cobaltstrike | 0c4b6b73ece5c338036a6e2c5993ae9da1bc38f464079e542220b4cf74a29f40

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

48040e054888637f6be1718d1716ffdc
SHA1

971fa10a90d1d2a547af6107a23f578dcb728004
SHA256

0c4b6b73ece5c338036a6e2c5993ae9da1bc38f464079e542220b4cf74a29f40
SHA512

81a6a686e9222634a8c259b40d26037027e3c2e7873ab6c83b4389758c01dba92c5ddd45b85725ceb12c7ead6f737b6fab76ff02c93010d52931a9fd611e698b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibf56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002349c-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023504-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023505-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023506-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023507-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023508-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023509-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350d-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350e-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350f-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023510-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023501-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350c-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023511-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023512-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023514-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023515-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023516-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023513-115.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350b-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350a-47.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2524-54-0x00007FF65B7A0000-0x00007FF65BAF1000-memory.dmp	xmrig
behavioral2/memory/212-62-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp	xmrig
behavioral2/memory/1044-111-0x00007FF6EEB70000-0x00007FF6EEEC1000-memory.dmp	xmrig
behavioral2/memory/2732-123-0x00007FF612F00000-0x00007FF613251000-memory.dmp	xmrig
behavioral2/memory/3436-125-0x00007FF7951E0000-0x00007FF795531000-memory.dmp	xmrig
behavioral2/memory/2416-121-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp	xmrig
behavioral2/memory/3028-120-0x00007FF6CF0E0000-0x00007FF6CF431000-memory.dmp	xmrig
behavioral2/memory/1428-117-0x00007FF797B10000-0x00007FF797E61000-memory.dmp	xmrig
behavioral2/memory/2584-106-0x00007FF6B4310000-0x00007FF6B4661000-memory.dmp	xmrig
behavioral2/memory/348-103-0x00007FF67CAD0000-0x00007FF67CE21000-memory.dmp	xmrig
behavioral2/memory/2396-96-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp	xmrig
behavioral2/memory/3168-131-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp	xmrig
behavioral2/memory/1832-132-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp	xmrig
behavioral2/memory/212-133-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp	xmrig
behavioral2/memory/4028-135-0x00007FF6F4530000-0x00007FF6F4881000-memory.dmp	xmrig
behavioral2/memory/2304-147-0x00007FF6D2D60000-0x00007FF6D30B1000-memory.dmp	xmrig
behavioral2/memory/2268-144-0x00007FF602D10000-0x00007FF603061000-memory.dmp	xmrig
behavioral2/memory/652-143-0x00007FF7F8260000-0x00007FF7F85B1000-memory.dmp	xmrig
behavioral2/memory/2084-141-0x00007FF68E4F0000-0x00007FF68E841000-memory.dmp	xmrig
behavioral2/memory/1976-145-0x00007FF672540000-0x00007FF672891000-memory.dmp	xmrig
behavioral2/memory/4748-153-0x00007FF7533E0000-0x00007FF753731000-memory.dmp	xmrig
behavioral2/memory/3264-156-0x00007FF798D20000-0x00007FF799071000-memory.dmp	xmrig
behavioral2/memory/3128-155-0x00007FF7AB430000-0x00007FF7AB781000-memory.dmp	xmrig
behavioral2/memory/3436-154-0x00007FF7951E0000-0x00007FF795531000-memory.dmp	xmrig
behavioral2/memory/212-157-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp	xmrig
behavioral2/memory/2396-208-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp	xmrig
behavioral2/memory/2416-210-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp	xmrig
behavioral2/memory/3168-212-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp	xmrig
behavioral2/memory/1832-224-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp	xmrig
behavioral2/memory/4028-226-0x00007FF6F4530000-0x00007FF6F4881000-memory.dmp	xmrig
behavioral2/memory/2084-230-0x00007FF68E4F0000-0x00007FF68E841000-memory.dmp	xmrig
behavioral2/memory/2524-231-0x00007FF65B7A0000-0x00007FF65BAF1000-memory.dmp	xmrig
behavioral2/memory/2304-232-0x00007FF6D2D60000-0x00007FF6D30B1000-memory.dmp	xmrig
behavioral2/memory/2268-234-0x00007FF602D10000-0x00007FF603061000-memory.dmp	xmrig
behavioral2/memory/3028-237-0x00007FF6CF0E0000-0x00007FF6CF431000-memory.dmp	xmrig
behavioral2/memory/652-238-0x00007FF7F8260000-0x00007FF7F85B1000-memory.dmp	xmrig
behavioral2/memory/1976-240-0x00007FF672540000-0x00007FF672891000-memory.dmp	xmrig
behavioral2/memory/1044-249-0x00007FF6EEB70000-0x00007FF6EEEC1000-memory.dmp	xmrig
behavioral2/memory/348-252-0x00007FF67CAD0000-0x00007FF67CE21000-memory.dmp	xmrig
behavioral2/memory/2584-251-0x00007FF6B4310000-0x00007FF6B4661000-memory.dmp	xmrig
behavioral2/memory/1428-254-0x00007FF797B10000-0x00007FF797E61000-memory.dmp	xmrig
behavioral2/memory/2732-256-0x00007FF612F00000-0x00007FF613251000-memory.dmp	xmrig
behavioral2/memory/4748-258-0x00007FF7533E0000-0x00007FF753731000-memory.dmp	xmrig
behavioral2/memory/3436-260-0x00007FF7951E0000-0x00007FF795531000-memory.dmp	xmrig
behavioral2/memory/3264-262-0x00007FF798D20000-0x00007FF799071000-memory.dmp	xmrig
behavioral2/memory/3128-264-0x00007FF7AB430000-0x00007FF7AB781000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2396	fFWYyrl.exe
2416	IRHcvVa.exe
3168	xGouGMC.exe
1832	wQZzdpu.exe
4028	AGGfnYP.exe
2304	svlVBWH.exe
2084	sIYJOVU.exe
2524	ZzXJvxv.exe
