cobaltstrike | 748589d907016383d985edb79df8a3955a85d2aa7e4af5e50e2640e8e6a160ff

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e7e2c0d564d5532abfb755f1787d0f35
SHA1

b296ea056e62a4fef43b415a9778928e3e19e527
SHA256

748589d907016383d985edb79df8a3955a85d2aa7e4af5e50e2640e8e6a160ff
SHA512

9da4c98f45625b218c214db91a0958f6bf874b3035d69982fab3af2d78aea6856a0cfb04ed80d6e850dc69fccaead8a4f0f196096b41548229a6a29c2cc25295
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUE

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002340c-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-126.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-119.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-60.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023469-37.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3316-81-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp	xmrig
behavioral2/memory/1020-132-0x00007FF664280000-0x00007FF6645D1000-memory.dmp	xmrig
behavioral2/memory/2408-131-0x00007FF7765B0000-0x00007FF776901000-memory.dmp	xmrig
behavioral2/memory/2296-128-0x00007FF69C380000-0x00007FF69C6D1000-memory.dmp	xmrig
behavioral2/memory/444-125-0x00007FF6A7040000-0x00007FF6A7391000-memory.dmp	xmrig
behavioral2/memory/3344-124-0x00007FF720DF0000-0x00007FF721141000-memory.dmp	xmrig
behavioral2/memory/4000-117-0x00007FF794370000-0x00007FF7946C1000-memory.dmp	xmrig
behavioral2/memory/3348-93-0x00007FF7B0EC0000-0x00007FF7B1211000-memory.dmp	xmrig
behavioral2/memory/4724-77-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp	xmrig
behavioral2/memory/3300-70-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp	xmrig
behavioral2/memory/4628-133-0x00007FF70E510000-0x00007FF70E861000-memory.dmp	xmrig
behavioral2/memory/3300-134-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp	xmrig
behavioral2/memory/2732-139-0x00007FF78C620000-0x00007FF78C971000-memory.dmp	xmrig
behavioral2/memory/916-138-0x00007FF7F4BD0000-0x00007FF7F4F21000-memory.dmp	xmrig
behavioral2/memory/940-147-0x00007FF6EE050000-0x00007FF6EE3A1000-memory.dmp	xmrig
behavioral2/memory/3084-149-0x00007FF604CE0000-0x00007FF605031000-memory.dmp	xmrig
behavioral2/memory/3524-151-0x00007FF7C6230000-0x00007FF7C6581000-memory.dmp	xmrig
behavioral2/memory/2928-150-0x00007FF633650000-0x00007FF6339A1000-memory.dmp	xmrig
behavioral2/memory/2168-148-0x00007FF615460000-0x00007FF6157B1000-memory.dmp	xmrig
behavioral2/memory/4220-146-0x00007FF6FB280000-0x00007FF6FB5D1000-memory.dmp	xmrig
behavioral2/memory/1600-152-0x00007FF6D47F0000-0x00007FF6D4B41000-memory.dmp	xmrig
behavioral2/memory/1100-158-0x00007FF7BCDB0000-0x00007FF7BD101000-memory.dmp	xmrig
behavioral2/memory/732-153-0x00007FF69A170000-0x00007FF69A4C1000-memory.dmp	xmrig
behavioral2/memory/3300-160-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp	xmrig
behavioral2/memory/4724-211-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp	xmrig
behavioral2/memory/3316-213-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp	xmrig
behavioral2/memory/3348-215-0x00007FF7B0EC0000-0x00007FF7B1211000-memory.dmp	xmrig
behavioral2/memory/3344-217-0x00007FF720DF0000-0x00007FF721141000-memory.dmp	xmrig
behavioral2/memory/4628-233-0x00007FF70E510000-0x00007FF70E861000-memory.dmp	xmrig
behavioral2/memory/916-235-0x00007FF7F4BD0000-0x00007FF7F4F21000-memory.dmp	xmrig
behavioral2/memory/2928-237-0x00007FF633650000-0x00007FF6339A1000-memory.dmp	xmrig
behavioral2/memory/2732-239-0x00007FF78C620000-0x00007FF78C971000-memory.dmp	xmrig
behavioral2/memory/3524-242-0x00007FF7C6230000-0x00007FF7C6581000-memory.dmp	xmrig
behavioral2/memory/4220-243-0x00007FF6FB280000-0x00007FF6FB5D1000-memory.dmp	xmrig
behavioral2/memory/940-245-0x00007FF6EE050000-0x00007FF6EE3A1000-memory.dmp	xmrig
behavioral2/memory/2168-247-0x00007FF615460000-0x00007FF6157B1000-memory.dmp	xmrig
behavioral2/memory/3084-249-0x00007FF604CE0000-0x00007FF605031000-memory.dmp	xmrig
behavioral2/memory/1600-254-0x00007FF6D47F0000-0x00007FF6D4B41000-memory.dmp	xmrig
behavioral2/memory/444-255-0x00007FF6A7040000-0x00007FF6A7391000-memory.dmp	xmrig
