cobaltstrike | bf200d7974914ce2bf92f5cb0de600bd79b697512cb0d4bdc5b3dfa78bb6dad3

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a7628b0f3ebd0a8f8658d0645cd5b77f
SHA1

800397ca0f329277bcb529c00f25697798585ac1
SHA256

bf200d7974914ce2bf92f5cb0de600bd79b697512cb0d4bdc5b3dfa78bb6dad3
SHA512

cd5d5f424684f8476250525ee2b112220f60cade73ed269a2a58ed78aea9f6dc8b1bc1a82664b5c842bc3032604f2890be2e43a2b446833e2be3889d826a1c64
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibf56utgpPFotBER/mQ32lUf

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234ae-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-13.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-29.dat	cobalt_reflective_dll
behavioral2/files/0x000c0000000234b8-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-111.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-68.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2408-39-0x00007FF7FDCB0000-0x00007FF7FE001000-memory.dmp	xmrig
behavioral2/memory/2536-63-0x00007FF6570A0000-0x00007FF6573F1000-memory.dmp	xmrig
behavioral2/memory/2868-62-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp	xmrig
behavioral2/memory/1808-88-0x00007FF712820000-0x00007FF712B71000-memory.dmp	xmrig
behavioral2/memory/4832-86-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp	xmrig
behavioral2/memory/4616-80-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp	xmrig
behavioral2/memory/2164-109-0x00007FF7BB390000-0x00007FF7BB6E1000-memory.dmp	xmrig
behavioral2/memory/4588-76-0x00007FF626740000-0x00007FF626A91000-memory.dmp	xmrig
behavioral2/memory/2072-73-0x00007FF6220A0000-0x00007FF6223F1000-memory.dmp	xmrig
behavioral2/memory/4104-67-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp	xmrig
behavioral2/memory/3452-131-0x00007FF665E10000-0x00007FF666161000-memory.dmp	xmrig
behavioral2/memory/2448-130-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp	xmrig
behavioral2/memory/3008-132-0x00007FF7CCD10000-0x00007FF7CD061000-memory.dmp	xmrig
behavioral2/memory/2920-133-0x00007FF6B9AE0000-0x00007FF6B9E31000-memory.dmp	xmrig
behavioral2/memory/1248-134-0x00007FF7DAE80000-0x00007FF7DB1D1000-memory.dmp	xmrig
behavioral2/memory/2868-135-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp	xmrig
behavioral2/memory/2752-138-0x00007FF7C89F0000-0x00007FF7C8D41000-memory.dmp	xmrig
behavioral2/memory/1236-141-0x00007FF61DFB0000-0x00007FF61E301000-memory.dmp	xmrig
behavioral2/memory/2056-151-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	xmrig
behavioral2/memory/1976-155-0x00007FF79F700000-0x00007FF79FA51000-memory.dmp	xmrig
behavioral2/memory/2300-153-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp	xmrig
behavioral2/memory/4492-150-0x00007FF6E4180000-0x00007FF6E44D1000-memory.dmp	xmrig
behavioral2/memory/696-149-0x00007FF6330A0000-0x00007FF6333F1000-memory.dmp	xmrig
behavioral2/memory/2868-159-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp	xmrig
behavioral2/memory/4104-208-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp	xmrig
behavioral2/memory/4588-211-0x00007FF626740000-0x00007FF626A91000-memory.dmp	xmrig
behavioral2/memory/4616-213-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp	xmrig
behavioral2/memory/4832-220-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp	xmrig
behavioral2/memory/1808-222-0x00007FF712820000-0x00007FF712B71000-memory.dmp	xmrig
behavioral2/memory/2408-224-0x00007FF7FDCB0000-0x00007FF7FE001000-memory.dmp	xmrig
behavioral2/memory/3008-226-0x00007FF7CCD10000-0x00007FF7CD061000-memory.dmp	xmrig
behavioral2/memory/2752-230-0x00007FF7C89F0000-0x00007FF7C8D41000-memory.dmp	xmrig
behavioral2/memory/1236-232-0x00007FF61DFB0000-0x00007FF61E301000-memory.dmp	xmrig
behavioral2/memory/2536-234-0x00007FF6570A0000-0x00007FF6573F1000-memory.dmp	xmrig
behavioral2/memory/2072-240-0x00007FF6220A0000-0x00007FF6223F1000-memory.dmp	xmrig
behavioral2/memory/696-242-0x00007FF6330A0000-0x00007FF6333F1000-memory.dmp	xmrig
behavioral2/memory/4492-250-0x00007FF6E4180000-0x00007FF6E44D1000-memory.dmp	xmrig
behavioral2/memory/2164-252-0x00007FF7BB390000-0x00007FF7BB6E1000-memory.dmp	xmrig
behavioral2/memory/2056-254-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	xmrig
behavioral2/memory/2920-256-0x00007FF6B9AE0000-0x00007FF6B9E31000-memory.dmp	xmrig
behavioral2/memory/1976-260-0x00007FF79F700000-0x00007FF79FA51000-memory.dmp	xmrig
behavioral2/memory/3452-262-0x00007FF665E10000-0x00007FF666161000-memory.dmp	xmrig
behavioral2/memory/2300-259-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp	xmrig
behavioral2/memory/2448-264-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp	xmrig
behavioral2/memory/1248-266-0x00007FF7DAE80000-0x00007FF7DB1D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4104	qPuWfux.exe
4588	naJqANV.exe
4616	HHhkmUn.exe
4832	zeHoAIU.exe
1808	TvzSwcn.exe
2408	kmEABmO.exe
3008	JJVFgRD.exe
2752	eEMnQec.exe
1236	eZcspGJ.exe
2536	EUJJjsN.exe
2072	yAkSrfi.exe
696	rvAMnWJ.exe
4492	ojqQpLL.exe
2056	udboIiK.exe
2164	xTKGdcF.exe
2300	TDbuXLx.exe
2920	hYJXRIj.exe
1976	XfGlZBf.exe
1248	NhHzDaE.exe
2448	MrztzdU.exe
3452	vbeofKc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2868-0-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp	upx
behavioral2/memory/4104-8-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp	upx
behavioral2/files/0x00090000000234ae-6.dat	upx
behavioral2/files/0x00070000000234c1-10.dat	upx
behavioral2/files/0x00070000000234c0-13.dat	upx
