cobaltstrike | 9fecec887d72cc60993e002b5e39b57a72e3de75adcdcfbb74525d732cd31742

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f95478a31d097bd48b9124f49a728697
SHA1

49d47bd330851a4c66b2d5f40eac83703cdb5650
SHA256

9fecec887d72cc60993e002b5e39b57a72e3de75adcdcfbb74525d732cd31742
SHA512

dbe883ac01240e8d1e471d437f5c17524e99002a854df305a75f4422fc2ce1d4bf338c59797371f3421be8b0a53dbd4ae200b92f470622bc9dc2848f532d3ea6
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUS

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234d9-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-14.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-25.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234df-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-43.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234da-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-63.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-19.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4388-40-0x00007FF737FF0000-0x00007FF738341000-memory.dmp	xmrig
behavioral2/memory/4300-82-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp	xmrig
behavioral2/memory/4244-88-0x00007FF74DED0000-0x00007FF74E221000-memory.dmp	xmrig
behavioral2/memory/1284-87-0x00007FF726AB0000-0x00007FF726E01000-memory.dmp	xmrig
behavioral2/memory/1504-78-0x00007FF7DDC70000-0x00007FF7DDFC1000-memory.dmp	xmrig
behavioral2/memory/3424-71-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp	xmrig
behavioral2/memory/2636-68-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp	xmrig
behavioral2/memory/1716-42-0x00007FF674920000-0x00007FF674C71000-memory.dmp	xmrig
behavioral2/memory/4388-92-0x00007FF737FF0000-0x00007FF738341000-memory.dmp	xmrig
behavioral2/memory/4064-99-0x00007FF7147F0000-0x00007FF714B41000-memory.dmp	xmrig
behavioral2/memory/3684-98-0x00007FF672A60000-0x00007FF672DB1000-memory.dmp	xmrig
behavioral2/memory/2296-111-0x00007FF65C590000-0x00007FF65C8E1000-memory.dmp	xmrig
behavioral2/memory/1008-112-0x00007FF6DC180000-0x00007FF6DC4D1000-memory.dmp	xmrig
behavioral2/memory/728-116-0x00007FF6719E0000-0x00007FF671D31000-memory.dmp	xmrig
behavioral2/memory/2308-114-0x00007FF6C0290000-0x00007FF6C05E1000-memory.dmp	xmrig
behavioral2/memory/2788-130-0x00007FF620000000-0x00007FF620351000-memory.dmp	xmrig
behavioral2/memory/2636-138-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp	xmrig
behavioral2/memory/4524-137-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp	xmrig
behavioral2/memory/4340-143-0x00007FF7D9490000-0x00007FF7D97E1000-memory.dmp	xmrig
behavioral2/memory/2812-147-0x00007FF6EF5C0000-0x00007FF6EF911000-memory.dmp	xmrig
behavioral2/memory/648-154-0x00007FF7FFAF0000-0x00007FF7FFE41000-memory.dmp	xmrig
behavioral2/memory/4300-156-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp	xmrig
behavioral2/memory/4972-157-0x00007FF6BFB50000-0x00007FF6BFEA1000-memory.dmp	xmrig
behavioral2/memory/2968-161-0x00007FF7FDD80000-0x00007FF7FE0D1000-memory.dmp	xmrig
behavioral2/memory/4524-163-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp	xmrig
behavioral2/memory/3304-162-0x00007FF663A90000-0x00007FF663DE1000-memory.dmp	xmrig
behavioral2/memory/2636-165-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp	xmrig
behavioral2/memory/3424-213-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp	xmrig
behavioral2/memory/1504-224-0x00007FF7DDC70000-0x00007FF7DDFC1000-memory.dmp	xmrig
behavioral2/memory/1284-226-0x00007FF726AB0000-0x00007FF726E01000-memory.dmp	xmrig
behavioral2/memory/4244-228-0x00007FF74DED0000-0x00007FF74E221000-memory.dmp	xmrig
behavioral2/memory/4388-230-0x00007FF737FF0000-0x00007FF738341000-memory.dmp	xmrig
behavioral2/memory/1716-232-0x00007FF674920000-0x00007FF674C71000-memory.dmp	xmrig
behavioral2/memory/3684-234-0x00007FF672A60000-0x00007FF672DB1000-memory.dmp	xmrig
behavioral2/memory/2296-236-0x00007FF65C590000-0x00007FF65C8E1000-memory.dmp	xmrig
behavioral2/memory/728-242-0x00007FF6719E0000-0x00007FF671D31000-memory.dmp	xmrig
behavioral2/memory/1008-244-0x00007FF6DC180000-0x00007FF6DC4D1000-memory.dmp	xmrig
behavioral2/memory/4340-246-0x00007FF7D9490000-0x00007FF7D97E1000-memory.dmp	xmrig
behavioral2/memory/2788-248-0x00007FF620000000-0x00007FF620351000-memory.dmp	xmrig
behavioral2/memory/4300-251-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp	xmrig
behavioral2/memory/648-252-0x00007FF7FFAF0000-0x00007FF7FFE41000-memory.dmp	xmrig
behavioral2/memory/4064-255-0x00007FF7147F0000-0x00007FF714B41000-memory.dmp	xmrig
behavioral2/memory/4972-259-0x00007FF6BFB50000-0x00007FF6BFEA1000-memory.dmp	xmrig
behavioral2/memory/2308-261-0x00007FF6C0290000-0x00007FF6C05E1000-memory.dmp	xmrig
behavioral2/memory/2968-263-0x00007FF7FDD80000-0x00007FF7FE0D1000-memory.dmp	xmrig
behavioral2/memory/3304-268-0x00007FF663A90000-0x00007FF663DE1000-memory.dmp	xmrig
behavioral2/memory/2812-270-0x00007FF6EF5C0000-0x00007FF6EF911000-memory.dmp	xmrig
behavioral2/memory/4524-273-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3424	hxdBTaw.exe
1504	JHURWIZ.exe
1284	pCaBFuj.exe
4244	VKRiwul.exe
4388	uUAyKvW.exe
1716	GFXbtQk.exe
3684	uHeEUhG.exe
2296	tqWAXzc.exe
728	ZVxfzgH.exe
1008	gDtquYn.exe
2788	XTlBafM.exe
4340	mxOAAXN.exe
4300	hJdqlAL.exe
648	gPNnofT.exe
4064	kdQOwGv.exe
4972	UoUHkMo.exe
2308	HzXjbDf.exe
2968	OCvdzGx.exe
3304	XJmcoqk.exe
4524	YqFfkrR.exe
2812	krptBpq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2636-0-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp	upx
behavioral2/files/0x00080000000234d9-6.dat	upx
behavioral2/memory/3424-7-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp	upx
