cobaltstrike | 8b7ad66431b8fe3f1f0c66cdfde9daa55fb08e1c50e3f711942c7e18984f4401

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0c546c996e815d799a63214a206ae6ba
SHA1

98e50794fc289ea161ecb8cda36d6b91f353355b
SHA256

8b7ad66431b8fe3f1f0c66cdfde9daa55fb08e1c50e3f711942c7e18984f4401
SHA512

b8477119d2e732a23848ac908749a91e8c695236b0c2c4a08596afb08bad04284dfcaff998bba514c6f565e5d5c1aa50ce281d44a7d3b83d54ab31cffefcdc59
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002345c-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-28.dat	cobalt_reflective_dll
behavioral2/files/0x000500000001db2f-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-92.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db32-99.dat	cobalt_reflective_dll
behavioral2/files/0x000600000001db34-110.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e69a-111.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002345d-129.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-131.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e69c-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3040-78-0x00007FF6D6F20000-0x00007FF6D7271000-memory.dmp	xmrig
behavioral2/memory/3352-81-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp	xmrig
behavioral2/memory/1996-80-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp	xmrig
behavioral2/memory/1684-79-0x00007FF785650000-0x00007FF7859A1000-memory.dmp	xmrig
behavioral2/memory/3032-73-0x00007FF60F610000-0x00007FF60F961000-memory.dmp	xmrig
behavioral2/memory/1444-72-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp	xmrig
behavioral2/memory/520-88-0x00007FF67AD40000-0x00007FF67B091000-memory.dmp	xmrig
behavioral2/memory/4284-102-0x00007FF68D5C0000-0x00007FF68D911000-memory.dmp	xmrig
behavioral2/memory/3220-103-0x00007FF74E0D0000-0x00007FF74E421000-memory.dmp	xmrig
behavioral2/memory/2268-112-0x00007FF642860000-0x00007FF642BB1000-memory.dmp	xmrig
behavioral2/memory/3660-122-0x00007FF689CE0000-0x00007FF68A031000-memory.dmp	xmrig
behavioral2/memory/1444-135-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp	xmrig
behavioral2/memory/4908-134-0x00007FF765650000-0x00007FF7659A1000-memory.dmp	xmrig
behavioral2/memory/3328-137-0x00007FF7C0AD0000-0x00007FF7C0E21000-memory.dmp	xmrig
behavioral2/memory/5020-136-0x00007FF762920000-0x00007FF762C71000-memory.dmp	xmrig
behavioral2/memory/2224-138-0x00007FF787420000-0x00007FF787771000-memory.dmp	xmrig
behavioral2/memory/3488-139-0x00007FF6FB540000-0x00007FF6FB891000-memory.dmp	xmrig
behavioral2/memory/2892-152-0x00007FF699630000-0x00007FF699981000-memory.dmp	xmrig
behavioral2/memory/2660-153-0x00007FF74FF40000-0x00007FF750291000-memory.dmp	xmrig
behavioral2/memory/2956-154-0x00007FF691960000-0x00007FF691CB1000-memory.dmp	xmrig
behavioral2/memory/3560-155-0x00007FF710F90000-0x00007FF7112E1000-memory.dmp	xmrig
behavioral2/memory/3284-157-0x00007FF7E7410000-0x00007FF7E7761000-memory.dmp	xmrig
behavioral2/memory/3248-156-0x00007FF78E490000-0x00007FF78E7E1000-memory.dmp	xmrig
behavioral2/memory/1444-161-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp	xmrig
behavioral2/memory/1996-214-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp	xmrig
behavioral2/memory/3352-216-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp	xmrig
behavioral2/memory/1684-220-0x00007FF785650000-0x00007FF7859A1000-memory.dmp	xmrig
behavioral2/memory/520-219-0x00007FF67AD40000-0x00007FF67B091000-memory.dmp	xmrig
behavioral2/memory/4284-229-0x00007FF68D5C0000-0x00007FF68D911000-memory.dmp	xmrig
behavioral2/memory/3220-231-0x00007FF74E0D0000-0x00007FF74E421000-memory.dmp	xmrig
behavioral2/memory/3660-233-0x00007FF689CE0000-0x00007FF68A031000-memory.dmp	xmrig
behavioral2/memory/2268-235-0x00007FF642860000-0x00007FF642BB1000-memory.dmp	xmrig
behavioral2/memory/4908-242-0x00007FF765650000-0x00007FF7659A1000-memory.dmp	xmrig
behavioral2/memory/3032-243-0x00007FF60F610000-0x00007FF60F961000-memory.dmp	xmrig
behavioral2/memory/3040-240-0x00007FF6D6F20000-0x00007FF6D7271000-memory.dmp	xmrig
behavioral2/memory/5020-238-0x00007FF762920000-0x00007FF762C71000-memory.dmp	xmrig
behavioral2/memory/2892-245-0x00007FF699630000-0x00007FF699981000-memory.dmp	xmrig
