cobaltstrike | 71a347e7d06668540a220cfc058a0f3a16013e8001f50fa649675674f978fd95

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4fb53bf9172786f06fd13971bbbf3e80
SHA1

c7c2a49e473b7f365389e00b7ffefa6c0fc2b66a
SHA256

71a347e7d06668540a220cfc058a0f3a16013e8001f50fa649675674f978fd95
SHA512

2629093fd0a503142e2697754d6cf67383f02a1d1df04abf181e09c3ec2c99dbcd8f2cd3472658f0f5b962e56570f97eaf59885e6a67e8d3ad1889c45c3ea8f7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lR:RWWBibf56utgpPFotBER/mQ32lUt

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023390-6.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233ed-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ee-14.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f1-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f3-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f2-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f7-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f9-82.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fd-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ff-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fe-129.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233eb-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fc-117.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fa-108.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fb-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f8-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f6-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f4-63.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f5-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f0-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ef-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/852-125-0x00007FF622F80000-0x00007FF6232D1000-memory.dmp	xmrig
behavioral2/memory/1684-119-0x00007FF6FDE30000-0x00007FF6FE181000-memory.dmp	xmrig
behavioral2/memory/3580-112-0x00007FF6E0350000-0x00007FF6E06A1000-memory.dmp	xmrig
behavioral2/memory/4060-111-0x00007FF7E93B0000-0x00007FF7E9701000-memory.dmp	xmrig
behavioral2/memory/3472-110-0x00007FF708280000-0x00007FF7085D1000-memory.dmp	xmrig
behavioral2/memory/2072-76-0x00007FF721E00000-0x00007FF722151000-memory.dmp	xmrig
behavioral2/memory/4512-24-0x00007FF665390000-0x00007FF6656E1000-memory.dmp	xmrig
behavioral2/memory/4396-131-0x00007FF623320000-0x00007FF623671000-memory.dmp	xmrig
behavioral2/memory/2628-136-0x00007FF6E8240000-0x00007FF6E8591000-memory.dmp	xmrig
behavioral2/memory/3616-139-0x00007FF67F740000-0x00007FF67FA91000-memory.dmp	xmrig
behavioral2/memory/2072-132-0x00007FF721E00000-0x00007FF722151000-memory.dmp	xmrig
behavioral2/memory/4968-141-0x00007FF783910000-0x00007FF783C61000-memory.dmp	xmrig
behavioral2/memory/4164-144-0x00007FF792100000-0x00007FF792451000-memory.dmp	xmrig
behavioral2/memory/2300-154-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	xmrig
behavioral2/memory/1616-153-0x00007FF77AD80000-0x00007FF77B0D1000-memory.dmp	xmrig
behavioral2/memory/3012-152-0x00007FF6F1580000-0x00007FF6F18D1000-memory.dmp	xmrig
behavioral2/memory/1744-148-0x00007FF789520000-0x00007FF789871000-memory.dmp	xmrig
behavioral2/memory/3444-147-0x00007FF718490000-0x00007FF7187E1000-memory.dmp	xmrig
behavioral2/memory/2040-143-0x00007FF6D3B30000-0x00007FF6D3E81000-memory.dmp	xmrig
behavioral2/memory/4928-142-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp	xmrig
behavioral2/memory/3076-150-0x00007FF7FF840000-0x00007FF7FFB91000-memory.dmp	xmrig
behavioral2/memory/2212-145-0x00007FF738130000-0x00007FF738481000-memory.dmp	xmrig
behavioral2/memory/5096-140-0x00007FF798950000-0x00007FF798CA1000-memory.dmp	xmrig
behavioral2/memory/2072-155-0x00007FF721E00000-0x00007FF722151000-memory.dmp	xmrig
behavioral2/memory/3472-217-0x00007FF708280000-0x00007FF7085D1000-memory.dmp	xmrig
behavioral2/memory/4512-219-0x00007FF665390000-0x00007FF6656E1000-memory.dmp	xmrig
behavioral2/memory/4060-221-0x00007FF7E93B0000-0x00007FF7E9701000-memory.dmp	xmrig
behavioral2/memory/2628-225-0x00007FF6E8240000-0x00007FF6E8591000-memory.dmp	xmrig
behavioral2/memory/4396-224-0x00007FF623320000-0x00007FF623671000-memory.dmp	xmrig
behavioral2/memory/3616-231-0x00007FF67F740000-0x00007FF67FA91000-memory.dmp	xmrig
behavioral2/memory/5096-229-0x00007FF798950000-0x00007FF798CA1000-memory.dmp	xmrig