behavioral2/memory/1504-12-0x00007FF7DDC70000-0x00007FF7DDFC1000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-14.dat	upx
behavioral2/memory/1284-18-0x00007FF726AB0000-0x00007FF726E01000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-25.dat	upx
behavioral2/files/0x00070000000234df-27.dat	upx
behavioral2/files/0x00070000000234e1-33.dat	upx
behavioral2/memory/4388-40-0x00007FF737FF0000-0x00007FF738341000-memory.dmp	upx
behavioral2/memory/3684-41-0x00007FF672A60000-0x00007FF672DB1000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-43.dat	upx
behavioral2/memory/2296-48-0x00007FF65C590000-0x00007FF65C8E1000-memory.dmp	upx
behavioral2/files/0x00080000000234da-55.dat	upx
behavioral2/files/0x00070000000234e5-63.dat	upx
behavioral2/files/0x00070000000234e4-64.dat	upx
behavioral2/files/0x00070000000234e6-69.dat	upx
behavioral2/memory/4300-82-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-86.dat	upx
behavioral2/memory/648-91-0x00007FF7FFAF0000-0x00007FF7FFE41000-memory.dmp	upx
behavioral2/memory/4244-88-0x00007FF74DED0000-0x00007FF74E221000-memory.dmp	upx
behavioral2/memory/1284-87-0x00007FF726AB0000-0x00007FF726E01000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-81.dat	upx
behavioral2/memory/1504-78-0x00007FF7DDC70000-0x00007FF7DDFC1000-memory.dmp	upx
behavioral2/memory/4340-74-0x00007FF7D9490000-0x00007FF7D97E1000-memory.dmp	upx
behavioral2/memory/3424-71-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp	upx
behavioral2/memory/2788-70-0x00007FF620000000-0x00007FF620351000-memory.dmp	upx
behavioral2/memory/2636-68-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp	upx
behavioral2/memory/1008-60-0x00007FF6DC180000-0x00007FF6DC4D1000-memory.dmp	upx
behavioral2/memory/728-57-0x00007FF6719E0000-0x00007FF671D31000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-51.dat	upx
behavioral2/memory/1716-42-0x00007FF674920000-0x00007FF674C71000-memory.dmp	upx
behavioral2/memory/4244-29-0x00007FF74DED0000-0x00007FF74E221000-memory.dmp	upx
behavioral2/files/0x00070000000234de-19.dat	upx
behavioral2/memory/4388-92-0x00007FF737FF0000-0x00007FF738341000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-96.dat	upx
behavioral2/files/0x00070000000234ea-102.dat	upx
behavioral2/memory/4064-99-0x00007FF7147F0000-0x00007FF714B41000-memory.dmp	upx
behavioral2/memory/3684-98-0x00007FF672A60000-0x00007FF672DB1000-memory.dmp	upx
behavioral2/memory/4972-103-0x00007FF6BFB50000-0x00007FF6BFEA1000-memory.dmp	upx
behavioral2/files/0x00070000000234eb-107.dat	upx
behavioral2/memory/2296-111-0x00007FF65C590000-0x00007FF65C8E1000-memory.dmp	upx
behavioral2/memory/1008-112-0x00007FF6DC180000-0x00007FF6DC4D1000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-115.dat	upx
behavioral2/memory/728-116-0x00007FF6719E0000-0x00007FF671D31000-memory.dmp	upx
behavioral2/memory/2308-114-0x00007FF6C0290000-0x00007FF6C05E1000-memory.dmp	upx
behavioral2/memory/2968-120-0x00007FF7FDD80000-0x00007FF7FE0D1000-memory.dmp	upx
behavioral2/files/0x00070000000234ee-123.dat	upx
behavioral2/files/0x00070000000234ef-129.dat	upx
behavioral2/memory/2788-130-0x00007FF620000000-0x00007FF620351000-memory.dmp	upx
behavioral2/files/0x00070000000234f0-133.dat	upx
behavioral2/memory/3304-124-0x00007FF663A90000-0x00007FF663DE1000-memory.dmp	upx
behavioral2/memory/2636-138-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp	upx
behavioral2/memory/4524-137-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp	upx
behavioral2/memory/4340-143-0x00007FF7D9490000-0x00007FF7D97E1000-memory.dmp	upx
behavioral2/memory/2812-147-0x00007FF6EF5C0000-0x00007FF6EF911000-memory.dmp	upx
behavioral2/memory/648-154-0x00007FF7FFAF0000-0x00007FF7FFE41000-memory.dmp	upx
behavioral2/memory/4300-156-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp	upx
behavioral2/memory/4972-157-0x00007FF6BFB50000-0x00007FF6BFEA1000-memory.dmp	upx
behavioral2/memory/2968-161-0x00007FF7FDD80000-0x00007FF7FE0D1000-memory.dmp	upx
behavioral2/memory/4524-163-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp	upx
behavioral2/memory/3304-162-0x00007FF663A90000-0x00007FF663DE1000-memory.dmp	upx
behavioral2/memory/2636-165-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp	upx
behavioral2/memory/3424-213-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pCaBFuj.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tqWAXzc.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVxfzgH.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JHURWIZ.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gDtquYn.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\krptBpq.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hxdBTaw.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uUAyKvW.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uHeEUhG.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTlBafM.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gPNnofT.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kdQOwGv.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UoUHkMo.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HzXjbDf.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VKRiwul.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFXbtQk.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mxOAAXN.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hJdqlAL.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OCvdzGx.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJmcoqk.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YqFfkrR.exe	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 3424	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2636 wrote to memory of 3424	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2636 wrote to memory of 1504	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2636 wrote to memory of 1504	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2636 wrote to memory of 1284	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2636 wrote to memory of 1284	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2636 wrote to memory of 4244	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2636 wrote to memory of 4244	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2636 wrote to memory of 4388	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2636 wrote to memory of 4388	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2636 wrote to memory of 1716	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2636 wrote to memory of 1716	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2636 wrote to memory of 3684	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2636 wrote to memory of 3684	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2636 wrote to memory of 2296	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2636 wrote to memory of 2296	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2636 wrote to memory of 728	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2636 wrote to memory of 728	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2636 wrote to memory of 1008	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2636 wrote to memory of 1008	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2636 wrote to memory of 2788	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2636 wrote to memory of 2788	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2636 wrote to memory of 4340	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2636 wrote to memory of 4340	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2636 wrote to memory of 4300	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2636 wrote to memory of 4300	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2636 wrote to memory of 648	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2636 wrote to memory of 648	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2636 wrote to memory of 4064	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2636 wrote to memory of 4064	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2636 wrote to memory of 4972	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2636 wrote to memory of 4972	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2636 wrote to memory of 2308	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2636 wrote to memory of 2308	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2636 wrote to memory of 2968	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2636 wrote to memory of 2968	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2636 wrote to memory of 3304	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2636 wrote to memory of 3304	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2636 wrote to memory of 4524	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2636 wrote to memory of 4524	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2636 wrote to memory of 2812	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2636 wrote to memory of 2812	2636	2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_f95478a31d097bd48b9124f49a728697_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\System\hxdBTaw.exe
  C:\Windows\System\hxdBTaw.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\JHURWIZ.exe
  C:\Windows\System\JHURWIZ.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\pCaBFuj.exe
  C:\Windows\System\pCaBFuj.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\VKRiwul.exe
  C:\Windows\System\VKRiwul.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\uUAyKvW.exe
  C:\Windows\System\uUAyKvW.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\GFXbtQk.exe
  C:\Windows\System\GFXbtQk.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\uHeEUhG.exe
  C:\Windows\System\uHeEUhG.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\tqWAXzc.exe
  C:\Windows\System\tqWAXzc.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\ZVxfzgH.exe
  C:\Windows\System\ZVxfzgH.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\gDtquYn.exe
  C:\Windows\System\gDtquYn.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\XTlBafM.exe
  C:\Windows\System\XTlBafM.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\mxOAAXN.exe
  C:\Windows\System\mxOAAXN.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\hJdqlAL.exe
  C:\Windows\System\hJdqlAL.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\gPNnofT.exe
  C:\Windows\System\gPNnofT.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\kdQOwGv.exe
  C:\Windows\System\kdQOwGv.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\UoUHkMo.exe
  C:\Windows\System\UoUHkMo.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\HzXjbDf.exe
  C:\Windows\System\HzXjbDf.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\OCvdzGx.exe
  C:\Windows\System\OCvdzGx.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\XJmcoqk.exe
  C:\Windows\System\XJmcoqk.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\YqFfkrR.exe
  C:\Windows\System\YqFfkrR.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\krptBpq.exe
  C:\Windows\System\krptBpq.exe
  2⤵
  - Executes dropped EXE
  PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GFXbtQk.exe

