cobaltstrike | eacfabc4033cf437190dd4749f25f8fd22cff273445c5b3e5a6c0bacda0b1ae5

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

eabd878d23e3cfc8ace84db6f6f164df
SHA1

e049e08d8c1ac3a55f51dc4e62a076695474fe72
SHA256

eacfabc4033cf437190dd4749f25f8fd22cff273445c5b3e5a6c0bacda0b1ae5
SHA512

c9960c0c4490a36f55d48edc5a9b56566499fd5d47ddc52078381eeb736a8441550348bc01f5f444bcdddc4d5eb8e857da0e58d48b6dd3c0171d93b734d2906a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibf56utgpPFotBER/mQ32lUO

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233db-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023442-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-38.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-116.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023443-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-43.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4040-100-0x00007FF6B4CF0000-0x00007FF6B5041000-memory.dmp	xmrig
behavioral2/memory/3672-89-0x00007FF7733F0000-0x00007FF773741000-memory.dmp	xmrig
behavioral2/memory/4784-88-0x00007FF62D650000-0x00007FF62D9A1000-memory.dmp	xmrig
behavioral2/memory/3392-79-0x00007FF72A500000-0x00007FF72A851000-memory.dmp	xmrig
behavioral2/memory/1436-118-0x00007FF61C150000-0x00007FF61C4A1000-memory.dmp	xmrig
behavioral2/memory/4312-120-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp	xmrig
behavioral2/memory/4844-119-0x00007FF67E600000-0x00007FF67E951000-memory.dmp	xmrig
behavioral2/memory/2188-121-0x00007FF7724D0000-0x00007FF772821000-memory.dmp	xmrig
behavioral2/memory/2012-122-0x00007FF6FFAD0000-0x00007FF6FFE21000-memory.dmp	xmrig
behavioral2/memory/1524-124-0x00007FF766B10000-0x00007FF766E61000-memory.dmp	xmrig
behavioral2/memory/4968-123-0x00007FF7FDC00000-0x00007FF7FDF51000-memory.dmp	xmrig
behavioral2/memory/2876-125-0x00007FF6BD8A0000-0x00007FF6BDBF1000-memory.dmp	xmrig
behavioral2/memory/3040-126-0x00007FF7434A0000-0x00007FF7437F1000-memory.dmp	xmrig
behavioral2/memory/244-127-0x00007FF77FD10000-0x00007FF780061000-memory.dmp	xmrig
behavioral2/memory/3932-130-0x00007FF6880D0000-0x00007FF688421000-memory.dmp	xmrig
behavioral2/memory/4432-138-0x00007FF683620000-0x00007FF683971000-memory.dmp	xmrig
behavioral2/memory/996-136-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp	xmrig
behavioral2/memory/544-132-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp	xmrig
behavioral2/memory/1188-135-0x00007FF798240000-0x00007FF798591000-memory.dmp	xmrig
behavioral2/memory/3832-129-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp	xmrig
behavioral2/memory/3524-128-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp	xmrig
behavioral2/memory/1928-140-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp	xmrig
behavioral2/memory/3524-150-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp	xmrig
behavioral2/memory/3524-151-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp	xmrig
behavioral2/memory/3832-214-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp	xmrig
behavioral2/memory/4784-216-0x00007FF62D650000-0x00007FF62D9A1000-memory.dmp	xmrig
behavioral2/memory/3932-218-0x00007FF6880D0000-0x00007FF688421000-memory.dmp	xmrig
behavioral2/memory/544-220-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp	xmrig
behavioral2/memory/3672-222-0x00007FF7733F0000-0x00007FF773741000-memory.dmp	xmrig
behavioral2/memory/1188-228-0x00007FF798240000-0x00007FF798591000-memory.dmp	xmrig
behavioral2/memory/996-226-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp	xmrig
behavioral2/memory/3392-225-0x00007FF72A500000-0x00007FF72A851000-memory.dmp	xmrig
behavioral2/memory/4040-231-0x00007FF6B4CF0000-0x00007FF6B5041000-memory.dmp	xmrig
behavioral2/memory/1928-236-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp	xmrig
behavioral2/memory/4844-242-0x00007FF67E600000-0x00007FF67E951000-memory.dmp	xmrig
behavioral2/memory/4432-234-0x00007FF683620000-0x00007FF683971000-memory.dmp	xmrig
behavioral2/memory/1436-233-0x00007FF61C150000-0x00007FF61C4A1000-memory.dmp	xmrig
behavioral2/memory/3040-248-0x00007FF7434A0000-0x00007FF7437F1000-memory.dmp	xmrig
behavioral2/memory/2188-250-0x00007FF7724D0000-0x00007FF772821000-memory.dmp	xmrig
behavioral2/memory/1524-256-0x00007FF766B10000-0x00007FF766E61000-memory.dmp	xmrig
behavioral2/memory/244-258-0x00007FF77FD10000-0x00007FF780061000-memory.dmp	xmrig
behavioral2/memory/2012-254-0x00007FF6FFAD0000-0x00007FF6FFE21000-memory.dmp	xmrig
behavioral2/memory/4968-252-0x00007FF7FDC00000-0x00007FF7FDF51000-memory.dmp	xmrig
behavioral2/memory/2876-247-0x00007FF6BD8A0000-0x00007FF6BDBF1000-memory.dmp	xmrig
behavioral2/memory/4312-245-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3832	PUtRbtj.exe
3932	vJKUoft.exe
4784	vqAivGI.exe
544	LMlYdoI.exe
3672	OtBFdIG.exe
1188	AQIsmDq.exe
4040	nowMiHn.exe
996	eRjFzEW.exe
1436	KbjIZmv.exe
4432	ldBlKLk.exe
4844	nhJLVjh.exe
1928	pnelOiR.exe
3392	LPZoRtr.exe
4312	vgOHlWR.exe
2876	cosQvnz.exe
3040	NFKzCmK.exe
2188	rERIrwk.exe
2012	zwgJqLH.exe
4968	ZOcfYJx.exe
1524	hISdlmI.exe
244	YXhkbFi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3524-0-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp	upx
behavioral2/files/0x00090000000233db-5.dat	upx
behavioral2/memory/3832-6-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp	upx
behavioral2/files/0x0008000000023442-10.dat	upx
behavioral2/files/0x0007000000023447-19.dat	upx
behavioral2/files/0x0007000000023446-15.dat	upx
behavioral2/files/0x0007000000023449-28.dat	upx
behavioral2/files/0x0007000000023448-38.dat	upx