behavioral2/memory/4968-228-0x00007FF783910000-0x00007FF783C61000-memory.dmp	xmrig
behavioral2/memory/4928-233-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp	xmrig
behavioral2/memory/2040-235-0x00007FF6D3B30000-0x00007FF6D3E81000-memory.dmp	xmrig
behavioral2/memory/4164-242-0x00007FF792100000-0x00007FF792451000-memory.dmp	xmrig
behavioral2/memory/852-254-0x00007FF622F80000-0x00007FF6232D1000-memory.dmp	xmrig
behavioral2/memory/2300-258-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	xmrig
behavioral2/memory/3076-257-0x00007FF7FF840000-0x00007FF7FFB91000-memory.dmp	xmrig
behavioral2/memory/3580-252-0x00007FF6E0350000-0x00007FF6E06A1000-memory.dmp	xmrig
behavioral2/memory/3444-251-0x00007FF718490000-0x00007FF7187E1000-memory.dmp	xmrig
behavioral2/memory/1744-247-0x00007FF789520000-0x00007FF789871000-memory.dmp	xmrig
behavioral2/memory/1684-249-0x00007FF6FDE30000-0x00007FF6FE181000-memory.dmp	xmrig
behavioral2/memory/2212-245-0x00007FF738130000-0x00007FF738481000-memory.dmp	xmrig
behavioral2/memory/1616-262-0x00007FF77AD80000-0x00007FF77B0D1000-memory.dmp	xmrig
behavioral2/memory/3012-261-0x00007FF6F1580000-0x00007FF6F18D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3472	bpkLUbm.exe
4060	gwknmZv.exe
4512	bbOxAsw.exe
4396	tYwJJKV.exe
2628	iaNoKZJ.exe
3616	bybmxOW.exe
5096	IHPGbgT.exe
4968	FSYSiVQ.exe
4928	zBPNlaB.exe
2040	AbkbgYm.exe
4164	GpTFDud.exe
2212	hsDXbFa.exe
3580	oopZNGj.exe
3444	jsfNKID.exe
1744	UKNxUwb.exe
1684	WLTEkyd.exe
3076	uWPkpMJ.exe
852	fYraYxW.exe
3012	CvVWUlY.exe
1616	KnPwLzc.exe
2300	AflWzCM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2072-0-0x00007FF721E00000-0x00007FF722151000-memory.dmp	upx
behavioral2/files/0x0009000000023390-6.dat	upx
behavioral2/files/0x00080000000233ed-11.dat	upx
behavioral2/files/0x00070000000233ee-14.dat	upx
behavioral2/files/0x00070000000233f1-28.dat	upx
behavioral2/memory/4396-29-0x00007FF623320000-0x00007FF623671000-memory.dmp	upx
behavioral2/files/0x00070000000233f3-43.dat	upx
behavioral2/files/0x00070000000233f2-44.dat	upx
behavioral2/files/0x00070000000233f7-70.dat	upx
behavioral2/files/0x00070000000233f9-82.dat	upx
behavioral2/files/0x00070000000233fd-115.dat	upx
behavioral2/files/0x00070000000233ff-122.dat	upx
behavioral2/files/0x00070000000233fe-129.dat	upx
behavioral2/files/0x00080000000233eb-127.dat	upx
behavioral2/memory/3012-126-0x00007FF6F1580000-0x00007FF6F18D1000-memory.dmp	upx
behavioral2/memory/852-125-0x00007FF622F80000-0x00007FF6232D1000-memory.dmp	upx
behavioral2/memory/2300-124-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	upx
behavioral2/memory/1616-121-0x00007FF77AD80000-0x00007FF77B0D1000-memory.dmp	upx
behavioral2/memory/1684-119-0x00007FF6FDE30000-0x00007FF6FE181000-memory.dmp	upx
behavioral2/files/0x00070000000233fc-117.dat	upx
behavioral2/memory/3580-112-0x00007FF6E0350000-0x00007FF6E06A1000-memory.dmp	upx
behavioral2/memory/4060-111-0x00007FF7E93B0000-0x00007FF7E9701000-memory.dmp	upx
behavioral2/memory/3472-110-0x00007FF708280000-0x00007FF7085D1000-memory.dmp	upx
behavioral2/files/0x00070000000233fa-108.dat	upx
behavioral2/files/0x00070000000233fb-102.dat	upx
behavioral2/files/0x00070000000233f8-96.dat	upx
behavioral2/memory/3076-95-0x00007FF7FF840000-0x00007FF7FFB91000-memory.dmp	upx
behavioral2/memory/1744-94-0x00007FF789520000-0x00007FF789871000-memory.dmp	upx
behavioral2/memory/3444-87-0x00007FF718490000-0x00007FF7187E1000-memory.dmp	upx
behavioral2/memory/2212-86-0x00007FF738130000-0x00007FF738481000-memory.dmp	upx
behavioral2/files/0x00070000000233f6-78.dat	upx
behavioral2/memory/2072-76-0x00007FF721E00000-0x00007FF722151000-memory.dmp	upx
behavioral2/memory/4164-73-0x00007FF792100000-0x00007FF792451000-memory.dmp	upx
behavioral2/memory/2040-64-0x00007FF6D3B30000-0x00007FF6D3E81000-memory.dmp	upx
behavioral2/files/0x00070000000233f4-63.dat	upx
behavioral2/files/0x00070000000233f5-66.dat	upx
behavioral2/memory/4928-57-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp	upx
behavioral2/memory/4968-51-0x00007FF783910000-0x00007FF783C61000-memory.dmp	upx
behavioral2/memory/5096-49-0x00007FF798950000-0x00007FF798CA1000-memory.dmp	upx
behavioral2/memory/2628-38-0x00007FF6E8240000-0x00007FF6E8591000-memory.dmp	upx
behavioral2/files/0x00070000000233f0-32.dat	upx