Filesize
5.2MB

MD5
3c5253b55863cffb4d91c48d5662ffa1

SHA1
c4d651f5c695fa7a6084a976f3a6af41384a9064

SHA256
daa20a5c832510d51d4587092b4f5bd84be09b9b29163139c38f62b9a418b3b3

SHA512
2281cd79d784a54727ed02c677e3d88fd89369cb0fad07e9f236aa3315fbfaff51d568ec1a84f145d50e4503ecb8dbcdbe307ccb01bacda97cc6e9db82389ec4

Download Submit
C:\Windows\System\HzXjbDf.exe

Filesize
5.2MB

MD5
ae14ea3c413e93637efc61584a0459ad

SHA1
70a1683d49ffcade71c1c072959581df1ea22d03

SHA256
9468b02c86b232b100ba3d5b2549c6eccb00adfe762777ee512bea2e1d09d893

SHA512
4797d77de4a96067f1ae69343be453bb0232cefedd76a771c954bfda2bc1c0401282e958d5543bbcacbdb9f81a141300572b51ec877ea7658f367f8f642c3ef5

Download Submit
C:\Windows\System\JHURWIZ.exe

Filesize
5.2MB

MD5
c822d463138a4885743ccf5796c8278b

SHA1
ad1524e02b150cb53df9bb7ae8694dfb1a0829ed

SHA256
c5758ee184871fd73724087cc3cf506353f8a1409facc1654e99e71af65f41b2

SHA512
6f47e927da22e0bceba05ee4e9b7d8553101fb72369a0ad8fbfa31c556a3eb153dc835dd0585bfb198c357890d1a7c074fa5fce633e345d2ae34cbbc2db9daab

