cobaltstrike | 4a93d241a9de67b0468a34f6cc4e971dc59d36c738fdf0880cf0541980b8814b

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b6d27ddb21898867a31de5c16b3e06c2
SHA1

8043b357c3266df3c9ea92b57fa9c7805d910ba0
SHA256

4a93d241a9de67b0468a34f6cc4e971dc59d36c738fdf0880cf0541980b8814b
SHA512

5497b4bcffc705026ee6b3d7599293b2208bfc517bf527be0123638a2952392b0910da38d8aec3da891376f5de6f485be5e82b18b945c0b8b51160b35b97e5e9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibf56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234b6-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-10.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b9-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-45.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234ba-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-82.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-136.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-135.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2680-55-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp	xmrig
behavioral2/memory/3400-62-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp	xmrig
behavioral2/memory/4172-67-0x00007FF7CD230000-0x00007FF7CD581000-memory.dmp	xmrig
behavioral2/memory/1216-75-0x00007FF6A9780000-0x00007FF6A9AD1000-memory.dmp	xmrig
behavioral2/memory/3528-79-0x00007FF7C4090000-0x00007FF7C43E1000-memory.dmp	xmrig
behavioral2/memory/4932-90-0x00007FF658AB0000-0x00007FF658E01000-memory.dmp	xmrig
behavioral2/memory/3100-104-0x00007FF75F890000-0x00007FF75FBE1000-memory.dmp	xmrig
behavioral2/memory/1680-100-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp	xmrig
behavioral2/memory/1296-98-0x00007FF64C650000-0x00007FF64C9A1000-memory.dmp	xmrig
behavioral2/memory/2456-83-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp	xmrig
behavioral2/memory/3212-112-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	xmrig
behavioral2/memory/1408-130-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	xmrig
behavioral2/memory/4072-132-0x00007FF6A3C60000-0x00007FF6A3FB1000-memory.dmp	xmrig
behavioral2/memory/3848-127-0x00007FF62C520000-0x00007FF62C871000-memory.dmp	xmrig
behavioral2/memory/2384-118-0x00007FF76C4F0000-0x00007FF76C841000-memory.dmp	xmrig
behavioral2/memory/2680-141-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp	xmrig
behavioral2/memory/4128-151-0x00007FF6174B0000-0x00007FF617801000-memory.dmp	xmrig
behavioral2/memory/1888-152-0x00007FF66BCF0000-0x00007FF66C041000-memory.dmp	xmrig
behavioral2/memory/1680-157-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp	xmrig
behavioral2/memory/1320-158-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp	xmrig
behavioral2/memory/1660-163-0x00007FF683300000-0x00007FF683651000-memory.dmp	xmrig
behavioral2/memory/2640-164-0x00007FF6C4520000-0x00007FF6C4871000-memory.dmp	xmrig
behavioral2/memory/3004-167-0x00007FF631320000-0x00007FF631671000-memory.dmp	xmrig
behavioral2/memory/116-168-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	xmrig
behavioral2/memory/2680-169-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp	xmrig
behavioral2/memory/3400-218-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp	xmrig
behavioral2/memory/4172-220-0x00007FF7CD230000-0x00007FF7CD581000-memory.dmp	xmrig
behavioral2/memory/1216-228-0x00007FF6A9780000-0x00007FF6A9AD1000-memory.dmp	xmrig
behavioral2/memory/3528-230-0x00007FF7C4090000-0x00007FF7C43E1000-memory.dmp	xmrig
behavioral2/memory/2456-232-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp	xmrig
behavioral2/memory/4932-234-0x00007FF658AB0000-0x00007FF658E01000-memory.dmp	xmrig
behavioral2/memory/3100-236-0x00007FF75F890000-0x00007FF75FBE1000-memory.dmp	xmrig
behavioral2/memory/1296-238-0x00007FF64C650000-0x00007FF64C9A1000-memory.dmp	xmrig
behavioral2/memory/3212-244-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	xmrig
behavioral2/memory/2384-246-0x00007FF76C4F0000-0x00007FF76C841000-memory.dmp	xmrig
behavioral2/memory/3848-248-0x00007FF62C520000-0x00007FF62C871000-memory.dmp	xmrig
behavioral2/memory/4072-250-0x00007FF6A3C60000-0x00007FF6A3FB1000-memory.dmp	xmrig
behavioral2/memory/4128-256-0x00007FF6174B0000-0x00007FF617801000-memory.dmp	xmrig
behavioral2/memory/1888-258-0x00007FF66BCF0000-0x00007FF66C041000-memory.dmp	xmrig
behavioral2/memory/1680-260-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp	xmrig
behavioral2/memory/1320-262-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp	xmrig
behavioral2/memory/1660-269-0x00007FF683300000-0x00007FF683651000-memory.dmp	xmrig
behavioral2/memory/1408-271-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	xmrig
behavioral2/memory/2640-273-0x00007FF6C4520000-0x00007FF6C4871000-memory.dmp	xmrig
behavioral2/memory/3004-276-0x00007FF631320000-0x00007FF631671000-memory.dmp	xmrig
behavioral2/memory/116-277-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3400	dfnLaby.exe
4172	KKwnoIG.exe
1216	bVyppOk.exe
3528	OWNXUUl.exe
2456	PmjMHFH.exe
4932	DbsWmgK.exe
1296	rymMeDQ.exe
3100	PCADcwX.exe
3212	PGqfaEg.exe
2384	FPgVkbR.exe
3848	BwYcftf.exe
4072	kvGfDTv.exe
4128	npOmDPc.exe
1888	JKpJNhN.exe
1680	eVzyQac.exe
1320	cCksiWg.exe
1660	klyehVy.exe
2640	GsKzgaG.exe
1408	XJFoGrs.exe
3004	sLILpYn.exe
116	sbGXgpu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2680-0-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp	upx
behavioral2/files/0x00080000000234b6-4.dat	upx
behavioral2/memory/3400-6-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-10.dat	upx
