cobaltstrike | 7ecab2cd297bc06b35d70462131e739a3a79ff871d94ce8f260da74a9f41ac2c

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7d161686a474232a0464bd3e13c487ec
SHA1

1ab7cecd2c9b569076677251ecf8dc8a9f9d22ff
SHA256

7ecab2cd297bc06b35d70462131e739a3a79ff871d94ce8f260da74a9f41ac2c
SHA512

7e371171e894680a182e8300030fc8d534473d6685479f6da761a6a064d1f78de32fc6c4a947b4eeb67f2aea6d7ee0abf58d02cb824732399dfba6d122ae29da
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lU1

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234ae-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-13.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-21.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-38.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-107.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234af-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-94.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-68.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2136-100-0x00007FF713070000-0x00007FF7133C1000-memory.dmp	xmrig
behavioral2/memory/1504-110-0x00007FF60BE40000-0x00007FF60C191000-memory.dmp	xmrig
behavioral2/memory/3180-101-0x00007FF60CE40000-0x00007FF60D191000-memory.dmp	xmrig
behavioral2/memory/3048-84-0x00007FF7D6B40000-0x00007FF7D6E91000-memory.dmp	xmrig
behavioral2/memory/1356-81-0x00007FF650710000-0x00007FF650A61000-memory.dmp	xmrig
behavioral2/memory/2544-80-0x00007FF74EF10000-0x00007FF74F261000-memory.dmp	xmrig
behavioral2/memory/4632-74-0x00007FF63F2E0000-0x00007FF63F631000-memory.dmp	xmrig
behavioral2/memory/5044-73-0x00007FF628290000-0x00007FF6285E1000-memory.dmp	xmrig
behavioral2/memory/4904-64-0x00007FF722C80000-0x00007FF722FD1000-memory.dmp	xmrig
behavioral2/memory/1096-115-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp	xmrig
behavioral2/memory/4428-114-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp	xmrig
behavioral2/memory/4288-129-0x00007FF7645E0000-0x00007FF764931000-memory.dmp	xmrig
behavioral2/memory/4352-130-0x00007FF69C280000-0x00007FF69C5D1000-memory.dmp	xmrig
behavioral2/memory/4428-131-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp	xmrig
behavioral2/memory/4704-132-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp	xmrig
behavioral2/memory/4284-138-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp	xmrig
behavioral2/memory/3692-137-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	xmrig
behavioral2/memory/2136-146-0x00007FF713070000-0x00007FF7133C1000-memory.dmp	xmrig
behavioral2/memory/3996-150-0x00007FF6B0930000-0x00007FF6B0C81000-memory.dmp	xmrig
behavioral2/memory/3176-149-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	xmrig
behavioral2/memory/3500-136-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp	xmrig
behavioral2/memory/3096-145-0x00007FF60BF20000-0x00007FF60C271000-memory.dmp	xmrig
behavioral2/memory/1200-151-0x00007FF6C26D0000-0x00007FF6C2A21000-memory.dmp	xmrig
behavioral2/memory/4596-152-0x00007FF67CBB0000-0x00007FF67CF01000-memory.dmp	xmrig
behavioral2/memory/4428-154-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp	xmrig
behavioral2/memory/1096-208-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp	xmrig
behavioral2/memory/4288-210-0x00007FF7645E0000-0x00007FF764931000-memory.dmp	xmrig
behavioral2/memory/4704-212-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp	xmrig
behavioral2/memory/3500-214-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp	xmrig
behavioral2/memory/3692-227-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	xmrig
behavioral2/memory/4284-231-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp	xmrig
behavioral2/memory/4904-233-0x00007FF722C80000-0x00007FF722FD1000-memory.dmp	xmrig
behavioral2/memory/2544-230-0x00007FF74EF10000-0x00007FF74F261000-memory.dmp	xmrig
behavioral2/memory/1356-236-0x00007FF650710000-0x00007FF650A61000-memory.dmp	xmrig
behavioral2/memory/5044-237-0x00007FF628290000-0x00007FF6285E1000-memory.dmp	xmrig
behavioral2/memory/4632-239-0x00007FF63F2E0000-0x00007FF63F631000-memory.dmp	xmrig
behavioral2/memory/3180-243-0x00007FF60CE40000-0x00007FF60D191000-memory.dmp	xmrig
behavioral2/memory/2136-242-0x00007FF713070000-0x00007FF7133C1000-memory.dmp	xmrig
behavioral2/memory/3176-247-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	xmrig
behavioral2/memory/3048-253-0x00007FF7D6B40000-0x00007FF7D6E91000-memory.dmp	xmrig
behavioral2/memory/3096-252-0x00007FF60BF20000-0x00007FF60C271000-memory.dmp	xmrig
behavioral2/memory/3996-249-0x00007FF6B0930000-0x00007FF6B0C81000-memory.dmp	xmrig
behavioral2/memory/1504-246-0x00007FF60BE40000-0x00007FF60C191000-memory.dmp	xmrig
behavioral2/memory/1200-257-0x00007FF6C26D0000-0x00007FF6C2A21000-memory.dmp	xmrig
behavioral2/memory/4352-260-0x00007FF69C280000-0x00007FF69C5D1000-memory.dmp	xmrig
behavioral2/memory/4596-261-0x00007FF67CBB0000-0x00007FF67CF01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1096	ObXecXs.exe
4288	tBEsntV.exe
4704	Onfssce.exe
3500	HYGRaTH.exe
3692	vHyDhoa.exe
4284	SUeJNvY.exe
2544	esoZANx.exe
4904	PDxSJVo.exe
5044	szuptHp.exe
1356	lfIPyYp.exe
4632	HSvtWzM.exe
3048	oLzpeBy.exe
3096	uPLTJbT.exe
2136	ssgcuKG.exe
3180	ybgMquk.exe
1504	HIZJNiI.exe
3176	lgWeZml.exe
3996	YaKCJSk.exe
1200	EalsGfn.exe
4596	pplpOfP.exe
4352	ylwssSD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4428-0-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp	upx
behavioral2/files/0x00080000000234ae-4.dat	upx
behavioral2/memory/1096-11-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp	upx
behavioral2/files/0x00070000000234b2-13.dat	upx