behavioral2/files/0x00070000000233ef-31.dat	upx
behavioral2/memory/3616-30-0x00007FF67F740000-0x00007FF67FA91000-memory.dmp	upx
behavioral2/memory/4512-24-0x00007FF665390000-0x00007FF6656E1000-memory.dmp	upx
behavioral2/memory/4060-19-0x00007FF7E93B0000-0x00007FF7E9701000-memory.dmp	upx
behavioral2/memory/3472-9-0x00007FF708280000-0x00007FF7085D1000-memory.dmp	upx
behavioral2/memory/4396-131-0x00007FF623320000-0x00007FF623671000-memory.dmp	upx
behavioral2/memory/2628-136-0x00007FF6E8240000-0x00007FF6E8591000-memory.dmp	upx
behavioral2/memory/3616-139-0x00007FF67F740000-0x00007FF67FA91000-memory.dmp	upx
behavioral2/memory/2072-132-0x00007FF721E00000-0x00007FF722151000-memory.dmp	upx
behavioral2/memory/4968-141-0x00007FF783910000-0x00007FF783C61000-memory.dmp	upx
behavioral2/memory/4164-144-0x00007FF792100000-0x00007FF792451000-memory.dmp	upx
behavioral2/memory/2300-154-0x00007FF61D440000-0x00007FF61D791000-memory.dmp	upx
behavioral2/memory/1616-153-0x00007FF77AD80000-0x00007FF77B0D1000-memory.dmp	upx
behavioral2/memory/3012-152-0x00007FF6F1580000-0x00007FF6F18D1000-memory.dmp	upx
behavioral2/memory/1744-148-0x00007FF789520000-0x00007FF789871000-memory.dmp	upx
behavioral2/memory/3444-147-0x00007FF718490000-0x00007FF7187E1000-memory.dmp	upx
behavioral2/memory/2040-143-0x00007FF6D3B30000-0x00007FF6D3E81000-memory.dmp	upx
behavioral2/memory/4928-142-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp	upx
behavioral2/memory/3076-150-0x00007FF7FF840000-0x00007FF7FFB91000-memory.dmp	upx
behavioral2/memory/2212-145-0x00007FF738130000-0x00007FF738481000-memory.dmp	upx
behavioral2/memory/5096-140-0x00007FF798950000-0x00007FF798CA1000-memory.dmp	upx
behavioral2/memory/2072-155-0x00007FF721E00000-0x00007FF722151000-memory.dmp	upx
behavioral2/memory/3472-217-0x00007FF708280000-0x00007FF7085D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IHPGbgT.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpTFDud.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsDXbFa.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UKNxUwb.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bybmxOW.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FSYSiVQ.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jsfNKID.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WLTEkyd.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gwknmZv.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AbkbgYm.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oopZNGj.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CvVWUlY.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnPwLzc.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AflWzCM.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bpkLUbm.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bbOxAsw.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iaNoKZJ.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tYwJJKV.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zBPNlaB.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uWPkpMJ.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fYraYxW.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3472	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2072 wrote to memory of 3472	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2072 wrote to memory of 4060	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2072 wrote to memory of 4060	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2072 wrote to memory of 4512	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2072 wrote to memory of 4512	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2072 wrote to memory of 2628	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2072 wrote to memory of 2628	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2072 wrote to memory of 4396	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2072 wrote to memory of 4396	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2072 wrote to memory of 3616	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2072 wrote to memory of 3616	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2072 wrote to memory of 5096	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2072 wrote to memory of 5096	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2072 wrote to memory of 4968	