652	gRvFqeU.exe
2268	fybRzln.exe
1976	OZWWEWk.exe
3028	AyamSOj.exe
348	EWGGoLh.exe
2584	DCXsxWn.exe
1044	OiahikT.exe
1428	NlWkNyW.exe
2732	hPlfrBz.exe
4748	fSRMckT.exe
3436	yLXOtEy.exe
3128	vHllQGE.exe
3264	uheRvSs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/212-0-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp	upx
behavioral2/files/0x000900000002349c-6.dat	upx
behavioral2/memory/2396-7-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp	upx
behavioral2/files/0x0007000000023504-10.dat	upx
behavioral2/memory/2416-14-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp	upx
behavioral2/files/0x0007000000023505-11.dat	upx
behavioral2/files/0x0007000000023506-24.dat	upx
behavioral2/files/0x0007000000023507-28.dat	upx
behavioral2/files/0x0007000000023508-34.dat	upx
behavioral2/memory/2304-38-0x00007FF6D2D60000-0x00007FF6D30B1000-memory.dmp	upx
behavioral2/files/0x0007000000023509-41.dat	upx
behavioral2/memory/2084-49-0x00007FF68E4F0000-0x00007FF68E841000-memory.dmp	upx
behavioral2/memory/2524-54-0x00007FF65B7A0000-0x00007FF65BAF1000-memory.dmp	upx
behavioral2/files/0x000700000002350d-61.dat	upx
behavioral2/memory/212-62-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp	upx
behavioral2/memory/1976-74-0x00007FF672540000-0x00007FF672891000-memory.dmp	upx
behavioral2/files/0x000700000002350e-77.dat	upx
behavioral2/files/0x000700000002350f-88.dat	upx
behavioral2/files/0x0007000000023510-86.dat	upx
behavioral2/files/0x0008000000023501-72.dat	upx
behavioral2/files/0x000700000002350c-65.dat	upx
behavioral2/files/0x0007000000023511-92.dat	upx
behavioral2/files/0x0007000000023512-99.dat	upx
behavioral2/files/0x0007000000023514-108.dat	upx
behavioral2/memory/1044-111-0x00007FF6EEB70000-0x00007FF6EEEC1000-memory.dmp	upx
behavioral2/memory/3264-119-0x00007FF798D20000-0x00007FF799071000-memory.dmp	upx
behavioral2/memory/2732-123-0x00007FF612F00000-0x00007FF613251000-memory.dmp	upx
behavioral2/files/0x0007000000023515-128.dat	upx
behavioral2/files/0x0007000000023516-126.dat	upx
behavioral2/memory/3436-125-0x00007FF7951E0000-0x00007FF795531000-memory.dmp	upx
behavioral2/memory/2416-121-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp	upx
behavioral2/memory/3028-120-0x00007FF6CF0E0000-0x00007FF6CF431000-memory.dmp	upx
behavioral2/memory/4748-118-0x00007FF7533E0000-0x00007FF753731000-memory.dmp	upx
behavioral2/memory/1428-117-0x00007FF797B10000-0x00007FF797E61000-memory.dmp	upx
behavioral2/files/0x0007000000023513-115.dat	upx
behavioral2/memory/2584-106-0x00007FF6B4310000-0x00007FF6B4661000-memory.dmp	upx
behavioral2/memory/348-103-0x00007FF67CAD0000-0x00007FF67CE21000-memory.dmp	upx
behavioral2/memory/2396-96-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp	upx
behavioral2/memory/2268-63-0x00007FF602D10000-0x00007FF603061000-memory.dmp	upx
behavioral2/files/0x000700000002350b-60.dat	upx
behavioral2/memory/652-59-0x00007FF7F8260000-0x00007FF7F85B1000-memory.dmp	upx
behavioral2/files/0x000700000002350a-47.dat	upx
behavioral2/memory/4028-32-0x00007FF6F4530000-0x00007FF6F4881000-memory.dmp	upx
behavioral2/memory/1832-26-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp	upx
behavioral2/memory/3128-130-0x00007FF7AB430000-0x00007FF7AB781000-memory.dmp	upx
behavioral2/memory/3168-20-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp	upx
behavioral2/memory/3168-131-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp	upx
behavioral2/memory/1832-132-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp	upx
behavioral2/memory/212-133-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp	upx
behavioral2/memory/4028-135-0x00007FF6F4530000-0x00007FF6F4881000-memory.dmp	upx
behavioral2/memory/2304-147-0x00007FF6D2D60000-0x00007FF6D30B1000-memory.dmp	upx
behavioral2/memory/2268-144-0x00007FF602D10000-0x00007FF603061000-memory.dmp	upx
behavioral2/memory/652-143-0x00007FF7F8260000-0x00007FF7F85B1000-memory.dmp	upx
behavioral2/memory/2084-141-0x00007FF68E4F0000-0x00007FF68E841000-memory.dmp	upx
behavioral2/memory/1976-145-0x00007FF672540000-0x00007FF672891000-memory.dmp	upx
behavioral2/memory/4748-153-0x00007FF7533E0000-0x00007FF753731000-memory.dmp	upx
behavioral2/memory/3264-156-0x00007FF798D20000-0x00007FF799071000-memory.dmp	upx
behavioral2/memory/3128-155-0x00007FF7AB430000-0x00007FF7AB781000-memory.dmp	upx
behavioral2/memory/3436-154-0x00007FF7951E0000-0x00007FF795531000-memory.dmp	upx
behavioral2/memory/212-157-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp	upx
behavioral2/memory/2396-208-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp	upx
behavioral2/memory/2416-210-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp	upx
behavioral2/memory/3168-212-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp	upx
behavioral2/memory/1832-224-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sIYJOVU.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fybRzln.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NlWkNyW.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCXsxWn.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vHllQGE.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uheRvSs.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IRHcvVa.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wQZzdpu.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AGGfnYP.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AyamSOj.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hPlfrBz.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yLXOtEy.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xGouGMC.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\svlVBWH.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OZWWEWk.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OiahikT.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fSRMckT.