behavioral2/memory/4616-17-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp	upx
behavioral2/memory/4588-12-0x00007FF626740000-0x00007FF626A91000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-23.dat	upx
behavioral2/memory/4832-26-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-29.dat	upx
behavioral2/memory/1808-30-0x00007FF712820000-0x00007FF712B71000-memory.dmp	upx
behavioral2/files/0x000c0000000234b8-36.dat	upx
behavioral2/memory/2408-39-0x00007FF7FDCB0000-0x00007FF7FE001000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-41.dat	upx
behavioral2/memory/3008-45-0x00007FF7CCD10000-0x00007FF7CD061000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-47.dat	upx
behavioral2/memory/2752-48-0x00007FF7C89F0000-0x00007FF7C8D41000-memory.dmp	upx
behavioral2/memory/1236-54-0x00007FF61DFB0000-0x00007FF61E301000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-60.dat	upx
behavioral2/memory/2536-63-0x00007FF6570A0000-0x00007FF6573F1000-memory.dmp	upx
behavioral2/memory/2868-62-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-57.dat	upx
behavioral2/files/0x00070000000234ca-72.dat	upx
behavioral2/files/0x00070000000234cc-85.dat	upx
behavioral2/memory/1808-88-0x00007FF712820000-0x00007FF712B71000-memory.dmp	upx
behavioral2/memory/2056-87-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	upx
behavioral2/memory/4832-86-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp	upx
behavioral2/memory/4492-84-0x00007FF6E4180000-0x00007FF6E44D1000-memory.dmp	upx
behavioral2/memory/4616-80-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-79.dat	upx
behavioral2/memory/2164-109-0x00007FF7BB390000-0x00007FF7BB6E1000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-111.dat	upx
behavioral2/files/0x00070000000234d3-122.dat	upx
behavioral2/files/0x00070000000234d2-124.dat	upx
behavioral2/files/0x00070000000234d0-120.dat	upx
behavioral2/files/0x00070000000234cf-118.dat	upx
behavioral2/files/0x00070000000234ce-114.dat	upx
behavioral2/memory/2300-110-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-100.dat	upx
behavioral2/memory/696-77-0x00007FF6330A0000-0x00007FF6333F1000-memory.dmp	upx
behavioral2/memory/4588-76-0x00007FF626740000-0x00007FF626A91000-memory.dmp	upx
behavioral2/memory/2072-73-0x00007FF6220A0000-0x00007FF6223F1000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-68.dat	upx
behavioral2/memory/4104-67-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp	upx
behavioral2/memory/3452-131-0x00007FF665E10000-0x00007FF666161000-memory.dmp	upx
behavioral2/memory/2448-130-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp	upx
behavioral2/memory/3008-132-0x00007FF7CCD10000-0x00007FF7CD061000-memory.dmp	upx
behavioral2/memory/2920-133-0x00007FF6B9AE0000-0x00007FF6B9E31000-memory.dmp	upx
behavioral2/memory/1248-134-0x00007FF7DAE80000-0x00007FF7DB1D1000-memory.dmp	upx
behavioral2/memory/1976-129-0x00007FF79F700000-0x00007FF79FA51000-memory.dmp	upx
behavioral2/memory/2868-135-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp	upx
behavioral2/memory/2752-138-0x00007FF7C89F0000-0x00007FF7C8D41000-memory.dmp	upx
behavioral2/memory/1236-141-0x00007FF61DFB0000-0x00007FF61E301000-memory.dmp	upx
behavioral2/memory/2056-151-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp	upx
behavioral2/memory/1976-155-0x00007FF79F700000-0x00007FF79FA51000-memory.dmp	upx
behavioral2/memory/2300-153-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp	upx
behavioral2/memory/4492-150-0x00007FF6E4180000-0x00007FF6E44D1000-memory.dmp	upx
behavioral2/memory/696-149-0x00007FF6330A0000-0x00007FF6333F1000-memory.dmp	upx
behavioral2/memory/2868-159-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp	upx
behavioral2/memory/4104-208-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp	upx
behavioral2/memory/4588-211-0x00007FF626740000-0x00007FF626A91000-memory.dmp	upx
behavioral2/memory/4616-213-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp	upx
behavioral2/memory/4832-220-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp	upx
behavioral2/memory/1808-222-0x00007FF712820000-0x00007FF712B71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HHhkmUn.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TvzSwcn.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eZcspGJ.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yAkSrfi.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rvAMnWJ.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\udboIiK.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qPuWfux.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDbuXLx.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XfGlZBf.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eEMnQec.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kmEABmO.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EUJJjsN.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojqQpLL.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYJXRIj.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vbeofKc.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zeHoAIU.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JJVFgRD.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xTKGdcF.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NhHzDaE.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MrztzdU.