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2072 wrote to memory of 4968	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2072 wrote to memory of 4928	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2072 wrote to memory of 4928	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2072 wrote to memory of 2040	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2072 wrote to memory of 2040	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2072 wrote to memory of 4164	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2072 wrote to memory of 4164	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2072 wrote to memory of 2212	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2072 wrote to memory of 2212	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2072 wrote to memory of 3580	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2072 wrote to memory of 3580	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2072 wrote to memory of 3444	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2072 wrote to memory of 3444	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2072 wrote to memory of 1744	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2072 wrote to memory of 1744	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2072 wrote to memory of 1684	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2072 wrote to memory of 1684	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2072 wrote to memory of 3076	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2072 wrote to memory of 3076	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2072 wrote to memory of 852	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2072 wrote to memory of 852	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2072 wrote to memory of 3012	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2072 wrote to memory of 3012	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2072 wrote to memory of 1616	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2072 wrote to memory of 1616	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2072 wrote to memory of 2300	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2072 wrote to memory of 2300	2072	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System\bpkLUbm.exe
  C:\Windows\System\bpkLUbm.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\gwknmZv.exe
  C:\Windows\System\gwknmZv.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\bbOxAsw.exe
  C:\Windows\System\bbOxAsw.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\iaNoKZJ.exe
  C:\Windows\System\iaNoKZJ.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\tYwJJKV.exe
  C:\Windows\System\tYwJJKV.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\bybmxOW.exe
  C:\Windows\System\bybmxOW.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\IHPGbgT.exe
  C:\Windows\System\IHPGbgT.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\FSYSiVQ.exe
  C:\Windows\System\FSYSiVQ.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\zBPNlaB.exe
  C:\Windows\System\zBPNlaB.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\AbkbgYm.exe
  C:\Windows\System\AbkbgYm.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\GpTFDud.exe
  C:\Windows\System\GpTFDud.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\hsDXbFa.exe
  C:\Windows\System\hsDXbFa.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\oopZNGj.exe
  C:\Windows\System\oopZNGj.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\jsfNKID.exe
  C:\Windows\System\jsfNKID.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\UKNxUwb.exe
  C:\Windows\System\UKNxUwb.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\WLTEkyd.exe
  C:\Windows\System\WLTEkyd.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\uWPkpMJ.exe
  C:\Windows\System\uWPkpMJ.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\fYraYxW.exe
  C:\Windows\System\fYraYxW.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\CvVWUlY.exe
  C:\Windows\System\CvVWUlY.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\KnPwLzc.exe
  C:\Windows\System\KnPwLzc.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\AflWzCM.exe
  C:\Windows\System\AflWzCM.exe
  2⤵
  - Executes dropped EXE
  PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AbkbgYm.exe