behavioral2/memory/732-257-0x00007FF69A170000-0x00007FF69A4C1000-memory.dmp	xmrig
behavioral2/memory/4000-259-0x00007FF794370000-0x00007FF7946C1000-memory.dmp	xmrig
behavioral2/memory/1100-262-0x00007FF7BCDB0000-0x00007FF7BD101000-memory.dmp	xmrig
behavioral2/memory/2296-263-0x00007FF69C380000-0x00007FF69C6D1000-memory.dmp	xmrig
behavioral2/memory/2408-266-0x00007FF7765B0000-0x00007FF776901000-memory.dmp	xmrig
behavioral2/memory/1020-267-0x00007FF664280000-0x00007FF6645D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4724	fXNnQcc.exe
3316	NKbNqYi.exe
3348	JVetoSn.exe
3344	JatotEq.exe
4628	TbZmgRs.exe
916	GsvBPOd.exe
2928	XqFnwKa.exe
2732	dxZwumE.exe
3524	uhnvnNr.exe
4220	rjPwefG.exe
940	EaURQmy.exe
2168	DbOpbID.exe
3084	AHPWtTJ.exe
1600	guwvEvK.exe
732	HcxsqdV.exe
444	mVRjKcI.exe
4000	xqyUwuF.exe
2296	nQlYIEI.exe
1100	DpDCPMS.exe
2408	NNiNbpo.exe
1020	hYwIINe.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3300-0-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp	upx
behavioral2/files/0x000900000002340c-4.dat	upx
behavioral2/files/0x0007000000023470-11.dat	upx
behavioral2/memory/3316-12-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp	upx
behavioral2/memory/4724-7-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp	upx
behavioral2/files/0x0007000000023471-9.dat	upx
behavioral2/memory/3348-19-0x00007FF7B0EC0000-0x00007FF7B1211000-memory.dmp	upx
behavioral2/files/0x0007000000023472-22.dat	upx
behavioral2/memory/3344-24-0x00007FF720DF0000-0x00007FF721141000-memory.dmp	upx
behavioral2/files/0x0007000000023473-28.dat	upx
behavioral2/memory/916-39-0x00007FF7F4BD0000-0x00007FF7F4F21000-memory.dmp	upx
behavioral2/files/0x0007000000023475-45.dat	upx
behavioral2/files/0x0007000000023474-49.dat	upx
behavioral2/memory/3524-59-0x00007FF7C6230000-0x00007FF7C6581000-memory.dmp	upx
behavioral2/memory/4220-62-0x00007FF6FB280000-0x00007FF6FB5D1000-memory.dmp	upx
behavioral2/memory/940-71-0x00007FF6EE050000-0x00007FF6EE3A1000-memory.dmp	upx
behavioral2/memory/2168-76-0x00007FF615460000-0x00007FF6157B1000-memory.dmp	upx
behavioral2/memory/3316-81-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp	upx
behavioral2/files/0x000700000002347c-91.dat	upx
behavioral2/files/0x000700000002347d-95.dat	upx
behavioral2/files/0x0007000000023481-122.dat	upx
behavioral2/files/0x0007000000023482-129.dat	upx
behavioral2/memory/1020-132-0x00007FF664280000-0x00007FF6645D1000-memory.dmp	upx
behavioral2/memory/2408-131-0x00007FF7765B0000-0x00007FF776901000-memory.dmp	upx
behavioral2/memory/2296-128-0x00007FF69C380000-0x00007FF69C6D1000-memory.dmp	upx
behavioral2/files/0x0007000000023480-126.dat	upx
behavioral2/memory/444-125-0x00007FF6A7040000-0x00007FF6A7391000-memory.dmp	upx
behavioral2/memory/3344-124-0x00007FF720DF0000-0x00007FF721141000-memory.dmp	upx
behavioral2/files/0x000700000002347f-119.dat	upx
behavioral2/memory/1100-118-0x00007FF7BCDB0000-0x00007FF7BD101000-memory.dmp	upx
behavioral2/memory/4000-117-0x00007FF794370000-0x00007FF7946C1000-memory.dmp	upx
behavioral2/memory/732-114-0x00007FF69A170000-0x00007FF69A4C1000-memory.dmp	upx
behavioral2/files/0x000700000002347e-111.dat	upx
behavioral2/memory/1600-102-0x00007FF6D47F0000-0x00007FF6D4B41000-memory.dmp	upx
behavioral2/files/0x000700000002347b-101.dat	upx
behavioral2/memory/3348-93-0x00007FF7B0EC0000-0x00007FF7B1211000-memory.dmp	upx
behavioral2/files/0x000700000002347a-82.dat	upx
behavioral2/memory/3084-80-0x00007FF604CE0000-0x00007FF605031000-memory.dmp	upx
behavioral2/files/0x0007000000023479-78.dat	upx
behavioral2/memory/4724-77-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp	upx
behavioral2/files/0x0007000000023478-73.dat	upx
behavioral2/memory/3300-70-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp	upx
behavioral2/files/0x0007000000023477-66.dat	upx
behavioral2/files/0x0007000000023476-60.dat	upx
behavioral2/memory/2732-52-0x00007FF78C620000-0x00007FF78C971000-memory.dmp	upx
behavioral2/memory/2928-46-0x00007FF633650000-0x00007FF6339A1000-memory.dmp	upx
behavioral2/files/0x0009000000023469-37.dat	upx
behavioral2/memory/4628-31-0x00007FF70E510000-0x00007FF70E861000-memory.dmp	upx
