cobaltstrike | 5257b10f59910b3b343c37204043bb42fbf2b68a9fb357d0726ef2a3456dbd73

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

27d52c7d8d09f9b5818d312820257d4d
SHA1

0a91899ed45d81d731df4711ca141fe52a794748
SHA256

5257b10f59910b3b343c37204043bb42fbf2b68a9fb357d0726ef2a3456dbd73
SHA512

fb12bf353dc30838c46f249a4b76788ac13a128102a0043d151e786998f339ca021b7c32d29d36cb971181bd996bad794134fab2066671652f3991d4caa24be1
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUw

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023458-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-18.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-118.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023456-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2776-67-0x00007FF7F5310000-0x00007FF7F5661000-memory.dmp	xmrig
behavioral2/memory/1784-102-0x00007FF753BE0000-0x00007FF753F31000-memory.dmp	xmrig
behavioral2/memory/4672-84-0x00007FF79DDB0000-0x00007FF79E101000-memory.dmp	xmrig
behavioral2/memory/2312-75-0x00007FF682CF0000-0x00007FF683041000-memory.dmp	xmrig
behavioral2/memory/3172-66-0x00007FF6E27F0000-0x00007FF6E2B41000-memory.dmp	xmrig
behavioral2/memory/3424-61-0x00007FF6E2900000-0x00007FF6E2C51000-memory.dmp	xmrig
behavioral2/memory/4988-36-0x00007FF7DC220000-0x00007FF7DC571000-memory.dmp	xmrig
behavioral2/memory/5112-122-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	xmrig
behavioral2/memory/4504-121-0x00007FF60DFF0000-0x00007FF60E341000-memory.dmp	xmrig
behavioral2/memory/1128-126-0x00007FF633DC0000-0x00007FF634111000-memory.dmp	xmrig
behavioral2/memory/4576-125-0x00007FF73D0F0000-0x00007FF73D441000-memory.dmp	xmrig
behavioral2/memory/2516-127-0x00007FF61E430000-0x00007FF61E781000-memory.dmp	xmrig
behavioral2/memory/2700-124-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp	xmrig
behavioral2/memory/3492-123-0x00007FF78BA50000-0x00007FF78BDA1000-memory.dmp	xmrig
behavioral2/memory/3564-120-0x00007FF6A2870000-0x00007FF6A2BC1000-memory.dmp	xmrig
behavioral2/memory/2372-130-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp	xmrig
behavioral2/memory/2552-132-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp	xmrig
behavioral2/memory/728-139-0x00007FF68D9B0000-0x00007FF68DD01000-memory.dmp	xmrig
behavioral2/memory/3684-141-0x00007FF606230000-0x00007FF606581000-memory.dmp	xmrig
behavioral2/memory/4716-136-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp	xmrig
behavioral2/memory/380-128-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp	xmrig
behavioral2/memory/4328-129-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp	xmrig
behavioral2/memory/380-150-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp	xmrig
behavioral2/memory/380-151-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp	xmrig
behavioral2/memory/4328-202-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp	xmrig
behavioral2/memory/2372-219-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp	xmrig
behavioral2/memory/2552-223-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp	xmrig
behavioral2/memory/4988-222-0x00007FF7DC220000-0x00007FF7DC571000-memory.dmp	xmrig
behavioral2/memory/3172-231-0x00007FF6E27F0000-0x00007FF6E2B41000-memory.dmp	xmrig
behavioral2/memory/2776-230-0x00007FF7F5310000-0x00007FF7F5661000-memory.dmp	xmrig
behavioral2/memory/2312-227-0x00007FF682CF0000-0x00007FF683041000-memory.dmp	xmrig
behavioral2/memory/3424-226-0x00007FF6E2900000-0x00007FF6E2C51000-memory.dmp	xmrig
behavioral2/memory/1784-235-0x00007FF753BE0000-0x00007FF753F31000-memory.dmp	xmrig
behavioral2/memory/4716-239-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp	xmrig
behavioral2/memory/3564-241-0x00007FF6A2870000-0x00007FF6A2BC1000-memory.dmp	xmrig
behavioral2/memory/3684-243-0x00007FF606230000-0x00007FF606581000-memory.dmp	xmrig
behavioral2/memory/728-238-0x00007FF68D9B0000-0x00007FF68DD01000-memory.dmp	xmrig
behavioral2/memory/4672-233-0x00007FF79DDB0000-0x00007FF79E101000-memory.dmp	xmrig
behavioral2/memory/2516-251-0x00007FF61E430000-0x00007FF61E781000-memory.dmp	xmrig
behavioral2/memory/1128-252-0x00007FF633DC0000-0x00007FF634111000-memory.dmp	xmrig