Filesize
5.2MB

MD5
995971628da282cc17229e89ba4146dd

SHA1
8723903cec0f9d9bf3b10bef795de3d34fde4a07

SHA256
0d0cd82a0c74ce49a0e32a6b647cd5675c69bdf4d421d1656d60e472b6e56e04

SHA512
7d6172b2fb09afc04374bd44c4d7d116575544611f5ad23b9a3d191ee3e07b81f3a8a7419a18cb43065169212ed18ae8bc48e793412c8b4133d3a660f21d4a49

Download Submit
C:\Windows\System\AflWzCM.exe

Filesize
5.2MB

MD5
f9ffa5817a2084026a3dd25163de781f

SHA1
af5f42cfbc866f2d553fc91f137a11cfb4a5e0bc

SHA256
f46727c3664b882e40e18386e192c01c18fc5a57d9ecae1e1af455b74fe56809

SHA512
234a85ca1e70963091e8f08379d158afd0b585d93d33ecc13fdcf4dd86f1cffb7855b05c1be551015450f145ecd8a544a15906460b1df89ed0bdf40d9060fc4c

Download Submit
C:\Windows\System\CvVWUlY.exe

Filesize
5.2MB

MD5
76d8ede9656dcdcda153df19504d05f6

SHA1
15455c40cd3eadb099e2e5f6b3a7cef146272c21

SHA256
87164ab88c7d0e6b639bd11c689d3ca6f71556701f18723673df0108305cf4b5

SHA512
8065571ce0ec2e80ad94b2b64227eea72aca2866f8d424cbd16f481057ce3f5399690a8241689144c97d71440e4b4d9c688b54e93e65241856d336dbcf2760be

Download Submit
C:\Windows\System\FSYSiVQ.exe

Filesize
5.2MB

MD5
6985faee962ffa9eac39d6c79faf518a

SHA1
213734e365da99e8935fb17d2a92b2dd3fd2972d

SHA256
1a040c51a7f859567435867474f8055396494cfd91593b62f41d3bceffcfec85

SHA512
2c5f05bac43318d32a93a52555f760f63097dde4ab6460c5c7c80937071d12da69f37ff4abea2697324b60711f01848790af4b8f5ac2d76e74ae2d565b9d8b23

Download Submit
C:\Windows\System\GpTFDud.exe

Filesize
5.2MB

MD5
54d9d0c2afaa679f708935ab74d71a60

SHA1
926b7f4b955cd40c381e02e747c130c6bca6cb89

SHA256
98a0391580d6fffe53389e2358d52129a05cfe78509e1b8fb817c474913a4fcf

SHA512
ad20889fd767cc2da7846fef1aed7a5398fe5980b91989a84c6513cf940c239670f1476af57ca9794f7a2b036ecf2a1de281cdb299c70236ec58daabaf1d3030

Download Submit
C:\Windows\System\IHPGbgT.exe

Filesize
5.2MB

MD5
ede24784608eb4672f00dca796305514

SHA1
ebd35130c999047bd9417e017f52126665b9aa8d

SHA256
014bbb3e2d73d42985941937d8e8f2fd561e5adbcb90b20d3e1650a662f9c1a3

SHA512
a53842ced3357a1ee3903816e561f73c497ba194320bd2c858ae3e97244d6fbf38ae0a9165c87cb4b8526c3563c89f373b1b41d76c15f568d850c39371300d70

Download Submit
C:\Windows\System\KnPwLzc.exe

Filesize
5.2MB

MD5
77e0a8d8a0afda833c7807f68808eb0c

SHA1
2c4fd71301c6162cde196806f5b21dcba0678d41

SHA256
269d4c077f23f31d1661e673b8d0d50c4f2c10123896b157c62b50398b80f17c

SHA512
68c25e97b964105d56b404d9b9dfe5c8d98ff06891f44cda78887cae7c77b7edd7d3dd72ebb8370bd873d1ec70c44b865ee6d85ffeca6393e1d593e20a440408

Download Submit
C:\Windows\System\UKNxUwb.exe

Filesize
5.2MB

MD5
309ad780391aed3cd7e01dc7930e8e0f

SHA1
f467a1610295f3a001ce431e722058b855f962de

SHA256
355c85fcbb9ce4adeffbda9f2c33271003e26a10d94762dc3999796d53b9018a

SHA512
e443c407f3c7b69573c8fffc569a71f874564ea9ef0295c06bf26f92335edbd7c73cefc1e7472f841fb6c5055e5e2a0181c1656c2e1fd64b3958b67a43d8a2e1

Download Submit
C:\Windows\System\WLTEkyd.exe

Filesize
5.2MB

MD5
508f47229367babb3c165c11dfaf67be

SHA1
3624748b5237f6e8b2097bd4888a0d9e1456f870

SHA256
dc1eb90c9dcce0986237ca88d3f4b5a06dfb5ecb660b33ac288cf0bfe2e347aa

SHA512
e47d7b48657d6d30fa0bf9cab0a7fded56b56f173e17c91f2df4a3e191aba886cf797f0d3510e98596d7dbfd91852da9494016d5c9415ae1254a29a63e777394

Download Submit
C:\Windows\System\bbOxAsw.exe

Filesize
5.2MB

MD5
d47211d6bfc6c6b43e2814566f1cdcc7

SHA1
3aadaf11c3da85c125e17ceffa3b3cc83e3cbcab

SHA256
705323e5ec46c38605a49a41411036aeefe4cd27d8dc5073a950fe5f0c098fb3

SHA512
c5e7f2901865f19eacfcb190e85158bd4c7e8d2b6db7bc507e700244f2446ca3d21d62144ad152ca77594555c373b48c5612f49e55d039c81be4355db3adf443