behavioral2/files/0x00080000000234b9-11.dat	upx
behavioral2/memory/4172-12-0x00007FF7CD230000-0x00007FF7CD581000-memory.dmp	upx
behavioral2/memory/1216-19-0x00007FF6A9780000-0x00007FF6A9AD1000-memory.dmp	upx
behavioral2/files/0x00070000000234be-24.dat	upx
behavioral2/memory/3528-25-0x00007FF7C4090000-0x00007FF7C43E1000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-28.dat	upx
behavioral2/memory/2456-30-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-39.dat	upx
behavioral2/memory/1296-41-0x00007FF64C650000-0x00007FF64C9A1000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-45.dat	upx
behavioral2/memory/3100-47-0x00007FF75F890000-0x00007FF75FBE1000-memory.dmp	upx
behavioral2/files/0x00080000000234ba-40.dat	upx
behavioral2/memory/4932-36-0x00007FF658AB0000-0x00007FF658E01000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-54.dat	upx
behavioral2/memory/3212-56-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	upx
behavioral2/memory/2680-55-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-60.dat	upx
behavioral2/memory/3400-62-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp	upx
behavioral2/memory/2384-63-0x00007FF76C4F0000-0x00007FF76C841000-memory.dmp	upx
behavioral2/memory/4172-67-0x00007FF7CD230000-0x00007FF7CD581000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-70.dat	upx
behavioral2/files/0x00070000000234c7-73.dat	upx
behavioral2/memory/4072-76-0x00007FF6A3C60000-0x00007FF6A3FB1000-memory.dmp	upx
behavioral2/memory/1216-75-0x00007FF6A9780000-0x00007FF6A9AD1000-memory.dmp	upx
behavioral2/memory/3848-69-0x00007FF62C520000-0x00007FF62C871000-memory.dmp	upx
behavioral2/memory/3528-79-0x00007FF7C4090000-0x00007FF7C43E1000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-82.dat	upx
behavioral2/memory/4932-90-0x00007FF658AB0000-0x00007FF658E01000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-103.dat	upx
behavioral2/memory/1320-105-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp	upx
behavioral2/memory/3100-104-0x00007FF75F890000-0x00007FF75FBE1000-memory.dmp	upx
behavioral2/memory/1680-100-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp	upx
behavioral2/memory/1296-98-0x00007FF64C650000-0x00007FF64C9A1000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-97.dat	upx
behavioral2/memory/1888-95-0x00007FF66BCF0000-0x00007FF66C041000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-91.dat	upx
behavioral2/memory/4128-84-0x00007FF6174B0000-0x00007FF617801000-memory.dmp	upx
behavioral2/memory/2456-83-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-109.dat	upx
behavioral2/memory/3212-112-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-122.dat	upx
behavioral2/memory/1408-130-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp	upx
behavioral2/memory/4072-132-0x00007FF6A3C60000-0x00007FF6A3FB1000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-136.dat	upx
behavioral2/files/0x00070000000234d0-135.dat	upx
behavioral2/memory/3004-133-0x00007FF631320000-0x00007FF631671000-memory.dmp	upx
behavioral2/memory/3848-127-0x00007FF62C520000-0x00007FF62C871000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-124.dat	upx
behavioral2/memory/2640-119-0x00007FF6C4520000-0x00007FF6C4871000-memory.dmp	upx
behavioral2/memory/2384-118-0x00007FF76C4F0000-0x00007FF76C841000-memory.dmp	upx
behavioral2/memory/1660-115-0x00007FF683300000-0x00007FF683651000-memory.dmp	upx
behavioral2/memory/2680-141-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp	upx
behavioral2/memory/116-140-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp	upx
behavioral2/memory/4128-151-0x00007FF6174B0000-0x00007FF617801000-memory.dmp	upx
behavioral2/memory/1888-152-0x00007FF66BCF0000-0x00007FF66C041000-memory.dmp	upx
behavioral2/memory/1680-157-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp	upx
behavioral2/memory/1320-158-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp	upx
behavioral2/memory/1660-163-0x00007FF683300000-0x00007FF683651000-memory.dmp	upx
behavioral2/memory/2640-164-0x00007FF6C4520000-0x00007FF6C4871000-memory.dmp	upx
behavioral2/memory/3004-167-0x00007FF631320000-0x00007FF631671000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bVyppOk.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eVzyQac.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJFoGrs.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sLILpYn.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OWNXUUl.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rymMeDQ.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PCADcwX.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PGqfaEg.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FPgVkbR.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JKpJNhN.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwYcftf.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kvGfDTv.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\npOmDPc.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cCksiWg.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\klyehVy.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GsKzgaG.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dfnLaby.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KKwnoIG.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PmjMHFH.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DbsWmgK.