Download Submit
C:\Windows\System\OCvdzGx.exe

Filesize
5.2MB

MD5
a9b4f77b57047a90963471b32f2e8dd5

SHA1
80b074ac339c0b00646d3c2efa38473b28181536

SHA256
11d144ba69bfe1d37320730d2aad286577292c441e1d0724ad3e2c076cd8422d

SHA512
617b00e7d91ba8d1817497e9a46af980a1572752cea673c550ebe5e906c76f563498d7ea5a0fb3d407246cf1729ce2b73bee3d63d13e60b25c0f373c248d4761

Download Submit
C:\Windows\System\UoUHkMo.exe

Filesize
5.2MB

MD5
0c9d49ca1a53d5da1bf7cb1e231e4600

SHA1
1866cea12994bb9423010a148f7408c0718f36c2

SHA256
3515d3a5024dbe0b296b3bde3c685dae60727a5904e1927b93a0536d5f6c6489

SHA512
17d16364e6ec428f4b6857ffa1e2c6a36adc2e95f7c665f663e505d9d6f6ab49a2cd9e902e5548072c546c21f5e5aaf41d34720d5b132ae0e6938175cef941a4

Download Submit
C:\Windows\System\VKRiwul.exe

Filesize
5.2MB

MD5
195aa1211c8a256cf9ba1a760c74e0a4

SHA1
1ab0ff3d76737a959a9417debf49b509ac9dd74f

SHA256
0254ef546446d071246c551cab403405e72d4d66eff5acd912fae1d1188bdcc8

SHA512
a3856b23161dd87df5602115e00e6d2c41d705e3faad0058fffe9ae720ff64f8d3698a2709a5fcd37816e0ece4aecdff15c26e791e870d1b4f5e1f1975e03b3f

Download Submit
C:\Windows\System\XJmcoqk.exe

Filesize
5.2MB

MD5
5b616bf9e88323cbac1584f12c0af69a

SHA1
26e9f788c9f57a72a7210ff9dec15c581a83ed49

SHA256
5879a731ee698822ba12587fc98d677334bbb3ee517ba7775a34751fc41290dc

SHA512
949facc8bf7bb9e8284d5adfc84b309dde2eba47106427f9f019591456f0eb7bdc67cf2c2ffe68855744e821f8187acfb0be65d748fd846bc36bae2f7bf68f51

Download Submit
C:\Windows\System\XTlBafM.exe

Filesize
5.2MB

MD5
5d8c0d06368ec5bce540e0f47618b00d

SHA1
04fe25eaf4d713214737f95f38538cfb400e7a70

SHA256
26e0a65a87de89826875fa2ee0edea23559c05fd6c57e320c00bdb31b9afeee8

SHA512
de90c1babbd51a246fbdb30b4003370b7a607d8ff9d4ce7e7c3fddc64258f63ae9da42d6a1897488641105139dc5ff8ab98e4b6f4d87d379d6066e750c839dc0

Download Submit
C:\Windows\System\YqFfkrR.exe

Filesize
5.2MB

MD5
24c1cdb98d0d5bc530e9eef857e1f8e9

SHA1
49b9c30fc92a46f8f4c49507a8618699011e3a72

SHA256
26452c6a9dff6ad3ce1f1f2486a39ef3a91ca2c71badd012eb227e8fe2f57da4

SHA512
512e2fa13d5978eabb4b48c0fb065d926797f422c4aa8726804240c88f3456900929b51814ff3a0e2fd75fee3cf67ebabdadf0659e99f751e6b42b50a046dd75

Download Submit
C:\Windows\System\ZVxfzgH.exe

Filesize
5.2MB

MD5
ca68a2b1ecab849e24bb0cd00628574c

SHA1
a5d84a2e85978815848c5e1dbcc8b82121e69cd5

SHA256
19e8a442fe5c50645d63f515e09946cf78e23436623257b2a30cd31e7328d94a

SHA512
0760577149cded90d6fd178da5a40b311cce8149462fad988ec0d7e1990fdcae636c48d87e3b4cff29b4c9500ecc425f54bcdb4901058b80a998376a49728afb