behavioral2/memory/4628-133-0x00007FF70E510000-0x00007FF70E861000-memory.dmp	upx
behavioral2/memory/3300-134-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp	upx
behavioral2/memory/2732-139-0x00007FF78C620000-0x00007FF78C971000-memory.dmp	upx
behavioral2/memory/916-138-0x00007FF7F4BD0000-0x00007FF7F4F21000-memory.dmp	upx
behavioral2/memory/940-147-0x00007FF6EE050000-0x00007FF6EE3A1000-memory.dmp	upx
behavioral2/memory/3084-149-0x00007FF604CE0000-0x00007FF605031000-memory.dmp	upx
behavioral2/memory/3524-151-0x00007FF7C6230000-0x00007FF7C6581000-memory.dmp	upx
behavioral2/memory/2928-150-0x00007FF633650000-0x00007FF6339A1000-memory.dmp	upx
behavioral2/memory/2168-148-0x00007FF615460000-0x00007FF6157B1000-memory.dmp	upx
behavioral2/memory/4220-146-0x00007FF6FB280000-0x00007FF6FB5D1000-memory.dmp	upx
behavioral2/memory/1600-152-0x00007FF6D47F0000-0x00007FF6D4B41000-memory.dmp	upx
behavioral2/memory/1100-158-0x00007FF7BCDB0000-0x00007FF7BD101000-memory.dmp	upx
behavioral2/memory/732-153-0x00007FF69A170000-0x00007FF69A4C1000-memory.dmp	upx
behavioral2/memory/3300-160-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp	upx
behavioral2/memory/4724-211-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp	upx
behavioral2/memory/3316-213-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GsvBPOd.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AHPWtTJ.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JatotEq.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxZwumE.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xqyUwuF.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQlYIEI.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXNnQcc.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TbZmgRs.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhnvnNr.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HcxsqdV.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mVRjKcI.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNiNbpo.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DpDCPMS.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NKbNqYi.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XqFnwKa.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rjPwefG.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaURQmy.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DbOpbID.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\guwvEvK.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYwIINe.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JVetoSn.exe	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 4724	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3300 wrote to memory of 4724	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3300 wrote to memory of 3316	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3300 wrote to memory of 3316	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3300 wrote to memory of 3348	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3300 wrote to memory of 3348	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3300 wrote to memory of 3344	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3300 wrote to memory of 3344	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3300 wrote to memory of 4628	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3300 wrote to memory of 4628	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3300 wrote to memory of 916	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3300 wrote to memory of 916	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3300 wrote to memory of 2928	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3300 wrote to memory of 2928	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3300 wrote to memory of 2732	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3300 wrote to memory of 2732	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3300 wrote to memory of 3524	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3300 wrote to memory of 3524	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3300 wrote to