cobaltstrike | 86655fdb9e86e0d5677265760f33a422ce714c702afd3f5060282dc4eea293a2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

68b4132d1e2e2b98aed36809e0f11f63
SHA1

f2683351d9f2106684633aad787d1db3373a49c6
SHA256

86655fdb9e86e0d5677265760f33a422ce714c702afd3f5060282dc4eea293a2
SHA512

163761685c43dd8cc51d98a52da47d66db6dbd0bcfd981737de7d635af0135fa71c57d1bcb3a3b5bd76ca27c9157a288bae8f383956c2b11000e85d2a549ae94
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lUx

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233db-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-92.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-119.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-67.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002343f-57.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1788-33-0x00007FF7545A0000-0x00007FF7548F1000-memory.dmp	xmrig
behavioral2/memory/2792-41-0x00007FF750140000-0x00007FF750491000-memory.dmp	xmrig
behavioral2/memory/3628-76-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp	xmrig
behavioral2/memory/3796-97-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	xmrig
behavioral2/memory/2472-99-0x00007FF739D60000-0x00007FF73A0B1000-memory.dmp	xmrig
behavioral2/memory/448-101-0x00007FF632EF0000-0x00007FF633241000-memory.dmp	xmrig
behavioral2/memory/4656-98-0x00007FF7D6C30000-0x00007FF7D6F81000-memory.dmp	xmrig
behavioral2/memory/4672-115-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	xmrig
behavioral2/memory/3636-73-0x00007FF723CF0000-0x00007FF724041000-memory.dmp	xmrig
behavioral2/memory/528-71-0x00007FF678950000-0x00007FF678CA1000-memory.dmp	xmrig
behavioral2/memory/4716-66-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp	xmrig
behavioral2/memory/3676-128-0x00007FF75E1D0000-0x00007FF75E521000-memory.dmp	xmrig
behavioral2/memory/1160-127-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp	xmrig
behavioral2/memory/876-129-0x00007FF7E9AF0000-0x00007FF7E9E41000-memory.dmp	xmrig
behavioral2/memory/60-130-0x00007FF6788B0000-0x00007FF678C01000-memory.dmp	xmrig
behavioral2/memory/548-131-0x00007FF6591F0000-0x00007FF659541000-memory.dmp	xmrig
behavioral2/memory/3668-132-0x00007FF7DD150000-0x00007FF7DD4A1000-memory.dmp	xmrig
behavioral2/memory/4716-133-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp	xmrig
behavioral2/memory/3696-139-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp	xmrig
behavioral2/memory/404-142-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp	xmrig
behavioral2/memory/1176-143-0x00007FF746740000-0x00007FF746A91000-memory.dmp	xmrig
behavioral2/memory/728-144-0x00007FF7B7190000-0x00007FF7B74E1000-memory.dmp	xmrig
behavioral2/memory/2572-152-0x00007FF60DBE0000-0x00007FF60DF31000-memory.dmp	xmrig
behavioral2/memory/4716-158-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp	xmrig
behavioral2/memory/3628-212-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp	xmrig
behavioral2/memory/528-214-0x00007FF678950000-0x00007FF678CA1000-memory.dmp	xmrig
behavioral2/memory/4672-216-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	xmrig
behavioral2/memory/1788-218-0x00007FF7545A0000-0x00007FF7548F1000-memory.dmp	xmrig
behavioral2/memory/1160-221-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp	xmrig
behavioral2/memory/2792-222-0x00007FF750140000-0x00007FF750491000-memory.dmp	xmrig
behavioral2/memory/3696-224-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp	xmrig
behavioral2/memory/404-229-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp	xmrig
behavioral2/memory/1176-231-0x00007FF746740000-0x00007FF746A91000-memory.dmp	xmrig
behavioral2/memory/728-241-0x00007FF7B7190000-0x00007FF7B74E1000-memory.dmp	xmrig
behavioral2/memory/3636-243-0x00007FF723CF0000-0x00007FF724041000-memory.dmp	xmrig
behavioral2/memory/3796-247-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	xmrig
behavioral2/memory/448-246-0x00007FF632EF0000-0x00007FF633241000-memory.dmp	xmrig
behavioral2/memory/4656-249-0x00007FF7D6C30000-0x00007FF7D6F81000-memory.dmp	xmrig
behavioral2/memory/2472-251-0x00007FF739D60000-0x00007FF73A0B1000-memory.dmp	xmrig