behavioral2/files/0x00070000000234b3-22.dat	upx
behavioral2/files/0x00070000000234b4-21.dat	upx
behavioral2/memory/4704-19-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp	upx
behavioral2/memory/4288-12-0x00007FF7645E0000-0x00007FF764931000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-38.dat	upx
behavioral2/files/0x00070000000234b5-37.dat	upx
behavioral2/files/0x00070000000234ba-66.dat	upx
behavioral2/files/0x00070000000234be-79.dat	upx
behavioral2/files/0x00070000000234bd-83.dat	upx
behavioral2/memory/3096-89-0x00007FF60BF20000-0x00007FF60C271000-memory.dmp	upx
behavioral2/memory/2136-100-0x00007FF713070000-0x00007FF7133C1000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-105.dat	upx
behavioral2/memory/1504-110-0x00007FF60BE40000-0x00007FF60C191000-memory.dmp	upx
behavioral2/memory/3996-109-0x00007FF6B0930000-0x00007FF6B0C81000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-107.dat	upx
behavioral2/files/0x00080000000234af-103.dat	upx
behavioral2/memory/3176-102-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	upx
behavioral2/memory/3180-101-0x00007FF60CE40000-0x00007FF60D191000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-94.dat	upx
behavioral2/memory/3048-84-0x00007FF7D6B40000-0x00007FF7D6E91000-memory.dmp	upx
behavioral2/memory/1356-81-0x00007FF650710000-0x00007FF650A61000-memory.dmp	upx
behavioral2/memory/2544-80-0x00007FF74EF10000-0x00007FF74F261000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-75.dat	upx
behavioral2/memory/4632-74-0x00007FF63F2E0000-0x00007FF63F631000-memory.dmp	upx
behavioral2/memory/5044-73-0x00007FF628290000-0x00007FF6285E1000-memory.dmp	upx
behavioral2/files/0x00070000000234bb-68.dat	upx
behavioral2/memory/4904-64-0x00007FF722C80000-0x00007FF722FD1000-memory.dmp	upx
behavioral2/files/0x00070000000234b8-54.dat	upx
behavioral2/files/0x00070000000234b9-61.dat	upx
behavioral2/files/0x00070000000234b6-52.dat	upx
behavioral2/memory/4284-51-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp	upx
behavioral2/memory/3692-50-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	upx
behavioral2/memory/3500-30-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-118.dat	upx
behavioral2/memory/1096-115-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-121.dat	upx
behavioral2/memory/4596-125-0x00007FF67CBB0000-0x00007FF67CF01000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-124.dat	upx
behavioral2/memory/1200-119-0x00007FF6C26D0000-0x00007FF6C2A21000-memory.dmp	upx
behavioral2/memory/4428-114-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp	upx
behavioral2/memory/4288-129-0x00007FF7645E0000-0x00007FF764931000-memory.dmp	upx
behavioral2/memory/4352-130-0x00007FF69C280000-0x00007FF69C5D1000-memory.dmp	upx
behavioral2/memory/4428-131-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp	upx
behavioral2/memory/4704-132-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp	upx
behavioral2/memory/4284-138-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp	upx
behavioral2/memory/3692-137-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	upx
behavioral2/memory/2136-146-0x00007FF713070000-0x00007FF7133C1000-memory.dmp	upx
behavioral2/memory/3996-150-0x00007FF6B0930000-0x00007FF6B0C81000-memory.dmp	upx
behavioral2/memory/3176-149-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	upx
behavioral2/memory/3500-136-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp	upx
behavioral2/memory/3096-145-0x00007FF60BF20000-0x00007FF60C271000-memory.dmp	upx
behavioral2/memory/1200-151-0x00007FF6C26D0000-0x00007FF6C2A21000-memory.dmp	upx
behavioral2/memory/4596-152-0x00007FF67CBB0000-0x00007FF67CF01000-memory.dmp	upx
behavioral2/memory/4428-154-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp	upx
behavioral2/memory/1096-208-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp	upx
behavioral2/memory/4288-210-0x00007FF7645E0000-0x00007FF764931000-memory.dmp	upx
behavioral2/memory/4704-212-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp	upx
behavioral2/memory/3500-214-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp	upx
behavioral2/memory/3692-227-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	upx
behavioral2/memory/4284-231-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ssgcuKG.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HIZJNiI.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgWeZml.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uPLTJbT.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ybgMquk.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Onfssce.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HYGRaTH.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vHyDhoa.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\szuptHp.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lfIPyYp.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YaKCJSk.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ylwssSD.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ObXecXs.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SUeJNvY.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PDxSJVo.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLzpeBy.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EalsGfn.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pplpOfP.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tBEsntV.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\esoZANx.