cobaltstrike | 821aa66f2f8eecb97043b5c5ef9ab4cc754224625a6f785b3f6206686c7cd2e5

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

05fda39761feb897ac04d98ca82a19c7
SHA1

35149c37beb5761f10ad0bd567cc2d9ab5a41bfe
SHA256

821aa66f2f8eecb97043b5c5ef9ab4cc754224625a6f785b3f6206686c7cd2e5
SHA512

7fd868e71f24be478d787d8003e6cba9b69def2e7a87e5c4e1d1bcb1323540f65bf185dabac08fcbcf38b8f21e27f9a9aab57aba6dfda9710d2d8f28e81e447b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lj:RWWBibf56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002345c-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-63.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-76.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001db2f-86.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db32-106.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e69c-112.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002345d-115.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-133.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001db34-124.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e69a-118.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001db2b-88.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4412-42-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp	xmrig
behavioral2/memory/1956-67-0x00007FF600C50000-0x00007FF600FA1000-memory.dmp	xmrig
behavioral2/memory/3660-61-0x00007FF611A70000-0x00007FF611DC1000-memory.dmp	xmrig
behavioral2/memory/3320-60-0x00007FF6D92B0000-0x00007FF6D9601000-memory.dmp	xmrig
behavioral2/memory/2960-128-0x00007FF6410B0000-0x00007FF641401000-memory.dmp	xmrig
behavioral2/memory/4908-131-0x00007FF693880000-0x00007FF693BD1000-memory.dmp	xmrig
behavioral2/memory/3220-116-0x00007FF721950000-0x00007FF721CA1000-memory.dmp	xmrig
behavioral2/memory/4556-99-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp	xmrig
behavioral2/memory/520-96-0x00007FF71A6C0000-0x00007FF71AA11000-memory.dmp	xmrig
behavioral2/memory/400-92-0x00007FF7576F0000-0x00007FF757A41000-memory.dmp	xmrig
behavioral2/memory/2528-91-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp	xmrig
behavioral2/memory/1780-84-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp	xmrig
behavioral2/memory/1780-135-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp	xmrig
behavioral2/memory/4196-136-0x00007FF7386C0000-0x00007FF738A11000-memory.dmp	xmrig
behavioral2/memory/2892-148-0x00007FF623EE0000-0x00007FF624231000-memory.dmp	xmrig
behavioral2/memory/2392-149-0x00007FF668B60000-0x00007FF668EB1000-memory.dmp	xmrig
behavioral2/memory/4620-150-0x00007FF684B30000-0x00007FF684E81000-memory.dmp	xmrig
behavioral2/memory/5100-152-0x00007FF7EB7C0000-0x00007FF7EBB11000-memory.dmp	xmrig
behavioral2/memory/2596-158-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/2952-156-0x00007FF68B5B0000-0x00007FF68B901000-memory.dmp	xmrig
behavioral2/memory/2836-155-0x00007FF682930000-0x00007FF682C81000-memory.dmp	xmrig
behavioral2/memory/3560-154-0x00007FF7DC990000-0x00007FF7DCCE1000-memory.dmp	xmrig
behavioral2/memory/3724-159-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	xmrig
behavioral2/memory/1780-160-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp	xmrig
behavioral2/memory/2528-215-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp	xmrig
behavioral2/memory/4556-218-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp	xmrig
behavioral2/memory/400-219-0x00007FF7576F0000-0x00007FF757A41000-memory.dmp	xmrig
behavioral2/memory/3320-231-0x00007FF6D92B0000-0x00007FF6D9601000-memory.dmp	xmrig
behavioral2/memory/3660-230-0x00007FF611A70000-0x00007FF611DC1000-memory.dmp	xmrig
behavioral2/memory/4412-227-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp	xmrig
behavioral2/memory/3220-233-0x00007FF721950000-0x00007FF721CA1000-memory.dmp	xmrig
behavioral2/memory/520-226-0x00007FF71A6C0000-0x00007FF71AA11000-memory.dmp	xmrig
behavioral2/memory/1956-239-0x00007FF600C50000-0x00007FF600FA1000-memory.dmp	xmrig
behavioral2/memory/4908-241-0x00007FF693880000-0x00007FF693BD1000-memory.dmp	xmrig
behavioral2/memory/4196-237-0x00007FF7386C0000-0x00007FF738A11000-memory.dmp	xmrig