behavioral2/files/0x000700000002344d-45.dat	upx
behavioral2/files/0x000700000002344e-57.dat	upx
behavioral2/files/0x000700000002344c-64.dat	upx
behavioral2/files/0x0007000000023455-96.dat	upx
behavioral2/files/0x0007000000023456-98.dat	upx
behavioral2/files/0x0007000000023454-104.dat	upx
behavioral2/files/0x0007000000023457-116.dat	upx
behavioral2/files/0x0008000000023443-114.dat	upx
behavioral2/files/0x0007000000023453-110.dat	upx
behavioral2/files/0x0007000000023452-102.dat	upx
behavioral2/memory/4040-100-0x00007FF6B4CF0000-0x00007FF6B5041000-memory.dmp	upx
behavioral2/files/0x0007000000023451-95.dat	upx
behavioral2/memory/3672-89-0x00007FF7733F0000-0x00007FF773741000-memory.dmp	upx
behavioral2/memory/4784-88-0x00007FF62D650000-0x00007FF62D9A1000-memory.dmp	upx
behavioral2/files/0x000700000002344f-80.dat	upx
behavioral2/memory/3392-79-0x00007FF72A500000-0x00007FF72A851000-memory.dmp	upx
behavioral2/memory/1928-76-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp	upx
behavioral2/memory/4432-62-0x00007FF683620000-0x00007FF683971000-memory.dmp	upx
behavioral2/files/0x0007000000023450-61.dat	upx
behavioral2/memory/996-52-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp	upx
behavioral2/files/0x000700000002344b-46.dat	upx
behavioral2/memory/1188-39-0x00007FF798240000-0x00007FF798591000-memory.dmp	upx
behavioral2/memory/544-35-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp	upx
behavioral2/files/0x000700000002344a-43.dat	upx
behavioral2/memory/3932-24-0x00007FF6880D0000-0x00007FF688421000-memory.dmp	upx
behavioral2/memory/1436-118-0x00007FF61C150000-0x00007FF61C4A1000-memory.dmp	upx
behavioral2/memory/4312-120-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp	upx
behavioral2/memory/4844-119-0x00007FF67E600000-0x00007FF67E951000-memory.dmp	upx
behavioral2/memory/2188-121-0x00007FF7724D0000-0x00007FF772821000-memory.dmp	upx
behavioral2/memory/2012-122-0x00007FF6FFAD0000-0x00007FF6FFE21000-memory.dmp	upx
behavioral2/memory/1524-124-0x00007FF766B10000-0x00007FF766E61000-memory.dmp	upx
behavioral2/memory/4968-123-0x00007FF7FDC00000-0x00007FF7FDF51000-memory.dmp	upx
behavioral2/memory/2876-125-0x00007FF6BD8A0000-0x00007FF6BDBF1000-memory.dmp	upx
behavioral2/memory/3040-126-0x00007FF7434A0000-0x00007FF7437F1000-memory.dmp	upx
behavioral2/memory/244-127-0x00007FF77FD10000-0x00007FF780061000-memory.dmp	upx
behavioral2/memory/3932-130-0x00007FF6880D0000-0x00007FF688421000-memory.dmp	upx
behavioral2/memory/4432-138-0x00007FF683620000-0x00007FF683971000-memory.dmp	upx
behavioral2/memory/996-136-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp	upx
behavioral2/memory/544-132-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp	upx
behavioral2/memory/1188-135-0x00007FF798240000-0x00007FF798591000-memory.dmp	upx
behavioral2/memory/3832-129-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp	upx
behavioral2/memory/3524-128-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp	upx
behavioral2/memory/1928-140-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp	upx
behavioral2/memory/3524-150-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp	upx
behavioral2/memory/3524-151-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp	upx
behavioral2/memory/3832-214-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp	upx
behavioral2/memory/4784-216-0x00007FF62D650000-0x00007FF62D9A1000-memory.dmp	upx
behavioral2/memory/3932-218-0x00007FF6880D0000-0x00007FF688421000-memory.dmp	upx
behavioral2/memory/544-220-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp	upx
behavioral2/memory/3672-222-0x00007FF7733F0000-0x00007FF773741000-memory.dmp	upx
behavioral2/memory/1188-228-0x00007FF798240000-0x00007FF798591000-memory.dmp	upx
behavioral2/memory/996-226-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp	upx
behavioral2/memory/3392-225-0x00007FF72A500000-0x00007FF72A851000-memory.dmp	upx
behavioral2/memory/4040-231-0x00007FF6B4CF0000-0x00007FF6B5041000-memory.dmp	upx
behavioral2/memory/1928-236-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp	upx
behavioral2/memory/4844-242-0x00007FF67E600000-0x00007FF67E951000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vJKUoft.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LPZoRtr.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rERIrwk.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PUtRbtj.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vqAivGI.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AQIsmDq.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zwgJqLH.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NFKzCmK.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hISdlmI.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LMlYdoI.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ldBlKLk.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pnelOiR.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vgOHlWR.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZOcfYJx.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YXhkbFi.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nowMiHn.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OtBFdIG.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eRjFzEW.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbjIZmv.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nhJLVjh.