behavioral2/memory/2660-251-0x00007FF74FF40000-0x00007FF750291000-memory.dmp	xmrig
behavioral2/memory/2956-253-0x00007FF691960000-0x00007FF691CB1000-memory.dmp	xmrig
behavioral2/memory/3560-255-0x00007FF710F90000-0x00007FF7112E1000-memory.dmp	xmrig
behavioral2/memory/3248-260-0x00007FF78E490000-0x00007FF78E7E1000-memory.dmp	xmrig
behavioral2/memory/3284-262-0x00007FF7E7410000-0x00007FF7E7761000-memory.dmp	xmrig
behavioral2/memory/2224-264-0x00007FF787420000-0x00007FF787771000-memory.dmp	xmrig
behavioral2/memory/3488-266-0x00007FF6FB540000-0x00007FF6FB891000-memory.dmp	xmrig
behavioral2/memory/3328-268-0x00007FF7C0AD0000-0x00007FF7C0E21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1996	sVHDjyj.exe
3352	iMfxgNn.exe
1684	OfVkEzO.exe
520	agHtWvG.exe
4284	mRzEPWH.exe
3220	mvJwvkx.exe
3660	trUiqNj.exe
2268	IKZVkJs.exe
4908	HDzDYHh.exe
5020	xjfqiLX.exe
3032	XwCLRwj.exe
3040	BVmlDho.exe
2892	aphmHQQ.exe
2660	TDhZytl.exe
2956	aCjiUCx.exe
3560	oyUOSAT.exe
3248	IixQdNd.exe
3284	KXAAwUr.exe
2224	Hiytnrs.exe
3488	WdPUJCq.exe
3328	ByEluBp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1444-0-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp	upx
behavioral2/files/0x000800000002345c-4.dat	upx
behavioral2/files/0x0007000000023461-8.dat	upx
behavioral2/memory/1996-9-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp	upx
behavioral2/files/0x0007000000023460-15.dat	upx
behavioral2/memory/3352-16-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp	upx
behavioral2/files/0x0007000000023463-26.dat	upx
behavioral2/files/0x0007000000023464-33.dat	upx
behavioral2/files/0x0007000000023465-40.dat	upx
behavioral2/memory/2268-45-0x00007FF642860000-0x00007FF642BB1000-memory.dmp	upx
behavioral2/memory/3660-49-0x00007FF689CE0000-0x00007FF68A031000-memory.dmp	upx
behavioral2/files/0x0007000000023467-61.dat	upx
behavioral2/files/0x0007000000023469-67.dat	upx
behavioral2/memory/3040-78-0x00007FF6D6F20000-0x00007FF6D7271000-memory.dmp	upx
behavioral2/files/0x000700000002346b-83.dat	upx
behavioral2/memory/2892-82-0x00007FF699630000-0x00007FF699981000-memory.dmp	upx
behavioral2/memory/3352-81-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp	upx
behavioral2/memory/1996-80-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp	upx
behavioral2/memory/1684-79-0x00007FF785650000-0x00007FF7859A1000-memory.dmp	upx
behavioral2/files/0x0007000000023468-74.dat	upx
behavioral2/memory/3032-73-0x00007FF60F610000-0x00007FF60F961000-memory.dmp	upx
behavioral2/memory/1444-72-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp	upx
behavioral2/files/0x000700000002346a-71.dat	upx
behavioral2/memory/5020-62-0x00007FF762920000-0x00007FF762C71000-memory.dmp	upx
behavioral2/memory/4908-59-0x00007FF765650000-0x00007FF7659A1000-memory.dmp	upx
behavioral2/files/0x0007000000023466-53.dat	upx
behavioral2/memory/3220-44-0x00007FF74E0D0000-0x00007FF74E421000-memory.dmp	upx
behavioral2/memory/4284-32-0x00007FF68D5C0000-0x00007FF68D911000-memory.dmp	upx
behavioral2/memory/520-24-0x00007FF67AD40000-0x00007FF67B091000-memory.dmp	upx
behavioral2/memory/1684-21-0x00007FF785650000-0x00007FF7859A1000-memory.dmp	upx
behavioral2/files/0x0007000000023462-28.dat	upx
behavioral2/memory/520-88-0x00007FF67AD40000-0x00007FF67B091000-memory.dmp	upx
behavioral2/files/0x000500000001db2f-94.dat	upx
behavioral2/memory/2956-95-0x00007FF691960000-0x00007FF691CB1000-memory.dmp	upx
behavioral2/files/0x000700000002346c-92.dat	upx
behavioral2/memory/2660-91-0x00007FF74FF40000-0x00007FF750291000-memory.dmp	upx
behavioral2/files/0x000400000001db32-99.dat	upx
behavioral2/memory/4284-102-0x00007FF68D5C0000-0x00007FF68D911000-memory.dmp	upx
behavioral2/memory/3560-104-0x00007FF710F90000-0x00007FF7112E1000-memory.dmp	upx
behavioral2/files/0x000600000001db34-110.dat	upx
behavioral2/memory/3220-103-0x00007FF74E0D0000-0x00007FF74E421000-memory.dmp	upx
behavioral2/files/0x000200000001e69a-111.dat	upx
behavioral2/memory/2268-112-0x00007FF642860000-0x00007FF642BB1000-memory.dmp	upx
behavioral2/files/0x000800000002345d-129.dat	upx
behavioral2/memory/3284-132-0x00007FF7E7410000-0x00007FF7E7761000-memory.dmp	upx
behavioral2/files/0x000700000002346d-131.dat	upx