behavioral2/memory/3676-255-0x00007FF75E1D0000-0x00007FF75E521000-memory.dmp	xmrig
behavioral2/memory/2572-257-0x00007FF60DBE0000-0x00007FF60DF31000-memory.dmp	xmrig
behavioral2/memory/3668-261-0x00007FF7DD150000-0x00007FF7DD4A1000-memory.dmp	xmrig
behavioral2/memory/60-263-0x00007FF6788B0000-0x00007FF678C01000-memory.dmp	xmrig
behavioral2/memory/548-265-0x00007FF6591F0000-0x00007FF659541000-memory.dmp	xmrig
behavioral2/memory/876-260-0x00007FF7E9AF0000-0x00007FF7E9E41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3628	cVmVcbx.exe
528	FJLQNkJ.exe
4672	PcMPJOc.exe
1788	hQYWTAi.exe
1160	bbslCGj.exe
2792	duRvEEA.exe
3696	dslTVWi.exe
404	bwpqmDO.exe
1176	fBmnZNL.exe
728	vjxEubP.exe
3636	aWpYxJh.exe
3796	NIMMCmX.exe
448	dxwHawc.exe
4656	PkfJhoY.exe
2472	MRCStub.exe
2572	eideCxG.exe
3676	CkvUBVi.exe
876	LWUinVv.exe
3668	REOxCjt.exe
60	sXctGhb.exe
548	Suwzeqm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4716-0-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp	upx
behavioral2/files/0x00090000000233db-4.dat	upx
behavioral2/files/0x0007000000023442-12.dat	upx
behavioral2/files/0x0007000000023443-25.dat	upx
behavioral2/memory/1788-33-0x00007FF7545A0000-0x00007FF7548F1000-memory.dmp	upx
behavioral2/memory/2792-41-0x00007FF750140000-0x00007FF750491000-memory.dmp	upx
behavioral2/memory/3696-42-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp	upx
behavioral2/files/0x0007000000023447-43.dat	upx
behavioral2/memory/1160-40-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp	upx
behavioral2/files/0x0007000000023446-35.dat	upx
behavioral2/files/0x0007000000023445-32.dat	upx
behavioral2/files/0x0007000000023444-30.dat	upx
behavioral2/memory/4672-20-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	upx
behavioral2/memory/528-19-0x00007FF678950000-0x00007FF678CA1000-memory.dmp	upx
behavioral2/memory/3628-7-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp	upx
behavioral2/files/0x0007000000023448-48.dat	upx
behavioral2/memory/404-49-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp	upx
behavioral2/files/0x0007000000023449-59.dat	upx
behavioral2/files/0x000700000002344b-72.dat	upx
behavioral2/files/0x000700000002344c-83.dat	upx
behavioral2/files/0x000700000002344e-85.dat	upx
behavioral2/memory/3628-76-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp	upx
behavioral2/files/0x0007000000023450-92.dat	upx
behavioral2/files/0x000700000002344f-89.dat	upx
behavioral2/memory/3796-97-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp	upx
behavioral2/memory/2472-99-0x00007FF739D60000-0x00007FF73A0B1000-memory.dmp	upx
behavioral2/memory/448-101-0x00007FF632EF0000-0x00007FF633241000-memory.dmp	upx
behavioral2/memory/2572-100-0x00007FF60DBE0000-0x00007FF60DF31000-memory.dmp	upx
behavioral2/memory/4656-98-0x00007FF7D6C30000-0x00007FF7D6F81000-memory.dmp	upx
behavioral2/files/0x0007000000023451-104.dat	upx
behavioral2/files/0x0007000000023453-121.dat	upx
behavioral2/files/0x0007000000023455-125.dat	upx
behavioral2/files/0x0007000000023454-123.dat	upx
behavioral2/files/0x0007000000023452-119.dat	upx
behavioral2/memory/4672-115-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	upx
behavioral2/memory/3636-73-0x00007FF723CF0000-0x00007FF724041000-memory.dmp	upx
behavioral2/memory/528-71-0x00007FF678950000-0x00007FF678CA1000-memory.dmp	upx
behavioral2/files/0x000700000002344a-67.dat	upx
behavioral2/memory/4716-66-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp	upx
behavioral2/memory/728-62-0x00007FF7B7190000-0x00007FF7B74E1000-memory.dmp	upx
behavioral2/memory/1176-54-0x00007FF746740000-0x00007FF746A91000-memory.dmp	upx
behavioral2/files/0x000800000002343f-57.dat	upx
behavioral2/memory/3676-128-0x00007FF75E1D0000-0x00007FF75E521000-memory.dmp	upx
behavioral2/memory/1160-127-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp	upx
behavioral2/memory/876-129-0x00007FF7E9AF0000-0x00007FF7E9E41000-memory.dmp	upx
behavioral2/memory/60-130-0x00007FF6788B0000-0x00007FF678C01000-memory.dmp	upx
behavioral2/memory/548-131-0x00007FF6591F0000-0x00007FF659541000-memory.dmp	upx
behavioral2/memory/3668-132-0x00007FF7DD150000-0x00007FF7DD4A1000-memory.dmp	upx