memory of 4220	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3300 wrote to memory of 4220	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3300 wrote to memory of 940	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3300 wrote to memory of 940	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3300 wrote to memory of 2168	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3300 wrote to memory of 2168	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3300 wrote to memory of 3084	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3300 wrote to memory of 3084	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3300 wrote to memory of 1600	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3300 wrote to memory of 1600	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3300 wrote to memory of 732	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3300 wrote to memory of 732	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3300 wrote to memory of 444	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3300 wrote to memory of 444	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3300 wrote to memory of 4000	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3300 wrote to memory of 4000	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3300 wrote to memory of 2296	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3300 wrote to memory of 2296	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3300 wrote to memory of 2408	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3300 wrote to memory of 2408	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3300 wrote to memory of 1100	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3300 wrote to memory of 1100	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3300 wrote to memory of 1020	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3300 wrote to memory of 1020	3300	2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_e7e2c0d564d5532abfb755f1787d0f35_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\System\fXNnQcc.exe
  C:\Windows\System\fXNnQcc.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\NKbNqYi.exe
  C:\Windows\System\NKbNqYi.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\JVetoSn.exe
  C:\Windows\System\JVetoSn.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\JatotEq.exe
  C:\Windows\System\JatotEq.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\TbZmgRs.exe
  C:\Windows\System\TbZmgRs.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\GsvBPOd.exe
  C:\Windows\System\GsvBPOd.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\XqFnwKa.exe
  C:\Windows\System\XqFnwKa.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\dxZwumE.exe
  C:\Windows\System\dxZwumE.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\uhnvnNr.exe
  C:\Windows\System\uhnvnNr.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\rjPwefG.exe
  C:\Windows\System\rjPwefG.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\EaURQmy.exe
  C:\Windows\System\EaURQmy.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\DbOpbID.exe
  C:\Windows\System\DbOpbID.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\AHPWtTJ.exe
  C:\Windows\System\AHPWtTJ.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\guwvEvK.exe
  C:\Windows\System\guwvEvK.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\HcxsqdV.exe
  C:\Windows\System\HcxsqdV.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\mVRjKcI.exe
  C:\Windows\System\mVRjKcI.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System\xqyUwuF.exe
  C:\Windows\System\xqyUwuF.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\nQlYIEI.exe
  C:\Windows\System\nQlYIEI.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\NNiNbpo.exe
  C:\Windows\System\NNiNbpo.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\DpDCPMS.exe
  C:\Windows\System\DpDCPMS.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System\hYwIINe.exe
  C:\Windows\System\hYwIINe.exe
  2⤵
  - Executes dropped EXE
  PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AHPWtTJ.exe