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naJqANV.exe	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4104	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2868 wrote to memory of 4104	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2868 wrote to memory of 4588	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2868 wrote to memory of 4588	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2868 wrote to memory of 4616	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2868 wrote to memory of 4616	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2868 wrote to memory of 4832	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2868 wrote to memory of 4832	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2868 wrote to memory of 1808	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2868 wrote to memory of 1808	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2868 wrote to memory of 2408	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2868 wrote to memory of 2408	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2868 wrote to memory of 3008	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2868 wrote to memory of 3008	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2868 wrote to memory of 2752	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2868 wrote to memory of 2752	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2868 wrote to memory of 1236	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2868 wrote to memory of 1236	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2868 wrote to memory of 2536	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2868 wrote to memory of 2536	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2868 wrote to memory of 2072	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2868 wrote to memory of 2072	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2868 wrote to memory of 696	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2868 wrote to memory of 696	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2868 wrote to memory of 4492	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2868 wrote to memory of 4492	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2868 wrote to memory of 2056	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2868 wrote to memory of 2056	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2868 wrote to memory of 2164	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2868 wrote to memory of 2164	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2868 wrote to memory of 2300	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2868 wrote to memory of 2300	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2868 wrote to memory of 2920	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2868 wrote to memory of 2920	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2868 wrote to memory of 1976	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2868 wrote to memory of 1976	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2868 wrote to memory of 1248	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2868 wrote to memory of 1248	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2868 wrote to memory of 2448	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2868 wrote to memory of 2448	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2868 wrote to memory of 3452	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2868 wrote to memory of 3452	2868	2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_a7628b0f3ebd0a8f8658d0645cd5b77f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\System\qPuWfux.exe
  C:\Windows\System\qPuWfux.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\naJqANV.exe
  C:\Windows\System\naJqANV.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\HHhkmUn.exe
  C:\Windows\System\HHhkmUn.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\zeHoAIU.exe
  C:\Windows\System\zeHoAIU.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\TvzSwcn.exe
  C:\Windows\System\TvzSwcn.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\kmEABmO.exe
  C:\Windows\System\kmEABmO.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\JJVFgRD.exe
  C:\Windows\System\JJVFgRD.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\eEMnQec.exe
  C:\Windows\System\eEMnQec.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\eZcspGJ.exe
  C:\Windows\System\eZcspGJ.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\EUJJjsN.exe
  C:\Windows\System\EUJJjsN.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\yAkSrfi.exe
  C:\Windows\System\yAkSrfi.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\rvAMnWJ.exe
  C:\Windows\System\rvAMnWJ.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\ojqQpLL.exe
  C:\Windows\System\ojqQpLL.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\udboIiK.exe
  C:\Windows\System\udboIiK.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\xTKGdcF.exe
  C:\Windows\System\xTKGdcF.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\TDbuXLx.exe
  C:\Windows\System\TDbuXLx.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\hYJXRIj.exe
  C:\Windows\System\hYJXRIj.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\XfGlZBf.exe
  C:\Windows\System\XfGlZBf.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\NhHzDaE.exe
  C:\Windows\System\NhHzDaE.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\MrztzdU.exe
  C:\Windows\System\MrztzdU.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\vbeofKc.exe
  C:\Windows\System\vbeofKc.exe
  2⤵
  - Executes dropped EXE
  PID:3452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EUJJjsN.exe