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sbGXgpu.exe	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3400	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2680 wrote to memory of 3400	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2680 wrote to memory of 4172	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2680 wrote to memory of 4172	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2680 wrote to memory of 1216	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2680 wrote to memory of 1216	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2680 wrote to memory of 3528	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2680 wrote to memory of 3528	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2680 wrote to memory of 2456	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2680 wrote to memory of 2456	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2680 wrote to memory of 4932	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2680 wrote to memory of 4932	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2680 wrote to memory of 1296	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2680 wrote to memory of 1296	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2680 wrote to memory of 3100	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2680 wrote to memory of 3100	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2680 wrote to memory of 3212	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2680 wrote to memory of 3212	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2680 wrote to memory of 2384	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2680 wrote to memory of 2384	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2680 wrote to memory of 3848	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2680 wrote to memory of 3848	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2680 wrote to memory of 4072	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2680 wrote to memory of 4072	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2680 wrote to memory of 4128	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2680 wrote to memory of 4128	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2680 wrote to memory of 1888	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2680 wrote to memory of 1888	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2680 wrote to memory of 1680	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2680 wrote to memory of 1680	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2680 wrote to memory of 1320	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2680 wrote to memory of 1320	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2680 wrote to memory of 1660	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2680 wrote to memory of 1660	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2680 wrote to memory of 2640	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2680 wrote to memory of 2640	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2680 wrote to memory of 1408	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2680 wrote to memory of 1408	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2680 wrote to memory of 3004	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2680 wrote to memory of 3004	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2680 wrote to memory of 116	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2680 wrote to memory of 116	2680	2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_b6d27ddb21898867a31de5c16b3e06c2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System\dfnLaby.exe
  C:\Windows\System\dfnLaby.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\KKwnoIG.exe
  C:\Windows\System\KKwnoIG.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\bVyppOk.exe
  C:\Windows\System\bVyppOk.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\OWNXUUl.exe
  C:\Windows\System\OWNXUUl.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\PmjMHFH.exe
  C:\Windows\System\PmjMHFH.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\DbsWmgK.exe
  C:\Windows\System\DbsWmgK.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\rymMeDQ.exe
  C:\Windows\System\rymMeDQ.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\PCADcwX.exe
  C:\Windows\System\PCADcwX.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\PGqfaEg.exe
  C:\Windows\System\PGqfaEg.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\FPgVkbR.exe
  C:\Windows\System\FPgVkbR.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\BwYcftf.exe
  C:\Windows\System\BwYcftf.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\kvGfDTv.exe
  C:\Windows\System\kvGfDTv.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\npOmDPc.exe
  C:\Windows\System\npOmDPc.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\JKpJNhN.exe
  C:\Windows\System\JKpJNhN.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\eVzyQac.exe
  C:\Windows\System\eVzyQac.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\cCksiWg.exe
  C:\Windows\System\cCksiWg.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\klyehVy.exe
  C:\Windows\System\klyehVy.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\GsKzgaG.exe
  C:\Windows\System\GsKzgaG.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\XJFoGrs.exe
  C:\Windows\System\XJFoGrs.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\sLILpYn.exe
  C:\Windows\System\sLILpYn.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\sbGXgpu.exe
  C:\Windows\System\sbGXgpu.exe
  2⤵
  - Executes dropped EXE
  PID:116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BwYcftf.exe