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSvtWzM.exe	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 1096	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4428 wrote to memory of 1096	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4428 wrote to memory of 4288	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4428 wrote to memory of 4288	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4428 wrote to memory of 4704	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4428 wrote to memory of 4704	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4428 wrote to memory of 3500	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4428 wrote to memory of 3500	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4428 wrote to memory of 3692	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4428 wrote to memory of 3692	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4428 wrote to memory of 4284	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4428 wrote to memory of 4284	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4428 wrote to memory of 2544	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4428 wrote to memory of 2544	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4428 wrote to memory of 4904	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4428 wrote to memory of 4904	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4428 wrote to memory of 5044	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4428 wrote to memory of 5044	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4428 wrote to memory of 1356	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4428 wrote to memory of 1356	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4428 wrote to memory of 4632	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4428 wrote to memory of 4632	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4428 wrote to memory of 3048	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4428 wrote to memory of 3048	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4428 wrote to memory of 3096	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4428 wrote to memory of 3096	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4428 wrote to memory of 2136	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4428 wrote to memory of 2136	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4428 wrote to memory of 3180	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4428 wrote to memory of 3180	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4428 wrote to memory of 1504	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4428 wrote to memory of 1504	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4428 wrote to memory of 3176	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4428 wrote to memory of 3176	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4428 wrote to memory of 3996	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4428 wrote to memory of 3996	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4428 wrote to memory of 1200	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4428 wrote to memory of 1200	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4428 wrote to memory of 4596	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4428 wrote to memory of 4596	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4428 wrote to memory of 4352	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4428 wrote to memory of 4352	4428	2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_7d161686a474232a0464bd3e13c487ec_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\System\ObXecXs.exe
  C:\Windows\System\ObXecXs.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\tBEsntV.exe
  C:\Windows\System\tBEsntV.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\Onfssce.exe
  C:\Windows\System\Onfssce.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\HYGRaTH.exe
  C:\Windows\System\HYGRaTH.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\vHyDhoa.exe
  C:\Windows\System\vHyDhoa.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\SUeJNvY.exe
  C:\Windows\System\SUeJNvY.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\esoZANx.exe
  C:\Windows\System\esoZANx.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\PDxSJVo.exe
  C:\Windows\System\PDxSJVo.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\szuptHp.exe
  C:\Windows\System\szuptHp.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\lfIPyYp.exe
  C:\Windows\System\lfIPyYp.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\HSvtWzM.exe
  C:\Windows\System\HSvtWzM.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\oLzpeBy.exe
  C:\Windows\System\oLzpeBy.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\uPLTJbT.exe
  C:\Windows\System\uPLTJbT.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\ssgcuKG.exe
  C:\Windows\System\ssgcuKG.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\ybgMquk.exe
  C:\Windows\System\ybgMquk.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\HIZJNiI.exe
  C:\Windows\System\HIZJNiI.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\lgWeZml.exe
  C:\Windows\System\lgWeZml.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\YaKCJSk.exe
  C:\Windows\System\YaKCJSk.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\EalsGfn.exe
  C:\Windows\System\EalsGfn.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\pplpOfP.exe
  C:\Windows\System\pplpOfP.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\ylwssSD.exe
  C:\Windows\System\ylwssSD.exe
  2⤵
  - Executes dropped EXE
  PID:4352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EalsGfn.exe