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fFWYyrl.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZzXJvxv.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gRvFqeU.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EWGGoLh.exe	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2396	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 212 wrote to memory of 2396	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 212 wrote to memory of 2416	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 212 wrote to memory of 2416	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 212 wrote to memory of 3168	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 212 wrote to memory of 3168	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 212 wrote to memory of 1832	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 212 wrote to memory of 1832	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 212 wrote to memory of 4028	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 212 wrote to memory of 4028	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 212 wrote to memory of 2304	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 212 wrote to memory of 2304	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 212 wrote to memory of 2084	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 212 wrote to memory of 2084	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 212 wrote to memory of 2524	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 212 wrote to memory of 2524	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 212 wrote to memory of 652	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 212 wrote to memory of 652	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 212 wrote to memory of 2268	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 212 wrote to memory of 2268	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 212 wrote to memory of 1976	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 212 wrote to memory of 1976	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 212 wrote to memory of 3028	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 212 wrote to memory of 3028	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 212 wrote to memory of 348	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 212 wrote to memory of 348	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 212 wrote to memory of 1044	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 212 wrote to memory of 1044	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 212 wrote to memory of 2584	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 212 wrote to memory of 2584	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 212 wrote to memory of 1428	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 212 wrote to memory of 1428	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 212 wrote to memory of 2732	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 212 wrote to memory of 2732	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 212 wrote to memory of 4748	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 212 wrote to memory of 4748	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 212 wrote to memory of 3436	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 212 wrote to memory of 3436	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 212 wrote to memory of 3128	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 212 wrote to memory of 3128	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 212 wrote to memory of 3264	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 212 wrote to memory of 3264	212	2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_48040e054888637f6be1718d1716ffdc_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System\fFWYyrl.exe
  C:\Windows\System\fFWYyrl.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\IRHcvVa.exe
  C:\Windows\System\IRHcvVa.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\xGouGMC.exe
  C:\Windows\System\xGouGMC.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\wQZzdpu.exe
  C:\Windows\System\wQZzdpu.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\AGGfnYP.exe
  C:\Windows\System\AGGfnYP.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\svlVBWH.exe
  C:\Windows\System\svlVBWH.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\sIYJOVU.exe
  C:\Windows\System\sIYJOVU.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\ZzXJvxv.exe
  C:\Windows\System\ZzXJvxv.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\gRvFqeU.exe
  C:\Windows\System\gRvFqeU.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\fybRzln.exe
  C:\Windows\System\fybRzln.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\OZWWEWk.exe
  C:\Windows\System\OZWWEWk.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\AyamSOj.exe
  C:\Windows\System\AyamSOj.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\EWGGoLh.exe
  C:\Windows\System\EWGGoLh.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System\OiahikT.exe
  C:\Windows\System\OiahikT.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\DCXsxWn.exe
  C:\Windows\System\DCXsxWn.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\NlWkNyW.exe
  C:\Windows\System\NlWkNyW.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\hPlfrBz.exe
  C:\Windows\System\hPlfrBz.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\fSRMckT.exe
  C:\Windows\System\fSRMckT.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\yLXOtEy.exe
  C:\Windows\System\yLXOtEy.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\vHllQGE.exe
  C:\Windows\System\vHllQGE.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\uheRvSs.exe
  C:\Windows\System\uheRvSs.exe
  2⤵
  - Executes dropped EXE
  PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGGfnYP.exe