Filesize
5.2MB

MD5
eed1fb2f7ccf7f902fb120ce2bcf2e4b

SHA1
9aff0f3ccc4fa303d23077494df568d590fb2397

SHA256
9408960ffcaec3370b9e53ac07cf3ba5406210c3839eebd9f46493a4fd386e10

SHA512
7006751e3dd2fa11e97c3cdd13ab17fa1b9367f055431ecf48fd09227e2e664486eacd8da72bea33bfde0c07e4b4a256ba4e55a9558ba6a40f392adada6b1858

Download Submit
C:\Windows\System\DbOpbID.exe

Filesize
5.2MB

MD5
a4544d25b66b95e047cdbde6f7ba4d5e

SHA1
d483b34e0b4e68b6677b5ce9e1eba517e2f890ed

SHA256
bb9b4b6def7f34126cc6a076e21f0a1fa29bc15209793e421b3c0a6adb90065e

SHA512
3842e1ad4cee14e904e2f7bd2bdf4019cfa2b49235026b8c1e8230bfa176179ee674570afe3aaa12c392b70cc7ac296229191233f21c5c25d944b8ac4eb0c69a

Download Submit
C:\Windows\System\DpDCPMS.exe

Filesize
5.2MB

MD5
98b002dde3192127c64436bd26c77776

SHA1
aa5e9f6e390b921b37d1e8d7e2ed81762d933435

SHA256
ef4ea46b48b4cf619651cd92ea11da5a3e1e3ce2d362361f7002ed4af33da410

SHA512
6f22eb94e9df568d4817e1b0637eaee3f4addd22659ed189c3863037ea34eacc8ebb072a23bfe14e3c7e372d28fe58d73b2b1c9d43cc6372d4f34de3bb23be2b

Download Submit
C:\Windows\System\EaURQmy.exe

Filesize
5.2MB

MD5
947b220dff6ab716d6397c7df44708df

SHA1
35431992a0348fb22e306926c4b7100f85b2010d

SHA256
5753795977b0a40509fb53a7180195e9fe124bd9128b1a6a4e267514540f0018

SHA512
5edb118350a5f3e59f5e6a5d5ebeaf31ce2e1fa3eda7f6e1cb0da1554578e8cc78142397dc6efc8d31813f4307d1b9c045dec3dca5c8d2ac178b2fbf593a8ef9

Download Submit
C:\Windows\System\GsvBPOd.exe

Filesize
5.2MB

MD5
4a0790dbdb73cb05bd7f7e1da2c29cb7

SHA1
2a30b62d75228ff467d62b4dabaff033e4a33012

SHA256
e673bb699c161a572ec40b1b4ad3fa51684dab82373d2e9ac20914c44166a5a9

SHA512
12ffa0fef45d87e1215ab3f1e5d5cf1a76786fd29ea04a35302f24049009d944c3195bcb3e1e6db20e9caef54d208e0e710c0703867e204f2aa73a4da4fade11

Download Submit
C:\Windows\System\HcxsqdV.exe

Filesize
5.2MB

MD5
0fcfbb1e64baf5df60bc12df3a5de131

SHA1
b74635facbc6b7236851551ecab06bce8fa0bb50

SHA256
510e06dcc2a33d664bdbbb6166ccdf290930880dd5cfb3e12af649cbc543bce2

SHA512
5c9f70cdf66926d9676e4fb4817751c5819cee264a799d8d0cab7b66b72b9c7b829a799144ebe3d1331801d3e94fd7a6c3e7d87a4cfdcd09271d384e2fe95e87

Download Submit
C:\Windows\System\JVetoSn.exe

Filesize
5.2MB

MD5
d5c34c5e9de7b7918397391f641f033b

SHA1
9e5a1766990af0ff96832e17d632ac1d125e2c58

SHA256
2212ce5f1b93d2336e35cbfd31a2f5ea9f4d034654d5ba0eda70d8c1cb10a219

SHA512
e95b5388ab90c621d85fefe0657143a9c9e34a78127b27daee86d7c9376ed2bd320b17f797b5a522727ca19ca32130b31ebd41a107f3c30502307df69b8873fd

Download Submit
C:\Windows\System\JatotEq.exe

Filesize
5.2MB

MD5
1ff4a85cec82f1343b2a0a8d031208f5

SHA1
a4c5a03fdf6882151be6efcdb2f6d8643a282e37

SHA256
a011398a2ee189413fc42cac7149f41b3d64079da90a64328e35bb8f43329765

SHA512
9cb5725b29d3156a3c87d78ed4725b380e763f41b7326eabc7dfb2882859f758b62f9ea176f90e93c6d176eba2ea6d0762bb3822e246d782b55202793963ffb0

Download Submit
C:\Windows\System\NKbNqYi.exe

Filesize
5.2MB

MD5
bd6b13729bdad4a1f587310303ceb519

SHA1
11f602debe7fb9d1df1595010c94dfd2cd3e4cf1

SHA256
1fc3c0d77b0b13dc93bcbdc2caa5e88c4d70825ab61fe77b1b2039c9b0915617

SHA512
d500bb6f7049e864143240e75d012883d25c9775ffb64f3b6ab7848dbf5af9192ce850a8d61da5bf8a811bbb46bf9121e658f97122d852ebe0a0d4ebe01f8a91

Download Submit
C:\Windows\System\NNiNbpo.exe

Filesize
5.2MB

MD5
d564c2ca7ef60a1964afea328ed664d3

SHA1
51b38585b868d2f20564732c887585ef9847a430

SHA256
e0f82bc5f7d1ff34ad6b00690b54f57e47ab8f0edaadcaebf94fa7de07dab44d

SHA512
e8f3c64a17e373d9a35bd798312bf2d72e55a9778923ffca29a068f4cf0703bd5537b23043c0f5bdbc61a09b543bad8b9e2bc5f06daf7851617bb95e48ef1783

