	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 632 wrote to memory of 2900	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 632 wrote to memory of 4408	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 632 wrote to memory of 4408	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 632 wrote to memory of 4952	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 632 wrote to memory of 4952	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 632 wrote to memory of 4080	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 632 wrote to memory of 4080	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 632 wrote to memory of 1016	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 632 wrote to memory of 1016	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 632 wrote to memory of 2268	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 632 wrote to memory of 2268	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 632 wrote to memory of 748	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 632 wrote to memory of 748	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 632 wrote to memory of 5084	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 632 wrote to memory of 5084	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 632 wrote to memory of 2716	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 632 wrote to memory of 2716	632	2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_328db1ffbee2b626e32a9cf3c8882054_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\System\KMKRmty.exe
  C:\Windows\System\KMKRmty.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\bWIeEsP.exe
  C:\Windows\System\bWIeEsP.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\UXlDKHd.exe
  C:\Windows\System\UXlDKHd.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\UMZIYoA.exe
  C:\Windows\System\UMZIYoA.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\DrhAQTu.exe
  C:\Windows\System\DrhAQTu.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\MoFdnbs.exe
  C:\Windows\System\MoFdnbs.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\ENyjIcD.exe
  C:\Windows\System\ENyjIcD.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\mixySEf.exe
  C:\Windows\System\mixySEf.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\lDLXuMW.exe
  C:\Windows\System\lDLXuMW.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\EwVrkfL.exe
  C:\Windows\System\EwVrkfL.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\lkcPvpD.exe
  C:\Windows\System\lkcPvpD.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\iPWVUbU.exe
  C:\Windows\System\iPWVUbU.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\YKDhaRb.exe
  C:\Windows\System\YKDhaRb.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\JuZsxXv.exe
  C:\Windows\System\JuZsxXv.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\vUXkRnk.exe
  C:\Windows\System\vUXkRnk.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\ZbCUSTm.exe
  C:\Windows\System\ZbCUSTm.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\nabpXbS.exe
  C:\Windows\System\nabpXbS.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\hEnjREy.exe
  C:\Windows\System\hEnjREy.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\RMpSUrw.exe
  C:\Windows\System\RMpSUrw.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\swqEcym.exe
  C:\Windows\System\swqEcym.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\zKnpkXn.exe
  C:\Windows\System\zKnpkXn.exe
  2⤵
  - Executes dropped EXE
  PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DrhAQTu.exe

Filesize
5.2MB

MD5
684fa050c1f9422197082c7cd6850bc6

SHA1
363f4b42668b7a87d63e040ca5f3ed2e53a7608a

SHA256
0c37ad377cf5c4ba84446b621aa80a8c3df3b6961a57f59924f8d86283b36b50

SHA512
170797c6089619c4373a79dfa615d76feb1b3a71fdc7d604207bc3adebe0b4fe83d2f89c07cbf55cb84059f4fe65c1e8ecc8c8ffd5879d35f21edc5bc7e12a6e

Download Submit
C:\Windows\System\ENyjIcD.exe

Filesize
5.2MB

MD5
e9953b0b2a43853c809dcc41003e4b89

SHA1
5feb0882f41b8f35bee2bc2843d7c77df7278bb0

SHA256
2bc38480f4009db9c778204a626b1470e8f03f4b1910fbdfefb5814e22d49309

SHA512
1e1b43e06172e652beeea7486f11554327b6c2ffe9ffe7b5fb3c36be3014541f8ccc53df25fc883c77ff8076fa1ab43e4656cd8460a41f46444f985718679e3b

Download Submit
C:\Windows\System\EwVrkfL.exe

Filesize
5.2MB

MD5
1a1782fc7a6efd6837c9d5cbd2ef7afb

SHA1
6cc189d61cb1fac3d42906817d1a690ea5ca238a

SHA256
49ba0020753e62dad424a00a7a64e49002bfa121fdbf7281be5b370355a0253b

SHA512
080adf9ad8940f664731fa1097f2cb2e850dcb679d38b48d13e8986511949511025d892dccdf2036d259913be6ac0ab19b89c264f2642670d4ac84d173397885