Filesize
5.2MB

MD5
b4055bbc76a1c7a76b41f940f40bbd6b

SHA1
2ddeb28f141b6b1b98792090714548f82c983ef4

SHA256
4717c7e16c5a081c3d48b90771a17bfb5758aba707fb5b92765ad0d401b0776e

SHA512
9c960b09f5e969d006a5d2c7d7052ecb5e5de6e793ce8800af2f9a3b1780668aa2b7c2de1b0072247f95d4236653afcbc925309d4986de1d532420bbcc6b28d6

Download Submit
C:\Windows\System\HHhkmUn.exe

Filesize
5.2MB

MD5
93adbe0ceff18057edf4caa56d2d847c

SHA1
0a926eb88288e66efe6ab029110d3495b2a5212f

SHA256
240eb12dd4b270c4317c7118950daef940875a73a94acc9ca963147180900021

SHA512
8f1f7fbebf4b8a3d67fec9f8fb005a40056e1c990c67ede0dab459a7d9343ac6b309db25b0cadd472388ccc7f6f97eb9fa8c3edde271e6c6d6b246c7d0d5672f

Download Submit
C:\Windows\System\JJVFgRD.exe

Filesize
5.2MB

MD5
2ab419c8d37733e3e16379d8ba453536

SHA1
f606ea9e3c1d72b3d9dff2ad3ecf215cb2e43a2a

SHA256
c50d9c3103bedb179eeed6b4bd553f5f8922e9804fa084d653bf53ad85f55377

SHA512
9df851f4ce270654d74b6bb3e485179825cea2024fb5ab87a12540bbb4541368d05dc1db2a7481662ac5fab8e7ccbc9147cc16c814331d4419ce8aa7c82c30cc

Download Submit
C:\Windows\System\MrztzdU.exe

Filesize
5.2MB

MD5
3ece0f09a330faf13798b4ff31ff9a4f

SHA1
ce28cd228f4bbed08f93da70a20b313364bd0af6

SHA256
39a00f4d953c90ea4244369877d22eeb847fc60ee74c07d0c9638135acb4f26f

SHA512
9ccc2993cc8e41ffae0ead2865622f658620cd4ee52604f3568dd8c971320d71f98dc80d64183b2c0362feb338178117ed9e865504f756cabba79148d4d516d7

Download Submit
C:\Windows\System\NhHzDaE.exe

Filesize
5.2MB

MD5
85ed5201f500e38bd20a63a5fa1612ae

SHA1
8d1ff866596933c73f7331f965aefabdcac7808e

SHA256
a983ff042fdc950e67cb9980e9e0bd0cf1943b64f132c72ea775d191e3b5655b

SHA512
dd7b2c25aa4926d1a866ecec4865f274deb4012eb42dcd50ac11d5a025ed5c24d967846c5435190203694d64fb5e72db88df2f24084d678a14fb5387b6b97852