Download Submit
C:\Windows\System\TbZmgRs.exe

Filesize
5.2MB

MD5
ef1f204b320bd56969d17f734435bd5b

SHA1
4de5bdafafa9ae787feb2b54943b7ac86ec2e14d

SHA256
4c30bc71305759303df7eeabec4cad10113c6c6ca5c7b0940f7b37f0bfe33b67

SHA512
22e2d41aded5c3afce633866ca9a2ce8c57624e8332dfe6246fed77a3feb962915d510b2352df0e382564ce3e5378ae5e88c4523ba0c0e9c43fe0b1cbd149b4d

Download Submit
C:\Windows\System\XqFnwKa.exe

Filesize
5.2MB

MD5
aae0b57c46eaa1d5b8c05177d9765d4c

SHA1
248b4f098e07a05ffa7cc6f9e54fd81bdf07f57d

SHA256
8566fee94a7e990bfc749491ccc6806913eaa8c808853295edd06ad043c0376c

SHA512
b3bb5dac0e63f474bc3cbc32df9b2b9ea807e8d454ca9d76e4496edf991b139ec27601ed49d7f8dbf62f39b19c18bd7ecc2e0292d7c32272c2e3419df2f32378

Download Submit
C:\Windows\System\dxZwumE.exe

Filesize
5.2MB

MD5
42e847f858c99d4b72cea8ffe94d0b9c

SHA1
cc7c7eee7edd9d0a9452804d275bbb00537fec0d

SHA256
5396816cda59bdcf828c9b51f1c289d5452804423197dcf574b08609a166b767

SHA512
a0520601dee50ed4f16c8acaa0d8688ff2de5577f596cb0222148d07981bf3215283aacb54856d4b5996eddee694de20a74361a01ee604195ab85a96af08f678

Download Submit
C:\Windows\System\fXNnQcc.exe

Filesize
5.2MB

MD5
b5c8812be5060426b4bfcbcb5a255078

SHA1
80a064d63394d853ac75cd097452876702dc5b46

SHA256
362ce1b5c92ec08d0dbc87ace5857a0e8d460692358c82053433a5477c8d92e9

SHA512
d2cf9062fe39eff1973542b52fa4b23e25dd0d5c275cf9e28f164c2e76231b3c31ed470f3e0eccd1af2d434b8d4384ba00be98fa88c7d11725b2701379be7799

Download Submit
C:\Windows\System\guwvEvK.exe

Filesize
5.2MB

MD5
8ee8ba02372f7ca2c50decf8ec6ced8f

SHA1
0f22d34817e70664fed2581573c8e676a629fdf4

SHA256
286891b02d918759f57e0375e203de196786e619fad8053e637c997b421378e5

SHA512
984ddb7b023d647f7fc055ebc27e8d02fecd242c0e273c34240ce11ef990b801de27aa71a6db8ae1ca18d5685d445c716d8ebff04249c4d511a426fa1850a964

Download Submit
C:\Windows\System\hYwIINe.exe

Filesize
5.2MB

MD5
fac865c5bedf1bfe0ea4a247e2d21755

SHA1
b1d2336ab8b8a8f4403e3ccff298830e9c59f108

SHA256
c004100d27178872d1c00c3402d5fb2dbfcccc19ee142e50efcde4433bd4907a

SHA512
a2d901de4dd52d0c1571d29ca8e57e22ea46a915a0822b503430502bc04dd148dc017d80dc35a5473cf65539acb1b8d97a279eeaee0185c93bd84e4b1d82a33e

Download Submit
C:\Windows\System\mVRjKcI.exe

Filesize
5.2MB

MD5
6e2e77c0f48591989aef1494dd6bbd11

SHA1
38db2943dd5d77713e0a45bbf02aeee260b231c0

SHA256
651450bf21832fc4fe20e605668b7b15c5ea729cb48bf63701de76c39cf94f15

SHA512
1acb0e6da350804ed5821ac7df9dd7d37c094b8e08bdecd2f821a3a5ba9d8e8beafe2dd0f82c9c47d8313fc1579577d19afb7dfaed989aa1285eea14c135f299