Download Submit
C:\Windows\System\JuZsxXv.exe

Filesize
5.2MB

MD5
617e037671abf2cd668fa29412a2c60f

SHA1
ba5812732d83d6e95d89cbbb4448c2b7503a4633

SHA256
2ed6afce1e78b3d9ed67d67f5bcc79da3f91e35ccd2972eb91967f73c3b78cfa

SHA512
bfaecacf59c50fd7053ca01b1ad0617dc408f62175fc91e2591b036832d4a254b9afa0b8d89bbead618779b54e330de2194434f8634d2b03f1896df31fff8770

Download Submit
C:\Windows\System\KMKRmty.exe

Filesize
5.2MB

MD5
7b55038cd5143c4171f4497b00b2c83b

SHA1
396fbcfb807d94d2751a79d536b8783066a70ba6

SHA256
06c01647dd07a19a45679f5b70e82bd695d70152654c6f0538884dd27fe56e04

SHA512
0d016054573d045eecff1aae42a966d818434d8b767c5daa84a2f8bc558c87e0515ed10a8982b2ad47f653250f27df2e20bdac448c47e63d0a85ecbb831efe61

Download Submit
C:\Windows\System\MoFdnbs.exe

Filesize
5.2MB

MD5
e0b6a432b926d7841fe4185fa736021a

SHA1
e1ccc79c4161ec556a18a54f602def8f260cfd72

SHA256
a6d17d0acb920133a075a162b98cd210942f44ab04c0e49fbec71f743fe13b9c

SHA512
15aa83ff3b7b4346505534c0ad834f393d27083b23ffd8941ab72993b41b89e3f7677d1ad7b008d42448924724bf8621b73968b94e5c92ce0c4be2ea24992284

Download Submit
C:\Windows\System\RMpSUrw.exe

Filesize
5.2MB

MD5
8536cd497ebde6d8166d573149225842

SHA1
a881a5acfc3996da3b4368cf7bbedd23e3527735

SHA256
e67b11b9fd444af57d0657ec61e8e51fe8d0cf90d9d6d8fe42b1f512f0a1a3c7

SHA512
ae5175231c4e3b002826412fd3510f9e759d03f4653024a8a6dd9d3ced9aa2e5c87d6463ccb69aeab0da796cd6f167b6006634a8a17157cc774c6bd615c545d4

Download Submit
C:\Windows\System\UMZIYoA.exe

Filesize
5.2MB

MD5
7157b726bbd2aebcc75bab72ec6888b8

SHA1
57f9aef5ebddc2c38d92f497237f5eeba6c42ac4

SHA256
d072935b66dc125bf0ddcf8df2d2ffb82f4e2091f890ccf555b4844af62910c3

SHA512
6459095f4667dd3ba6f8773c2e63503e7150f67c35510a98b61cedcd86d6bf7cd5272058a6678c14373afd57299e8f2c7bb4fe283f7c3e949ca691733a86ab70

Download Submit
C:\Windows\System\UXlDKHd.exe

Filesize
5.2MB

MD5
f7f9ef0832a0f0e2378f3adbd86a3fb3

SHA1
f372e58ab68d46ec0bb723ed90dd60fba35a8191

SHA256
3305cfd7d87565ef4fa368bc55be9c4c8fa053f980699f9f503d34b65adf9088

SHA512
eb52617e21dc36bc2d5f8a5a75c487e293d60521d9db8b1bbf9e64452b4ad08cd136c32ae3d9c95c054042d20e0b57ec11494c7b1c65723a25b385c34162892d

Download Submit
C:\Windows\System\YKDhaRb.exe

Filesize
5.2MB

MD5
1c79e71513c716f86f3d631a33bb0f3c

SHA1
83fef9df4794f8131cbc4b51400eb9ebbe87ecfa

SHA256
66150a5477b4034be03f2606aa1f085c3e5ed3b15fc70142236f6754858caeeb

SHA512
f4af5fb05e853d08b6470f29bb8723dca7cefa28aae365e70f7d912d25a0a6dd7b51b6d6e5d7cd3b098e8ad2a7ba058bdc6208f62c2796c1fea2688519c88953