behavioral2/memory/4576-254-0x00007FF73D0F0000-0x00007FF73D441000-memory.dmp	xmrig
behavioral2/memory/3492-256-0x00007FF78BA50000-0x00007FF78BDA1000-memory.dmp	xmrig
behavioral2/memory/2700-258-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp	xmrig
behavioral2/memory/5112-249-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	xmrig
behavioral2/memory/4504-247-0x00007FF60DFF0000-0x00007FF60E341000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4328	kMJxWyh.exe
2372	nnTcfhf.exe
3424	YxPyCyt.exe
2552	hgsfzYP.exe
4988	hbDANda.exe
3172	hjadTsV.exe
2776	juobyiQ.exe
4716	ZbTtsuN.exe
4672	EHcNSGz.exe
728	KhfEDSF.exe
2312	PxuqbRx.exe
1784	MOUABPr.exe
3684	mjfVckU.exe
3564	TNFBtLh.exe
4576	EGcYgyb.exe
4504	ivDhKyF.exe
1128	LlgQcTL.exe
2516	cdSjjfk.exe
5112	anCRkWD.exe
3492	zABuLnr.exe
2700	lOCaSqc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/380-0-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp	upx
behavioral2/files/0x0008000000023458-4.dat	upx
behavioral2/memory/4328-7-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp	upx
behavioral2/files/0x0007000000023459-10.dat	upx
behavioral2/files/0x000700000002345b-18.dat	upx
behavioral2/files/0x000700000002345d-28.dat	upx
behavioral2/memory/4716-47-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp	upx
behavioral2/files/0x000700000002345e-54.dat	upx
behavioral2/memory/2776-67-0x00007FF7F5310000-0x00007FF7F5661000-memory.dmp	upx
behavioral2/memory/728-74-0x00007FF68D9B0000-0x00007FF68DD01000-memory.dmp	upx
behavioral2/files/0x0007000000023462-77.dat	upx
behavioral2/files/0x0007000000023467-92.dat	upx
behavioral2/memory/1784-102-0x00007FF753BE0000-0x00007FF753F31000-memory.dmp	upx
behavioral2/files/0x0007000000023468-94.dat	upx
behavioral2/files/0x000700000002346a-116.dat	upx
behavioral2/files/0x000700000002346b-118.dat	upx
behavioral2/files/0x0008000000023456-114.dat	upx
behavioral2/files/0x0007000000023469-112.dat	upx
behavioral2/files/0x0007000000023466-93.dat	upx
behavioral2/files/0x0007000000023465-85.dat	upx
behavioral2/memory/4672-84-0x00007FF79DDB0000-0x00007FF79E101000-memory.dmp	upx
behavioral2/memory/3684-82-0x00007FF606230000-0x00007FF606581000-memory.dmp	upx
behavioral2/memory/2312-75-0x00007FF682CF0000-0x00007FF683041000-memory.dmp	upx
behavioral2/files/0x0007000000023464-80.dat	upx
behavioral2/files/0x000700000002345f-72.dat	upx
behavioral2/files/0x0007000000023461-70.dat	upx
behavioral2/files/0x0007000000023463-68.dat	upx
behavioral2/memory/3172-66-0x00007FF6E27F0000-0x00007FF6E2B41000-memory.dmp	upx
behavioral2/memory/3424-61-0x00007FF6E2900000-0x00007FF6E2C51000-memory.dmp	upx
behavioral2/files/0x0007000000023460-57.dat	upx
behavioral2/memory/2552-32-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp	upx
behavioral2/files/0x000700000002345c-29.dat	upx
behavioral2/memory/4988-36-0x00007FF7DC220000-0x00007FF7DC571000-memory.dmp	upx
behavioral2/files/0x000700000002345a-26.dat	upx
behavioral2/memory/2372-23-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp	upx
behavioral2/memory/5112-122-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp	upx
behavioral2/memory/4504-121-0x00007FF60DFF0000-0x00007FF60E341000-memory.dmp	upx
behavioral2/memory/1128-126-0x00007FF633DC0000-0x00007FF634111000-memory.dmp	upx
behavioral2/memory/4576-125-0x00007FF73D0F0000-0x00007FF73D441000-memory.dmp	upx
behavioral2/memory/2516-127-0x00007FF61E430000-0x00007FF61E781000-memory.dmp	upx
behavioral2/memory/2700-124-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp	upx
behavioral2/memory/3492-123-0x00007FF78BA50000-0x00007FF78BDA1000-memory.dmp	upx
behavioral2/memory/3564-120-0x00007FF6A2870000-0x00007FF6A2BC1000-memory.dmp	upx
behavioral2/memory/2372-130-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp	upx
behavioral2/memory/2552-132-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp	upx
behavioral2/memory/728-139-0x00007FF68D9B0000-0x00007FF68DD01000-memory.dmp	upx
behavioral2/memory/3684-141-0x00007FF606230000-0x00007FF606581000-memory.dmp	upx
behavioral2/memory/4716-136-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp	upx