behavioral2/memory/2892-236-0x00007FF623EE0000-0x00007FF624231000-memory.dmp	xmrig
behavioral2/memory/2392-251-0x00007FF668B60000-0x00007FF668EB1000-memory.dmp	xmrig
behavioral2/memory/4620-253-0x00007FF684B30000-0x00007FF684E81000-memory.dmp	xmrig
behavioral2/memory/5100-255-0x00007FF7EB7C0000-0x00007FF7EBB11000-memory.dmp	xmrig
behavioral2/memory/3560-257-0x00007FF7DC990000-0x00007FF7DCCE1000-memory.dmp	xmrig
behavioral2/memory/2952-259-0x00007FF68B5B0000-0x00007FF68B901000-memory.dmp	xmrig
behavioral2/memory/2960-261-0x00007FF6410B0000-0x00007FF641401000-memory.dmp	xmrig
behavioral2/memory/2836-265-0x00007FF682930000-0x00007FF682C81000-memory.dmp	xmrig
behavioral2/memory/2596-264-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/3724-268-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2528	jDsRfVu.exe
4556	MmrIbpy.exe
400	GVfWzxk.exe
520	JOXyvcW.exe
4412	fVOfCnj.exe
3320	tDYhYUj.exe
3220	Obtwzrz.exe
3660	HJouDpI.exe
1956	YFVQBxj.exe
4908	HTfYNym.exe
4196	yEZzphE.exe
2892	zSAszTF.exe
2392	kSMFlSs.exe
4620	sleSvMM.exe
5100	tBbYJAW.exe
3560	gsWSmJT.exe
2952	iSGCmqr.exe
2836	MMnRJCK.exe
2960	wimwHpz.exe
2596	CAgrpnA.exe
3724	XBMtpvn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1780-0-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp	upx
behavioral2/files/0x000800000002345c-4.dat	upx
behavioral2/files/0x0007000000023461-9.dat	upx
behavioral2/memory/2528-7-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp	upx
behavioral2/files/0x0007000000023460-13.dat	upx
behavioral2/files/0x0007000000023464-34.dat	upx
behavioral2/memory/520-31-0x00007FF71A6C0000-0x00007FF71AA11000-memory.dmp	upx
behavioral2/memory/4412-42-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-58.dat	upx
behavioral2/files/0x0007000000023468-63.dat	upx
behavioral2/memory/4196-69-0x00007FF7386C0000-0x00007FF738A11000-memory.dmp	upx
behavioral2/files/0x000700000002346a-73.dat	upx
behavioral2/files/0x0007000000023469-71.dat	upx
behavioral2/memory/2892-70-0x00007FF623EE0000-0x00007FF624231000-memory.dmp	upx
behavioral2/memory/1956-67-0x00007FF600C50000-0x00007FF600FA1000-memory.dmp	upx
behavioral2/memory/3660-61-0x00007FF611A70000-0x00007FF611DC1000-memory.dmp	upx
behavioral2/memory/3320-60-0x00007FF6D92B0000-0x00007FF6D9601000-memory.dmp	upx
behavioral2/memory/4908-54-0x00007FF693880000-0x00007FF693BD1000-memory.dmp	upx
behavioral2/files/0x0007000000023465-53.dat	upx
behavioral2/files/0x0007000000023466-50.dat	upx
behavioral2/memory/3220-45-0x00007FF721950000-0x00007FF721CA1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-35.dat	upx
behavioral2/files/0x0007000000023463-28.dat	upx
behavioral2/memory/400-23-0x00007FF7576F0000-0x00007FF757A41000-memory.dmp	upx
behavioral2/memory/4556-15-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp	upx
behavioral2/files/0x000700000002346b-76.dat	upx
behavioral2/memory/2392-79-0x00007FF668B60000-0x00007FF668EB1000-memory.dmp	upx
behavioral2/files/0x000500000001db2f-86.dat	upx
behavioral2/files/0x000400000001db32-106.dat	upx
behavioral2/files/0x000200000001e69c-112.dat	upx
behavioral2/files/0x000800000002345d-115.dat	upx
behavioral2/memory/2960-128-0x00007FF6410B0000-0x00007FF641401000-memory.dmp	upx
behavioral2/memory/2596-129-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	upx
behavioral2/files/0x000700000002346c-133.dat	upx
behavioral2/memory/3724-132-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	upx
behavioral2/memory/4908-131-0x00007FF693880000-0x00007FF693BD1000-memory.dmp	upx
behavioral2/memory/2836-122-0x00007FF682930000-0x00007FF682C81000-memory.dmp	upx
behavioral2/files/0x000600000001db34-124.dat	upx
behavioral2/memory/2952-117-0x00007FF68B5B0000-0x00007FF68B901000-memory.dmp	upx
behavioral2/memory/3220-116-0x00007FF721950000-0x00007FF721CA1000-memory.dmp	upx
behavioral2/files/0x000200000001e69a-118.dat	upx
behavioral2/memory/3560-105-0x00007FF7DC990000-0x00007FF7DCCE1000-memory.dmp	upx
behavioral2/memory/4556-99-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp	upx
behavioral2/memory/5100-98-0x00007FF7EB7C0000-0x00007FF7EBB11000-memory.dmp	upx
behavioral2/memory/520-96-0x00007FF71A6C0000-0x00007FF71AA11000-memory.dmp	upx
behavioral2/memory/400-92-0x00007FF7576F0000-0x00007FF757A41000-memory.dmp	upx