Download Submit
C:\Windows\System\ZbCUSTm.exe

Filesize
5.2MB

MD5
e2c416f6776e95d272ef2c2081fc926f

SHA1
9996ae2effef7cbbc2f80c6ab20f7c6587384949

SHA256
89a5b94ee879f54848a96aba367d52d0b9d8e4df91c34ab5c46ea6dbe9fb472b

SHA512
cd6d9ed89c647b6b738a8c0b611d7cb3ccf0b1e017bd8bbdaba7e06a481922f2841ef5f9c3a73aae0dc7ee0739cf7e95159240fca99908f128d2f01d19b90058

Download Submit
C:\Windows\System\bWIeEsP.exe

Filesize
5.2MB

MD5
b4f5c7aa71bc67a7be96cdf495506b1b

SHA1
5d457b88a71d2f8fd9e9ab50e81348305f12a4f1

SHA256
2969c9a56ac9f8ae63da6eb4a06babd9b458972a5a0f5b2550882f4ba33e8996

SHA512
cbf4c1d6ac24a122c14779305bbd312021cba112eca7a817a5ac818af7de4f5f0457f5c3ed63c1f71fe989690711c7f9b22c0591b2b36bcf202daee86fd51bb6

Download Submit
C:\Windows\System\hEnjREy.exe

Filesize
5.2MB

MD5
0ad1234c1f6f2fd3ee866ae894b522cf

SHA1
f9c8961be52e64d0c833d615940439047969fe76

SHA256
47293cdc9c5b0b6feb4cd4ceb76c2b17499290a1b593b18c81db90dbc89dab59

SHA512
f25f89be94b22ca067f16e13ad97602713525c095cc948e84ef835bc929a6481fed5643f2ad80021035f0284b3ba688d3df960764a7891833174024172eb31b8

Download Submit
C:\Windows\System\iPWVUbU.exe

Filesize
5.2MB

MD5
a6bee4e0c2868dc1d1cdbda14b8c59dc

SHA1
877cda98b9cfd288277b7032e6277f84e4c9039a

SHA256
f6d20f2b2dc0853b20925185f39faa200f44520e71c905894588b8eb0aad4ccc

SHA512
b894af84f553104905cc23ac3ac4f4c2b3440438d16b920a80e152cf104afe7a87ba27b7dd4b8fdc9b7999b303c107084d54d3852dd032af9de354a915dea277

Download Submit
C:\Windows\System\lDLXuMW.exe

Filesize
5.2MB

MD5
70758bc266802afcfd36883676eed8c9

SHA1
ea3904a09e38485707307c7c4ba7716017424569

SHA256
5e1cea000a8e7fc506005749918e040fb13c3d36ba46ca885b660d3d4189d850

SHA512
ac507c6f69bcc2e670c48b245013d7dec479a4e54fb90441bfb6d25e574778475b7801ba1867357febeb652314c27d350c5b22f854538202b91f68d190e017bc

Download Submit
C:\Windows\System\lkcPvpD.exe

Filesize
5.2MB

MD5
6d97479898a884c07203ef36cc68f089

SHA1
846454ecab304e78619ffb127b70881d681f48c2

SHA256
d9090ebf4e8e77ccc9445cbeaa4ac9cd2fa8fbb1db2bd904171a93d5a25b0261

SHA512
b5edd3420f0a95514451ee65f9d465044d32ffcde9b26f5154bf958f35a820a92bf7f5e32a87df7542ce32161aaf0123d4859ef04a9188edf5566619770b87c6

Download Submit
C:\Windows\System\mixySEf.exe

Filesize
5.2MB

MD5
3ce02d7211b77d611d0e60b2331a5e28

SHA1
c2adbbb299982efdcf3778db09dfceefd7dc4cf8

SHA256
90544e815f351c429dbda0283d3eceb55bf2db770daca3089590c53f1b887c3b

SHA512
10a758bfcce6c25c23675f5ddd5044c557e3d4f29fab6e4aa36b0ff0ab17b23c6105515ae52dbbf914bdf45ca29a13683fd27e0934ca4c6b19688c976f12a737