Filesize
5.2MB

MD5
3af81a9fba7a75941614664249237cdb

SHA1
d960fb3014355af1d27b518fa047d7f88a911f3c

SHA256
7f7f68ae7a14c952faf322fb3aaae31800ebc0621e6276804c5dcdd5cb5fd10a

SHA512
6acc1e2c01532eaffc131176efcd24844f55295ef4ce0bfd073871fbb619f174d9c20396cb78d4446dee7d677ceaa5cb4dc84905731544ec07e6c4f9d7512b20

Download Submit
C:\Windows\System\HIZJNiI.exe

Filesize
5.2MB

MD5
5b2415a51b1ec834fb4481693974395f

SHA1
a3d728b468f2944aedd1a7b80173d8fe32ea7ab6

SHA256
fb926b6ba3c3d95de06aaff299c8c4e3dcc116ec0d9209d447c86c88d2444806

SHA512
e2a59cf99c1b0c509e430ad610b44e217a86698a123a3cdaa0a1e391ca8a05aa9a4d98d9d16a4d91a6f6025ed6beeb5e531e3f06d2bc24cd1050685feddc424e

Download Submit
C:\Windows\System\HSvtWzM.exe

Filesize
5.2MB

MD5
7cdc30fa442887adcbeddaf309846bcb

SHA1
3fcdb8dc56869a18d48314788235c346742e3306

SHA256
8166c65ed5472317283906ff6202dba75ca9ecf59f5fbdbd54dad99aaf71b940

SHA512
48a6ef9fb0d78466622f6abccfd6cb3b0b6104640c6d8ee365ae7036483ca905d7b25bd856cc55b9b6b14d09b998e17f03b43354e674b317b4cb711fa7602b46