behavioral2/memory/380-128-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp	upx
behavioral2/memory/4328-129-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp	upx
behavioral2/memory/380-150-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp	upx
behavioral2/memory/380-151-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp	upx
behavioral2/memory/4328-202-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp	upx
behavioral2/memory/2372-219-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp	upx
behavioral2/memory/2552-223-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp	upx
behavioral2/memory/4988-222-0x00007FF7DC220000-0x00007FF7DC571000-memory.dmp	upx
behavioral2/memory/3172-231-0x00007FF6E27F0000-0x00007FF6E2B41000-memory.dmp	upx
behavioral2/memory/2776-230-0x00007FF7F5310000-0x00007FF7F5661000-memory.dmp	upx
behavioral2/memory/2312-227-0x00007FF682CF0000-0x00007FF683041000-memory.dmp	upx
behavioral2/memory/3424-226-0x00007FF6E2900000-0x00007FF6E2C51000-memory.dmp	upx
behavioral2/memory/1784-235-0x00007FF753BE0000-0x00007FF753F31000-memory.dmp	upx
behavioral2/memory/4716-239-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp	upx
behavioral2/memory/3564-241-0x00007FF6A2870000-0x00007FF6A2BC1000-memory.dmp	upx
behavioral2/memory/3684-243-0x00007FF606230000-0x00007FF606581000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cdSjjfk.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOUABPr.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ivDhKyF.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EHcNSGz.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LlgQcTL.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZbTtsuN.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PxuqbRx.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TNFBtLh.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EGcYgyb.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\anCRkWD.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOCaSqc.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kMJxWyh.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KhfEDSF.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hgsfzYP.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hbDANda.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjadTsV.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\juobyiQ.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mjfVckU.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zABuLnr.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nnTcfhf.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YxPyCyt.exe	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4328	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 380 wrote to memory of 4328	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 380 wrote to memory of 2372	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 380 wrote to memory of 2372	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 380 wrote to memory of 3424	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 380 wrote to memory of 3424	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 380 wrote to memory of 2552	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 380 wrote to memory of 2552	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 380 wrote to memory of 4988	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 380 wrote to memory of 4988	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 380 wrote to memory of 3172	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 380 wrote to memory of 3172	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 380 wrote to memory of 2776	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 380 wrote to memory of 2776	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 380 wrote to memory of 4716	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 380 wrote to memory of 4716	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 380 wrote to memory of 2312	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 380 wrote to memory of 2312	