Download Submit
C:\Windows\System\nQlYIEI.exe

Filesize
5.2MB

MD5
a62c2c5b896a433eef129926e9259e4c

SHA1
8d3812362dbcf8de3f2b696e04c167d185531d59

SHA256
cda24ca42deb1cd347d561eded9905a38d72b4e693c98056cafe554d5240feb0

SHA512
e96c691a65025627d5913d7431a1518ffc6fd1fbbc4d2ce2fdb3e51bdadd1fc2d21c47a2ef854dd603ced3cd92a19c327f6f0a779ce57061e9bb7e92335d91aa

Download Submit
C:\Windows\System\rjPwefG.exe

Filesize
5.2MB

MD5
e88e51acbd599e33ad799c1fd7d2fcc0

SHA1
d418ba121001e0ff14f88b88550d2739b36cf8b2

SHA256
6b1193fc14cf1b07aaa4c0cbd611ca3b13b19ba3640ccc0b22e8d220cc002f79

SHA512
e2d1a839acf821d7b38da76fd9b217d221a16b564b094561c967046b08e175b6a028b0b49d3c7de88d582ed4af32ba7be3c2d0092227de8a732e29ebc172bf4f

Download Submit
C:\Windows\System\uhnvnNr.exe

Filesize
5.2MB

MD5
4dd571527ff9490514dc3099bb0bcf0c

SHA1
d51534da785fafb2b46dc27b3567d45bf3dc7f85

SHA256
b964ce5d1973c6aa3c432ebfb56bcaedcab6609d78f94f74bdefd2a662edb7a8

SHA512
d53bed9298303b92e06f05cff40f75ca5e0fc46e77a3cf089f2e7e37c1b41d8f049911e4ce126dd01f8434e262d83c43ee38d41cd301f0a0d2bb3aa247793e79

Download Submit
C:\Windows\System\xqyUwuF.exe

Filesize
5.2MB

MD5
ced25ed47deb67d8fe0a7d4e1ee66d37

SHA1
e9268c6b5d625d126d23dd1fb03d44af5a7aef0e

SHA256
ea925a9feb57845b1867d6dc4e928466a98374cef41d56f54a2f43a27aee326c

SHA512
92bdf718326cafe270a927d383a435f360881b7f540b869aa195dc38beb6e6aca424bcb7f3a55d08b6c28d92ca31fd5925241cb168ff162dbc5cb3e4c4f973a0

Download Submit
memory/444-255-0x00007FF6A7040000-0x00007FF6A7391000-memory.dmp

Filesize
3.3MB

Download
memory/444-125-0x00007FF6A7040000-0x00007FF6A7391000-memory.dmp

Filesize
3.3MB

Download
memory/732-114-0x00007FF69A170000-0x00007FF69A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/732-153-0x00007FF69A170000-0x00007FF69A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/732-257-0x00007FF69A170000-0x00007FF69A4C1000-memory.dmp

Filesize
3.3MB

Download
memory/916-39-0x00007FF7F4BD0000-0x00007FF7F4F21000-memory.dmp

Filesize
3.3MB

Download
memory/916-235-0x00007FF7F4BD0000-0x00007FF7F4F21000-memory.dmp

Filesize
3.3MB

Download
memory/916-138-0x00007FF7F4BD0000-0x00007FF7F4F21000-memory.dmp

Filesize
3.3MB

Download
memory/940-245-0x00007FF6EE050000-0x00007FF6EE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/940-147-0x00007FF6EE050000-0x00007FF6EE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/940-71-0x00007FF6EE050000-0x00007FF6EE3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1020-132-0x00007FF664280000-0x00007FF6645D1000-memory.dmp