Download Submit
C:\Windows\System\HYGRaTH.exe

Filesize
5.2MB

MD5
7a9c49751d3897e9b5c767203b145d2f

SHA1
f160904aa9314a8d13864587fe59398ca39d811b

SHA256
805b9c960a3569d5537bc0d40f51c5feb7ab850b718ebef83d04f80b0faceb22

SHA512
6d13d34ba5624c1b17d9c73d7803394be463c61045f443421c41b19d31e50025ffe06baf403757615a8379a409aab04ae4ec8a6e2899718b80265c49057caccb

Download Submit
C:\Windows\System\ObXecXs.exe

Filesize
5.2MB

MD5
f16cf5c090ac2ca50b7adddde617385c

SHA1
fdb86cc3aeb6c5f8f08a3436dd50a75b050e0e8a

SHA256
b2c85f1af5d794eff14d8afca2e065c30ab4129852909e90ff60828c4a46b954

SHA512
49335347f2ad6948d2da62f071629a65df323fbb9322f8afe9e942fe2dd07090c8ed7abfa2e93bb7728fd1ea8670a5db8a399f40677646adc11f29cd36568394

Download Submit
C:\Windows\System\Onfssce.exe

Filesize
5.2MB

MD5
124bd4514f3b9e7e41d3a927f2944cb1

SHA1
142694117ed8b13b9633457de533e2d76d9261df

SHA256
8d9de79b289ad1905fcc14af0db8c12db246e2a279c359549469826107c99eab

SHA512
ac437dc7eb3defcc68051f70a68707ddf85a6087200385258418c1433044cf3296a301c388f8cd3ef4cc76d7b1a24656d9ffbc11e7b80953582bb66edd1db3a7

Download Submit
C:\Windows\System\PDxSJVo.exe

Filesize
5.2MB

MD5
77c442468d7dbde4524281043079a0bc

SHA1
23b52b81dd2a5501cc390580941e1401a00273ed

SHA256
c331e88d65b77b66fd8da7ff305669f51d69638600afd75a2cc94e20c03759ef

SHA512
cabe0cc36a545aaafe1b2ce85b808c0b4a1bf949f36d239b0d725da69483d3994e7969be2db1484e2a5ea1201cda95aae53c9a5d570297efd6c830b0a8a3c96e

Download Submit
C:\Windows\System\SUeJNvY.exe

Filesize
5.2MB

MD5
ee534e0efc42a836904dc436b01a9907

SHA1
e7d6b2cd3ec65cbab9e6bce222bff271d5e89183

SHA256
69fb4597dff3d8014f41ff78179b177c6cc061ea23683e457c662d364cdcfc0a

SHA512
e922d4e34b1d7743f6411c9936071984f56e6a3c744cb43a0370d0bd4745c300b817d445deec4717a40c3fe35418dbd18e38eb45de3d53940e78000b5e55b9d7

Download Submit
C:\Windows\System\YaKCJSk.exe

Filesize
5.2MB

MD5
8137d75df54fd9e59141ab84c02b9b0f

SHA1
6b4bb509091d3a110b19da44ea2f42df158825db

SHA256
a93b7b2f82d73213bc5435a5041f7e2a1ea880c32b1bc914ee73526861cf2d6d

SHA512
fbb1a5e1c4961e4588ff14370b664a253f00165c71e2a085d8e403dc317fabc60e40d65686b2221cdffa8e8f480a91d7ebd2e5150605a607a90c095fc1e22409

Download Submit
C:\Windows\System\esoZANx.exe

Filesize
5.2MB

MD5
0714c52f7a762b309c5d609d8b004eaa

SHA1
414c17fafbf328983078f17b566187db557d8a98

SHA256
c4f92c90d7beb7050f43d921b8a69ae8d3b86496f926015a3faef69753dba762

SHA512
07de0a766f40c8179beaaf7a9c769a37cb6f0d54022eb282454aef593738f1ffc1576d2ebfaf9db3a19aca3bdd7a577dde845e084b5a8de23a91dd4e9f7d9782