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 380 wrote to memory of 4672	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 380 wrote to memory of 4672	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 380 wrote to memory of 728	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 380 wrote to memory of 728	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 380 wrote to memory of 1784	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 380 wrote to memory of 1784	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 380 wrote to memory of 3684	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 380 wrote to memory of 3684	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 380 wrote to memory of 3564	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 380 wrote to memory of 3564	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 380 wrote to memory of 4576	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 380 wrote to memory of 4576	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 380 wrote to memory of 4504	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 380 wrote to memory of 4504	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 380 wrote to memory of 1128	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 380 wrote to memory of 1128	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 380 wrote to memory of 5112	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 380 wrote to memory of 5112	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 380 wrote to memory of 2516	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 380 wrote to memory of 2516	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 380 wrote to memory of 3492	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 380 wrote to memory of 3492	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 380 wrote to memory of 2700	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 380 wrote to memory of 2700	380	2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_27d52c7d8d09f9b5818d312820257d4d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\System\kMJxWyh.exe
  C:\Windows\System\kMJxWyh.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\nnTcfhf.exe
  C:\Windows\System\nnTcfhf.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\YxPyCyt.exe
  C:\Windows\System\YxPyCyt.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\hgsfzYP.exe
  C:\Windows\System\hgsfzYP.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\hbDANda.exe
  C:\Windows\System\hbDANda.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\hjadTsV.exe
  C:\Windows\System\hjadTsV.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\juobyiQ.exe
  C:\Windows\System\juobyiQ.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\ZbTtsuN.exe
  C:\Windows\System\ZbTtsuN.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\PxuqbRx.exe
  C:\Windows\System\PxuqbRx.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\EHcNSGz.exe
  C:\Windows\System\EHcNSGz.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\KhfEDSF.exe
  C:\Windows\System\KhfEDSF.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\MOUABPr.exe
  C:\Windows\System\MOUABPr.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\mjfVckU.exe
  C:\Windows\System\mjfVckU.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\TNFBtLh.exe
  C:\Windows\System\TNFBtLh.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\EGcYgyb.exe
  C:\Windows\System\EGcYgyb.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\ivDhKyF.exe
  C:\Windows\System\ivDhKyF.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\LlgQcTL.exe
  C:\Windows\System\LlgQcTL.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\anCRkWD.exe
  C:\Windows\System\anCRkWD.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\cdSjjfk.exe
  C:\Windows\System\cdSjjfk.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\zABuLnr.exe
  C:\Windows\System\zABuLnr.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\lOCaSqc.exe
  C:\Windows\System\lOCaSqc.exe
  2⤵
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EGcYgyb.exe