Download Submit
C:\Windows\System\gDtquYn.exe

Filesize
5.2MB

MD5
d046312f01d55ec194da7cf32305616d

SHA1
0055dd9ca32228161208f4d8b3fe2f36fa7fff69

SHA256
9938b40148b09d59f7387dacfd4074b8139908ac1e72b0c5d1ff22abb42ca36b

SHA512
ee5567fd41215012b0b74f569aa94d05a1fba3b2cda66b8bedb4d4aeee05857eb8c257cdf465f20d84ca63bd37d2c4344aa1a967e32d61bcc84e03c3973b5a75

Download Submit
C:\Windows\System\gPNnofT.exe

Filesize
5.2MB

MD5
40e824d2d127257140817e66d6d33192

SHA1
80a7a53f391906f0b3703d7408a8899c8a25970a

SHA256
f430c49e8f6ac868d2b6e99537ea3dc7d7f864bc30c9473ba05cd7e841aa25ca

SHA512
3ffc7b07e3b0c123c1b0101043b8bda6685656bc2f454551ab303cc9cacbd3a2a246f0450d8d23da1edcddd36fb931517fa7b6f0a64d663eb49d2e9694915163

Download Submit
C:\Windows\System\hJdqlAL.exe

Filesize
5.2MB

MD5
7f2abf02ccdb263f00ed32688e188638

SHA1
254b1a28ea9b1adf3dba21c1d525444e39624406

SHA256
3ac5e7fadca4a81a4ae28fa0ddc11d544747dd175f7719b35d75ef0341b9a0ae

SHA512
9e72890a1e05d73ef6e7e5aa52c366d427dfa85f09f0bf0b5cb33ece342cd3e5f96dbfcbc5817ccfbcd1666a05221249c065198449a2a971e64004fc2003b738

Download Submit
C:\Windows\System\hxdBTaw.exe

Filesize
5.2MB

MD5
dd138feec2a7f70a85f33d9095621d3a

SHA1
1a9595e6d6540ace2b019c80ba7a3b32c6150239

SHA256
7988fb5b5372fe6eb663274feeebc90d40f0e4dea5457e07ade7ddc4f7d2d13f

SHA512
8929220a3f7edfe7552f14a75be121a98de0e01e5803ff09034c2f50d1c82b3f05d75ddc85b64f7a14f16b53996ffe35b948c8b9b3f3ecf5bbf6051f2d24416a

Download Submit
C:\Windows\System\kdQOwGv.exe

Filesize
5.2MB

MD5
4d292d1a1e31e34019bb640de18fd23b

SHA1
ba35e955dc260ea4edaa554d317bfbf6e05ea449

SHA256
a8af7b0526a0f0d28fcb2a0adc516b64da9388c0f7dba453e2580e17cda15274

SHA512
3b0112d89b841a535500b2454f8f0e3b6f2c8e677706b4e8d3dfdc11f9b9b05877c4761364554e7679f87bd528cd0ddfb673c45448d10004c71e05256fda358d

Download Submit
C:\Windows\System\krptBpq.exe

Filesize
5.2MB

MD5
8ae69ad1cfbf0b59ac1d7a156f1c672a

SHA1
93d8b280606c6a8590266ea1516dcd9a763b83ae

SHA256
7ee3a76c2e69708f61c591c9f0024eec4457a235e9c522f0b0b588ea9d5d0e8c

SHA512
7e95c1d9a60c872dd045cc521ded1e0864f23fb300138edd9e5b3602ca12d203c90f32ca60caedd31e1872a886ca34bc6270b5e35657f8eaad8387d67daa1971

Download Submit
C:\Windows\System\mxOAAXN.exe

Filesize
5.2MB

MD5
131683942bad5adb69b3448ed854e842

SHA1
2643ff93c6104885507fc2be1f4abf21b2283493

SHA256
d374a1fae699f7862d3d074bd4ebbc092f3c1c2a83dfcf809c0bb64c4b7fa016

SHA512
ef22559e3d3b4312c05dc133f738b46080dd8ff1a227ce53199bb08d47386954991584997f8234bed9c400c93c5056cb1fb0f082f7390db28aacc1626006e6bd