Download Submit
C:\Windows\System\bpkLUbm.exe

Filesize
5.2MB

MD5
2334a0d57cf494be8e5091906a016ec9

SHA1
a141869b5cdb06c5af95847616a522e2050a7ee8

SHA256
39c907a379687a33e2519f649c7bb2aabd4dc208905e0d5ee6c7d81b0fc035f1

SHA512
1a195e403eef486e1f14e9dc6280d859dc448439b714244eac33621423b332999469ed5b06286d64fb4131bc3d728ecd9453a19944d3e55b870de549e01e94af

Download Submit
C:\Windows\System\bybmxOW.exe

Filesize
5.2MB

MD5
fba9904e0ea3e5cc50b227b758f6343c

SHA1
d8dd52025ab615f1b9d1ce94d10f3f617c02c40d

SHA256
a4702cdf0a9586f78023e116947ea4186828b820776c8aafd7c4ecb8f7cd09e6

SHA512
1779367dc420f11e510343b0564d1cf1cd93598d2d912bac2b7b02c2c8d6619b39793d3f0f4236e17474cbc27dabf5f1e5e89f264b0a616bfba3b50bb6e4ecac

Download Submit
C:\Windows\System\fYraYxW.exe

Filesize
5.2MB

MD5
4e52843ed795af5d58657b663b29b58e

SHA1
37491bdc899f72caceefbcebccd610144563dc7f

SHA256
a69523c01ce8afc5c04b8cc6f5947cb404f1d18ff4926ab08b57410d92f58da3

SHA512
f85c12a6e4ba206c3510d7b672b37d8dbe1ff1f7951d726c9c8283047b910b2f41cedefbdb2468061e20f471bb1ceaf02321dda25ce9a1ab2c7ad16085b4c09d

Download Submit
C:\Windows\System\gwknmZv.exe

Filesize
5.2MB

MD5
43d160355a612a8951355850abf491bb

SHA1
ceb9249e783968e5bc051de4c273a3ffc0bb1dfe

SHA256
7a4516b4d2ababbbc16addd05a80dbeb740249b6f3de0909878974303a4efeb5

SHA512
25157906654ebee0ddd69a7193e25b85faf096f1c5aa743f0daf44077c678b75159a8a9ba2892dcb8b7b73ae215b5673ffbe2bcc4611ebf6ce6983b2c8e90596

Download Submit
C:\Windows\System\hsDXbFa.exe

Filesize
5.2MB

MD5
b7dfa8d9083132eaef53972d06b97c07

SHA1
a5362b0425583738b815b1f63968d62a045c1d57

SHA256
2fca0274634be81f54d6d67e5938b22ffba16b0beb3bbcbdb2516f8c59bd2e7f

SHA512
d2cab738c81c789b0b0d4b548cfb639c48d18ee366a92639a5a743a5600852967a240f3ad3d4ee3975e1df8388fdbba26c590dfc309ac74ec08a550fcde0ed86

Download Submit
C:\Windows\System\iaNoKZJ.exe

Filesize
5.2MB

MD5
235e184ed22b3cbbf1177a048f91e972

SHA1
9e8f241da2a18a67e6d5757f856a343fb7f6a3cb

SHA256
a138af9c6833e12caded7da5b679c907b197eeb3a325f3524e9457802597c2fe

SHA512
32e234707b2c6e85b79e733c490e12dabbd8c152dd3d0b323859f8caa93d65f89e2e2a705f242688e7dbfb251a0a43e45106102f312d2be18dafc8b3094cc2b3

Download Submit
C:\Windows\System\jsfNKID.exe

Filesize
5.2MB

MD5
e750136ecd22ad812326dbeb9d37bdb6

SHA1
964df49d1413c1e40f6455d0a4e2017a96f313a4

SHA256
abb2a5d75c7539a51ba03b0eab9cf2acff9cf7aaf51c19018958408049b33735

SHA512
7de18333a9c7cd9bb97984a69ad1f5eaef6afbccdab2a36781358b08f0916188f980332aced8ca947973f4e497834c678d76704b6499eb4962b3f8027d4894ed

Download Submit
C:\Windows\System\oopZNGj.exe

Filesize
5.2MB

MD5
58a45be52b76a3d693956334d04b23d7

SHA1
fcad0c86d4e8b844fd8cf6065467c3e2f9088e43

SHA256
fff52a1da0dde3e7eb2061fda159286a71e3e0a19b33878261233d469082e7ee

SHA512
58fa5ff226a7e388928c8400cbf1f52265620a8ca3c84640fe34e5d505e3982ab89087092412d5565f19eabc81442af3ecd2d8defec1fe6a9da928d19fc1bb02