behavioral2/memory/4716-133-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp	upx
behavioral2/memory/3696-139-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp	upx
behavioral2/memory/404-142-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp	upx
behavioral2/memory/1176-143-0x00007FF746740000-0x00007FF746A91000-memory.dmp	upx
behavioral2/memory/728-144-0x00007FF7B7190000-0x00007FF7B74E1000-memory.dmp	upx
behavioral2/memory/2572-152-0x00007FF60DBE0000-0x00007FF60DF31000-memory.dmp	upx
behavioral2/memory/4716-158-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp	upx
behavioral2/memory/3628-212-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp	upx
behavioral2/memory/528-214-0x00007FF678950000-0x00007FF678CA1000-memory.dmp	upx
behavioral2/memory/4672-216-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	upx
behavioral2/memory/1788-218-0x00007FF7545A0000-0x00007FF7548F1000-memory.dmp	upx
behavioral2/memory/1160-221-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp	upx
behavioral2/memory/2792-222-0x00007FF750140000-0x00007FF750491000-memory.dmp	upx
behavioral2/memory/3696-224-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp	upx
behavioral2/memory/404-229-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp	upx
behavioral2/memory/1176-231-0x00007FF746740000-0x00007FF746A91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bwpqmDO.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aWpYxJh.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NIMMCmX.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PkfJhoY.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MRCStub.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cVmVcbx.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FJLQNkJ.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dslTVWi.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LWUinVv.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\REOxCjt.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\duRvEEA.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eideCxG.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sXctGhb.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Suwzeqm.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bbslCGj.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vjxEubP.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxwHawc.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CkvUBVi.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PcMPJOc.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQYWTAi.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fBmnZNL.exe	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3628	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4716 wrote to memory of 3628	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4716 wrote to memory of 528	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4716 wrote to memory of 528	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4716 wrote to memory of 4672	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4716 wrote to memory of 4672	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4716 wrote to memory of 1788	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4716 wrote to memory of 1788	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4716 wrote to memory of 1160	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4716 wrote to memory of 1160	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4716 wrote to memory of 2792	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4716 wrote to memory of 2792	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4716 wrote to memory of 3696	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4716 wrote to memory of 3696	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4716 wrote to memory of 404	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4716 wrote to memory of 404	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4716 wrote to memory of 1176	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4716 wrote to memory of 1176	