Download Submit
C:\Windows\System\pCaBFuj.exe

Filesize
5.2MB

MD5
94afa56848da0f2b0f4f6fb5c272e2d0

SHA1
78b209b30d33e3c30cb21c15dc9f2ff8b4d43aef

SHA256
c0409e3abb992bfb5a5ead2abfbd134a0657212dc3757fdcf32c761142e3521c

SHA512
c6e4615b92385aa19045ebd6af9ef8130ab1281d5c822027f6677b5f656dbbda1ff5fd20bb69f9332c5c7f7e895ce33b9513fcbbfde1ee3ce83627a1abff3083

Download Submit
C:\Windows\System\tqWAXzc.exe

Filesize
5.2MB

MD5
6fa3698acc05f04aa6677889fac9baa5

SHA1
a490416c48b922005160b7acb9b4e8f4a0d44f35

SHA256
1a514595fadcb52434fd83892ddbe972accf97a274c758ed4d826897117a1374

SHA512
dc2e7122897e99b556dd16bc12014b4d7e29b266747d21b1893d2e27d7918e2eb210ea9792176e5f58486e97e167adfa29fa4a233482a231f5d2b5e4ed11b75c

Download Submit
C:\Windows\System\uHeEUhG.exe

Filesize
5.2MB

MD5
e41c25ee98b89e559dafd837e71ce897

SHA1
54a758b96bb540e25be4f67449ea6974cda82bca

SHA256
beaed99a362091ca49ac95933fdba101cb61df7cfb5bd2c311cb280327798dd6

SHA512
a2afe05f7a72be571b04154e6bed7f362ff648c8a4b27c39c0f31afeac1b005ac18e6de7aea1b00fcd28139938363126e5c7eed6fd8c63248b2c531b4ae0120c

Download Submit
C:\Windows\System\uUAyKvW.exe

Filesize
5.2MB

MD5
b6cd162b168fda1289425ac35010b9e2

SHA1
3b70bcbb0b79262e161f63a53c214f50561e6df7

SHA256
7ae91d5085002bfa851e104c67fac7d5b4f7892d2c35275d8b9ca238b621f5ea

SHA512
a0e8f19ad4a88366f53da2eb4a434e44e8fd2db3d2dbb2e9edcb761536f07a881f51f6b6301cbdd276d62d371edf2e964ce8b8bd816ec1470b192b7ebe3f25b1

Download Submit
memory/648-252-0x00007FF7FFAF0000-0x00007FF7FFE41000-memory.dmp

Filesize
3.3MB

Download
memory/648-91-0x00007FF7FFAF0000-0x00007FF7FFE41000-memory.dmp

Filesize
3.3MB

Download
memory/648-154-0x00007FF7FFAF0000-0x00007FF7FFE41000-memory.dmp

Filesize
3.3MB

Download
memory/728-116-0x00007FF6719E0000-0x00007FF671D31000-memory.dmp

Filesize
3.3MB

Download
memory/728-242-0x00007FF6719E0000-0x00007FF671D31000-memory.dmp

Filesize
3.3MB

Download
memory/728-57-0x00007FF6719E0000-0x00007FF671D31000-memory.dmp

Filesize
3.3MB

Download
memory/1008-112-0x00007FF6DC180000-0x00007FF6DC4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-244-0x00007FF6DC180000-0x00007FF6DC4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-60-0x00007FF6DC180000-0x00007FF6DC4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1284-87-0x00007FF726AB0000-0x00007FF726E01000-memory.dmp

Filesize
3.3MB

Download
memory/1284-18-0x00007FF726AB0000-0x00007FF726E01000-memory.dmp

Filesize
3.3MB

Download
memory/1284-226-0x00007FF726AB0000-0x00007FF726E01000-memory.dmp

Filesize
3.3MB

Download
memory/1504-78-0x00007FF7DDC70000-0x00007FF7DDFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-224-0x00007FF7DDC70000-0x00007FF7DDFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-12-0x00007FF7DDC70000-0x00007FF7DDFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-42-0x00007FF674920000-0x00007FF674C71000-memory.dmp