Filesize
5.2MB

MD5
612ec05a4c2704d78a924cac5f789a12

SHA1
59cc3a5a756e9adcc3c11a82f15a02d269923949

SHA256
387b849c72fc4544bb49b49f4315e9106a545a47904ddd6a7e2c1d4b16c069ac

SHA512
237cc74fef368842da854b287df3c2a6cea6ebda6de7dc8305b7e7ee12b7fc1912b27e595ce2729161665245ea38859c17694b154ce3ee2c6219d10d89ff12bb

Download Submit
C:\Windows\System\AyamSOj.exe

Filesize
5.2MB

MD5
1c476367fa282cdfaf4d24cd5f7cdf19

SHA1
e0cbcdd8ffb81e256a1144fc55ea78e153fa9a8f

SHA256
0aeaa15821c49163aa89b280e9faf1b8076657ce082631b48f30dd83916ca176

SHA512
a665849ae89c2893a2ae8151730591c7a2f928ff1abe545202fcb885ba6f5f23ccbf1a41dba8c0da969d2a911f81d8beb184311b653756fe1a43f4549978433d

Download Submit
C:\Windows\System\DCXsxWn.exe

Filesize
5.2MB

MD5
9d883d3a22f0c749c00e93da97f09a3c

SHA1
77f3c4dd2f9852e8c19968069db5c30ba2ed7974

SHA256
d7358ef647ad1e4af609b156bb8b29f1abc9243e39d07637dcdd0235bb849e2e

SHA512
f8dc193c64030d76288f785f1ab8471fa2ccd01c421803fcd3363def16b8e3a23e128fa315706316d1c57affd9939b722bdc926293e264b410d46a75ef2f07b3