Download Submit
C:\Windows\System\nabpXbS.exe

Filesize
5.2MB

MD5
65d7b867e36eba4786e1981dc99fca46

SHA1
39cfd002aada9200107961772fcf1126f756ea63

SHA256
174406277180ca5033d139b794c9659d400388f559d47c7f62f09c8aa556dc2e

SHA512
79ea919a7b68a489ff07fbe31691b802a13b045f4c1be8178fd74b2143359c52a2fcf94c63cc29daf24224c754034fdb3206a787338cb565ab0a2b9f78da78b4

Download Submit
C:\Windows\System\swqEcym.exe

Filesize
5.2MB

MD5
a8af15f8747e654eeee02b9c0740a4df

SHA1
31eaca5d37405cbf4808c177e28362e2be151cd9

SHA256
9cb53069a8fa12287682d8e48fc915c15602d0c80855eceaf238e131e4c7c6df

SHA512
cc172207d5690ecbe15714bf014b2c59d66b7f33597c6a084ead027a3b716e84c5bf75c01bd2df53310233aac7b3b572138fdbc3db8b33deabd78c5e87a840f3

Download Submit
C:\Windows\System\vUXkRnk.exe

Filesize
5.2MB

MD5
b6aa3d9213d001655c9d30e77354b5a3

SHA1
a2a6c990b49a5c8927ad3111133f6a8c0f7b134d

SHA256
c76b0bead99b8ba3334273bd86946ca7d45f749f70564fc177df9a4a9d13dffc

SHA512
5916ba010bee47a3034d558f066cca1fff70a5597c2607fbc818132c6cb90bd6b236fa7cb527c5deaaf1bdb55b69d39210cec0a858f2cb07a2f5843617a21b3e

Download Submit
C:\Windows\System\zKnpkXn.exe

Filesize
5.2MB

MD5
9395169d6df0218c8d8e56a19afce80c

SHA1
ccab4f0633567a68a62862b069bcd7fbdcf37703

SHA256
d2b6e5d0a6f3fcf2bd7fd2572c31d752682447f32daf592e355b2d73af4b8bff

SHA512
404379f9755662993bfa95d8c04fa6bc114b7da8542a6cb6bd065d0192780ac0472acfe0fe2663fb21f52f6316a79c6019c3ff90e7b258636a27dd81d4f7c4cd

Download Submit
memory/632-162-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp

Filesize
3.3MB

Download
memory/632-0-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp

Filesize
3.3MB

Download
memory/632-134-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp

Filesize
3.3MB

Download
memory/632-1-0x0000028807000000-0x0000028807010000-memory.dmp

Filesize
64KB

Download
memory/632-124-0x00007FF7E9BB0000-0x00007FF7E9F01000-memory.dmp

Filesize
3.3MB

Download
memory/748-156-0x00007FF773C40000-0x00007FF773F91000-memory.dmp

Filesize
3.3MB

Download
memory/748-120-0x00007FF773C40000-0x00007FF773F91000-memory.dmp

Filesize
3.3MB

Download
memory/748-265-0x00007FF773C40000-0x00007FF773F91000-memory.dmp

Filesize
3.3MB

Download
memory/960-93-0x00007FF72A510000-0x00007FF72A861000-memory.dmp

Filesize
3.3MB

Download
memory/960-247-0x00007FF72A510000-0x00007FF72A861000-memory.dmp

Filesize
3.3MB

Download
memory/1016-153-0x00007FF77D510000-0x00007FF77D861000-memory.dmp

Filesize
3.3MB

Download
memory/1016-261-0x00007FF77D510000-0x00007FF77D861000-memory.dmp

Filesize
3.3MB

Download
memory/1016-104-0x00007FF77D510000-0x00007FF77D861000-memory.dmp

Filesize
3.3MB

Download
memory/1152-141-0x00007FF772650000-0x00007FF7729A1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-245-0x00007FF772650000-0x00007FF7729A1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-52-0x00007FF772650000-0x00007FF7729A1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-241-0x00007FF6E2D70000-0x00007FF6E30C1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-43-0x00007FF6E2D70000-0x00007FF6E30C1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-132-0x00007FF6E2D70000-0x00007FF6E30C1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-155-0x00007FF7312E0000-0x00007FF731631000-memory.dmp