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cosQvnz.exe	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3832	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3524 wrote to memory of 3832	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3524 wrote to memory of 3932	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3524 wrote to memory of 3932	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3524 wrote to memory of 4784	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3524 wrote to memory of 4784	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3524 wrote to memory of 544	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3524 wrote to memory of 544	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3524 wrote to memory of 4040	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3524 wrote to memory of 4040	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3524 wrote to memory of 3672	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3524 wrote to memory of 3672	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3524 wrote to memory of 1188	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3524 wrote to memory of 1188	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3524 wrote to memory of 996	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3524 wrote to memory of 996	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3524 wrote to memory of 1436	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3524 wrote to memory of 1436	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3524 wrote to memory of 4432	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3524 wrote to memory of 4432	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3524 wrote to memory of 4844	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3524 wrote to memory of 4844	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3524 wrote to memory of 1928	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3524 wrote to memory of 1928	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3524 wrote to memory of 3392	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3524 wrote to memory of 3392	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3524 wrote to memory of 4312	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3524 wrote to memory of 4312	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3524 wrote to memory of 2876	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3524 wrote to memory of 2876	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3524 wrote to memory of 2012	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3524 wrote to memory of 2012	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3524 wrote to memory of 3040	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3524 wrote to memory of 3040	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3524 wrote to memory of 2188	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3524 wrote to memory of 2188	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3524 wrote to memory of 4968	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3524 wrote to memory of 4968	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3524 wrote to memory of 1524	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3524 wrote to memory of 1524	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3524 wrote to memory of 244	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3524 wrote to memory of 244	3524	2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_eabd878d23e3cfc8ace84db6f6f164df_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\System\PUtRbtj.exe
  C:\Windows\System\PUtRbtj.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\vJKUoft.exe
  C:\Windows\System\vJKUoft.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\vqAivGI.exe
  C:\Windows\System\vqAivGI.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\LMlYdoI.exe
  C:\Windows\System\LMlYdoI.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\nowMiHn.exe
  C:\Windows\System\nowMiHn.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\OtBFdIG.exe
  C:\Windows\System\OtBFdIG.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\AQIsmDq.exe
  C:\Windows\System\AQIsmDq.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\eRjFzEW.exe
  C:\Windows\System\eRjFzEW.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\KbjIZmv.exe
  C:\Windows\System\KbjIZmv.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\ldBlKLk.exe
  C:\Windows\System\ldBlKLk.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\nhJLVjh.exe
  C:\Windows\System\nhJLVjh.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\pnelOiR.exe
  C:\Windows\System\pnelOiR.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\LPZoRtr.exe
  C:\Windows\System\LPZoRtr.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\vgOHlWR.exe
  C:\Windows\System\vgOHlWR.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\cosQvnz.exe
  C:\Windows\System\cosQvnz.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\zwgJqLH.exe
  C:\Windows\System\zwgJqLH.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\NFKzCmK.exe
  C:\Windows\System\NFKzCmK.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\rERIrwk.exe
  C:\Windows\System\rERIrwk.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\ZOcfYJx.exe
  C:\Windows\System\ZOcfYJx.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\hISdlmI.exe
  C:\Windows\System\hISdlmI.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\YXhkbFi.exe
  C:\Windows\System\YXhkbFi.exe
  2⤵
  - Executes dropped EXE
  PID:244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AQIsmDq.exe