Download Submit
C:\Windows\System\EWGGoLh.exe

Filesize
5.2MB

MD5
5b7c7cd55cdbfd746ffb5af6c991a81d

SHA1
43867748ef8157a39f733068592d6d891d4b301b

SHA256
960453508a6d6c343b1f2d6434c13ae42b4399d6fd2b36304112479816a9b8a3

SHA512
950d2ba9422c581b3edeb5a4f8f6279393740616d0e15dee96bc4d9ae6241d33f95a7c05e5df08022e4eaf2fbbaeab2951af934bef38d39ed4412924fcf9d2f0

Download Submit
C:\Windows\System\IRHcvVa.exe

Filesize
5.2MB

MD5
c09afcaa875ca593bb107ca27bf9e77e

SHA1
de53ca65cc0823fecb104cf3461295057dddbf1d

SHA256
04aa0b50b0695d1431a26ae6f85938c75c3043a890c287b1ee9c91e66a9a71a8

SHA512
c26306820b710318e38429ae43e66fd0634254702bde6cf2a814df3b69f5e96d6eccc0656cc6b0b75b2463df9b19068af0d88fcbb8a45aca2e83c418290cf692

Download Submit
C:\Windows\System\NlWkNyW.exe

Filesize
5.2MB

MD5
bad0df45114f086670f4c7e31a26e3b9

SHA1
3a067a1e2b4428dde7efe9f00217714525eda1ad

SHA256
f96eda392f41827a7d8a757640a246e40cb4c3245f1d6d5e22f270dfef2b76c4

SHA512
fa4aec1b43a7560d5825e6d48623dfaf25d7956e63942e16a0bdec7fe135eddd6af70adfaa566feaa3c6759df7a8903644f4eb8fe7ed792686776bcc1c16fbbe

Download Submit
C:\Windows\System\OZWWEWk.exe

Filesize
5.2MB

MD5
b8ba52ba37d76cc39cd8732a55f0db79

SHA1
9b0a366640843a6e1bc557b0cc63880c0ee9500d

SHA256
70d79cea2255de666598d8063f1af427dac95976c7f066c84e77b29e3f1dcc6a

SHA512
a355497e0f88049905d96f15c3f056829f77d251e99f79703645a9d5df14cc1c5984401d58f210b550ab49c1f587c8b20e2af7c98aa35dabbcde806a7920cfe9

Download Submit
C:\Windows\System\OiahikT.exe

Filesize
5.2MB

MD5
a1de3f6e156b2d25c60121be716a81ba

SHA1
da7221b53c9d1e215395400df6533df9caa33030

SHA256
8330b725d353381783630e6163a8c8f75486736da3e8d465f530c71618c30f86

SHA512
2cdb7fb1ad57531c3d83a3d5105ff980eb3ba6fa291126f1308481b9b391b0533bb5dc9a9a9fa93d89e9b97c9dc54830e32408e9b2ee612c16daa66704e656f9

Download Submit
C:\Windows\System\ZzXJvxv.exe

Filesize
5.2MB

MD5
362bcce5dcf4935c7aac665cf25b3d5f

SHA1
58b2ce77f1207b018672c94a79b78bc689817516

SHA256
e1b22695a29840542a5502fe1daa692f918777b7fbdb56dd7298dab8a4430ae2

SHA512
0d44184472457300d217ed3b853c650abaa65b10f49d692642b256bca83e645ae965196712823c86bfbad25943fa8aa338ac9b023c84907ae17aa7641c91cf44

Download Submit
C:\Windows\System\fFWYyrl.exe

Filesize
5.2MB

MD5
e180370add886fc258364446b0a7a8d5

SHA1
7d79bf6cbd51b24167690d82c71b5636856f4d06

SHA256
750c3edfcd84e5a8a9f4d434cbb26aefd68e792be3955be28ee2f1ba5fcf08d7

SHA512
0aa196896e5e2836657d59f8e9675558c0266607338850a73853b8aa3c36a7bd8a1166870b9c9c2a25e5768a4f48cd1a681a2149b6aad2077b82e2d75ab5008d