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4716 wrote to memory of 728	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4716 wrote to memory of 728	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4716 wrote to memory of 3636	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4716 wrote to memory of 3636	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4716 wrote to memory of 3796	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4716 wrote to memory of 3796	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4716 wrote to memory of 448	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4716 wrote to memory of 448	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4716 wrote to memory of 4656	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4716 wrote to memory of 4656	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4716 wrote to memory of 2472	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4716 wrote to memory of 2472	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4716 wrote to memory of 2572	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4716 wrote to memory of 2572	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4716 wrote to memory of 3676	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4716 wrote to memory of 3676	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4716 wrote to memory of 876	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4716 wrote to memory of 876	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4716 wrote to memory of 3668	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4716 wrote to memory of 3668	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4716 wrote to memory of 60	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4716 wrote to memory of 60	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4716 wrote to memory of 548	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4716 wrote to memory of 548	4716	2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_68b4132d1e2e2b98aed36809e0f11f63_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\System\cVmVcbx.exe
  C:\Windows\System\cVmVcbx.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\FJLQNkJ.exe
  C:\Windows\System\FJLQNkJ.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\PcMPJOc.exe
  C:\Windows\System\PcMPJOc.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\hQYWTAi.exe
  C:\Windows\System\hQYWTAi.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\bbslCGj.exe
  C:\Windows\System\bbslCGj.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\duRvEEA.exe
  C:\Windows\System\duRvEEA.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\dslTVWi.exe
  C:\Windows\System\dslTVWi.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\bwpqmDO.exe
  C:\Windows\System\bwpqmDO.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\fBmnZNL.exe
  C:\Windows\System\fBmnZNL.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\vjxEubP.exe
  C:\Windows\System\vjxEubP.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\aWpYxJh.exe
  C:\Windows\System\aWpYxJh.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\NIMMCmX.exe
  C:\Windows\System\NIMMCmX.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\dxwHawc.exe
  C:\Windows\System\dxwHawc.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\PkfJhoY.exe
  C:\Windows\System\PkfJhoY.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\MRCStub.exe
  C:\Windows\System\MRCStub.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\eideCxG.exe
  C:\Windows\System\eideCxG.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\CkvUBVi.exe
  C:\Windows\System\CkvUBVi.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\LWUinVv.exe
  C:\Windows\System\LWUinVv.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\REOxCjt.exe
  C:\Windows\System\REOxCjt.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\sXctGhb.exe
  C:\Windows\System\sXctGhb.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\Suwzeqm.exe
  C:\Windows\System\Suwzeqm.exe
  2⤵
  - Executes dropped EXE
  PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CkvUBVi.exe