behavioral2/files/0x000200000001e69c-127.dat	upx
behavioral2/memory/3660-122-0x00007FF689CE0000-0x00007FF68A031000-memory.dmp	upx
behavioral2/memory/3248-115-0x00007FF78E490000-0x00007FF78E7E1000-memory.dmp	upx
behavioral2/memory/1444-135-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp	upx
behavioral2/memory/4908-134-0x00007FF765650000-0x00007FF7659A1000-memory.dmp	upx
behavioral2/memory/3328-137-0x00007FF7C0AD0000-0x00007FF7C0E21000-memory.dmp	upx
behavioral2/memory/5020-136-0x00007FF762920000-0x00007FF762C71000-memory.dmp	upx
behavioral2/memory/2224-138-0x00007FF787420000-0x00007FF787771000-memory.dmp	upx
behavioral2/memory/3488-139-0x00007FF6FB540000-0x00007FF6FB891000-memory.dmp	upx
behavioral2/memory/2892-152-0x00007FF699630000-0x00007FF699981000-memory.dmp	upx
behavioral2/memory/2660-153-0x00007FF74FF40000-0x00007FF750291000-memory.dmp	upx
behavioral2/memory/2956-154-0x00007FF691960000-0x00007FF691CB1000-memory.dmp	upx
behavioral2/memory/3560-155-0x00007FF710F90000-0x00007FF7112E1000-memory.dmp	upx
behavioral2/memory/3284-157-0x00007FF7E7410000-0x00007FF7E7761000-memory.dmp	upx
behavioral2/memory/3248-156-0x00007FF78E490000-0x00007FF78E7E1000-memory.dmp	upx
behavioral2/memory/1444-161-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp	upx
behavioral2/memory/1996-214-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp	upx
behavioral2/memory/3352-216-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\BVmlDho.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WdPUJCq.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mvJwvkx.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\trUiqNj.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDzDYHh.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Hiytnrs.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ByEluBp.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\agHtWvG.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mRzEPWH.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IKZVkJs.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwCLRwj.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aCjiUCx.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sVHDjyj.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iMfxgNn.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OfVkEzO.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oyUOSAT.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IixQdNd.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXAAwUr.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xjfqiLX.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aphmHQQ.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDhZytl.exe	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1996	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1444 wrote to memory of 1996	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1444 wrote to memory of 3352	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1444 wrote to memory of 3352	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1444 wrote to memory of 1684	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1444 wrote to memory of 1684	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1444 wrote to memory of 520	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1444 wrote to memory of 520	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1444 wrote to memory of 4284	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1444 wrote to memory of 4284	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1444 wrote to memory of 3220	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1444 wrote to memory of 3220	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1444 wrote to memory of 3660	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1444 wrote to memory of 3660	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1444 wrote to memory of 2268	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1444 wrote to memory of 2268	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1444 wrote to memory of 4908	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1444 wrote to memory of 4908	