Filesize
5.2MB

MD5
99b33bde91bcb94ad1c33703a2126fa3

SHA1
a6bbef8624b152d29afe78a929e5033c6c4648db

SHA256
c95a4d4f4f2fba3a3b3e2959ba5dced069fa60e6fb82043b13c580aa8575d5d6

SHA512
a559552e11ccb1b992dee92b948992e9f3edf01cb5d2ee21bd57e2be85c73c04aba161182047738c0be6568012ffaf3f82580744f191da9ffdb9fbe76797f1c3

Download Submit
C:\Windows\System\DbsWmgK.exe

Filesize
5.2MB

MD5
b06c5478f096efee7f4f86160e998f93

SHA1
fd4ef7489009a6a9449027a1499f94e19233bb2d

SHA256
c37bab9e5b6c2cc6f6f2d4fc450c7bd62d53f824f7303e3c1e64557e1f88bad8

SHA512
7ea30873ac8f9e08b29ad25edb2df8baec93f3ee0bce00f7960fb1fcdf57a36c1e1efa985e1f41a877d0a383af7f2c92ed56a0bcfe543ad13866930705d48b27

Download Submit
C:\Windows\System\FPgVkbR.exe

Filesize
5.2MB

MD5
ec4b7e00bf9b2ed9a81e153cf0beb2fe

SHA1
3315274d391d60aa882819a67b7d15cbcad2b869

SHA256
2c22b8aaf2f78a0e30e6e7a912cc6a12f1c1f60abb7a0570dddf348b6300622f

SHA512
7d9070e6145ba6ca71dd0217c7ce49e6db8fe26cbe95295eb867708acb33087d9e0573f0a16fe7c32e573c86148ec07978064ffe0cbf4814639391a8bd7c38ec

Download Submit
C:\Windows\System\GsKzgaG.exe

Filesize
5.2MB

MD5
ca491d2e57b119635353fd925eae040b

SHA1
633a8c3a0871a2b7bf53a99760b0e6a1816fee2c

SHA256
a98b68178bb234fd4b0f6ed6a05d3aee9274bb89d97d6f869517a52d11a61f09

SHA512
93b97c70d866e949baffc004159cd61fb9a11f3c21cc10ebaf35a45076d9d6587596b3f56ed439b49949a636856009a7b9e5af51676ad2690bec9a6265590e22