Filesize
3.3MB

Download
memory/1716-232-0x00007FF674920000-0x00007FF674C71000-memory.dmp

Filesize
3.3MB

Download
memory/2296-48-0x00007FF65C590000-0x00007FF65C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-111-0x00007FF65C590000-0x00007FF65C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-236-0x00007FF65C590000-0x00007FF65C8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-114-0x00007FF6C0290000-0x00007FF6C05E1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-261-0x00007FF6C0290000-0x00007FF6C05E1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-0-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp

Filesize
3.3MB

Download
memory/2636-1-0x00000162F77F0000-0x00000162F7800000-memory.dmp

Filesize
64KB

Download
memory/2636-165-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp

Filesize
3.3MB

Download
memory/2636-138-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp

Filesize
3.3MB

Download
memory/2636-68-0x00007FF77D940000-0x00007FF77DC91000-memory.dmp

Filesize
3.3MB

Download
memory/2788-248-0x00007FF620000000-0x00007FF620351000-memory.dmp

Filesize
3.3MB

Download
memory/2788-70-0x00007FF620000000-0x00007FF620351000-memory.dmp

Filesize
3.3MB

Download
memory/2788-130-0x00007FF620000000-0x00007FF620351000-memory.dmp

Filesize
3.3MB

Download
memory/2812-147-0x00007FF6EF5C0000-0x00007FF6EF911000-memory.dmp

Filesize
3.3MB

Download
memory/2812-270-0x00007FF6EF5C0000-0x00007FF6EF911000-memory.dmp

Filesize
3.3MB

Download
memory/2968-161-0x00007FF7FDD80000-0x00007FF7FE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-263-0x00007FF7FDD80000-0x00007FF7FE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-120-0x00007FF7FDD80000-0x00007FF7FE0D1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-268-0x00007FF663A90000-0x00007FF663DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-162-0x00007FF663A90000-0x00007FF663DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-124-0x00007FF663A90000-0x00007FF663DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-213-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp

Filesize
3.3MB

Download
memory/3424-71-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp

Filesize
3.3MB

Download
memory/3424-7-0x00007FF692AC0000-0x00007FF692E11000-memory.dmp

Filesize
3.3MB

Download
memory/3684-41-0x00007FF672A60000-0x00007FF672DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-234-0x00007FF672A60000-0x00007FF672DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-98-0x00007FF672A60000-0x00007FF672DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-255-0x00007FF7147F0000-0x00007FF714B41000-memory.dmp

Filesize
3.3MB

Download
memory/4064-99-0x00007FF7147F0000-0x00007FF714B41000-memory.dmp

Filesize
3.3MB

Download
memory/4244-29-0x00007FF74DED0000-0x00007FF74E221000-memory.dmp

Filesize
3.3MB

Download
memory/4244-88-0x00007FF74DED0000-0x00007FF74E221000-memory.dmp

Filesize
3.3MB

Download
memory/4244-228-0x00007FF74DED0000-0x00007FF74E221000-memory.dmp

Filesize
3.3MB

Download
memory/4300-251-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-82-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4300-156-0x00007FF6E3C90000-0x00007FF6E3FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4340-246-0x00007FF7D9490000-0x00007FF7D97E1000-memory.dmp

Filesize
3.3MB

Download
memory/4340-74-0x00007FF7D9490000-0x00007FF7D97E1000-memory.dmp

Filesize
3.3MB

Download
memory/4340-143-0x00007FF7D9490000-0x00007FF7D97E1000-memory.dmp

Filesize
3.3MB

Download
memory/4388-230-0x00007FF737FF0000-0x00007FF738341000-memory.dmp

Filesize
3.3MB

Download
memory/4388-92-0x00007FF737FF0000-0x00007FF738341000-memory.dmp

Filesize
3.3MB

Download
memory/4388-40-0x00007FF737FF0000-0x00007FF738341000-memory.dmp

Filesize
3.3MB

Download
memory/4524-163-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp

Filesize
3.3MB

Download
memory/4524-137-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp

Filesize
3.3MB

Download
memory/4524-273-0x00007FF6E4F00000-0x00007FF6E5251000-memory.dmp

Filesize
3.3MB

Download
memory/4972-103-0x00007FF6BFB50000-0x00007FF6BFEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-157-0x00007FF6BFB50000-0x00007FF6BFEA1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-259-0x00007FF6BFB50000-0x00007FF6BFEA1000-memory.dmp

Filesize
3.3MB

Download