behavioral2/memory/2528-91-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp	upx
behavioral2/memory/4620-89-0x00007FF684B30000-0x00007FF684E81000-memory.dmp	upx
behavioral2/files/0x000500000001db2b-88.dat	upx
behavioral2/memory/1780-84-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp	upx
behavioral2/memory/1780-135-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp	upx
behavioral2/memory/4196-136-0x00007FF7386C0000-0x00007FF738A11000-memory.dmp	upx
behavioral2/memory/2892-148-0x00007FF623EE0000-0x00007FF624231000-memory.dmp	upx
behavioral2/memory/2392-149-0x00007FF668B60000-0x00007FF668EB1000-memory.dmp	upx
behavioral2/memory/4620-150-0x00007FF684B30000-0x00007FF684E81000-memory.dmp	upx
behavioral2/memory/5100-152-0x00007FF7EB7C0000-0x00007FF7EBB11000-memory.dmp	upx
behavioral2/memory/2596-158-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	upx
behavioral2/memory/2952-156-0x00007FF68B5B0000-0x00007FF68B901000-memory.dmp	upx
behavioral2/memory/2836-155-0x00007FF682930000-0x00007FF682C81000-memory.dmp	upx
behavioral2/memory/3560-154-0x00007FF7DC990000-0x00007FF7DCCE1000-memory.dmp	upx
behavioral2/memory/3724-159-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp	upx
behavioral2/memory/1780-160-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp	upx
behavioral2/memory/2528-215-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp	upx
behavioral2/memory/4556-218-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YFVQBxj.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kSMFlSs.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsWSmJT.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iSGCmqr.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HJouDpI.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yEZzphE.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zSAszTF.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MMnRJCK.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tBbYJAW.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XBMtpvn.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MmrIbpy.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JOXyvcW.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fVOfCnj.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sleSvMM.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HTfYNym.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wimwHpz.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CAgrpnA.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jDsRfVu.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GVfWzxk.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tDYhYUj.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Obtwzrz.exe	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2528	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1780 wrote to memory of 2528	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1780 wrote to memory of 4556	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1780 wrote to memory of 4556	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1780 wrote to memory of 400	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1780 wrote to memory of 400	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1780 wrote to memory of 520	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1780 wrote to memory of 520	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1780 wrote to memory of 4412	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1780 wrote to memory of 4412	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1780 wrote to memory of 3320	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1780 wrote to memory of 3320	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1780 wrote to memory of 3220	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1780 wrote to memory of 3220	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1780 wrote to memory of 3660	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1780 wrote to memory of 3660	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1780 wrote to memory of 1956	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1780 wrote to memory of 1956	