Filesize
5.2MB

MD5
62ee675d50d47d96f8f9b69ba88e3d7c

SHA1
684297d2e4d45375ef92f61459ccb86dd799e99e

SHA256
4e530fe1f80d820d9410f6392a80537264962ef737e3bba26d264bde0bee758c

SHA512
5dfd6fdaef0c191d0d5212d0fffc076b2e0430f0b057778f7259268291ef2e165545f526c60a2745b8197fa530b53c117233e7a7ddd74046fb6d04d49b3ebc19

Download Submit
C:\Windows\System\EHcNSGz.exe

Filesize
5.2MB

MD5
af152d0d72b393ab1c152d8daf3739b2

SHA1
41095f5995305ab48c467a555f48cc389bae5167

SHA256
0b20748ae56e4397ddb7916731a2dfda1aae4d1f096d4f184852ea782471e43a

SHA512
00c30d45d98a4210779a2a35218ca033be817dd4dbf8444c66ed518899a3f7ffd77389b3ef7d0e723f1a94003eb1e72d371a2b67f308e98f389d84a88fb8f364

Download Submit
C:\Windows\System\KhfEDSF.exe

Filesize
5.2MB

MD5
a787b4157db211b98802bc96779dda0c

SHA1
e4343339564d9963f30d9f9db849b6ccbb011f20

SHA256
0f45a1ccb7a508a3d4a9c704be2cc86daa05797ceed8118d06651b58b1cb904c

SHA512
8b704cebdb6debc4d5ebdfab5214b8d76a13e704a86239263120c7069962960a90843ff3f976f8c6a0d2419d86a407bd9794ff38611a16028b2ab967d9a7c429

Download Submit
C:\Windows\System\LlgQcTL.exe

Filesize
5.2MB

MD5
2632c41c7e834267c57d7070f6e1f204

SHA1
aad98f0170d0933a526db3960e3d8072bac940b0

SHA256
4fa6a0f9a1ff2713d6df0fd3dc075e6bd01726cb995d4ffe36e9369e3fd5f305

SHA512
49445ab84f68f0976ca733f5ff449b0c8c9d1dacf588388b78290c46fadc6f8039db5f97e7f60f68368f5b37ec94f8a83e2d7059546d072d7188d55d170863c1

Download Submit
C:\Windows\System\MOUABPr.exe

Filesize
5.2MB

MD5
047c8e89a23f1b839df397f2f9ff90a9

SHA1
46b0397d2d158f622f78962930ba56d298faff16

SHA256
ddbcd279c72f32e5b7e78e0f446f5dc62c60b177d3a44e811a417af92de7b9b1

SHA512
a957cdf2adc6481d7a0ab784ef6931648055223c0e114a48887ddc5fd662c2862b197fe7358ef1231e86870f04f1d7d080ab7329b3d2401f57737a6c06f1659c

Download Submit
C:\Windows\System\PxuqbRx.exe

Filesize
5.2MB

MD5
acd6d8cdc67d19be2936d8979cada1b7

SHA1
bbb8bd31358b6105f4314e0aff54cb2a81e63579

SHA256
53026d7922b2b45fc609faffddd361583314c0cef53fce733df5409438df66d5

SHA512
9c6e9a0bb435152daa0993f37271e06201734076844401556187b5d56c124f0f510dc51e7355692b2056e7be60fe1b33b596e669bf7d1c62d8cf122fa3b338d8

Download Submit
C:\Windows\System\TNFBtLh.exe

Filesize
5.2MB

MD5
6aeb1cfb066e6aa40111685fb87d0518

SHA1
6e2a0cb97ad58daddaeb65f3c0343c1f6c984138

SHA256
2eea8515c09fcc9dd6cf1095a443c8db76809d82496257af3f604268c334489d

SHA512
71b778fbcc17f668cd7a74ad5bb7d19aa00208c60f2d6b1afd93d8d51086272eade6be5c39f43b4cffaf5d3fe022956720090c6b10aaff681142e51c10da80db

Download Submit
C:\Windows\System\YxPyCyt.exe

Filesize
5.2MB

MD5
40e7533435907b5c65c0ead6253e0c93

SHA1
3318b80314cef869370703542a4334103fe8710c

SHA256
0d6fffb897cf573f34e1ae319be2e09b459ee77829a138fee04ca888294893f5

SHA512
e47cb207543b727c10e3fae209a6c75ff85af86405b20b51ae3d0406c2aec4420f1208612c56683b188737be0f12259625f494d336d593739cede4a4addc564d

Download Submit
C:\Windows\System\ZbTtsuN.exe

Filesize
5.2MB

MD5
4a7d0b42ece60cca165cca1f62136d46

SHA1
b9dd89ec9f8cf9c0b64c87751551a5cf655e9029

SHA256
432aebed6f530b76bdfb26ca255712f37aaf0109a67c2e911e04a7deb7b994e1

SHA512
9d95104066f07be76cc149d84416dc713e790ae4d86185478f619eee787f025c8091bb9d41fbc46922003e4af2709914b911b9ac01f9d0460ccc3556e38f7e2b