Filesize
5.2MB

MD5
f7163ac4b6c8c415641194fcdbde79da

SHA1
452421d8ed13271746898c49445c284b731adf18

SHA256
c70662d8739248753b6e2543205b26f752b126a1c01b5f78e533a7d12c2f530d

SHA512
46404e7017e491dda4f530e53a57b69618c50e341976b962c8b6dfe2ec3d1825f45397db13b12507771cd44893b5b20b2ac5c7d3fb991ec470536620952d30ed

Download Submit
C:\Windows\System\FJLQNkJ.exe

Filesize
5.2MB

MD5
8cde486454a16922d315fdd9049f3267

SHA1
330ad81e6b0ed0b92c0cfeb8d345f5f8e104f19d

SHA256
b1ba2e468cc148b7e7de3ba3109d31abf31e447473cdfc09d8f6377b57dcbdee

SHA512
4b0e73684774a2a4a25a15fdfeb88ce8fb437d054772986e46ea8dc7f6c9bf7b0fe600aea0a5207139f9dacdfddfce220908781e52ffff0b9acb6c7c90abedbd

Download Submit
C:\Windows\System\LWUinVv.exe

Filesize
5.2MB

MD5
b306b601b32e916adc561c7e450348ed

SHA1
5d33bb61115766f0382f38973e323403a5d1b719

SHA256
70add9f4ee5f80cf6bba6da53b9823e82dfb263925c358d19bca305ed4795876

SHA512
267be4d029c343b251701b9228d978c856d2366373ac1b11e6381caccd2aa680f3c7f18f000c866c53da22b5b8e93d6bdcc81ddf18802b1ab1d49bd62765de27

Download Submit
C:\Windows\System\MRCStub.exe

Filesize
5.2MB

MD5
abf84cf112478f3640fed15c61830cef

SHA1
30909fc912a1f64af3d1b4e2c006541c32c01291

SHA256
4253f37bf7046d1b1dae57a65b3623594126cd39da74ace0aee3ef12c6a735aa

SHA512
94c6ac16f65582ee5a1865dc32e50a99ddca6a6de63911314b8b85ef742472bd457c67f33ae8f3afb09f1348d791d40704932b8db88b78ae255f3501d779e465

Download Submit
C:\Windows\System\NIMMCmX.exe

Filesize
5.2MB

MD5
972cfd294ae04590b3d70e8584729e09

SHA1
6e4d2170266426e36e17d12c02678dc5453047c0

SHA256
07db6b3f3afcafa5751493a919d4cdcc74b5af34d514b4ea53fee09ab707ed0c

SHA512
260f0d9dc648b5f595dd073d953531c6bd9088e85081708de6b2045d008b86f32a4d001f6c9e016f6b87a40459c30ed55dcc2eddb2db429d5a927d59806a231f

Download Submit
C:\Windows\System\PcMPJOc.exe

Filesize
5.2MB

MD5
6e6e60cb537dab88dfc1c72f704bdede

SHA1
0865fa1e2386d05535f1e87202dc7a4cd84aca45

SHA256
3176414eb6515688b8f7a467f4f000a03ccce24f3fb0d09c2511cf302182ce78

SHA512
c877de101a8815095dd76b8614b79c1d45d9cb921a7747b2a3084a57263459eefa729323619dd82d085ebe3278a34fc3cc8bee5c7d5c13df75e7bd18c50076b1

Download Submit
C:\Windows\System\PkfJhoY.exe

Filesize
5.2MB

MD5
3b9a86fde77c0fc224e635954e99c4fa

SHA1
ada51d87650e9e8fcff32a2d6591179593cb8df6

SHA256
cd45420b3ebff5c0a8e60c6f4e778acd59ac426e490acc2ef226097151e8b346

SHA512
2ac4dc0aa79951822e4b816e63168ad39b064d024ce6c3e8538ffaffd7ffeaf9c1aff009c390500d60a59277292c2a16406400e93301a8bb06b7344f49e4c64d

Download Submit
C:\Windows\System\REOxCjt.exe

Filesize
5.2MB

MD5
69378a7d5333fd297563d82481c458f6

SHA1
d897224abe88704a9120b2b7e3eb9aecdc7e2448

SHA256
b12967ba8fdbd3b8e13dbabeecc5bb996f0fdb063356877a07d73d49a46c2810

SHA512
75f0ffd9e0fa58925e989d7622a5064932b9399c35b4a8cca14a8fcb3778b7b5eee26bc0b1666c47c8c4b2f7fb493d79f6ce2d47ec5276dbe94ba29e968f0f6e

Download Submit
C:\Windows\System\Suwzeqm.exe

Filesize
5.2MB

MD5
e120df20197cbde90015400f48e0e192

SHA1
d37dc1bff5c83c0654b1a11189e8b3a3925ebbed

SHA256
c3ad73f16dbf6f138f62bee4dbf7dab4e53fbc72fb19871da414d051a9961ea9

SHA512
b9751c0045c6abc012103baecc3e3869410540524370a5f4fa08b87f630b7afdfd07e5568879b4efdcc79da03ee101d33957979e003788fb7cc2113904d8158d