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1444 wrote to memory of 5020	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1444 wrote to memory of 5020	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1444 wrote to memory of 3032	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1444 wrote to memory of 3032	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1444 wrote to memory of 3040	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1444 wrote to memory of 3040	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1444 wrote to memory of 2892	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1444 wrote to memory of 2892	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1444 wrote to memory of 2660	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1444 wrote to memory of 2660	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1444 wrote to memory of 2956	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1444 wrote to memory of 2956	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1444 wrote to memory of 3560	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1444 wrote to memory of 3560	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1444 wrote to memory of 3248	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1444 wrote to memory of 3248	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1444 wrote to memory of 3284	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1444 wrote to memory of 3284	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1444 wrote to memory of 2224	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1444 wrote to memory of 2224	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1444 wrote to memory of 3488	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1444 wrote to memory of 3488	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1444 wrote to memory of 3328	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1444 wrote to memory of 3328	1444	2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_0c546c996e815d799a63214a206ae6ba_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\System\sVHDjyj.exe
  C:\Windows\System\sVHDjyj.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\iMfxgNn.exe
  C:\Windows\System\iMfxgNn.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\OfVkEzO.exe
  C:\Windows\System\OfVkEzO.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\agHtWvG.exe
  C:\Windows\System\agHtWvG.exe
  2⤵
  - Executes dropped EXE
  PID:520
- C:\Windows\System\mRzEPWH.exe
  C:\Windows\System\mRzEPWH.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\mvJwvkx.exe
  C:\Windows\System\mvJwvkx.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\trUiqNj.exe
  C:\Windows\System\trUiqNj.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\IKZVkJs.exe
  C:\Windows\System\IKZVkJs.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\HDzDYHh.exe
  C:\Windows\System\HDzDYHh.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\xjfqiLX.exe
  C:\Windows\System\xjfqiLX.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\XwCLRwj.exe
  C:\Windows\System\XwCLRwj.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\BVmlDho.exe
  C:\Windows\System\BVmlDho.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\aphmHQQ.exe
  C:\Windows\System\aphmHQQ.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\TDhZytl.exe
  C:\Windows\System\TDhZytl.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\aCjiUCx.exe
  C:\Windows\System\aCjiUCx.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\oyUOSAT.exe
  C:\Windows\System\oyUOSAT.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\IixQdNd.exe
  C:\Windows\System\IixQdNd.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\KXAAwUr.exe
  C:\Windows\System\KXAAwUr.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\Hiytnrs.exe
  C:\Windows\System\Hiytnrs.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\WdPUJCq.exe
  C:\Windows\System\WdPUJCq.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\ByEluBp.exe
  C:\Windows\System\ByEluBp.exe
  2⤵
  - Executes dropped EXE
  PID:3328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BVmlDho.exe