Download Submit
C:\Windows\System\anCRkWD.exe

Filesize
5.2MB

MD5
187faf5c89cf33c8ccb9fa4be104258d

SHA1
b2d642e99486c0a8e019d76fa40cbf24325430c3

SHA256
6cf0f3d9c3dd8f587e0ee681cf14ab9a264e9644031cd9919b262b281a636ac7

SHA512
765a744a223abae6511c61c1a9a7c12275c1e9a98afe11b2ca488aa0d0e54cbe1bdf70ffdf99a2f8758e7120511580eacb0591e23ba3b4d8af372685cab5a369

Download Submit
C:\Windows\System\cdSjjfk.exe

Filesize
5.2MB

MD5
f91e06aed03481e45e3d93e42bc593ad

SHA1
8cd27d3062b8974a215099b983dff8febcbab239

SHA256
1ff58a7136553c108419cc8d242f906eb7400e9574224d6eec76a42b443168ef

SHA512
95e56059b5af46babec4f97ce65324ca31b612321cf2fdb77b338435188df6c4fd1f8f661d782daea77e5bd089dadb259fa8a70fb7584aaad93b1f69c0bf478a

Download Submit
C:\Windows\System\hbDANda.exe

Filesize
5.2MB

MD5
ca40a23ac16203a050cb74bfb127a930

SHA1
7263da2537e3c375b9a7ff61f8cbd844e4f3e6a4

SHA256
fd6a881459021f77f7eb868eaa108da174178b79ce90621b0c089fcb1e500c66

SHA512
f5d623780ccd42a70897ae67b3a4d2381cf57cad81b50a22df4b22e354ffaafa10bf2a12bb9564d59f960bfca37bc8a87efc8effb63a2f3624bcbf596f1fb47d

Download Submit
C:\Windows\System\hgsfzYP.exe

Filesize
5.2MB

MD5
16d289d1fc29ca562b8507c6da1852b5

SHA1
e252c4994ae42bff97a8d4405a2b8ba9a3a991bd

SHA256
eb57ff9a5378005f3b52cd44068d4ed83ddcb0572ec982d5c2a15dc694e7891f

SHA512
9d8fe0b82589b1439e2f0a48eff53436ae217c8f0ffd038a3aba688cf148d0fc2f6a1d5d8fd9971f2ceb8fcda945e7bcca2fe5b281f513ed18dab5cb27cb2869

Download Submit
C:\Windows\System\hjadTsV.exe

Filesize
5.2MB

MD5
a84062ce1da17375caba6e91a8e0e706

SHA1
d98a94105a906404bcd2685f012c9d37c059aabf

SHA256
9048d865e1b2d3c5444376f845481124a437461fcab22ced7bad071ac1c1a1ee

SHA512
f29b6b07c0e686425eed82186761aba2847890e9beeed2d92db732c5999663f9f6ca13307bb3c4c0de70de12fa443d89270f95d107ee60b3d32d10fe6f20b28f

Download Submit
C:\Windows\System\ivDhKyF.exe

Filesize
5.2MB

MD5
47ee6ff58c5d907ab227d6cc7a6ac0eb

SHA1
4b13d1a9f6cf27140ad0b7ef1d7120bd3e6d46e7

SHA256
d14242e1cbbea3bb275cec94f7cb3b340221c91727c165b2864f3b9e9150e4c2

SHA512
b9b5839b2ec548d033cfacbbff25fc90ce408aa97356d446972c31bd164b83f3d5b31d850871f2b047fd452d47f7ddbe0e53e6a2cec9509442aac78c45f42fe4

Download Submit
C:\Windows\System\juobyiQ.exe

Filesize
5.2MB

MD5
27adada0b83d73bef5dfd34b8f4bd470

SHA1
84349e15ff083a5b44257beffe98622b6afb6f34

SHA256
c5c4815fbbebd2e527e13c2b2f182385a3693be00d7c18229ca00528620b0e01

SHA512
ea05aa8906a4f09a4a2fc038f68857cf097e44e5cebdb79a139a77c308a4119354f262a05f3893df826640d3b57bee1c3ae2d4f2e9a5e729687930687d1f236a