Filesize
3.3MB

Download
memory/1020-267-0x00007FF664280000-0x00007FF6645D1000-memory.dmp

Filesize
3.3MB

Download
memory/1100-118-0x00007FF7BCDB0000-0x00007FF7BD101000-memory.dmp

Filesize
3.3MB

Download
memory/1100-158-0x00007FF7BCDB0000-0x00007FF7BD101000-memory.dmp

Filesize
3.3MB

Download
memory/1100-262-0x00007FF7BCDB0000-0x00007FF7BD101000-memory.dmp

Filesize
3.3MB

Download
memory/1600-102-0x00007FF6D47F0000-0x00007FF6D4B41000-memory.dmp

Filesize
3.3MB

Download
memory/1600-152-0x00007FF6D47F0000-0x00007FF6D4B41000-memory.dmp

Filesize
3.3MB

Download
memory/1600-254-0x00007FF6D47F0000-0x00007FF6D4B41000-memory.dmp

Filesize
3.3MB

Download
memory/2168-76-0x00007FF615460000-0x00007FF6157B1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-148-0x00007FF615460000-0x00007FF6157B1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-247-0x00007FF615460000-0x00007FF6157B1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-128-0x00007FF69C380000-0x00007FF69C6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-263-0x00007FF69C380000-0x00007FF69C6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-131-0x00007FF7765B0000-0x00007FF776901000-memory.dmp

Filesize
3.3MB

Download
memory/2408-266-0x00007FF7765B0000-0x00007FF776901000-memory.dmp

Filesize
3.3MB

Download
memory/2732-139-0x00007FF78C620000-0x00007FF78C971000-memory.dmp

Filesize
3.3MB

Download
memory/2732-239-0x00007FF78C620000-0x00007FF78C971000-memory.dmp

Filesize
3.3MB

Download
memory/2732-52-0x00007FF78C620000-0x00007FF78C971000-memory.dmp

Filesize
3.3MB

Download
memory/2928-150-0x00007FF633650000-0x00007FF6339A1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-237-0x00007FF633650000-0x00007FF6339A1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-46-0x00007FF633650000-0x00007FF6339A1000-memory.dmp

Filesize
3.3MB

Download
memory/3084-80-0x00007FF604CE0000-0x00007FF605031000-memory.dmp

Filesize
3.3MB

Download
memory/3084-149-0x00007FF604CE0000-0x00007FF605031000-memory.dmp

Filesize
3.3MB

Download
memory/3084-249-0x00007FF604CE0000-0x00007FF605031000-memory.dmp

Filesize
3.3MB

Download
memory/3300-0-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-134-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-70-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-160-0x00007FF635F80000-0x00007FF6362D1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-1-0x000001BE5AD20000-0x000001BE5AD30000-memory.dmp

Filesize
64KB

Download
memory/3316-81-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-12-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-213-0x00007FF7EEE90000-0x00007FF7EF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/3344-24-0x00007FF720DF0000-0x00007FF721141000-memory.dmp

Filesize
3.3MB

Download
memory/3344-217-0x00007FF720DF0000-0x00007FF721141000-memory.dmp

Filesize
3.3MB

Download
memory/3344-124-0x00007FF720DF0000-0x00007FF721141000-memory.dmp

Filesize
3.3MB

Download
memory/3348-19-0x00007FF7B0EC0000-0x00007FF7B1211000-memory.dmp

Filesize
3.3MB

Download
memory/3348-215-0x00007FF7B0EC0000-0x00007FF7B1211000-memory.dmp

Filesize
3.3MB

Download
memory/3348-93-0x00007FF7B0EC0000-0x00007FF7B1211000-memory.dmp

Filesize
3.3MB

Download
memory/3524-59-0x00007FF7C6230000-0x00007FF7C6581000-memory.dmp

Filesize
3.3MB

Download
memory/3524-151-0x00007FF7C6230000-0x00007FF7C6581000-memory.dmp

Filesize
3.3MB

Download
memory/3524-242-0x00007FF7C6230000-0x00007FF7C6581000-memory.dmp

Filesize
3.3MB

Download
memory/4000-117-0x00007FF794370000-0x00007FF7946C1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-259-0x00007FF794370000-0x00007FF7946C1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-146-0x00007FF6FB280000-0x00007FF6FB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-243-0x00007FF6FB280000-0x00007FF6FB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-62-0x00007FF6FB280000-0x00007FF6FB5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-31-0x00007FF70E510000-0x00007FF70E861000-memory.dmp

Filesize
3.3MB

Download
memory/4628-133-0x00007FF70E510000-0x00007FF70E861000-memory.dmp

Filesize
3.3MB

Download
memory/4628-233-0x00007FF70E510000-0x00007FF70E861000-memory.dmp

Filesize
3.3MB

Download
memory/4724-7-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp

Filesize
3.3MB

Download
memory/4724-77-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp

Filesize
3.3MB

Download
memory/4724-211-0x00007FF64B700000-0x00007FF64BA51000-memory.dmp

Filesize
3.3MB

Download