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1780 wrote to memory of 4908	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1780 wrote to memory of 4908	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1780 wrote to memory of 4196	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1780 wrote to memory of 4196	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1780 wrote to memory of 2892	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1780 wrote to memory of 2892	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1780 wrote to memory of 2392	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1780 wrote to memory of 2392	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1780 wrote to memory of 4620	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1780 wrote to memory of 4620	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1780 wrote to memory of 5100	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1780 wrote to memory of 5100	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1780 wrote to memory of 3560	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1780 wrote to memory of 3560	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1780 wrote to memory of 2836	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1780 wrote to memory of 2836	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1780 wrote to memory of 2952	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1780 wrote to memory of 2952	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1780 wrote to memory of 2960	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1780 wrote to memory of 2960	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1780 wrote to memory of 2596	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1780 wrote to memory of 2596	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1780 wrote to memory of 3724	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1780 wrote to memory of 3724	1780	2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_05fda39761feb897ac04d98ca82a19c7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\System\jDsRfVu.exe
  C:\Windows\System\jDsRfVu.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\MmrIbpy.exe
  C:\Windows\System\MmrIbpy.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\GVfWzxk.exe
  C:\Windows\System\GVfWzxk.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\JOXyvcW.exe
  C:\Windows\System\JOXyvcW.exe
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Windows\System\fVOfCnj.exe
  C:\Windows\System\fVOfCnj.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\tDYhYUj.exe
  C:\Windows\System\tDYhYUj.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\Obtwzrz.exe
  C:\Windows\System\Obtwzrz.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\HJouDpI.exe
  C:\Windows\System\HJouDpI.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\YFVQBxj.exe
  C:\Windows\System\YFVQBxj.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\HTfYNym.exe
  C:\Windows\System\HTfYNym.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\yEZzphE.exe
  C:\Windows\System\yEZzphE.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\zSAszTF.exe
  C:\Windows\System\zSAszTF.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\kSMFlSs.exe
  C:\Windows\System\kSMFlSs.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\sleSvMM.exe
  C:\Windows\System\sleSvMM.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\tBbYJAW.exe
  C:\Windows\System\tBbYJAW.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\gsWSmJT.exe
  C:\Windows\System\gsWSmJT.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\MMnRJCK.exe
  C:\Windows\System\MMnRJCK.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\iSGCmqr.exe
  C:\Windows\System\iSGCmqr.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\wimwHpz.exe
  C:\Windows\System\wimwHpz.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\CAgrpnA.exe
  C:\Windows\System\CAgrpnA.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\XBMtpvn.exe
  C:\Windows\System\XBMtpvn.exe
  2⤵
  - Executes dropped EXE
  PID:3724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CAgrpnA.exe