Filesize
5.2MB

MD5
494944909d4d74e23d0bb67673a36bff

SHA1
0e0af6d9422e1721958569f909671df54df6c209

SHA256
17c586c2d6d974b85ec8cd47aab034e4a5fdbc505708bd7219008bcfac3f6cf5

SHA512
02c9e4fde8d699d60e41d771fe3e682f352311994992dc443574f135a11ded5c827c2614fa45f9851268b3de9c1cf8899d1d8b06a9fe3d4811eb6e0356248829

Download Submit
C:\Windows\System\ByEluBp.exe

Filesize
5.2MB

MD5
734aaf456576d0a55303825bed2a9183

SHA1
026d4c49ce94c62fbe759f9f1611b928ed6cc111

SHA256
f5258a237de4bea3d2b2d51b745428a4b4e65ca1432aa6161d753e06a71f6cee

SHA512
1af2a6fc584bdb1c9ae9bd86e6b71ab099d25ea06eee91b9e150c454a3b66eac006e50ba912c5158bd6d9e79afacb726d819acc8ce9225bd9a09e8ddb7cc0fb6

Download Submit
C:\Windows\System\HDzDYHh.exe

Filesize
5.2MB

MD5
3ee6587711aec4281ea8ef7236ef3f46

SHA1
60f819913a972b8f75915e0245172f5556d1d3a8

SHA256
2681370f9b405c072959826461ad03d75b0686ee435a72a99437528138859ee6

SHA512
60a8440a2dd5870a112106e8c5253aabe2e08af99c990c2a6b9b2d0d068ab4f24ede163d21f2b04223b167dfec7894adaa17598f291b8e077d7c062dfa560787

Download Submit
C:\Windows\System\Hiytnrs.exe

Filesize
5.2MB

MD5
ae54a1ff953bd10ef9108eec0bb82a46

SHA1
4d9aeccb309ecf3e28e6a3bc9375f99140fe3d2c

SHA256
eb28ff1eaa14830b7c883f9bf3296e56aca7d3d5e0a93cc240f65c379b4da4d9

SHA512
4849e34b3eaa9c25826c4733d57eb16c6629679378b3e97815038a8a820a52a586c89807816da46e153edc8d1f41a65494d3ef57eec1962dfdb0036a2b476dc7

Download Submit
C:\Windows\System\IKZVkJs.exe

Filesize
5.2MB

MD5
cb667774531e3e0ef384951690f22e1e

SHA1
2d4b8641ca50a5d0296f381e09604d5d34b468e4

SHA256
9e57beabac478b79c774eb7bfe903302ad5d1d52a1c8091473c1d13245d62b4e

SHA512
75a1614bd438cfcd94d4e209f6b3de8cb573776113cabad18ee4ce6e00d75788d8b006cff55124c8da47cd21fd05ee093bad5849c9f790093bd40fb73bc1f2fb

Download Submit
C:\Windows\System\IixQdNd.exe

Filesize
5.2MB

MD5
bb57c457c1b8e24ca66c4779ebaf9fd8

SHA1
fbd224de83238c4d5a45ef3c6ef08031adee8313

SHA256
db3a12fffbd0c1523f75bca1a735e76ba94bf690171b7c0a35491263d11d150d

SHA512
dca5ceda0ba71ca32f9c259244a3dbfedd9320948a04910af93d6f1344976ff95e70f4e783f77fcf3b31116c6288e9e39b06ef639c771b1b3eae6ecf50579d23

Download Submit
C:\Windows\System\KXAAwUr.exe

Filesize
5.2MB

MD5
61241a253fbdea2d1a10bed104d40b47

SHA1
d6b1d45ce18a2ef56d597ad5ddc8406e959bc7d9

SHA256
2118a9efcf672fa528802b2448516d4d462face978b59a770880f1d9960a14d3

SHA512
2712797d522a4f177f5b1f9dc70edf5e768b44d8461822d61b28837084309902c1f2341986fde64380c39f030c964de970deb004ef7f729d22bfea091700a388

Download Submit
C:\Windows\System\OfVkEzO.exe

Filesize
5.2MB

MD5
cd6cb23c79c01b331f29cd77845732ab

SHA1
e35ce9564a46b13d5a324671e7680662ec7fcd3d

SHA256
1ada1c2e6bd29d8d39c092150868c970d613039ffe600e0e6a4b6b76c72f4c48

SHA512
4de9a7621fcb0eda76a7eab00d02dc99f6fa144b40aeed057c06f45eb3069bdd2c916e56870f93dde492962712a6b4dc82be9caa1abc9ccc0e82b38f7d5beb8d

Download Submit
C:\Windows\System\TDhZytl.exe

Filesize
5.2MB

MD5
96c1cf05f660c13a69a341a4789d7606

SHA1
2e9b525d027b98272ab88b448476dd4b33e454a9

SHA256
38a4039d7965325e01ab14c2b5f55b3c70b2f035ae2755adaa53c54f1d6acbe8

SHA512
43d52637a004141c1f22c335d04402fcd911bd3e1baa3872b307240524b87da1c8882dbd7961ea1eb0dffe2fa3d1ef6a9fa52abc72b2af0cc3331b1f9612aaf9

Download Submit
C:\Windows\System\WdPUJCq.exe

Filesize
5.2MB

MD5
9d52c11a92adb5fb616029a35dc1f9b5

SHA1
861e35d47afbca9a944c72c9f390f59476b91730

SHA256
69e74cc7ad97bbff286ce14eaa82b847bdbaeb81c3ec2ae5f0d85b2c82e1f0b9

SHA512
9aace267285cfadb9e86a34b6d58ddf259e57c05d2b87ce7de16fe0442d43fdf01527b8e7511129d056611575d9216235a4536fdefd4af092c5c692ab8c84b8d