Filesize
5.2MB

MD5
35f50db2c84ba67170f62db898c72cbb

SHA1
187c7dc2fc0810225d5a3fc8bbce6ec2de6224f4

SHA256
4158bed4e3a0e5c1346189a60f15c87e23ed027f0d62b205a4b075dca66c854b

SHA512
0edd4158170a0c4b4c6921a0c0d105dc731afcfa0c0b18fe5bf54515634016c9de0f83add44e636e3de6ef14b53c904793ee1dbb19267c2c7df5fb72ff030356

Download Submit
C:\Windows\System\KbjIZmv.exe

Filesize
5.2MB

MD5
0371fb8c0d461372aea91012ff638cf7

SHA1
ed2c61c2c21ccdedcea8c363abd5dc8f6c8dfc54

SHA256
dbe2ccad2e6bc29857378e80d6fa0eddc639cf8a35c66c71a3d1e0f8e826bc20

SHA512
726dcbe30c2613720bc5c35565f3a25a82d0f118d1f90f6c8f8fb6d90b3067581d3ae38f0f85e0a027f07bb03f08fd275c0da39f8ef9b83f0715d9ab9e5d6c22

Download Submit
C:\Windows\System\LMlYdoI.exe

Filesize
5.2MB

MD5
9301e706f2c25d3a5b568d152c4e3792

SHA1
3115a7ad6d101e1df797d8699bc509dea23b71bb

SHA256
22788fadd2a78a7b7582b62d7d26dd47804b99782f57a62b2395d484193bbb42

SHA512
781960331875c71554a72b318a73dcf5d7b60269d3355043e05e3c365c0cb3c3cdc198b4a27858facba32afd14c16b9e89358b1dbd0b552500c3bfc785587077