Download Submit
C:\Windows\System\tYwJJKV.exe

Filesize
5.2MB

MD5
543648cf888bbe2a861027e6fdb0b246

SHA1
17ed9854fff70826ed27aaa74229e2726bc6ac6d

SHA256
5b2ed793ab1355216bed162883ca69e8a718b8e951bd822e00b0f6812b231b38

SHA512
7fe8bb7c6ce0e4acfe579ff79490c28c01feda81b1de50ee2fd2b38c145d8354e7f1d4d1fa9fc8274df70c89c3f7a0fed2da8b64fd16d2fd372398420f6c1065

Download Submit
C:\Windows\System\uWPkpMJ.exe

Filesize
5.2MB

MD5
4f23744ae3a7abe5293b962ba4ff5bd6

SHA1
0f9c0072b27e1f654a053b11b1b3eebe0353c1cd

SHA256
a8875df25d4419f8f473d0d546faadd96339b22e99fe7aaf2133a7de46f4ffea

SHA512
29d1a2a7907eb08bb63c617254ea63705a97b3b5ca1cbb5ffd7ce2902e3d48d844bce34199b5296b3ce5e1c33d33ac37601d9c54e9ebaa635ed17000016bc629

Download Submit
C:\Windows\System\zBPNlaB.exe

Filesize
5.2MB

MD5
46a0f795bdb2c9e5bd21dd6321a832e5

SHA1
fbe730de610bf85bfffffb0e4b25be780be323cf

SHA256
a016ea08a74e11a2aa279298cee850e7ae5c607c0e3e06ee37db63df9ee86b70

SHA512
62331ed2cc3254acaaa2f43d31ca7eb706b471d4e532b04fc98e3b1a0d00520929eb4b03badf9610da548f7a41bf4622b2c3e0dd2c6d012d8296450d953ef600

Download Submit
memory/852-125-0x00007FF622F80000-0x00007FF6232D1000-memory.dmp

Filesize
3.3MB

Download
memory/852-254-0x00007FF622F80000-0x00007FF6232D1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-262-0x00007FF77AD80000-0x00007FF77B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-121-0x00007FF77AD80000-0x00007FF77B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-153-0x00007FF77AD80000-0x00007FF77B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-119-0x00007FF6FDE30000-0x00007FF6FE181000-memory.dmp