Download Submit
C:\Windows\System\fSRMckT.exe

Filesize
5.2MB

MD5
8b473c836b4137494c5b660e6e618d10

SHA1
4bdeb4791cb523bba13e40a41f9acc08e56850f9

SHA256
eab9622dae2458a24e8651beed5ea6321e9e42601b44d9ffc5c8a9530ef16262

SHA512
be3c215d4b82d0ff05e8fb81622624db5224c36b343d55a7e9e6e2f7109256107c2dda91fc0a39c4bc42faaa1e5fc91c2a0ae9cb513f6c9dc6b3988a65930d0d

Download Submit
C:\Windows\System\fybRzln.exe

Filesize
5.2MB

MD5
64719e18178fe377fd22a2641bca02aa

SHA1
86241d126fb89f7c58411d69ba4f88c5922bffff

SHA256
0ec4f2135e7b6774ef4a0b7238634312d12c6292380a9b0e39cf2214552404cb

SHA512
5622ddfd80e35ebaf1b981660d72b90c12eb019565dbaa86dbeaa0d64714769d51c36e2eb0f99be0905e3cccfee76a1d6377d3cbb1c8e463629f23ad32c0f6e5

Download Submit
C:\Windows\System\gRvFqeU.exe

Filesize
5.2MB

MD5
b7f1bedbee112b02e34ac696df8115b6

SHA1
4284505f28333d04985f390c8ac0191334e4beba

SHA256
7ab429970f9773a5a8a092442dcf6277322b3ec0bb90518ef5a170793d2c4ba8

SHA512
f01a42782f0d4b19ba320778cc45e5e2e2b6988503f8e910e3c9a49e8a9568aa08caeb2c6b8e4d81dcdb12f344f9d9aca0eb5b6f1ed1d21f4430d11e3d1d5295

Download Submit
C:\Windows\System\hPlfrBz.exe

Filesize
5.2MB

MD5
c5f11d509b6123ed446f32787b7dd5f3

SHA1
746893a6893d8bc937a5aed68a3d72ea17eabad7

SHA256
c74048631779417bc07df0a5f8442dda2186b6f18ab0468522d932df4a9a159b

SHA512
9802f1a52cff0220592c6c8490c242e8f3a1c8498b1b8acc8ffc82ddf631f0be83c0535724d7666f7cf1a93464cb280dbb77b93ceeff8879e15fb0c3c19c2fd3

Download Submit
C:\Windows\System\sIYJOVU.exe

Filesize
5.2MB

MD5
c4f3592cad7903c45edc5dc718e6b94d

SHA1
13288cb11b2eeb439ad3bd859509b1416ee09c96

SHA256
175c4b9996a93428a6215ea9746ccabc42f9f330a3dd7ebe2ac8353f6d8f6295

SHA512
26ef0e21b22f4c075b4e7ea3378d8bcda448988e5ffeefa07bfd615f007147d8916cf8b51cd3d1715af18e0b5136462c5614b1e887a88d93070d59bfe99e44a1

Download Submit
C:\Windows\System\svlVBWH.exe

Filesize
5.2MB

MD5
e68ab6b43b0bddf33f8ac0b4afafc8db

SHA1
e48b39850ebc3d69a3dbb826bbee7068e0110eb4

SHA256
2141ba821e7d41f5ca7a7c9bb0aa40ae9c53ec23028c5951e18bd1f86f0959f2

SHA512
def1879a9933d7f0e560d2fed03b3be3b927ea09f17f41bab67afaf3ee50b258f46c5109b1ba75b85074024ba29f35068d114f61ce43e681492cc74920df94c1

Download Submit
C:\Windows\System\uheRvSs.exe

Filesize
5.2MB

MD5
13ed886ec5ff918b2b3039d34cfdcb77

SHA1
946a0c93f91ff0cec7f7de579a9560691385b882

SHA256
0e585260263933e5c280eff6656b26db419e6463f27e2b39650caeff7db6d2eb

SHA512
1ce33adaeedd743f30f8247fc4cfd8cfe3701065fc6704e923fb94a9b33dbcc698a3968d0b6bbbf83c6f76e2a6e7ea31bd7e2944b5abc25c03625be9a783ffea

Download Submit
C:\Windows\System\vHllQGE.exe

Filesize
5.2MB

MD5
d039d8e83ffa7c3dde19d1d12a5b9c3e

SHA1
071d33e002982e242cfb271393c0c66ba92f5605

SHA256
1726e4efd3eb0ea90d45cb4374a5c94c35f9206194cb864d8fb4268c29b071a3

SHA512
2faa35dadc3cb876086863bd7bda5f216a5449e951b558be4e3837c235da087182d9d2c4c6dbd67c8f6fc8a83de15e9af874a3d32dd9b19d34eaa9c600bbee08