Download Submit
C:\Windows\System\LPZoRtr.exe

Filesize
5.2MB

MD5
f4712b72b9b96c694ab572040308483b

SHA1
68f96f5d820998f029f43aed3ef6ee4e91c46d70

SHA256
b370d1cb638d82da742e0b9063efbe1a490d2ea2c282f930bb033d8358b3088a

SHA512
a23d2d478dc51a03f3971fa26df7a56eb00756b9e985e2293ad8768b51809a2772f6bc415bb36b1f5e7656b55c6e9bcfc268d4dcc58b84f61aea656f52d6113c

Download Submit
C:\Windows\System\NFKzCmK.exe

Filesize
5.2MB

MD5
8838b2b9e2371b4523a77c15ec082e4f

SHA1
da12770d4f010c635b1bed6c91bdf541c2b199df

SHA256
fdc6649aef096629ea3e63b095071c2ffaec84bc4d78d6d70ebbc93fc244674f

SHA512
6a1b51c8040711e3a6f8ea5c8bea8fa37c7b03eadd89e25ddd10701d343661356cae5025130b5b5542a2cb85c5d8b561a9b6a7da9d0a6142c519dedcbc5d36d5

Download Submit
C:\Windows\System\OtBFdIG.exe

Filesize
5.2MB

MD5
2f9bc7eecf5d4d17b2b51bb6349ae928

SHA1
1be31d63dc4054f043c9c039988a7895bc03734d

SHA256
2bdcc2a0b8b9f2593b83b8015ca0385fd0bdb70c0f88471376a25e56f1b7528f

SHA512
750b3a75be6c9130f16b7b8c15da18e2433d6fcc1d22cf78aa3a05bf6b2436aeac0f70f005e835bfa1f275aa598b29930fbe7e8c6a8aa81cc7400c86452549c9

Download Submit
C:\Windows\System\PUtRbtj.exe

Filesize
5.2MB

MD5
b899faa2dff52a0cb841a96a9e89c618

SHA1
6f4f1f4fb292038aad524cabea727a097f36a2d3

SHA256
a58e88864387408a8ff7c105b389062e5d1cf34bcc07353df8d9b816fbef7ac9

SHA512
f3f09a896f61189588c4b2fd0940416ab7ac07881df971c9dd6bf3e67b700af28edd4764bc581246835b4c25b94237598c536ecf9ecc6b40cbe963a849ca86ab

Download Submit
C:\Windows\System\YXhkbFi.exe

Filesize
5.2MB

MD5
84f29b7245582a7e77d9b5618f8f822c

SHA1
410900a393dc745d3c7784a34fd3d03eae1613a0

SHA256
c9f20d9cf8469659b09f472d3cfa17584980cf35d185e1aedf95a85e5b3f5b00

SHA512
c9d668f56cf6c085f88c19562aeecfc398299c743212ca555b7a9694aff379fbd812a99e77e9811386ca9b7f14640fcb6ff90d44db4166213c6d2ecdc03a6c30

Download Submit
C:\Windows\System\ZOcfYJx.exe

Filesize
5.2MB

MD5
96dd9e2895b072a25aff8df1d682bbad

SHA1
9cf4afa1e5c505ebee4f71348b7e9b99e8357506

SHA256
32dfb258f09885fe7b820ac33e1b02686aa8ed6eb19a10448b84abe908b85845

SHA512
f7a1abec0e59462f97c2f9741676db87b6e7816d2fc2c56ec6a08318539046960feb34e3368cb6f37c7f46611eee6e1e470c3ad7dd072c9304d785aed81cb299

Download Submit
C:\Windows\System\cosQvnz.exe

Filesize
5.2MB

MD5
a233e270ba1b27f244a30d728155d636

SHA1
3ceba4a96ed30f46453ddaa19be07ad9c382bc9d

SHA256
2dad3d36f3f4b2caf0f82cef505868a92a7859f03e27bd7815ac8cb5c10d728c

SHA512
c5a07f7156c833953008ae6f4e33498bff76cbe669b4d619bd029ddfebe80cef99c68937e898a2b6018b23d8c2a7450cdaac997859a49643ac6c45cb6b5d6a04