Download Submit
C:\Windows\System\aWpYxJh.exe

Filesize
5.2MB

MD5
5678bbbeda81721e13c2c00871986cec

SHA1
5a2122cd80b6c9ab804887a876d8f7531d2ed9e4

SHA256
1e89467a5f9ea0ba6f748c99c829f55f801a959e20b3ad11a1099c46c019642d

SHA512
e1709db320992beb4443524fa8f24f50360ea58ec27c00a6eef9a2d3e058310dc4e552f6d4b44e386af1a7e6c4d9305a15709e17fb481021a291bc69366c12bf

Download Submit
C:\Windows\System\bbslCGj.exe

Filesize
5.2MB

MD5
30414bdab5b7f86ff6ed5d11d177a398

SHA1
e5e7afb74129402421ef7e255824dbac7002494d

SHA256
6ea4337ebf5207ca238a255a448eb2d413d0d4f75d0ad6649df30cca0dee6aba

SHA512
b6bcda1ccd2db1a9f98d1d65830fd1b396d4ca812400b7a93b9ab8670ebb2682b6241851db66ed555b404d07908db49c4eeeb180b5805feeef68ee56590b75b2

Download Submit
C:\Windows\System\bwpqmDO.exe

Filesize
5.2MB

MD5
0b48d873398eb5cb5a99abcb0a8bed4d

SHA1
d653d6a48f4c878419b98f48d349d4f7257fecc1

SHA256
6620ce52bf909d9c4129cd56f01e0227bd0c82ddced135677e89316201984a68

SHA512
84d6b203613e26db6328e147a9f89eac6c677ede401ee4cef2c3204ed97fb43036ee2ea736ee36c5191eb6bf7bfa5ef1b0f1f740d9af8db2127ecfab35b26877

Download Submit
C:\Windows\System\cVmVcbx.exe

Filesize
5.2MB

MD5
85d0bae0985cbde60086ec9bf8742c65

SHA1
5f7ed95be291bf1f3d4ced63866709bbac087a36

SHA256
6f023ee2630b5851dcff7d0fa785c3c0c014a342523e89ff771085bf05b9c5af

SHA512
e60223e41d4953593a39d3631458255f4691a294dbd281b46f868eedb7de499e69f7f274253206bdd01b798dd31c30e594d48f34f1825508cf4154195c3b1a9d

Download Submit
C:\Windows\System\dslTVWi.exe

Filesize
5.2MB

MD5
f9beb160c455f2eb09ef728baba5811c

SHA1
a4da597a6da576644e1afbc00113033ff6b516a8

SHA256
7f748e2989539d1659406a5d65ee68a6c813e61c685c9e1072a33057d5ff91d7

SHA512
fce03aa3acedf82d4cd3a85b23b2d6e291b18811e3365e29cd4110b7423db5310655cfb76dc423c88b887959a9ae11c3ed44800cdd7373d2e8ec8470691858e8

Download Submit
C:\Windows\System\duRvEEA.exe

Filesize
5.2MB

MD5
fcca37c472aed9b7028eef98ba101351

SHA1
8d5eec78a210fef87703f6bbbf3ea034486f930c

SHA256
8aebf8b061ef10f34738f712d544ef144ee81d945ddde4fe95ad455710cc67c0

SHA512
e47cde7e5688e75b8d4f77093a0dd232f115d8e350d982221eea979533d828924517c7535909402d37efabe057bff5484bb92d4bd08faea179a3b9193c912b96

Download Submit
C:\Windows\System\dxwHawc.exe

Filesize
5.2MB

MD5
58cf24a7b741bf0ec1ad01f29d026ca8

SHA1
a80c57e6e93e7201b5c1eb6faf9a3a85aaea2f38

SHA256
bd1c0e01765afc27595d349383ae2e65bf833e84abb9c3f8770d981260b649ec

SHA512
bfccd11cf2026a2bf088800fca99dec8d62b337f14d7fb93a3d676739ac6970f0abf60e0ccfee13fddf520c5e90e511a6fb5ed469314be867ad4a421e83c7c4e