Filesize
5.2MB

MD5
928284d650ba9fad926066536ad94b2f

SHA1
e5ad832f8bd26dc2150c5b7ed630dec64167c6f9

SHA256
ddaf59d1a0de3991ab10e907c271816e73fc4e9760d2dd9ee4aada7b3a0af3e6

SHA512
355872157d8b8dfd192cdd1d6273a0b1fe87180733a1954c44e81ec6faef6ac2dce45131ae9cdaadca8eb54baa36aa13060d988a924b22d39c033a8e6762dce3

Download Submit
C:\Windows\System\GVfWzxk.exe

Filesize
5.2MB

MD5
226059eedeb30bc543dc79b39f9730c0

SHA1
5b7fbdd62921ed53749f09482b5e041feabd7601

SHA256
c28a80d4de2427f588bddd0161c454564da25f2460148871cfed8e00cbc54b33

SHA512
3b7dc22c30800f13315dacec98d381c40e14688b1e7a71f6be027cf3cc65e53320619b68693d76c1b8b10ba7f4111e1a72f056e43fb003931bcff022422dad53

Download Submit
C:\Windows\System\HJouDpI.exe

Filesize
5.2MB

MD5
4f0721482911fe35d67315888da2f55c

SHA1
e28c9317004db2b234310cffea135e7479d9821e

SHA256
d34d819c306f2046afa885e64ff359a8741213f635b90b8ff0b25eca06cb7aa5

SHA512
df74a710e5b1fa82e57fc1fe9156e2ee0e664ca7caefc4b22ac5caa68abd01ae4068268fcbba95155c04bffb847dc1bf050c09d4373ece4077511a9dc52d142f

Download Submit
C:\Windows\System\HTfYNym.exe

Filesize
5.2MB

MD5
13458b50d0cc7a6f0e95873b1510e1ee

SHA1
f45382f8009ff2ec0d2ebe9f64637230c24ccace

SHA256
7f0291061265aaeef28942664c81b0f3fb9b8cf850737b71448e35d0d6ea433f

SHA512
b484594b2eb578ef0d7449e94c25eda422db25e5d5f2c78212474e1da943e9594e7bdb93bb94450b7f94d0bd3c99d40747af270ee5ed0c1442df1ea384748e74

Download Submit
C:\Windows\System\JOXyvcW.exe

Filesize
5.2MB

MD5
669a6208c4fdbb7efb771ef8b01fa033

SHA1
bb5e88a624654800bc2511b2dc1eb278ec6b70de

SHA256
6f46423896d1915a8c57de7170fc6fda23595090a0218ab0997a165520bee688

SHA512
6653451b982af01c80cc00ee8a664a550414e808fcea831a106c72abae2d5d384d487f4746cccdd2b8b50016ef6f8a84c651aec219bf4c443544bbb695b06854

Download Submit
C:\Windows\System\MMnRJCK.exe

Filesize
5.2MB

MD5
5d8034b063522c0e64cbed8005ed28af

SHA1
ed4c1cfa42d9d7b37984f84eeef8905f040d8a83

SHA256
9ffdcf42f954840effe42d50591d87ef362dc16ac96eadc6463269f566668fdd

SHA512
629e6b81075a3fb68d7d66bf9e19393d6a1c6f9d0e67a6e0fa837a166efd96faa13ba63af0e8985c26938d3e4110f0c819b2c456a64eed09922911fe8ed6d46d

Download Submit
C:\Windows\System\MmrIbpy.exe

Filesize
5.2MB

MD5
7cfe8ac1aca5ab89bb9bd1080b34d9bb

SHA1
62d738efe1af3c01d39ae0d7e90393305775a898

SHA256
8ae8face16abeca5a8069fd67365d1f47df5962ad75d222abf112da9e4917d5f

SHA512
f7ae7f31223275963a5104c208ee87c89f4ed4c829a88720acf50a413cbd2e1769e130dcdb7ad0899b5f7993f66141228e6ebb8ddd1609a2529e020463d57187

Download Submit
C:\Windows\System\Obtwzrz.exe

Filesize
5.2MB

MD5
02bd77e470c55c663b3ebfe38313d65a

SHA1
ac5f2a789104256869f8cfea0dc97d08982235f5

SHA256
ae367fb6cd967275fc93ce1bcb9399aec81a76cb7179de7e87975b4fdacae5b3

SHA512
ddefcc313bd19e2a61257b98d58f2e6208d6b53b742fb31bee475938f8a4cecfe150cfd21b61a48be4db260726d21676f83ad82216245e2cd3eee1e5aa014a06

Download Submit
C:\Windows\System\XBMtpvn.exe

Filesize
5.2MB

MD5
7e8057bf9fa1b602dc2f81843941d3e0

SHA1
2ec246c05afcaf19b0244ca51b57988194e513aa

SHA256
8264556b76499ea51a23f490843cbf7a5ac3774c592356df1ecba83e15323cf1

SHA512
c06bc978812e539b84653bcee1b30ea5df90e6c84564f305b9c4072f175cb4e735c331271d0dfd6c1fdb1bd8d20ba8069a78936031451b14c328d3760127999d

Download Submit
C:\Windows\System\YFVQBxj.exe

Filesize
5.2MB

MD5
bca6908371e11c2dc984aa7963eb6619

SHA1
7887ea3523a232ba18b71bd13351dcba559f9f2a

SHA256
747cfa5c623ea8899d138b6fbe8b09eb807ab5ec2664e827cf35ecb6a7d9d222

SHA512
f4c5eea4c332486f0a75aad1ec90c83a1f8edb5b93bdbb61149aeb75daa2b52158a20ac473ccb299f60e5da8da6912df9b5201263c366d285e1a7898cd3dcb5d