Download Submit
C:\Windows\System\eRjFzEW.exe

Filesize
5.2MB

MD5
1f454946d9d9c6eb1ee8a91cf5faf9e8

SHA1
67aa8634de138096253aa49c74e53c605595069b

SHA256
0590dff032d2421e716e9473e64b34599ffcb359f2a91f7939bcc0fe8b8dab2a

SHA512
4764d1e694a6af9c1c4d129f49ec4406f7fe2301908cb79bcae239bf123b889e98594e7b9bba02f718547b1b31bbb2c2f42e45869a475cc7e18502377fc561fe

Download Submit
C:\Windows\System\hISdlmI.exe

Filesize
5.2MB

MD5
d3a8fb49362d1b341f35c88919edbc21

SHA1
ea252f6478a7dd9974e25af144782f26feeef9b5

SHA256
1aeba1b94d0f02dcae3bf74f213fd8dd46b5f0e52197b73c15dd07e722bd29cb

SHA512
a015a0ba8450ebfc5ccff3c1a026f66ccfad8f76f39e007a7d3e547009aff09dcb288c161c29ec5debca0063c738493ed106815a209798d73a353366ca0cabba

Download Submit
C:\Windows\System\ldBlKLk.exe

Filesize
5.2MB

MD5
649888b7bf8b2376d22f29b3ff6cacb5

SHA1
1a005d5f769d7be8cbab647f3213133999d66286

SHA256
81523bb4422f203a3d94e26164e7aa8147822fbbc26a4d94f5da47ed0c2bda84

SHA512
616160cd4e29b9ddff558d44ca0044ff6c442fc169e0483b58ce1a97b23a368509a70e61fabc6e3d9787cda383b03e2534c9d31aad77f9da661b9f262d338185

Download Submit
C:\Windows\System\nhJLVjh.exe

Filesize
5.2MB

MD5
5614301799467e5544470acb4bd40d0f

SHA1
1831ad2f72949d4b31ecc428ae7f2475d5f938d8

SHA256
a126da2b5f53cdbe86d7a617de70f2d33453dd8930c41c19e37004d6c6f18b13

SHA512
e0759cc9a06a757a5e8ffcc924392e5359f845d9929889e35caadacedf3ce21981314d82293995c3f68a3874a43707e37223d2c7bef4bdd26b149a1fccad0f5a

Download Submit
C:\Windows\System\nowMiHn.exe

Filesize
5.2MB

MD5
1bee44b2d29e8c33bd794ba36b26b32e

SHA1
7a6a3cc7ba9491a52e7a7fd63ada0632d7d512f4

SHA256
51573c492929b65aaace136883f5341b54efd318f55338a602fe899c50d9b787

SHA512
12d9ea08fecb4e8a8845b1295a630b20ec38b45334696ef59ea74477cd59865e8a1841ed1c0813c8497c890a49e3adbf07b1ac1074ff896e818a605f09aecce2

Download Submit
C:\Windows\System\pnelOiR.exe

Filesize
5.2MB

MD5
82f1657dcf14e8f90d482f4c0213c825

SHA1
8783079119b61709c4b9989c83979427f7dbdcbe

SHA256
3dc8fc108a95c3e69155070c3a4cae68547ce8ea2716dd2a6952de1d1e4c691b

SHA512
31589b9bfe6fac2ebd51ef4058f5208018125e92ef604791459f82ba5b3f49cbbee89cd1271104433241b3b0af4ba2bb9372a5a3e46ff2ddd2a18ec50c53bb4c

Download Submit
C:\Windows\System\rERIrwk.exe

Filesize
5.2MB

MD5
931b56ebeada2ec212bb4f6aff3cafc8

SHA1
c47b42177bcd8a4d749b5be01716ca695f497d11

SHA256
c9f477b0e81119b8da71e2c0b5279a3c3be0db1b70e559fde28ab3e9a7bdcff5

SHA512
852526ee1b4f2efd8b15bee2f694ecb84facbe4947c5723d6911b6382ad989e3aeaf7ffa4dcddbc524f8f50b995c3696305b124c3678bedbb5b6838a0e9ad7a2