Download Submit
C:\Windows\System\eideCxG.exe

Filesize
5.2MB

MD5
fd3975d7862f5b99a9649268ef477922

SHA1
c7c63332703c221fd32b33d04f156f2b04080aea

SHA256
99bb5c83f0bddaf6c83b4120a90ede8e074b6b02e222bd69a3629a8f8b2b5f89

SHA512
4656022de478ce8977f1b937c2bc34858eeb28783ce077e0176afb2332c78436465b0f1663c129f9191ff93ff64c9f0af27a6aedc7eb1c9547b00c1d473a5d42

Download Submit
C:\Windows\System\fBmnZNL.exe

Filesize
5.2MB

MD5
096ddcd434bf034ced34842752ba3721

SHA1
0e64c5368773f88342c4dc4ad9d8cd2f956e4b86

SHA256
5af9218baca9a0f4d6a79e55b951c276286eecf582709ab5d02944785d2c2db4

SHA512
4d88ced49b16df4036a736befa1e958a39643d295250f825a059f7515a4c4045df56179b92f686c7fd00b3be36119c0c28fd2b90c595f4cdc94299ee1c8aec52

Download Submit
C:\Windows\System\hQYWTAi.exe

Filesize
5.2MB

MD5
7d64d7f193284e32616a0fb6c9b0ba03

SHA1
f16a2148710fb12f4440e807673f5b4d316d5a65

SHA256
da7a773f9aa9cc476b1dca9e97979573ec6ee695cb8774be2ec874b9a06d416f

SHA512
c63351dd603211d32a1a9b04d642dacffa34768e5ab62fd5f2067b0280ca08aa5dd118c2811f2c223d7b7a91324aab058afa1987b53afc55b0f75bc488c27036

Download Submit
C:\Windows\System\sXctGhb.exe

Filesize
5.2MB

MD5
39ed9ef3c8c6cc51d28fb69e29839504

SHA1
380a7643a86914ad5ef4045240d5a182b9238e7e

SHA256
e091f777b46ede9e6d6b3253ca10f7ff8574ac893c1d3c42faa589a1ef5809f0

SHA512
ad06957c95da2e6d8d8b4358347a6a6fa20d2804e8850fa66b47e6ad91b28e4929f00079f0f6fe43fc8b664452b78532441cfcfff4fc0e293b1ccae765f1519f

Download Submit
C:\Windows\System\vjxEubP.exe

Filesize
5.2MB

MD5
1d379143296d0fb62d148c3a27a4ff9f

SHA1
9dcba05da9005300bf28dde2b4047f86d499a5ed

SHA256
2d8e71ee7afbb48b529f64ad05a7f3436bb85c438f91adb004dd4ba0604cfc37

SHA512
b839d21fc15d44192d6ce54287e23135ffe49dada57c2d230dfadb0e1ed79527863fd582860992c0375f1be51bde30c935cd415a68f4021e153d8e03b469bc61

Download Submit
memory/60-130-0x00007FF6788B0000-0x00007FF678C01000-memory.dmp

Filesize
3.3MB

Download
memory/60-263-0x00007FF6788B0000-0x00007FF678C01000-memory.dmp

Filesize
3.3MB

Download
memory/404-229-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/404-142-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/404-49-0x00007FF71C860000-0x00007FF71CBB1000-memory.dmp