Download Submit
C:\Windows\System\wQZzdpu.exe

Filesize
5.2MB

MD5
ca7dd742b52e6ee4c0226041829ab333

SHA1
f88416b72266d2815e6a6352c79112dc9fcc0712

SHA256
726c796e051aa90e54cddf8bbfe1b92b98c21d5b08ae23bb6804582a1711de36

SHA512
a50348b52ab7293f83d828fdde01f62046bcc52529a17ba6c2b70965421b86b8a9c1c4c66ddba164564ef85e9d39e419ca1aef0800609502a3981b6815f552e2

Download Submit
C:\Windows\System\xGouGMC.exe

Filesize
5.2MB

MD5
6aeecc139c9484abe12a5651c2ccfaee

SHA1
8cd5d58cc3ee64210f5799fe4488a1d329fd4b8e

SHA256
33514370453be8ed27ce620b25dc289bf84794b0da0aa2fea28cd524b56dc945

SHA512
46888f3dd3884235eb66abd0cded1b69e9576d5977c32c1e8a0c53a87e199358d0516f3a7b05dc92e7795f6d20f7a78f6020dc5203e8feea7374bc93ee9514b5

Download Submit
C:\Windows\System\yLXOtEy.exe

Filesize
5.2MB

MD5
c48838c0bd879bc33d562818e673036d

SHA1
75c52fb0407e22af12765bfb6ba6c03c59a34dd6

SHA256
89f50f84d27d65395636c70657041320b1b374469ba5da192d51dfac19df45b9

SHA512
53e6263b74ce645ff832dc4efc03f864a2d4338b5297db077c0ecd7e68764014847622d590bd3a47cda15142ee21a9b97ebfafd8ef2631b3de3d4827760e7b95

Download Submit
memory/212-157-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp

Filesize
3.3MB

Download
memory/212-62-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp

Filesize
3.3MB

Download
memory/212-133-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp

Filesize
3.3MB

Download
memory/212-1-0x000001D1B9840000-0x000001D1B9850000-memory.dmp

Filesize
64KB

Download
memory/212-0-0x00007FF60BC90000-0x00007FF60BFE1000-memory.dmp

Filesize
3.3MB

Download
memory/348-252-0x00007FF67CAD0000-0x00007FF67CE21000-memory.dmp

Filesize
3.3MB

Download
memory/348-103-0x00007FF67CAD0000-0x00007FF67CE21000-memory.dmp

Filesize
3.3MB

Download
memory/652-59-0x00007FF7F8260000-0x00007FF7F85B1000-memory.dmp

Filesize
3.3MB

Download
memory/652-238-0x00007FF7F8260000-0x00007FF7F85B1000-memory.dmp

Filesize
3.3MB

Download
memory/652-143-0x00007FF7F8260000-0x00007FF7F85B1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-111-0x00007FF6EEB70000-0x00007FF6EEEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-249-0x00007FF6EEB70000-0x00007FF6EEEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-117-0x00007FF797B10000-0x00007FF797E61000-memory.dmp