Filesize
3.3MB

Download
memory/2268-114-0x00007FF7312E0000-0x00007FF731631000-memory.dmp

Filesize
3.3MB

Download
memory/2268-264-0x00007FF7312E0000-0x00007FF731631000-memory.dmp

Filesize
3.3MB

Download
memory/2716-161-0x00007FF79EFA0000-0x00007FF79F2F1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-269-0x00007FF79EFA0000-0x00007FF79F2F1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-125-0x00007FF79EFA0000-0x00007FF79F2F1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-240-0x00007FF75D950000-0x00007FF75DCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-83-0x00007FF75D950000-0x00007FF75DCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-131-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp

Filesize
3.3MB

Download
memory/2796-231-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp

Filesize
3.3MB

Download
memory/2796-41-0x00007FF7FF5F0000-0x00007FF7FF941000-memory.dmp

Filesize
3.3MB

Download
memory/2900-249-0x00007FF7EB390000-0x00007FF7EB6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-95-0x00007FF7EB390000-0x00007FF7EB6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-67-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp

Filesize
3.3MB

Download
memory/2976-243-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp

Filesize
3.3MB

Download
memory/3076-140-0x00007FF786A30000-0x00007FF786D81000-memory.dmp

Filesize
3.3MB

Download
memory/3076-229-0x00007FF786A30000-0x00007FF786D81000-memory.dmp

Filesize
3.3MB

Download
memory/3076-25-0x00007FF786A30000-0x00007FF786D81000-memory.dmp

Filesize
3.3MB

Download
memory/3128-238-0x00007FF755710000-0x00007FF755A61000-memory.dmp

Filesize
3.3MB

Download
memory/3128-54-0x00007FF755710000-0x00007FF755A61000-memory.dmp

Filesize
3.3MB

Download
memory/3128-133-0x00007FF755710000-0x00007FF755A61000-memory.dmp

Filesize
3.3MB

Download
memory/3416-225-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-129-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-23-0x00007FF717C60000-0x00007FF717FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-6-0x00007FF774F10000-0x00007FF775261000-memory.dmp

Filesize
3.3MB

Download
memory/3448-223-0x00007FF774F10000-0x00007FF775261000-memory.dmp

Filesize
3.3MB

Download
memory/3448-130-0x00007FF774F10000-0x00007FF775261000-memory.dmp

Filesize
3.3MB

Download
memory/4080-87-0x00007FF71C960000-0x00007FF71CCB1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-152-0x00007FF71C960000-0x00007FF71CCB1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-259-0x00007FF71C960000-0x00007FF71CCB1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-154-0x00007FF63FE30000-0x00007FF640181000-memory.dmp

Filesize
3.3MB

Download
memory/4408-84-0x00007FF63FE30000-0x00007FF640181000-memory.dmp

Filesize
3.3MB

Download
memory/4408-253-0x00007FF63FE30000-0x00007FF640181000-memory.dmp

Filesize
3.3MB

Download
memory/4456-62-0x00007FF745DE0000-0x00007FF746131000-memory.dmp

Filesize
3.3MB

Download
memory/4456-228-0x00007FF745DE0000-0x00007FF746131000-memory.dmp

Filesize
3.3MB

Download
memory/4904-80-0x00007FF636110000-0x00007FF636461000-memory.dmp

Filesize
3.3MB

Download
memory/4904-236-0x00007FF636110000-0x00007FF636461000-memory.dmp

Filesize
3.3MB

Download
memory/4952-251-0x00007FF60EBE0000-0x00007FF60EF31000-memory.dmp

Filesize
3.3MB

Download
memory/4952-96-0x00007FF60EBE0000-0x00007FF60EF31000-memory.dmp

Filesize
3.3MB

Download
memory/5084-157-0x00007FF7EDA80000-0x00007FF7EDDD1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-123-0x00007FF7EDA80000-0x00007FF7EDDD1000-memory.dmp

Filesize
3.3MB

Download
memory/5084-267-0x00007FF7EDA80000-0x00007FF7EDDD1000-memory.dmp

Filesize
3.3MB

Download