Download Submit
C:\Windows\System\XwCLRwj.exe

Filesize
5.2MB

MD5
75c990eb1299fec1834d6d9b56f59d1b

SHA1
54f627b59e10f5a33eec71ecdbad007f3e578742

SHA256
ea9e67cc759665d08825ef4c690759554ad8abd8619e9146a1e0f114c13dab97

SHA512
d659e3c0d028bbaae80a0c4f139e0a8487c46705da278222ac19ad0d48c200447c577881dd452c0d0f0e113d5de2094575d8c6eba5b07625cf04123be3e1234b

Download Submit
C:\Windows\System\aCjiUCx.exe

Filesize
5.2MB

MD5
4aba13ce90a480b1bffb6d9f890866b8

SHA1
e7169114e37c59764c4e2887a53ef1b9385ad6de

SHA256
ee8ed5420472d3892108967704121a5b408cdfba3fd972cc546850c5be742fc4

SHA512
718da197e4fa61fb77be5469f59e5cf18487c493a8c8661c8fb919fe34bc9cb078eddb6c19c715cf15704d16b0d0044b8a707620ee0eb8775f2df581b7abaab9

Download Submit
C:\Windows\System\agHtWvG.exe

Filesize
5.2MB

MD5
a13c5d5e19b65f8789b5d770222ae23b

SHA1
a8a173536afb107ddbc1be7845d04bb02c998d23

SHA256
6ffa63b5bb7548574576ba9f2743f250d5e593ee2b4cd22fc191e851b3feb701

SHA512
2461592c321b8ba3e913b08461c859ca2b9d72230209d6a7d57b05ee058d0d651e724f3b698c4203a0286390356d9e39980a8a0c2bd01c7d86a0a21b72bd59af

Download Submit
C:\Windows\System\aphmHQQ.exe

Filesize
5.2MB

MD5
9e73bc34879ba5355f98b416b0dabb32

SHA1
b132a21fb4a42d77c3fc9f6e4ce368341715749d

SHA256
979981d0c6fa20b0605224b1093594f4e6c8e3c652550503e8f41ba6cc469661

SHA512
453b3cc7136ed4795102bd0c60f96cc27353656cf32becf7ab245bfa938910bc83352e1650545f44fbc75489a067bb7fb811058470262602cf4fdf3c61ab7b29

Download Submit
C:\Windows\System\iMfxgNn.exe

Filesize
5.2MB

MD5
dab3d69842eb68ed7de830092bcaf2ec

SHA1
7665416a58ff86096f2f42f77c83f3723e4ad983

SHA256
1d2970c026fff38480ce8e82b7cc3ad671ee99351f93a4ecdef6be8f96828a4a

SHA512
73a04b017768acd860bf4e557707541ce7d2de2ae3bf4522c8c7e30a8dcb61956c735453f669cef2b2c128ca498c1d98af1f36f228d2cfb6e01797cbf1bc130e

Download Submit
C:\Windows\System\mRzEPWH.exe

Filesize
5.2MB

MD5
31ce1d38d703a1952354433fe9ff2b8a

SHA1
d9c9dca4eae304e5033c7f224192e579a303120e

SHA256
b6a9dc98b57e3bbcae87c9dd70b59ea8bfe2799f6b6cbbe0f4fe891ce7c7a353

SHA512
8b9355133d07853b9cbe3656ad7170039d992880bb356bf7572bf053216fe999c4d0cc0aa27d568061b33d7ba9656a19a9c6aa0b150d90a0aa9974e3020f1b32

Download Submit
C:\Windows\System\mvJwvkx.exe

Filesize
5.2MB

MD5
24b9c5c2d9bdde377469f218cf158c48

SHA1
4a009b15cc5d5ebcdf99b9402ffe16a53dfbb91d

SHA256
fc65ab163fcc91ba1084b09c5aee7e6cb55962f2e0c4d2f3f30ce431e6bc52dc

SHA512
e2fc01cce3009776d7dab0cb392c58370ae87043e0eaed6abd5e5653ca00c748160e2e627d6c5233784b3d914cb2207f74907940f1368d9d27b13b1603291a98