Download Submit
C:\Windows\System\TDbuXLx.exe

Filesize
5.2MB

MD5
85e35806f7d63c8d8244087628e691c3

SHA1
a6261a82f5a39fd192d94084915225b23dafdb08

SHA256
9e708d727a647b544b442956c20b04e32f51f00fdc79cf2e4116fce0e312e1b8

SHA512
06ad6c677f09616f3f85521134b5f218976cadad94199da44a76f6fb71b6e49bac4ebf824d10ddf00e1617827688e7a1a56e1026010b3ea443f66ce3caf6ea41

Download Submit
C:\Windows\System\TvzSwcn.exe

Filesize
5.2MB

MD5
05cbbb86bb2377550b79f5f27ef51f8a

SHA1
f12e601d31e93d8dd1340719e50408de6893b21e

SHA256
d36e2711dfc472ddafad7ff2427501e8e6416359d071380134b97060a330e9db

SHA512
344e62a371a8bc4d08633fca005d0c662e6d45d062cfa48736eacb4934be29d9bd66d3e568fb11356d44124ccc4b0b2d634dc7736441520157ce9d82b452d8a4

Download Submit
C:\Windows\System\XfGlZBf.exe

Filesize
5.2MB

MD5
49cddfcf0c33f38d00fa517506b922ec

SHA1
a579792992b9fcab1bb4b731f5d04055ce69fd3c

SHA256
ca1158192ae7eee6331d888a2468a9a15cdd350a2ac16e45ae8b5954c1e21325

SHA512
c1f3d8f180ce745605ec80bccf0915083c1bf97128103c939d59ea783998f794b9636142e6605c75f3bb9cc77b5a3c41c75ec77f72e9dacbe938f726cd14403a

Download Submit
C:\Windows\System\eEMnQec.exe

Filesize
5.2MB

MD5
493ac12381d1ebbde46b2916050860d1

SHA1
204701e81404b7844275376ea79e4e60e931ac5e

SHA256
2cabb13c05c15f83618d4ff41af335113c1c57f6196da146441b440bf8205713

SHA512
697809c559196fbdd95f36bc0959f5b3e5dde35bbd1dc492229c97a5fe94a6617248759efe45fe8910afee8fd5a606b6384780f6736a7d348d9624b07cf82ea4

Download Submit
C:\Windows\System\eZcspGJ.exe

Filesize
5.2MB

MD5
1c58d3c0ded9d89817537bebeee4d507

SHA1
0bed05874549d95e89cdd937b39b0f6aa2b924e1

SHA256
ef4d0291c1baffbaae1745da734aab0181815a2bbcf8676927fddffeb7203733

SHA512
3143db18f43caa305a703997bedd5322a13b145281f2d42b4754cc4dfa13f8fac4c972bb88b3bae3bf3c1b47358d979b7521ee4b8fdf69e91204cf197636833f

Download Submit
C:\Windows\System\hYJXRIj.exe

Filesize
5.2MB

MD5
d770d841938021170225b77df1be0dbc

SHA1
d8c60894fc9246268bbe036a7e50b5d9e03ef44a

SHA256
95d2185f0ebbc5066600e1b2d9ea271b47ac8b408fdd2cc01fffcd333ad8998e

SHA512
186da5c339d113d12116b471f01068c755453367b5843a6053a952bb36247f8949536b94987940dc856454f607d2916755e4e018440dbb175ee423b21605c02f

Download Submit
C:\Windows\System\kmEABmO.exe

Filesize
5.2MB

MD5
3d16c036bda713c090af51087276f060

SHA1
a791762ec2b38f03a639b4c539c61f1796b5926a

SHA256
350b7fa6a61b477adfeb85b54ef80f740d238c9698bb54954326be72a78b2d42

SHA512
7bdb55445458cc19fd294e96752d80ccc5dbe73d9ab35425bec7f13ba65b31ce70f06c70d5a0b9b8a38a21e1e7df05d3be3e14f18b640c465ae0f17a13d06731