Download Submit
C:\Windows\System\kMJxWyh.exe

Filesize
5.2MB

MD5
b4ef8656eeed6fa1dead15edef282f39

SHA1
4035df294df74328364bdd69d1e03876c9c4d0a8

SHA256
cb372dd77cd4cc985b0b63a8d69b57d33d34215d101585dae58969a3c1a197b0

SHA512
dd739ddf11154ae93a3992bb18f4273355e0fd8c6a6778744d464775648122163deb90af5442a856bd929f1d046f7f99af66d7a6c7a66f8bfb6794a3befd4989

Download Submit
C:\Windows\System\lOCaSqc.exe

Filesize
5.2MB

MD5
70a7a9b1cd7c43060dc4456f17c33f36

SHA1
af73f6caefeb6d7a0977dcf5699ab98050222db8

SHA256
079a28fb4349819bf3180768018564bf6b9f6dffa97b52a161414952fbd615a1

SHA512
12b682a868fb7186c56625df47a64ad3015c2d3ec06ff0683dd6b06b571ffd4806d4549692e2cd9b76ba41bdcb9f822ad7ce44d4e86dc8d7e414362feabfe9b4

Download Submit
C:\Windows\System\mjfVckU.exe

Filesize
5.2MB

MD5
09e8b520ba6990b6f952ec7eb071bcf5

SHA1
7a565376743858872ee7e1a066763421b3df9b27

SHA256
8f9e3b1d930b527313500cd6d72445254616f58425aa935504e4997bcf51c77e

SHA512
81d520d5c62f5b5e1f909d924a199612c100565ce8f594341b4bbcd78b3efbba84cb3ba85b153cb42f3853c48bf77a068f5120d58876eeadac486fb46c594f9a

Download Submit
C:\Windows\System\nnTcfhf.exe

Filesize
5.2MB

MD5
1dbe71d88cb57b8a19322065aaad2c59

SHA1
4fe28406638360dfa0ee4ee2ea72aac61f414faf

SHA256
967eb197f492ac02bce32e9a8164dd1fc99b35d1068facd5b89f04803a95a79a

SHA512
151950dee94eadb73b78432020e3e0e317231d885d81eeaf0b282edf9901e5d531818aac633801dce9e0658bb17ec73341e1737c9b680b1b11e4125e99f44d05

Download Submit
C:\Windows\System\zABuLnr.exe

Filesize
5.2MB

MD5
1a55bc0a6e162205478f9c2e2e40bb91

SHA1
bc6f545b6cfef284b3146a8bfbd1cdde5647ba0e

SHA256
bba6abed28723459efbfd322bee713a9bad53394f9ba6e0d7f80f488c0b8452b

SHA512
e7808e5536ef975b10f3c6364ebd13bf5aa787d4654fd3c1eb044f874580093a1305338e2044dfae2a2f8b135f3fac0dbe439c69e13599105582bff8c2ef33b7

Download Submit
memory/380-151-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/380-0-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/380-128-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/380-150-0x00007FF7E7980000-0x00007FF7E7CD1000-memory.dmp

Filesize
3.3MB

Download
memory/380-1-0x000002390EC50000-0x000002390EC60000-memory.dmp

Filesize
64KB

Download
memory/728-238-0x00007FF68D9B0000-0x00007FF68DD01000-memory.dmp

Filesize
3.3MB

Download
memory/728-139-0x00007FF68D9B0000-0x00007FF68DD01000-memory.dmp

Filesize
3.3MB

Download
memory/728-74-0x00007FF68D9B0000-0x00007FF68DD01000-memory.dmp

Filesize
3.3MB

Download
memory/1128-252-0x00007FF633DC0000-0x00007FF634111000-memory.dmp

Filesize
3.3MB

Download
memory/1128-126-0x00007FF633DC0000-0x00007FF634111000-memory.dmp

Filesize
3.3MB

Download
memory/1784-235-0x00007FF753BE0000-0x00007FF753F31000-memory.dmp

Filesize
3.3MB

Download
memory/1784-102-0x00007FF753BE0000-0x00007FF753F31000-memory.dmp

Filesize
3.3MB

Download
memory/2312-75-0x00007FF682CF0000-0x00007FF683041000-memory.dmp

Filesize
3.3MB

Download
memory/2312-227-0x00007FF682CF0000-0x00007FF683041000-memory.dmp

Filesize
3.3MB

Download
memory/2372-23-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-219-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-130-0x00007FF7C75A0000-0x00007FF7C78F1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-251-0x00007FF61E430000-0x00007FF61E781000-memory.dmp