Download Submit
C:\Windows\System\lfIPyYp.exe

Filesize
5.2MB

MD5
7d8598739c9562bbe60227df792122bd

SHA1
8eedb156133dfcbcd79f26160dc5392fe117f437

SHA256
f58349700bd4fc2168e3708dba0b91ebd8681e82d85c8cd313275ed68ccd9519

SHA512
ea449d77dc2f190d5e1552ea07e4649c3e344c545c16b38fd1f17adb24141224149692734f447bd67a2059ea226d85bb64356d20a1379e55eb6cd40ac164de33

Download Submit
C:\Windows\System\lgWeZml.exe

Filesize
5.2MB

MD5
5432aff88106c84e1a27863a0158d275

SHA1
2d1c5c1cbd916eb2cb13691b0af7a8f3dd823248

SHA256
545a4080bc819033647fb9d04899553650d6e7e91a1c1b6c714d9064cf2a4e27

SHA512
1eb7650b7a7352c85693d8e221a81a3d2c2eb19cb8d62076a7dbb48b2081d2b16a356fd30e9670dc55ba003513beee6b89699569227f860c9bc80a1f0d2b17c9

Download Submit
C:\Windows\System\oLzpeBy.exe

Filesize
5.2MB

MD5
76fa8e4e0a92c4d7fa30b4ca9a75a2ae

SHA1
829f702e9da5441311d1767b28b9df8f2cb7a6bd

SHA256
69e581e6b3ff356230140d04726cb4a6cfe28a34862c89d98507bc4aca0db744

SHA512
b23ee6ef7dafbfe90030793519702dd8eae3ef864027e43bb640688d1485484cd341558865ede83a3b86bac3b1c95943edd51514e53dc863e36a38ef1738defd

Download Submit
C:\Windows\System\pplpOfP.exe

Filesize
5.2MB

MD5
8e8c9b37dee773f16cf2fd4b30440ff3

SHA1
f4fdce9f72bb4772bbd7e2afa38835a7007bdcc0

SHA256
4ef3fbb69178db453ef71643f7b0bca3121efab67171fa279750e4eb2cfb06ca

SHA512
9b2c6b9178309657cd11e9691769aa8ce56b5cdbb4402987ceb840055d635c6dbc7bb0887b52bee97b2895289432e86ff9013d5e232122508870ddad0be296c6

Download Submit
C:\Windows\System\ssgcuKG.exe

Filesize
5.2MB

MD5
41189957aeb32bc536337f9a7d5c6926

SHA1
b379ffce3d5342bd86f177d03843e7dcd5ff6a19

SHA256
cf2bb0a182230663a13c513a71bf6c63b61aedf9afb492abca091452534e8d55

SHA512
46233a8eb9fcd761bf5feddb16514a2e1174714d84943c7ebc5a1f23059827bfb3a2f22ccab2e82f327f4b4302aed882c69eb3bbb4507242e37e5ff45e2dd2a5

Download Submit
C:\Windows\System\szuptHp.exe

Filesize
5.2MB

MD5
d9d303f9e1e31ac4956a3008fabd9909

SHA1
8996c08d523589170e65c6adaa067c6a2d574a33

SHA256
86ab37147e678f6b906646c834ea2c957327c284d8d809fd5c9cf19dab7165cf

SHA512
e42c4f1399265b542a2cf355f913f7895e2f74fe5afd343ec3350bed5f9e4ee2dc4428abc3263d7995ffa16a2e6ca038199e72f7009371ed8b6cef1c79daf7fc

Download Submit
C:\Windows\System\tBEsntV.exe

Filesize
5.2MB

MD5
9a00b428c985d8e0f77c781ee3407380

SHA1
06c0230cd2fa2eb1cbd24bbe5822c50e939613de

SHA256
adb94533096513a96784b4c6156ab74c5ab80fa527a9eb979f62ee592e11aa09

SHA512
68bdc2f1bf19fd6ce5d0025b6f1ad0ec0cf9e3852796eacebad90ae60453135138fa48b09be6b2da33c4308d68204baf10fc28235e08580d6f2c7de3f34e7bdf