Download Submit
C:\Windows\System\JKpJNhN.exe

Filesize
5.2MB

MD5
8ad69cc27da7eee835e2b228927af954

SHA1
a4daac77bb7a56dc92f326a92fe72b09afd772a0

SHA256
c9f9ed995fd716df9148a46ccff1e5c99a846346c9aec6f48831e08e53a183d6

SHA512
9bf5a8f19641b0edaa4d623bfe502f6f1232919f53dcf17ef318791cc4ccee78ede88ff47f15fa60314047ad41752ca197cae439a6e1a1fe36c0a7f94a9d63cb

Download Submit
C:\Windows\System\KKwnoIG.exe

Filesize
5.2MB

MD5
aea6276d2f949ec1293ff5d1cb26b383

SHA1
b71d01ea58234586c413dc52059fcb2d6b594216

SHA256
f245c97de662d5599bd1f907f361b57584e2334bcf4b882c81af277334990bea

SHA512
8d905a9856a28bf589fbae6b27028f743032a9b3ce3d5858adb52b921359d9132d65e3762de081fb36d07ef438796301c545396f7770b419f167065a772232ce

Download Submit
C:\Windows\System\OWNXUUl.exe

Filesize
5.2MB

MD5
6964a8ef5ef402421d0915f744dbd9a8

SHA1
ad4e25e729b8719318781386f48f34e37f278382

SHA256
1ca72f6b59510bb5a40604d3b27cab1c3717dfbd045b6d0bba2a3ec6cabf72eb

SHA512
76dff18a648354ec7e86fc0fcc6db5a494c03a6704914a4b0c9e54582178278d69c7f0ec42fa2fc00152c29fc366ce045435fe365e70d72555b1ad956ad28c07

Download Submit
C:\Windows\System\PCADcwX.exe

Filesize
5.2MB

MD5
408561e5ef64c401ca15680a81e15ff2

SHA1
feba4716a24cd80dfcae52aa35ca41566d60a6cd

SHA256
a0b594966bd5204033b53742183081b9551dba75525dd8b62661b18b29b2199a

SHA512
126ab4de696babe715d42d53c37eab774a6f16c53f505bc78242fb1c952a9e5485cfc2e7f5aed86e817aaa37998e00716e20da71c6a9666a1a87f1d0cbc659dd

Download Submit
C:\Windows\System\PGqfaEg.exe

Filesize
5.2MB

MD5
87dfbf58ef5b19898ffe093532143967

SHA1
67d55287ca7c90ee63844f75e47ba25af6f71627

SHA256
4d782393191e6c8c6ad3a47ffa3eb08b7a7d3f43f360ba330a75ec3da1073a93

SHA512
495011dd8ab60a9a09a1c48b7b2d857a6ab24aa511327754fa625ceca7a6f350c67f509e1dc8b05f84cb374880935afc74b10aaec9c0211d4ebece4527a69f86

Download Submit
C:\Windows\System\PmjMHFH.exe

Filesize
5.2MB

MD5
b6efbeea79c0d8d1cd52bb46c05c46bd

SHA1
d576ac354475ebcfde37d7786239a7a6a94d31ea

SHA256
de74a68022db87caf001b0e4a24a5df4cc60edbf0c4b62c30d1436c584295481

SHA512
791f63a22c41c0da389b3f64887a7e1930b172bf75fb8e91acdc40ac81a64ae963df31cbe59478f750f7e1244ced358f290741a50acc8a6e867a90ec0db99b23

Download Submit
C:\Windows\System\XJFoGrs.exe

Filesize
5.2MB

MD5
1189e13e9f30444a791097ca0d590c56

SHA1
04864d65bce790aa628fdca77827c0b267d9d85a

SHA256
43472288b6f131c6a575f14230ba91977b9e1030f9df4bce64361b589c585cf5

SHA512
cf7d973bc79e7a1ddce8365e12ec9b68e753c9a8aa35a75e527d08caae33f5919686158684df2a9c899fcdbe8ff54ac890f5ef42a99398b9b51c586d5af9d61c