Download Submit
C:\Windows\System\fVOfCnj.exe

Filesize
5.2MB

MD5
7da6f2d14de105ec42827255bfd7fa3e

SHA1
dba1ad14bb9d48a45e2ca482445e36bac9934fd0

SHA256
7ccb9ed6fb56a1b3f6f576d940082d505e5a2fb948be30ba47ebe66481548933

SHA512
8252101b0cf3209bf593c8aaf4a8f810635781c0004b84cbea353a6ccb5f6c0daf2cf9622e2cb9d2dc54b6e81ce918b0b5add75fcb211627cb455c89fabe598f

Download Submit
C:\Windows\System\gsWSmJT.exe

Filesize
5.2MB

MD5
273096824b5600b9fe6c58e0d5417e8a

SHA1
404dbe6639ed83ae89f59e6bad3f01ffab3a4ce7

SHA256
113f442571be7306950d55a29ce40881d3003c97424568b5c0bf729bead0eedc

SHA512
fac02d3399cb3e7b923ed4132b60f5bea724fb64e26fc04dcf842a96f3f192e31387a8c84dbbc077cacf3ad211262566390c4a648549470949958103fbf9f8b7

Download Submit
C:\Windows\System\iSGCmqr.exe

Filesize
5.2MB

MD5
57d87ed9c172b81526d75ac5c6ca560f

SHA1
c6d3c55fd5d6e464b7b2f59e2b6719e00463e02a

SHA256
1ea567575644e80cd8a4c00014666f550a6569f9710165061f99366fd4d1b2d4

SHA512
ee358778bc94d1289e727ab2cd0065b1787481ee775df19137a79297eb2a249ee83b5294d6c098d51d9e043d118b9e4cc2e003efe042e953198ed1dcb936e62d

Download Submit
C:\Windows\System\jDsRfVu.exe

Filesize
5.2MB

MD5
ed3c537679f183b1bc1fd5e9693946be

SHA1
d799fd35feebf31a536c229b2c16d7b1f36b3a14

SHA256
439f347bd7a7777c3f4169923209182a6e4ea4e3375ebdfa225e09d12cc8b66f

SHA512
1d5a1be9abfee098021e6e84cb18f89d69142659fcf6f82bdc38e4a7eb1ba0d754f628f9878d673fd52d39827ad16ff75648e99303632b497ea72ef1a9e64ffe

Download Submit
C:\Windows\System\kSMFlSs.exe

Filesize
5.2MB

MD5
7fa66a7f2db74f03221985e4abf397e6

SHA1
e9413187e08c7656cd26de5180111050208e0d8d

SHA256
576448cb353aeda3447c7538bf8544197ef16393d5d6aa5fbb7350d3e7dd6015

SHA512
2c62a3dba2281e36e431e228ccfce8d3a538b12443987c2c7e502e0cf1dc5c8f2003ed5de897f1877f10599b3a5d93ac48dc14ff0d0706223e59569e8ed6e030

Download Submit
C:\Windows\System\sleSvMM.exe

Filesize
5.2MB

MD5
ebd3e3ca6bf7acda495ddf8af41eebcd

SHA1
d725c631f9dca61ae1e2c58adf6e91d3b7b7b27e

SHA256
6482fb070bd7dd9aaf26a9257173cfaf9d4b495cbf0511334589260245a09827

SHA512
695829f7cbf54ea9a74b025aac736e3339ddae50286fde98a4e2eaae94b3171530d007f69ac7e09c2167e3610274eb5308fab08aa0aa5502c82afe767d458c5f

Download Submit
C:\Windows\System\tBbYJAW.exe

Filesize
5.2MB

MD5
7ee66aea0cb1268c6cd9bb40a994ff6a

SHA1
e59dbf3fd305e6dd85cdfacbc34888df57fe1baf

SHA256
551a6774734d5c3219b5d1120f3034770ea3b400dc0aaf0a6d3d825810469bf2

SHA512
4660f0c22ffa0cf5bca61c827d6cdaa26c9f6fe53940840eb60037cb71a46f63863de15c870fc9aff5b77f0305632efc5049b348042b4ee64e86753c81a4421d