Download Submit
C:\Windows\System\naJqANV.exe

Filesize
5.2MB

MD5
7d15a6272e428d832ac7348652d1e73d

SHA1
a1e891158d4167210913528f716b5bcfcd97e251

SHA256
674766d9dd15c2ab1a1b4284bd5a745b07db860a7b586b27f68b0604b3480cf4

SHA512
be8e5875d6f5a8a7d5dd34989c0619b1b3789c1cc1f756fbe2f5b8ffc685ab023dcabc1f71c4c1a02d2a51f33d9ca0cc78bb29fb44e29b7fb418729d257d0636

Download Submit
C:\Windows\System\ojqQpLL.exe

Filesize
5.2MB

MD5
b1de39cf128032cd13c9b37181590025

SHA1
b1b5586ed4fedf69fcd25823e110c411f4a1a1ac

SHA256
7ffb4a6b17d0515e3b8b4e026965bbe88f3aa4dde1fb92fb0e4d89cd0b0baa02

SHA512
15ebb88d33c008bb6af1348e074c42de7b703f08684b9e0115ac90908905903c9987de44ae7163166be113f160ab66a46a8731a94ab77a744bf12925c99909b9

Download Submit
C:\Windows\System\qPuWfux.exe

Filesize
5.2MB

MD5
1ed068507f65ca1951680390055bfb50

SHA1
175702fcfe6717f06004735f8fb0f359b25afe8b

SHA256
6e264100ab4c412970b149108d3cb08e815e74be9771e7eb7475e0bd76252ffe

SHA512
fa413ade3a42bb91dea4646c74000b0f7c75f6bca46b7d88dcce44867198c10a5e08bc85c130e3d817e085799c92bdb60c7747d870313de977f2e048788729ae

Download Submit
C:\Windows\System\rvAMnWJ.exe

Filesize
5.2MB

MD5
0bd0788c07e776ea2404324fe516d4fe

SHA1
3c19b00cb90762f45857840224e7242151151e05

SHA256
9343e636b959d5be25681a6f5267d405c27554a48597edd6dbdb97c6b5689137

SHA512
24595a351f644c96f82a689fa05e9de299e994287a1cd09037c9dbac7dda63f4468a21866175cccdb535c0441cced85d67a643d75ebae3987ea83ce192c01a8a

Download Submit
C:\Windows\System\udboIiK.exe

Filesize
5.2MB

MD5
3a03a396b5369cbd4ff14d1c0c0c0370

SHA1
ddc7ab48dea54f128f3c16cf861d35da013c3ffb

SHA256
fc04dd3d0ca18ae781c0d698995dca1017ba67ec3affb5ac04eceb3815dec2d4

SHA512
667ea5833fb171c52e9f1cfcda3e7302f945644b9f431c2bb73827361a65bd04326fe8134510ba19c094dc58383afa475d078a971edef768f429d5e2a16251f7

Download Submit
C:\Windows\System\vbeofKc.exe

Filesize
5.2MB

MD5
9821f341db9ee4051fdaf2c8ece3bcfc

SHA1
c9bd1fdd14660b15bbc830b8307a1b5cd6795bfb

SHA256
7daf942f684fb054b0ee299df85863a5437119a07a4d7f9852e502abf0ea4566

SHA512
e70443342c7c309020fa030c87f2ae687472531a19d982208d28c2dc9ef19aaa7d74612ca29d4cce8d25c914cc1c3bce355b192d5aeb1ba4e0c403c407b0bc79

Download Submit
C:\Windows\System\xTKGdcF.exe

Filesize
5.2MB

MD5
c17e77ce1f47daa52cd21fc9d4d3ab51

SHA1
1186a0e6dc1259c82ef57c048746e813d5d01aa8

SHA256
8da6321bc45c8473215a181e15d7111c511153fa4dbb7d3a9f8833dc8fb2d36f

SHA512
18ce05b3bc90459ac1dd15c1910d9dd007fcf4781f007c854653b052c890055a2ed26af836a829d66bb7d684d8076bcb2267a45fed7653b8b6304c9e22025fee