Download Submit
C:\Windows\System\bVyppOk.exe

Filesize
5.2MB

MD5
b58216e47972c942eae883cd7d678d94

SHA1
38a2cdd94275bc43172ec9fa4e8d800f8116ac5c

SHA256
64e8de24f191f0b12a4add4977a21dd57fb05f8bc4da47fc2b1d7770cc375a56

SHA512
125f47d711e85e12da26cd2ba92b79b30dd4619a6de0b7e6a9a818f65626a0a6fe50a36bc555693cf96fd5402136f29a72667c88cdf64c93594ab37362452fb6

Download Submit
C:\Windows\System\cCksiWg.exe

Filesize
5.2MB

MD5
f649569ce33c749cef015d239effb6e5

SHA1
fe0463b34f0a07a7dbeaf9f92ad34b545bbe8fc9

SHA256
677f80a38e78452c0d9557c32e74ff7b521ef2a6866d1e75e7f13e587bcdbd72

SHA512
8c1bfdeaa5e2a6d2bc616235b9781c5381f25a7a60c2eb41a85365c89a282d806bf83459ea47dc18d074e0e40678eb4e47e490eebb32b8c0619cb25453ebe7ab

Download Submit
C:\Windows\System\dfnLaby.exe

Filesize
5.2MB

MD5
09cb0242a89866796fac4fc608b8a6fb

SHA1
9f5f3068e8c5cb9e1ee7ff843360eac70757ec76

SHA256
7c4c505ab325599bac9c65a032e051b720add372e09817482ebe058a6ef6b4d4

SHA512
40d7938984d9601d765870e275fbc685320fc59cff02177eaf3b2b9f3eb8c20f9ab92c71ba2cc263bdaaf23b6458cea2cdd08e410c3fb10946730ac0f35f0ed5

Download Submit
C:\Windows\System\eVzyQac.exe

Filesize
5.2MB

MD5
66d484f6976f1a580a329b0ecaa79f82

SHA1
684aedd4a6027f46ecdca49b87c9142e1bc2d6e0

SHA256
a0e25ef1831a281b8655f1cc3e1f846f93c2c93f8645227d984816a55320a1e4

SHA512
14474a83c1643c35ec609c60ba31e9399d59b343fd86951229980c5648fe18032067ad221cfc658fc0726a7dd842418c9b9683f667ba121de57295c57784359b

Download Submit
C:\Windows\System\klyehVy.exe

Filesize
5.2MB

MD5
1c511791c42ff0b880c7eb6ebdb17ecf

SHA1
631fbd85dfc4ba323dbe2f340695647d95acaa20

SHA256
b15908c9bed87ffaf824a6e4c7c823e6d9ee609895549f8b6981c81db7019ad0

SHA512
f65d9f63e5c290362f44da3e5a01bdefe0960eb75dd46c6fbce176553c53a0c37283a9a24723aba4fe75f02d3ecc6133f5ddb9648b0f65358b3215376afa93bd

Download Submit
C:\Windows\System\kvGfDTv.exe

Filesize
5.2MB

MD5
8276c4111baf34c9f9b58e48127a5ccb

SHA1
955aae8c4eea18d5905d8bb24d57f86b783ac1c7

SHA256
808b5b558c14eefe3decf0e168b261fdf6141a7417ee2defe70262ca72c7f69b

SHA512
ed761876deb2f46e3ee9a0943051e473efcee51191b98de7ee2afde25a015393b7d6ed30f73aae16834b40319128d41acdbf314a2c8bbe15f306816e988fa431