Download Submit
C:\Windows\System\uPLTJbT.exe

Filesize
5.2MB

MD5
ad90dd74c6d85367dce459e127063b3b

SHA1
2bd41a79917af97799f13345a8931afbea641eb9

SHA256
c22fdb2cc1e91ad3af0c3aca37d7a158851d53e59d436bbef62a7344dd1bedc3

SHA512
27d8640bf7c6aa381ffe8e7702d29a6a1ab2ce42cf2bca7dbbcfc24878fa25a3930996793837e18c90721c0aa2f031c0b8fd3e7c099b43cd8b1277c677e7eb1c

Download Submit
C:\Windows\System\vHyDhoa.exe

Filesize
5.2MB

MD5
eeb440834cb411bc3866d871eb6edc10

SHA1
44df529382eb71052d18e3e72273be3b09364efa

SHA256
cd37d0e2bee92c09744503d3ecc01387b70b7a6cdc8ea737edbfeec4f0232f05

SHA512
c55f753ab65e783b86cd5aa458cdb0ed46e75c3c630b3baa47f551c268effc7cef33244c54155d1eba3e9e306b59d4751e9d3edf8ecfddab296005764c639614

Download Submit
C:\Windows\System\ybgMquk.exe

Filesize
5.2MB

MD5
f71bde823a1c1b2b2e59325003dfc9ab

SHA1
5dcbd6cf821bf5bb22ee047a039dc3306ce68ccb

SHA256
9c1690cf4ea6a0bd6a2d310d2027c25c8d5088d2c3497cece2dbf786baf23d57

SHA512
4a5a6d541d781bb697001f6355f4cdb0b2110cf1bd2f1e81d590322c6c0836420e723c02ba7a91a65f703927c9bf6083e6b82b9f1e711c72caa07225bb1fe072

Download Submit
C:\Windows\System\ylwssSD.exe

Filesize
5.2MB

MD5
a8b5640375dec50022af3efd0d652fa6

SHA1
f7309a78436492dc692dae3bd7c156441ec31528

SHA256
4135f7197196890f25b6720b91499e8df70526fbf595ce7c1ef45d85e1ee5d76

SHA512
b857006c21e5c08ccfb1dd4756d19878280c67a522d0adde1b5e2f10e790f4e0f1600631c831ffe82a4303531ff2994f87b2bbc5882a3417f2374794c0c62948

Download Submit
memory/1096-115-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1096-208-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1096-11-0x00007FF7D6A60000-0x00007FF7D6DB1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-151-0x00007FF6C26D0000-0x00007FF6C2A21000-memory.dmp

Filesize
3.3MB

Download
memory/1200-119-0x00007FF6C26D0000-0x00007FF6C2A21000-memory.dmp

Filesize
3.3MB

Download
memory/1200-257-0x00007FF6C26D0000-0x00007FF6C2A21000-memory.dmp

Filesize
3.3MB

Download
memory/1356-236-0x00007FF650710000-0x00007FF650A61000-memory.dmp

Filesize
3.3MB

Download
memory/1356-81-0x00007FF650710000-0x00007FF650A61000-memory.dmp

Filesize
3.3MB

Download
memory/1504-246-0x00007FF60BE40000-0x00007FF60C191000-memory.dmp

Filesize
3.3MB

Download
memory/1504-110-0x00007FF60BE40000-0x00007FF60C191000-memory.dmp

Filesize
3.3MB

Download
memory/2136-100-0x00007FF713070000-0x00007FF7133C1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-146-0x00007FF713070000-0x00007FF7133C1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-242-0x00007FF713070000-0x00007FF7133C1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-80-0x00007FF74EF10000-0x00007FF74F261000-memory.dmp