Download Submit
C:\Windows\System\vJKUoft.exe

Filesize
5.2MB

MD5
5f500d53181d184c91ca34c66a54c17b

SHA1
c7bbcd6afe6c3cc66555f61a7ae6593a5c56c177

SHA256
e0fa07a33b097fbfce2432dea4bedf72f90c7efc919328156978149e6074e447

SHA512
2aeeabd9b6dce87b6022de8a0fce4b01f548db17566d0466b98615e383d55cdff867203776deff6b674445246d44d0a90fd70b5e0d0c00b7858e4e52594d50a1

Download Submit
C:\Windows\System\vgOHlWR.exe

Filesize
5.2MB

MD5
7eca851e1437a477ec76a7ead0bb64c5

SHA1
07ba90b7751c758b51e3691d64ef602086d7a7d8

SHA256
0c60593661d9e355a125d34b9cf82e9a35d1d2ca71448764a3232440158f4057

SHA512
0a3322c8e7f96e7522ea414128c15e213a328a9c73fedde6c433b594f1a1748c81ea58a6b6c88ec8ae59378a53cfcae5a9978f493b0373e91a88aae70aff6041

Download Submit
C:\Windows\System\vqAivGI.exe

Filesize
5.2MB

MD5
0e7b2ccad5eb4974092f98fd91606d7b

SHA1
f5d65ccd6bf37ba0c69371dd1bd1f981f92c7e2b

SHA256
68aeea76475bf6e97d0a26b577d8b5c621ff5066109fd8fbda2182556d901dfc

SHA512
14033f764f170263791eb8a29ad12c163f06e9af3b70db30df3e6f5b06ee481b5baf6cebc5f5fa5dfb77e1105f82af6418da35630279a4a270bd36af56d230a0

Download Submit
C:\Windows\System\zwgJqLH.exe

Filesize
5.2MB

MD5
728bb2b12869e3daadb6652d2b638db5

SHA1
a09567459d179cfea052581a6bbac25ae44371fa

SHA256
46cf68a75c87a76a7fb0c39b3cec032ed9331f57dfd0c0f603624b2a707c357d

SHA512
ddaca3d4890b0e858715fbda1d188b39a68dd5143c1ca9408cdae1bf348d2569aae7aff4fa38bbd1927171e8691fb827a7738d2160adf87bb53e0dda7dd45aed

Download Submit
memory/244-127-0x00007FF77FD10000-0x00007FF780061000-memory.dmp

Filesize
3.3MB

Download
memory/244-258-0x00007FF77FD10000-0x00007FF780061000-memory.dmp

Filesize
3.3MB

Download
memory/544-132-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp

Filesize
3.3MB

Download
memory/544-220-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp

Filesize
3.3MB

Download
memory/544-35-0x00007FF7CBA10000-0x00007FF7CBD61000-memory.dmp

Filesize
3.3MB

Download
memory/996-136-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp

Filesize
3.3MB

Download
memory/996-226-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp

Filesize
3.3MB

Download
memory/996-52-0x00007FF74D720000-0x00007FF74DA71000-memory.dmp

Filesize
3.3MB

Download
memory/1188-228-0x00007FF798240000-0x00007FF798591000-memory.dmp

Filesize
3.3MB

Download
memory/1188-135-0x00007FF798240000-0x00007FF798591000-memory.dmp

Filesize
3.3MB

Download
memory/1188-39-0x00007FF798240000-0x00007FF798591000-memory.dmp

Filesize
3.3MB

Download
memory/1436-233-0x00007FF61C150000-0x00007FF61C4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-118-0x00007FF61C150000-0x00007FF61C4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1524-256-0x00007FF766B10000-0x00007FF766E61000-memory.dmp