Filesize
3.3MB

Download
memory/1684-249-0x00007FF6FDE30000-0x00007FF6FE181000-memory.dmp

Filesize
3.3MB

Download
memory/1744-148-0x00007FF789520000-0x00007FF789871000-memory.dmp

Filesize
3.3MB

Download
memory/1744-94-0x00007FF789520000-0x00007FF789871000-memory.dmp

Filesize
3.3MB

Download
memory/1744-247-0x00007FF789520000-0x00007FF789871000-memory.dmp

Filesize
3.3MB

Download
memory/2040-235-0x00007FF6D3B30000-0x00007FF6D3E81000-memory.dmp

Filesize
3.3MB

Download
memory/2040-143-0x00007FF6D3B30000-0x00007FF6D3E81000-memory.dmp

Filesize
3.3MB

Download
memory/2040-64-0x00007FF6D3B30000-0x00007FF6D3E81000-memory.dmp

Filesize
3.3MB

Download
memory/2072-0-0x00007FF721E00000-0x00007FF722151000-memory.dmp

Filesize
3.3MB

Download
memory/2072-155-0x00007FF721E00000-0x00007FF722151000-memory.dmp

Filesize
3.3MB

Download
memory/2072-76-0x00007FF721E00000-0x00007FF722151000-memory.dmp

Filesize
3.3MB

Download
memory/2072-132-0x00007FF721E00000-0x00007FF722151000-memory.dmp

Filesize
3.3MB

Download
memory/2072-1-0x000002568F080000-0x000002568F090000-memory.dmp

Filesize
64KB

Download
memory/2212-245-0x00007FF738130000-0x00007FF738481000-memory.dmp

Filesize
3.3MB

Download
memory/2212-145-0x00007FF738130000-0x00007FF738481000-memory.dmp

Filesize
3.3MB

Download
memory/2212-86-0x00007FF738130000-0x00007FF738481000-memory.dmp

Filesize
3.3MB

Download
memory/2300-124-0x00007FF61D440000-0x00007FF61D791000-memory.dmp

Filesize
3.3MB

Download
memory/2300-154-0x00007FF61D440000-0x00007FF61D791000-memory.dmp

Filesize
3.3MB

Download
memory/2300-258-0x00007FF61D440000-0x00007FF61D791000-memory.dmp

Filesize
3.3MB

Download
memory/2628-38-0x00007FF6E8240000-0x00007FF6E8591000-memory.dmp

Filesize
3.3MB

Download
memory/2628-225-0x00007FF6E8240000-0x00007FF6E8591000-memory.dmp

Filesize
3.3MB

Download
memory/2628-136-0x00007FF6E8240000-0x00007FF6E8591000-memory.dmp

Filesize
3.3MB

Download
memory/3012-126-0x00007FF6F1580000-0x00007FF6F18D1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-152-0x00007FF6F1580000-0x00007FF6F18D1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-261-0x00007FF6F1580000-0x00007FF6F18D1000-memory.dmp

Filesize
3.3MB

Download
memory/3076-150-0x00007FF7FF840000-0x00007FF7FFB91000-memory.dmp

Filesize
3.3MB

Download
memory/3076-95-0x00007FF7FF840000-0x00007FF7FFB91000-memory.dmp

Filesize
3.3MB

Download
memory/3076-257-0x00007FF7FF840000-0x00007FF7FFB91000-memory.dmp

Filesize
3.3MB

Download
memory/3444-87-0x00007FF718490000-0x00007FF7187E1000-memory.dmp

Filesize
3.3MB

Download
memory/3444-147-0x00007FF718490000-0x00007FF7187E1000-memory.dmp

Filesize
3.3MB

Download
memory/3444-251-0x00007FF718490000-0x00007FF7187E1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-217-0x00007FF708280000-0x00007FF7085D1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-9-0x00007FF708280000-0x00007FF7085D1000-memory.dmp

Filesize
3.3MB

Download
memory/3472-110-0x00007FF708280000-0x00007FF7085D1000-memory.dmp

Filesize
3.3MB

Download
memory/3580-112-0x00007FF6E0350000-0x00007FF6E06A1000-memory.dmp

Filesize
3.3MB

Download
memory/3580-252-0x00007FF6E0350000-0x00007FF6E06A1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-231-0x00007FF67F740000-0x00007FF67FA91000-memory.dmp

Filesize
3.3MB

Download
memory/3616-139-0x00007FF67F740000-0x00007FF67FA91000-memory.dmp

Filesize
3.3MB

Download
memory/3616-30-0x00007FF67F740000-0x00007FF67FA91000-memory.dmp

Filesize
3.3MB

Download
memory/4060-111-0x00007FF7E93B0000-0x00007FF7E9701000-memory.dmp

Filesize
3.3MB

Download
memory/4060-19-0x00007FF7E93B0000-0x00007FF7E9701000-memory.dmp

Filesize
3.3MB

Download
memory/4060-221-0x00007FF7E93B0000-0x00007FF7E9701000-memory.dmp

Filesize
3.3MB

Download
memory/4164-144-0x00007FF792100000-0x00007FF792451000-memory.dmp

Filesize
3.3MB

Download
memory/4164-242-0x00007FF792100000-0x00007FF792451000-memory.dmp

Filesize
3.3MB

Download
memory/4164-73-0x00007FF792100000-0x00007FF792451000-memory.dmp

Filesize
3.3MB

Download
memory/4396-131-0x00007FF623320000-0x00007FF623671000-memory.dmp

Filesize
3.3MB

Download
memory/4396-29-0x00007FF623320000-0x00007FF623671000-memory.dmp

Filesize
3.3MB

Download
memory/4396-224-0x00007FF623320000-0x00007FF623671000-memory.dmp

Filesize
3.3MB

Download
memory/4512-219-0x00007FF665390000-0x00007FF6656E1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-24-0x00007FF665390000-0x00007FF6656E1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-142-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp

Filesize
3.3MB

Download
memory/4928-57-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp

Filesize
3.3MB

Download
memory/4928-233-0x00007FF7BC6E0000-0x00007FF7BCA31000-memory.dmp

Filesize
3.3MB

Download
memory/4968-51-0x00007FF783910000-0x00007FF783C61000-memory.dmp

Filesize
3.3MB

Download
memory/4968-228-0x00007FF783910000-0x00007FF783C61000-memory.dmp

Filesize
3.3MB

Download
memory/4968-141-0x00007FF783910000-0x00007FF783C61000-memory.dmp

Filesize
3.3MB

Download
memory/5096-229-0x00007FF798950000-0x00007FF798CA1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-49-0x00007FF798950000-0x00007FF798CA1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-140-0x00007FF798950000-0x00007FF798CA1000-memory.dmp

Filesize
3.3MB

Download