Download Submit
C:\Windows\System\npOmDPc.exe

Filesize
5.2MB

MD5
fed68cf39951117365765c3b07033e71

SHA1
9738b67163472e6e67a157926db942e1908c370a

SHA256
f3228213e00bb2aecb81ef8ef5da81321424c14a5198e0f3b2ebc77841a6845c

SHA512
03ca65df544278304d3c9cb85ef00a7fa121a25cd568dcf34f3b19c0757888e31b16444407beebef96280283ac73abc68af7bd49bc7087cae7ccb8f7e27f1c87

Download Submit
C:\Windows\System\rymMeDQ.exe

Filesize
5.2MB

MD5
b54a77592a17d0516c9b42c99705ffac

SHA1
fd1cbfa36d185e307a39165730cee3b11f60be86

SHA256
f8cf356275b3e7645b6b537cc911327038a5bc25330a9a6daad104490dfd606f

SHA512
c853bfc8b9d5433afa5e3755af2bcde35598b20f3546ad0b5aae1f00141f946c3c88b9925a655289b02dca9efa7f27d77964081d581547e701f42202c67fd445

Download Submit
C:\Windows\System\sLILpYn.exe

Filesize
5.2MB

MD5
cb34b40a5c1236d9a79865d277479149

SHA1
7eda527374e2382a5ac83408f71b72227be80719

SHA256
c03988cf9aa8396a629b5b1a3e41b82a3d26e1f07b1cecfd08fb12c0c2ceaa7f

SHA512
8f2d77a4ad6fff263f3ad9361f6113f95c495c4d6ba72e47dd6ad847c8d5c49f1a2f85c9ee32f65f1f7bd46b04d49d0e741db73a5c118f5bac7edb0fea51dec0

Download Submit
C:\Windows\System\sbGXgpu.exe

Filesize
5.2MB

MD5
306b0c8ae38b64c248986805c6b05252

SHA1
09f754a38dd8e16934d47ecb0e48e8c3711e2968

SHA256
0ff1836584554ca81bd0ba8eb0b9f7c2c5dfa7154b05c26d77df04ade6aea60d

SHA512
412e0a6960e9c8e75aa675e1fc9f38b9bfa7195c228230adadf68338f02f73d74e8aa8a085fa5d5df20c6fe49b26b9e97c5da4da89b1b8ce88b220967c85af62

Download Submit
memory/116-168-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp

Filesize
3.3MB

Download
memory/116-277-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp

Filesize
3.3MB

Download
memory/116-140-0x00007FF7F3860000-0x00007FF7F3BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-19-0x00007FF6A9780000-0x00007FF6A9AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-228-0x00007FF6A9780000-0x00007FF6A9AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-75-0x00007FF6A9780000-0x00007FF6A9AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-98-0x00007FF64C650000-0x00007FF64C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-238-0x00007FF64C650000-0x00007FF64C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-41-0x00007FF64C650000-0x00007FF64C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-158-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp

Filesize
3.3MB

Download
memory/1320-262-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp

Filesize
3.3MB

Download
memory/1320-105-0x00007FF6606F0000-0x00007FF660A41000-memory.dmp

Filesize
3.3MB

Download
memory/1408-130-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp

Filesize
3.3MB

Download
memory/1408-271-0x00007FF778AD0000-0x00007FF778E21000-memory.dmp

Filesize
3.3MB

Download
memory/1660-163-0x00007FF683300000-0x00007FF683651000-memory.dmp

Filesize
3.3MB

Download
memory/1660-115-0x00007FF683300000-0x00007FF683651000-memory.dmp

Filesize
3.3MB

Download
memory/1660-269-0x00007FF683300000-0x00007FF683651000-memory.dmp

Filesize
3.3MB

Download
memory/1680-100-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-157-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-260-0x00007FF65FA50000-0x00007FF65FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-152-0x00007FF66BCF0000-0x00007FF66C041000-memory.dmp