Download Submit
C:\Windows\System\oyUOSAT.exe

Filesize
5.2MB

MD5
f1053c17421ae1408e87440d59fa4348

SHA1
6789643066ee26e507003185b7ae4f85580556d7

SHA256
1650fbc0f2081ea6fbb8b4ef7c40f12a9c9223ea6a2ff9140dcf54a310da3a76

SHA512
52f9dd2b618581129414d6e8176aaae63b350c0098ba65ff5163b9add2e32b349ed6f6216791b56e7a45c9cf2d6dee41b9f52d4ab6219876095f8c6cbc6d89bf

Download Submit
C:\Windows\System\sVHDjyj.exe

Filesize
5.2MB

MD5
5b0c471b4cf7c217dbd1dc660e843f6e

SHA1
f59b040cd2ddaf47bfcd35dd2983238e067bc793

SHA256
02e648a7eafe3b3b653b8b454c1aba80962c2637d6bfe9e72bb9692501b5286f

SHA512
36bf2a08e53b56ed1d536a20b137931defaad273f7b35b9513e90bfa1a480966b8847fb0b594f10212422f122f8f4a6f9a6f49ad96bd60f940d4579480d8380c

Download Submit
C:\Windows\System\trUiqNj.exe

Filesize
5.2MB

MD5
fb18088813080a4e0d8b6c9ee3badf2a

SHA1
84d112db2c162b0b67a52d8d1b29a6066cec2100

SHA256
81b1ab6566c6f177d40356e206ce176dbfa5cadcee2857d779dfbd1148b0220b

SHA512
b52a34cafc48d9ef6af3ea0ba623850faa8dcd6b801301b1ad652d7fcbbdcad73df0a12077c0750976705031a577784026da7086b889ae2d7f3e35510be36440

Download Submit
C:\Windows\System\xjfqiLX.exe

Filesize
5.2MB

MD5
aadea1fe35631ebaf4a0be6b84095b08

SHA1
aa575bfe2bf9e37c331a2fbe05356031e57a4183

SHA256
38f708ca8aff28b1bbd41bc8d2f913602e85c008b4a9cfbde97fb4ca067fcd22

SHA512
34ebe53fbdced5a9c5a3d820e01c899978cc4a4393da80fb12e0f65473f4f2e3338f9f184505995cc8f263ea1914b1f43cbe6032392e9d58ba6a343a6beb883c

Download Submit
memory/520-88-0x00007FF67AD40000-0x00007FF67B091000-memory.dmp

Filesize
3.3MB

Download
memory/520-24-0x00007FF67AD40000-0x00007FF67B091000-memory.dmp

Filesize
3.3MB

Download
memory/520-219-0x00007FF67AD40000-0x00007FF67B091000-memory.dmp

Filesize
3.3MB

Download
memory/1444-0-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-72-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-161-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-1-0x000002DECA020000-0x000002DECA030000-memory.dmp

Filesize
64KB

Download
memory/1444-135-0x00007FF76CFA0000-0x00007FF76D2F1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-79-0x00007FF785650000-0x00007FF7859A1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-220-0x00007FF785650000-0x00007FF7859A1000-memory.dmp

Filesize
3.3MB

Download
memory/1684-21-0x00007FF785650000-0x00007FF7859A1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-214-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-80-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-9-0x00007FF7ED850000-0x00007FF7EDBA1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-138-0x00007FF787420000-0x00007FF787771000-memory.dmp

Filesize
3.3MB

Download
memory/2224-264-0x00007FF787420000-0x00007FF787771000-memory.dmp

Filesize
3.3MB

Download
memory/2268-45-0x00007FF642860000-0x00007FF642BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-112-0x00007FF642860000-0x00007FF642BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-235-0x00007FF642860000-0x00007FF642BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-91-0x00007FF74FF40000-0x00007FF750291000-memory.dmp

Filesize
3.3MB

Download
memory/2660-153-0x00007FF74FF40000-0x00007FF750291000-memory.dmp

Filesize
3.3MB

Download
memory/2660-251-0x00007FF74FF40000-0x00007FF750291000-memory.dmp

Filesize
3.3MB

Download
memory/2892-245-0x00007FF699630000-0x00007FF699981000-memory.dmp

Filesize
3.3MB

Download
memory/2892-152-0x00007FF699630000-0x00007FF699981000-memory.dmp

Filesize
3.3MB

Download
memory/2892-82-0x00007FF699630000-0x00007FF699981000-memory.dmp

Filesize
3.3MB

Download
memory/2956-253-0x00007FF691960000-0x00007FF691CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-95-0x00007FF691960000-0x00007FF691CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-154-0x00007FF691960000-0x00007FF691CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-73-0x00007FF60F610000-0x00007FF60F961000-memory.dmp