Filesize
3.3MB

Download
memory/1428-254-0x00007FF797B10000-0x00007FF797E61000-memory.dmp

Filesize
3.3MB

Download
memory/1832-224-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp

Filesize
3.3MB

Download
memory/1832-26-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp

Filesize
3.3MB

Download
memory/1832-132-0x00007FF6F5810000-0x00007FF6F5B61000-memory.dmp

Filesize
3.3MB

Download
memory/1976-145-0x00007FF672540000-0x00007FF672891000-memory.dmp

Filesize
3.3MB

Download
memory/1976-74-0x00007FF672540000-0x00007FF672891000-memory.dmp

Filesize
3.3MB

Download
memory/1976-240-0x00007FF672540000-0x00007FF672891000-memory.dmp

Filesize
3.3MB

Download
memory/2084-49-0x00007FF68E4F0000-0x00007FF68E841000-memory.dmp

Filesize
3.3MB

Download
memory/2084-141-0x00007FF68E4F0000-0x00007FF68E841000-memory.dmp

Filesize
3.3MB

Download
memory/2084-230-0x00007FF68E4F0000-0x00007FF68E841000-memory.dmp

Filesize
3.3MB

Download
memory/2268-63-0x00007FF602D10000-0x00007FF603061000-memory.dmp

Filesize
3.3MB

Download
memory/2268-234-0x00007FF602D10000-0x00007FF603061000-memory.dmp

Filesize
3.3MB

Download
memory/2268-144-0x00007FF602D10000-0x00007FF603061000-memory.dmp

Filesize
3.3MB

Download
memory/2304-232-0x00007FF6D2D60000-0x00007FF6D30B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-38-0x00007FF6D2D60000-0x00007FF6D30B1000-memory.dmp

Filesize
3.3MB

Download
memory/2304-147-0x00007FF6D2D60000-0x00007FF6D30B1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-7-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp

Filesize
3.3MB

Download
memory/2396-208-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp

Filesize
3.3MB

Download
memory/2396-96-0x00007FF7DD830000-0x00007FF7DDB81000-memory.dmp

Filesize
3.3MB

Download
memory/2416-121-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp

Filesize
3.3MB

Download
memory/2416-210-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp

Filesize
3.3MB

Download
memory/2416-14-0x00007FF7F7E00000-0x00007FF7F8151000-memory.dmp

Filesize
3.3MB

Download
memory/2524-54-0x00007FF65B7A0000-0x00007FF65BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-231-0x00007FF65B7A0000-0x00007FF65BAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-106-0x00007FF6B4310000-0x00007FF6B4661000-memory.dmp

Filesize
3.3MB

Download
memory/2584-251-0x00007FF6B4310000-0x00007FF6B4661000-memory.dmp

Filesize
3.3MB

Download
memory/2732-123-0x00007FF612F00000-0x00007FF613251000-memory.dmp

Filesize
3.3MB

Download
memory/2732-256-0x00007FF612F00000-0x00007FF613251000-memory.dmp

Filesize
3.3MB

Download
memory/3028-120-0x00007FF6CF0E0000-0x00007FF6CF431000-memory.dmp

Filesize
3.3MB

Download
memory/3028-237-0x00007FF6CF0E0000-0x00007FF6CF431000-memory.dmp

Filesize
3.3MB

Download
memory/3128-264-0x00007FF7AB430000-0x00007FF7AB781000-memory.dmp

Filesize
3.3MB

Download
memory/3128-155-0x00007FF7AB430000-0x00007FF7AB781000-memory.dmp

Filesize
3.3MB

Download
memory/3128-130-0x00007FF7AB430000-0x00007FF7AB781000-memory.dmp

Filesize
3.3MB

Download
memory/3168-20-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-212-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-131-0x00007FF6AFC60000-0x00007FF6AFFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-156-0x00007FF798D20000-0x00007FF799071000-memory.dmp

Filesize
3.3MB

Download
memory/3264-119-0x00007FF798D20000-0x00007FF799071000-memory.dmp

Filesize
3.3MB

Download
memory/3264-262-0x00007FF798D20000-0x00007FF799071000-memory.dmp

Filesize
3.3MB

Download
memory/3436-125-0x00007FF7951E0000-0x00007FF795531000-memory.dmp

Filesize
3.3MB

Download
memory/3436-260-0x00007FF7951E0000-0x00007FF795531000-memory.dmp

Filesize
3.3MB

Download
memory/3436-154-0x00007FF7951E0000-0x00007FF795531000-memory.dmp

Filesize
3.3MB

Download
memory/4028-32-0x00007FF6F4530000-0x00007FF6F4881000-memory.dmp

Filesize
3.3MB

Download
memory/4028-226-0x00007FF6F4530000-0x00007FF6F4881000-memory.dmp

Filesize
3.3MB

Download
memory/4028-135-0x00007FF6F4530000-0x00007FF6F4881000-memory.dmp

Filesize
3.3MB

Download
memory/4748-118-0x00007FF7533E0000-0x00007FF753731000-memory.dmp

Filesize
3.3MB

Download
memory/4748-153-0x00007FF7533E0000-0x00007FF753731000-memory.dmp

Filesize
3.3MB

Download
memory/4748-258-0x00007FF7533E0000-0x00007FF753731000-memory.dmp

Filesize
3.3MB

Download