Filesize
3.3MB

Download
memory/1888-95-0x00007FF66BCF0000-0x00007FF66C041000-memory.dmp

Filesize
3.3MB

Download
memory/1888-258-0x00007FF66BCF0000-0x00007FF66C041000-memory.dmp

Filesize
3.3MB

Download
memory/2384-63-0x00007FF76C4F0000-0x00007FF76C841000-memory.dmp

Filesize
3.3MB

Download
memory/2384-246-0x00007FF76C4F0000-0x00007FF76C841000-memory.dmp

Filesize
3.3MB

Download
memory/2384-118-0x00007FF76C4F0000-0x00007FF76C841000-memory.dmp

Filesize
3.3MB

Download
memory/2456-30-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-83-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-232-0x00007FF79BF70000-0x00007FF79C2C1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-119-0x00007FF6C4520000-0x00007FF6C4871000-memory.dmp

Filesize
3.3MB

Download
memory/2640-164-0x00007FF6C4520000-0x00007FF6C4871000-memory.dmp

Filesize
3.3MB

Download
memory/2640-273-0x00007FF6C4520000-0x00007FF6C4871000-memory.dmp

Filesize
3.3MB

Download
memory/2680-1-0x00000279B0B10000-0x00000279B0B20000-memory.dmp

Filesize
64KB

Download
memory/2680-55-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp

Filesize
3.3MB

Download
memory/2680-0-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp

Filesize
3.3MB

Download
memory/2680-169-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp

Filesize
3.3MB

Download
memory/2680-141-0x00007FF6C5640000-0x00007FF6C5991000-memory.dmp

Filesize
3.3MB

Download
memory/3004-276-0x00007FF631320000-0x00007FF631671000-memory.dmp

Filesize
3.3MB

Download
memory/3004-167-0x00007FF631320000-0x00007FF631671000-memory.dmp

Filesize
3.3MB

Download
memory/3004-133-0x00007FF631320000-0x00007FF631671000-memory.dmp

Filesize
3.3MB

Download
memory/3100-236-0x00007FF75F890000-0x00007FF75FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3100-47-0x00007FF75F890000-0x00007FF75FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3100-104-0x00007FF75F890000-0x00007FF75FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-244-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-112-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-56-0x00007FF71C080000-0x00007FF71C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-62-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-6-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3400-218-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-230-0x00007FF7C4090000-0x00007FF7C43E1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-25-0x00007FF7C4090000-0x00007FF7C43E1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-79-0x00007FF7C4090000-0x00007FF7C43E1000-memory.dmp

Filesize
3.3MB

Download
memory/3848-69-0x00007FF62C520000-0x00007FF62C871000-memory.dmp

Filesize
3.3MB

Download
memory/3848-248-0x00007FF62C520000-0x00007FF62C871000-memory.dmp

Filesize
3.3MB

Download
memory/3848-127-0x00007FF62C520000-0x00007FF62C871000-memory.dmp

Filesize
3.3MB

Download
memory/4072-132-0x00007FF6A3C60000-0x00007FF6A3FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-76-0x00007FF6A3C60000-0x00007FF6A3FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-250-0x00007FF6A3C60000-0x00007FF6A3FB1000-memory.dmp

Filesize
3.3MB

Download
memory/4128-151-0x00007FF6174B0000-0x00007FF617801000-memory.dmp

Filesize
3.3MB

Download
memory/4128-84-0x00007FF6174B0000-0x00007FF617801000-memory.dmp

Filesize
3.3MB

Download
memory/4128-256-0x00007FF6174B0000-0x00007FF617801000-memory.dmp

Filesize
3.3MB

Download
memory/4172-220-0x00007FF7CD230000-0x00007FF7CD581000-memory.dmp

Filesize
3.3MB

Download
memory/4172-12-0x00007FF7CD230000-0x00007FF7CD581000-memory.dmp

Filesize
3.3MB

Download
memory/4172-67-0x00007FF7CD230000-0x00007FF7CD581000-memory.dmp

Filesize
3.3MB

Download
memory/4932-90-0x00007FF658AB0000-0x00007FF658E01000-memory.dmp

Filesize
3.3MB

Download
memory/4932-36-0x00007FF658AB0000-0x00007FF658E01000-memory.dmp

Filesize
3.3MB

Download
memory/4932-234-0x00007FF658AB0000-0x00007FF658E01000-memory.dmp

Filesize
3.3MB

Download