Filesize
3.3MB

Download
memory/1524-124-0x00007FF766B10000-0x00007FF766E61000-memory.dmp

Filesize
3.3MB

Download
memory/1928-140-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp

Filesize
3.3MB

Download
memory/1928-76-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp

Filesize
3.3MB

Download
memory/1928-236-0x00007FF7DACB0000-0x00007FF7DB001000-memory.dmp

Filesize
3.3MB

Download
memory/2012-254-0x00007FF6FFAD0000-0x00007FF6FFE21000-memory.dmp

Filesize
3.3MB

Download
memory/2012-122-0x00007FF6FFAD0000-0x00007FF6FFE21000-memory.dmp

Filesize
3.3MB

Download
memory/2188-250-0x00007FF7724D0000-0x00007FF772821000-memory.dmp

Filesize
3.3MB

Download
memory/2188-121-0x00007FF7724D0000-0x00007FF772821000-memory.dmp

Filesize
3.3MB

Download
memory/2876-247-0x00007FF6BD8A0000-0x00007FF6BDBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-125-0x00007FF6BD8A0000-0x00007FF6BDBF1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-248-0x00007FF7434A0000-0x00007FF7437F1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-126-0x00007FF7434A0000-0x00007FF7437F1000-memory.dmp

Filesize
3.3MB

Download
memory/3392-225-0x00007FF72A500000-0x00007FF72A851000-memory.dmp

Filesize
3.3MB

Download
memory/3392-79-0x00007FF72A500000-0x00007FF72A851000-memory.dmp

Filesize
3.3MB

Download
memory/3524-1-0x00000191CE820000-0x00000191CE830000-memory.dmp

Filesize
64KB

Download
memory/3524-128-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp

Filesize
3.3MB

Download
memory/3524-150-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp

Filesize
3.3MB

Download
memory/3524-151-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp

Filesize
3.3MB

Download
memory/3524-0-0x00007FF6286E0000-0x00007FF628A31000-memory.dmp

Filesize
3.3MB

Download
memory/3672-89-0x00007FF7733F0000-0x00007FF773741000-memory.dmp

Filesize
3.3MB

Download
memory/3672-222-0x00007FF7733F0000-0x00007FF773741000-memory.dmp

Filesize
3.3MB

Download
memory/3832-214-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp

Filesize
3.3MB

Download
memory/3832-129-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp

Filesize
3.3MB

Download
memory/3832-6-0x00007FF7A34C0000-0x00007FF7A3811000-memory.dmp

Filesize
3.3MB

Download
memory/3932-130-0x00007FF6880D0000-0x00007FF688421000-memory.dmp

Filesize
3.3MB

Download
memory/3932-24-0x00007FF6880D0000-0x00007FF688421000-memory.dmp

Filesize
3.3MB

Download
memory/3932-218-0x00007FF6880D0000-0x00007FF688421000-memory.dmp

Filesize
3.3MB

Download
memory/4040-231-0x00007FF6B4CF0000-0x00007FF6B5041000-memory.dmp

Filesize
3.3MB

Download
memory/4040-100-0x00007FF6B4CF0000-0x00007FF6B5041000-memory.dmp

Filesize
3.3MB

Download
memory/4312-120-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp

Filesize
3.3MB

Download
memory/4312-245-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp

Filesize
3.3MB

Download
memory/4432-234-0x00007FF683620000-0x00007FF683971000-memory.dmp

Filesize
3.3MB

Download
memory/4432-62-0x00007FF683620000-0x00007FF683971000-memory.dmp

Filesize
3.3MB

Download
memory/4432-138-0x00007FF683620000-0x00007FF683971000-memory.dmp

Filesize
3.3MB

Download
memory/4784-88-0x00007FF62D650000-0x00007FF62D9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-216-0x00007FF62D650000-0x00007FF62D9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-119-0x00007FF67E600000-0x00007FF67E951000-memory.dmp

Filesize
3.3MB

Download
memory/4844-242-0x00007FF67E600000-0x00007FF67E951000-memory.dmp

Filesize
3.3MB

Download
memory/4968-123-0x00007FF7FDC00000-0x00007FF7FDF51000-memory.dmp

Filesize
3.3MB

Download
memory/4968-252-0x00007FF7FDC00000-0x00007FF7FDF51000-memory.dmp

Filesize
3.3MB

Download