Filesize
3.3MB

Download
memory/3032-243-0x00007FF60F610000-0x00007FF60F961000-memory.dmp

Filesize
3.3MB

Download
memory/3040-78-0x00007FF6D6F20000-0x00007FF6D7271000-memory.dmp

Filesize
3.3MB

Download
memory/3040-240-0x00007FF6D6F20000-0x00007FF6D7271000-memory.dmp

Filesize
3.3MB

Download
memory/3220-231-0x00007FF74E0D0000-0x00007FF74E421000-memory.dmp

Filesize
3.3MB

Download
memory/3220-103-0x00007FF74E0D0000-0x00007FF74E421000-memory.dmp

Filesize
3.3MB

Download
memory/3220-44-0x00007FF74E0D0000-0x00007FF74E421000-memory.dmp

Filesize
3.3MB

Download
memory/3248-156-0x00007FF78E490000-0x00007FF78E7E1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-260-0x00007FF78E490000-0x00007FF78E7E1000-memory.dmp

Filesize
3.3MB

Download
memory/3248-115-0x00007FF78E490000-0x00007FF78E7E1000-memory.dmp

Filesize
3.3MB

Download
memory/3284-262-0x00007FF7E7410000-0x00007FF7E7761000-memory.dmp

Filesize
3.3MB

Download
memory/3284-157-0x00007FF7E7410000-0x00007FF7E7761000-memory.dmp

Filesize
3.3MB

Download
memory/3284-132-0x00007FF7E7410000-0x00007FF7E7761000-memory.dmp

Filesize
3.3MB

Download
memory/3328-268-0x00007FF7C0AD0000-0x00007FF7C0E21000-memory.dmp

Filesize
3.3MB

Download
memory/3328-137-0x00007FF7C0AD0000-0x00007FF7C0E21000-memory.dmp

Filesize
3.3MB

Download
memory/3352-216-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp

Filesize
3.3MB

Download
memory/3352-16-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp

Filesize
3.3MB

Download
memory/3352-81-0x00007FF64C730000-0x00007FF64CA81000-memory.dmp

Filesize
3.3MB

Download
memory/3488-266-0x00007FF6FB540000-0x00007FF6FB891000-memory.dmp

Filesize
3.3MB

Download
memory/3488-139-0x00007FF6FB540000-0x00007FF6FB891000-memory.dmp

Filesize
3.3MB

Download
memory/3560-104-0x00007FF710F90000-0x00007FF7112E1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-255-0x00007FF710F90000-0x00007FF7112E1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-155-0x00007FF710F90000-0x00007FF7112E1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-49-0x00007FF689CE0000-0x00007FF68A031000-memory.dmp

Filesize
3.3MB

Download
memory/3660-122-0x00007FF689CE0000-0x00007FF68A031000-memory.dmp

Filesize
3.3MB

Download
memory/3660-233-0x00007FF689CE0000-0x00007FF68A031000-memory.dmp

Filesize
3.3MB

Download
memory/4284-229-0x00007FF68D5C0000-0x00007FF68D911000-memory.dmp

Filesize
3.3MB

Download
memory/4284-102-0x00007FF68D5C0000-0x00007FF68D911000-memory.dmp

Filesize
3.3MB

Download
memory/4284-32-0x00007FF68D5C0000-0x00007FF68D911000-memory.dmp

Filesize
3.3MB

Download
memory/4908-59-0x00007FF765650000-0x00007FF7659A1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-242-0x00007FF765650000-0x00007FF7659A1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-134-0x00007FF765650000-0x00007FF7659A1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-136-0x00007FF762920000-0x00007FF762C71000-memory.dmp

Filesize
3.3MB

Download
memory/5020-238-0x00007FF762920000-0x00007FF762C71000-memory.dmp

Filesize
3.3MB

Download
memory/5020-62-0x00007FF762920000-0x00007FF762C71000-memory.dmp

Filesize
3.3MB

Download