Download Submit
C:\Windows\System\tDYhYUj.exe

Filesize
5.2MB

MD5
b9b1f2b5285df9c973708596db59ea27

SHA1
c3ac279191ed78dc32bb3d35c5042a45544d31cc

SHA256
2b2abe7ae07e4ca81a8bfc280b420ff1c93fa2ed515f0c9d33f26d203d6f5656

SHA512
a6255afdf4a763ec8dff184634dcdac1baf58cdf91599a5a1936567f4e3767e4b9458cf9ffb59eade4b60e61d2f5e0972148fd43b1d9282304d44526572dc06b

Download Submit
C:\Windows\System\wimwHpz.exe

Filesize
5.2MB

MD5
f4843a5808169b4b84f6b6bea36877fd

SHA1
cb389119f901dddf14f1896f456de44a9151b4a3

SHA256
30ee00aa914a9b03daff9a47291d620358b052129750e6d6b7941ffab6f67624

SHA512
a8c4bf019ce2f2c5735ef7ec5668d282f0e8aec46dee2850700e6103b3754ee343ec7b8016128292d4fbcd512c0ba3a10ac681f84d6b87eaf4f86b57252a891e

Download Submit
C:\Windows\System\yEZzphE.exe

Filesize
5.2MB

MD5
fdbf6e49b6c579ae23d16994bf217bc0

SHA1
937d230ff6195c0f4893d95be8293e23417e03ae

SHA256
73d2466e2c14e01edb1300e9a832dad3dfb3c64af5f626ec3cf72fdb99e1d483

SHA512
8809a90f242fcda0e95ca69772a6a526ed119bf59dffcc64bdaaba03776db41d3f020519bf52436daeef20cc6062c8e8336ec43e0e545864856e62e32b02ac46

Download Submit
C:\Windows\System\zSAszTF.exe

Filesize
5.2MB

MD5
80e434a02b7a6c2799816b80afdfcd17

SHA1
ff77f67ed6443bb0094c010a2402b1c650684a79

SHA256
bd157b7c695c28ff02d2c9a4058ba14e49b9b183849e8cf57b64e177d6f0f9fb

SHA512
17f83cd08cb40905470b6b5af8691246fddf2ba2a0033a2667c5d0a16e056b8cb4f3513dbe7fb21b46c99d9b11723d208035a0281f24bbdf57da19f8a52f922a

Download Submit
memory/400-23-0x00007FF7576F0000-0x00007FF757A41000-memory.dmp

Filesize
3.3MB

Download
memory/400-219-0x00007FF7576F0000-0x00007FF757A41000-memory.dmp

Filesize
3.3MB

Download
memory/400-92-0x00007FF7576F0000-0x00007FF757A41000-memory.dmp

Filesize
3.3MB

Download
memory/520-226-0x00007FF71A6C0000-0x00007FF71AA11000-memory.dmp

Filesize
3.3MB

Download
memory/520-96-0x00007FF71A6C0000-0x00007FF71AA11000-memory.dmp

Filesize
3.3MB

Download
memory/520-31-0x00007FF71A6C0000-0x00007FF71AA11000-memory.dmp

Filesize
3.3MB

Download
memory/1780-135-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-84-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-160-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-0-0x00007FF62B960000-0x00007FF62BCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-1-0x0000025275C30000-0x0000025275C40000-memory.dmp

Filesize
64KB

Download
memory/1956-239-0x00007FF600C50000-0x00007FF600FA1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-67-0x00007FF600C50000-0x00007FF600FA1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-149-0x00007FF668B60000-0x00007FF668EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-79-0x00007FF668B60000-0x00007FF668EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-251-0x00007FF668B60000-0x00007FF668EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-215-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-91-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-7-0x00007FF640D80000-0x00007FF6410D1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-129-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-158-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-264-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-122-0x00007FF682930000-0x00007FF682C81000-memory.dmp