Filesize
3.3MB

Download
memory/2516-127-0x00007FF61E430000-0x00007FF61E781000-memory.dmp

Filesize
3.3MB

Download
memory/2552-223-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp

Filesize
3.3MB

Download
memory/2552-32-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp

Filesize
3.3MB

Download
memory/2552-132-0x00007FF7BC730000-0x00007FF7BCA81000-memory.dmp

Filesize
3.3MB

Download
memory/2700-258-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp

Filesize
3.3MB

Download
memory/2700-124-0x00007FF6FB600000-0x00007FF6FB951000-memory.dmp

Filesize
3.3MB

Download
memory/2776-67-0x00007FF7F5310000-0x00007FF7F5661000-memory.dmp

Filesize
3.3MB

Download
memory/2776-230-0x00007FF7F5310000-0x00007FF7F5661000-memory.dmp

Filesize
3.3MB

Download
memory/3172-231-0x00007FF6E27F0000-0x00007FF6E2B41000-memory.dmp

Filesize
3.3MB

Download
memory/3172-66-0x00007FF6E27F0000-0x00007FF6E2B41000-memory.dmp

Filesize
3.3MB

Download
memory/3424-226-0x00007FF6E2900000-0x00007FF6E2C51000-memory.dmp

Filesize
3.3MB

Download
memory/3424-61-0x00007FF6E2900000-0x00007FF6E2C51000-memory.dmp

Filesize
3.3MB

Download
memory/3492-123-0x00007FF78BA50000-0x00007FF78BDA1000-memory.dmp

Filesize
3.3MB

Download
memory/3492-256-0x00007FF78BA50000-0x00007FF78BDA1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-120-0x00007FF6A2870000-0x00007FF6A2BC1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-241-0x00007FF6A2870000-0x00007FF6A2BC1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-82-0x00007FF606230000-0x00007FF606581000-memory.dmp

Filesize
3.3MB

Download
memory/3684-141-0x00007FF606230000-0x00007FF606581000-memory.dmp

Filesize
3.3MB

Download
memory/3684-243-0x00007FF606230000-0x00007FF606581000-memory.dmp

Filesize
3.3MB

Download
memory/4328-202-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4328-7-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4328-129-0x00007FF68E670000-0x00007FF68E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-247-0x00007FF60DFF0000-0x00007FF60E341000-memory.dmp

Filesize
3.3MB

Download
memory/4504-121-0x00007FF60DFF0000-0x00007FF60E341000-memory.dmp

Filesize
3.3MB

Download
memory/4576-125-0x00007FF73D0F0000-0x00007FF73D441000-memory.dmp

Filesize
3.3MB

Download
memory/4576-254-0x00007FF73D0F0000-0x00007FF73D441000-memory.dmp

Filesize
3.3MB

Download
memory/4672-84-0x00007FF79DDB0000-0x00007FF79E101000-memory.dmp

Filesize
3.3MB

Download
memory/4672-233-0x00007FF79DDB0000-0x00007FF79E101000-memory.dmp

Filesize
3.3MB

Download
memory/4716-47-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-239-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp

Filesize
3.3MB

Download
memory/4716-136-0x00007FF7B2380000-0x00007FF7B26D1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-36-0x00007FF7DC220000-0x00007FF7DC571000-memory.dmp

Filesize
3.3MB

Download
memory/4988-222-0x00007FF7DC220000-0x00007FF7DC571000-memory.dmp

Filesize
3.3MB

Download
memory/5112-122-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp

Filesize
3.3MB

Download
memory/5112-249-0x00007FF622BB0000-0x00007FF622F01000-memory.dmp

Filesize
3.3MB

Download