Filesize
3.3MB

Download
memory/448-246-0x00007FF632EF0000-0x00007FF633241000-memory.dmp

Filesize
3.3MB

Download
memory/448-101-0x00007FF632EF0000-0x00007FF633241000-memory.dmp

Filesize
3.3MB

Download
memory/528-71-0x00007FF678950000-0x00007FF678CA1000-memory.dmp

Filesize
3.3MB

Download
memory/528-19-0x00007FF678950000-0x00007FF678CA1000-memory.dmp

Filesize
3.3MB

Download
memory/528-214-0x00007FF678950000-0x00007FF678CA1000-memory.dmp

Filesize
3.3MB

Download
memory/548-265-0x00007FF6591F0000-0x00007FF659541000-memory.dmp

Filesize
3.3MB

Download
memory/548-131-0x00007FF6591F0000-0x00007FF659541000-memory.dmp

Filesize
3.3MB

Download
memory/728-241-0x00007FF7B7190000-0x00007FF7B74E1000-memory.dmp

Filesize
3.3MB

Download
memory/728-144-0x00007FF7B7190000-0x00007FF7B74E1000-memory.dmp

Filesize
3.3MB

Download
memory/728-62-0x00007FF7B7190000-0x00007FF7B74E1000-memory.dmp

Filesize
3.3MB

Download
memory/876-260-0x00007FF7E9AF0000-0x00007FF7E9E41000-memory.dmp

Filesize
3.3MB

Download
memory/876-129-0x00007FF7E9AF0000-0x00007FF7E9E41000-memory.dmp

Filesize
3.3MB

Download
memory/1160-221-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp

Filesize
3.3MB

Download
memory/1160-40-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp

Filesize
3.3MB

Download
memory/1160-127-0x00007FF7C2930000-0x00007FF7C2C81000-memory.dmp

Filesize
3.3MB

Download
memory/1176-231-0x00007FF746740000-0x00007FF746A91000-memory.dmp

Filesize
3.3MB

Download
memory/1176-54-0x00007FF746740000-0x00007FF746A91000-memory.dmp

Filesize
3.3MB

Download
memory/1176-143-0x00007FF746740000-0x00007FF746A91000-memory.dmp

Filesize
3.3MB

Download
memory/1788-33-0x00007FF7545A0000-0x00007FF7548F1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-218-0x00007FF7545A0000-0x00007FF7548F1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-99-0x00007FF739D60000-0x00007FF73A0B1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-251-0x00007FF739D60000-0x00007FF73A0B1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-257-0x00007FF60DBE0000-0x00007FF60DF31000-memory.dmp

Filesize
3.3MB

Download
memory/2572-152-0x00007FF60DBE0000-0x00007FF60DF31000-memory.dmp

Filesize
3.3MB

Download
memory/2572-100-0x00007FF60DBE0000-0x00007FF60DF31000-memory.dmp

Filesize
3.3MB

Download
memory/2792-222-0x00007FF750140000-0x00007FF750491000-memory.dmp

Filesize
3.3MB

Download
memory/2792-41-0x00007FF750140000-0x00007FF750491000-memory.dmp

Filesize
3.3MB

Download
memory/3628-212-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-7-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-76-0x00007FF7DA0A0000-0x00007FF7DA3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3636-73-0x00007FF723CF0000-0x00007FF724041000-memory.dmp

Filesize
3.3MB

Download
memory/3636-243-0x00007FF723CF0000-0x00007FF724041000-memory.dmp

Filesize
3.3MB

Download
memory/3668-261-0x00007FF7DD150000-0x00007FF7DD4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-132-0x00007FF7DD150000-0x00007FF7DD4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3676-128-0x00007FF75E1D0000-0x00007FF75E521000-memory.dmp

Filesize
3.3MB

Download
memory/3676-255-0x00007FF75E1D0000-0x00007FF75E521000-memory.dmp

Filesize
3.3MB

Download
memory/3696-139-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-224-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-42-0x00007FF71ADA0000-0x00007FF71B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-247-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-97-0x00007FF64DF80000-0x00007FF64E2D1000-memory.dmp

Filesize
3.3MB

Download
memory/4656-249-0x00007FF7D6C30000-0x00007FF7D6F81000-memory.dmp

Filesize
3.3MB

Download
memory/4656-98-0x00007FF7D6C30000-0x00007FF7D6F81000-memory.dmp

Filesize
3.3MB

Download
memory/4672-20-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4672-216-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4672-115-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-0-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-133-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-158-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-1-0x000001F37C510000-0x000001F37C520000-memory.dmp

Filesize
64KB

Download
memory/4716-66-0x00007FF6E1B90000-0x00007FF6E1EE1000-memory.dmp

Filesize
3.3MB

Download