Filesize
3.3MB

Download
memory/2836-265-0x00007FF682930000-0x00007FF682C81000-memory.dmp

Filesize
3.3MB

Download
memory/2836-155-0x00007FF682930000-0x00007FF682C81000-memory.dmp

Filesize
3.3MB

Download
memory/2892-148-0x00007FF623EE0000-0x00007FF624231000-memory.dmp

Filesize
3.3MB

Download
memory/2892-236-0x00007FF623EE0000-0x00007FF624231000-memory.dmp

Filesize
3.3MB

Download
memory/2892-70-0x00007FF623EE0000-0x00007FF624231000-memory.dmp

Filesize
3.3MB

Download
memory/2952-259-0x00007FF68B5B0000-0x00007FF68B901000-memory.dmp

Filesize
3.3MB

Download
memory/2952-117-0x00007FF68B5B0000-0x00007FF68B901000-memory.dmp

Filesize
3.3MB

Download
memory/2952-156-0x00007FF68B5B0000-0x00007FF68B901000-memory.dmp

Filesize
3.3MB

Download
memory/2960-128-0x00007FF6410B0000-0x00007FF641401000-memory.dmp

Filesize
3.3MB

Download
memory/2960-261-0x00007FF6410B0000-0x00007FF641401000-memory.dmp

Filesize
3.3MB

Download
memory/3220-233-0x00007FF721950000-0x00007FF721CA1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-45-0x00007FF721950000-0x00007FF721CA1000-memory.dmp

Filesize
3.3MB

Download
memory/3220-116-0x00007FF721950000-0x00007FF721CA1000-memory.dmp

Filesize
3.3MB

Download
memory/3320-231-0x00007FF6D92B0000-0x00007FF6D9601000-memory.dmp

Filesize
3.3MB

Download
memory/3320-60-0x00007FF6D92B0000-0x00007FF6D9601000-memory.dmp

Filesize
3.3MB

Download
memory/3560-154-0x00007FF7DC990000-0x00007FF7DCCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-105-0x00007FF7DC990000-0x00007FF7DCCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-257-0x00007FF7DC990000-0x00007FF7DCCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-230-0x00007FF611A70000-0x00007FF611DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-61-0x00007FF611A70000-0x00007FF611DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3724-159-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp

Filesize
3.3MB

Download
memory/3724-268-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp

Filesize
3.3MB

Download
memory/3724-132-0x00007FF6BF7E0000-0x00007FF6BFB31000-memory.dmp

Filesize
3.3MB

Download
memory/4196-136-0x00007FF7386C0000-0x00007FF738A11000-memory.dmp

Filesize
3.3MB

Download
memory/4196-69-0x00007FF7386C0000-0x00007FF738A11000-memory.dmp

Filesize
3.3MB

Download
memory/4196-237-0x00007FF7386C0000-0x00007FF738A11000-memory.dmp

Filesize
3.3MB

Download
memory/4412-227-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4412-42-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-15-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp

Filesize
3.3MB

Download
memory/4556-218-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp

Filesize
3.3MB

Download
memory/4556-99-0x00007FF6EDBB0000-0x00007FF6EDF01000-memory.dmp

Filesize
3.3MB

Download
memory/4620-253-0x00007FF684B30000-0x00007FF684E81000-memory.dmp

Filesize
3.3MB

Download
memory/4620-89-0x00007FF684B30000-0x00007FF684E81000-memory.dmp

Filesize
3.3MB

Download
memory/4620-150-0x00007FF684B30000-0x00007FF684E81000-memory.dmp

Filesize
3.3MB

Download
memory/4908-54-0x00007FF693880000-0x00007FF693BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-241-0x00007FF693880000-0x00007FF693BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-131-0x00007FF693880000-0x00007FF693BD1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-152-0x00007FF7EB7C0000-0x00007FF7EBB11000-memory.dmp

Filesize
3.3MB

Download
memory/5100-255-0x00007FF7EB7C0000-0x00007FF7EBB11000-memory.dmp

Filesize
3.3MB

Download
memory/5100-98-0x00007FF7EB7C0000-0x00007FF7EBB11000-memory.dmp

Filesize
3.3MB

Download