Filesize
3.3MB

Download
memory/2544-230-0x00007FF74EF10000-0x00007FF74F261000-memory.dmp

Filesize
3.3MB

Download
memory/3048-253-0x00007FF7D6B40000-0x00007FF7D6E91000-memory.dmp

Filesize
3.3MB

Download
memory/3048-84-0x00007FF7D6B40000-0x00007FF7D6E91000-memory.dmp

Filesize
3.3MB

Download
memory/3096-252-0x00007FF60BF20000-0x00007FF60C271000-memory.dmp

Filesize
3.3MB

Download
memory/3096-145-0x00007FF60BF20000-0x00007FF60C271000-memory.dmp

Filesize
3.3MB

Download
memory/3096-89-0x00007FF60BF20000-0x00007FF60C271000-memory.dmp

Filesize
3.3MB

Download
memory/3176-247-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp

Filesize
3.3MB

Download
memory/3176-102-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp

Filesize
3.3MB

Download
memory/3176-149-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp

Filesize
3.3MB

Download
memory/3180-101-0x00007FF60CE40000-0x00007FF60D191000-memory.dmp

Filesize
3.3MB

Download
memory/3180-243-0x00007FF60CE40000-0x00007FF60D191000-memory.dmp

Filesize
3.3MB

Download
memory/3500-30-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-214-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3500-136-0x00007FF7F1C50000-0x00007FF7F1FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3692-137-0x00007FF6950B0000-0x00007FF695401000-memory.dmp

Filesize
3.3MB

Download
memory/3692-227-0x00007FF6950B0000-0x00007FF695401000-memory.dmp

Filesize
3.3MB

Download
memory/3692-50-0x00007FF6950B0000-0x00007FF695401000-memory.dmp

Filesize
3.3MB

Download
memory/3996-109-0x00007FF6B0930000-0x00007FF6B0C81000-memory.dmp

Filesize
3.3MB

Download
memory/3996-150-0x00007FF6B0930000-0x00007FF6B0C81000-memory.dmp

Filesize
3.3MB

Download
memory/3996-249-0x00007FF6B0930000-0x00007FF6B0C81000-memory.dmp

Filesize
3.3MB

Download
memory/4284-51-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-138-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-231-0x00007FF725E80000-0x00007FF7261D1000-memory.dmp

Filesize
3.3MB

Download
memory/4288-129-0x00007FF7645E0000-0x00007FF764931000-memory.dmp

Filesize
3.3MB

Download
memory/4288-12-0x00007FF7645E0000-0x00007FF764931000-memory.dmp

Filesize
3.3MB

Download
memory/4288-210-0x00007FF7645E0000-0x00007FF764931000-memory.dmp

Filesize
3.3MB

Download
memory/4352-130-0x00007FF69C280000-0x00007FF69C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4352-260-0x00007FF69C280000-0x00007FF69C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-114-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-131-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-1-0x000001B524A00000-0x000001B524A10000-memory.dmp

Filesize
64KB

Download
memory/4428-154-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-0-0x00007FF67D880000-0x00007FF67DBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-152-0x00007FF67CBB0000-0x00007FF67CF01000-memory.dmp

Filesize
3.3MB

Download
memory/4596-125-0x00007FF67CBB0000-0x00007FF67CF01000-memory.dmp

Filesize
3.3MB

Download
memory/4596-261-0x00007FF67CBB0000-0x00007FF67CF01000-memory.dmp

Filesize
3.3MB

Download
memory/4632-74-0x00007FF63F2E0000-0x00007FF63F631000-memory.dmp

Filesize
3.3MB

Download
memory/4632-239-0x00007FF63F2E0000-0x00007FF63F631000-memory.dmp

Filesize
3.3MB

Download
memory/4704-212-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-132-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-19-0x00007FF7D3670000-0x00007FF7D39C1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-64-0x00007FF722C80000-0x00007FF722FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4904-233-0x00007FF722C80000-0x00007FF722FD1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-237-0x00007FF628290000-0x00007FF6285E1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-73-0x00007FF628290000-0x00007FF6285E1000-memory.dmp

Filesize
3.3MB

Download