Download Submit
C:\Windows\System\yAkSrfi.exe

Filesize
5.2MB

MD5
7f865a6f7a84ffa51fe544defd740d4d

SHA1
e9e64e40d9c3c3730f2271938caf6759de87593e

SHA256
13f12404fcfa46ea6155d4d97da4ac4c2bdf2c81d0bec6afb96d0924bca47d3f

SHA512
0e7896a2cb74e724942476d2efb9bf71b08e2af5b7463df401ebdc6a95866e4dc84cfe75dcc865a39ac46334969b3e740602f716d1282541f7f9751ea213905a

Download Submit
C:\Windows\System\zeHoAIU.exe

Filesize
5.2MB

MD5
d8835803757ed2a77781df813c40b9f3

SHA1
e3f1edff8b7b981ec6cae6bac319edea1a015e05

SHA256
9f43e869938716e4a704789da72d4d81afc860983aa4e3262ed673f0c33551cf

SHA512
0e432fce14ed42602760c6878cba61737e19408fbd0bfe3f364d03ed88c91f903aa405fd01316ccfcd24ed93fac2a3ad3aa2f222fd991653b72ceaa009bce798

Download Submit
memory/696-242-0x00007FF6330A0000-0x00007FF6333F1000-memory.dmp

Filesize
3.3MB

Download
memory/696-77-0x00007FF6330A0000-0x00007FF6333F1000-memory.dmp

Filesize
3.3MB

Download
memory/696-149-0x00007FF6330A0000-0x00007FF6333F1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-54-0x00007FF61DFB0000-0x00007FF61E301000-memory.dmp

Filesize
3.3MB

Download
memory/1236-141-0x00007FF61DFB0000-0x00007FF61E301000-memory.dmp

Filesize
3.3MB

Download
memory/1236-232-0x00007FF61DFB0000-0x00007FF61E301000-memory.dmp

Filesize
3.3MB

Download
memory/1248-266-0x00007FF7DAE80000-0x00007FF7DB1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1248-134-0x00007FF7DAE80000-0x00007FF7DB1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-88-0x00007FF712820000-0x00007FF712B71000-memory.dmp

Filesize
3.3MB

Download
memory/1808-222-0x00007FF712820000-0x00007FF712B71000-memory.dmp

Filesize
3.3MB

Download
memory/1808-30-0x00007FF712820000-0x00007FF712B71000-memory.dmp

Filesize
3.3MB

Download
memory/1976-260-0x00007FF79F700000-0x00007FF79FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1976-155-0x00007FF79F700000-0x00007FF79FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1976-129-0x00007FF79F700000-0x00007FF79FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2056-87-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp

Filesize
3.3MB

Download
memory/2056-254-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp

Filesize
3.3MB

Download
memory/2056-151-0x00007FF79DA30000-0x00007FF79DD81000-memory.dmp

Filesize
3.3MB

Download
memory/2072-73-0x00007FF6220A0000-0x00007FF6223F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-240-0x00007FF6220A0000-0x00007FF6223F1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-252-0x00007FF7BB390000-0x00007FF7BB6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-109-0x00007FF7BB390000-0x00007FF7BB6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-259-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-153-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-110-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-39-0x00007FF7FDCB0000-0x00007FF7FE001000-memory.dmp

Filesize
3.3MB

Download
memory/2408-224-0x00007FF7FDCB0000-0x00007FF7FE001000-memory.dmp

Filesize
3.3MB

Download
memory/2448-264-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp

Filesize
3.3MB

Download
memory/2448-130-0x00007FF7DECF0000-0x00007FF7DF041000-memory.dmp

Filesize
3.3MB

Download
memory/2536-63-0x00007FF6570A0000-0x00007FF6573F1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-234-0x00007FF6570A0000-0x00007FF6573F1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-48-0x00007FF7C89F0000-0x00007FF7C8D41000-memory.dmp

Filesize
3.3MB

Download
memory/2752-138-0x00007FF7C89F0000-0x00007FF7C8D41000-memory.dmp

Filesize
3.3MB

Download
memory/2752-230-0x00007FF7C89F0000-0x00007FF7C8D41000-memory.dmp

Filesize
3.3MB

Download
memory/2868-159-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-62-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-1-0x000001F73D470000-0x000001F73D480000-memory.dmp

Filesize
64KB

Download
memory/2868-135-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-0-0x00007FF6CD860000-0x00007FF6CDBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-133-0x00007FF6B9AE0000-0x00007FF6B9E31000-memory.dmp

Filesize
3.3MB

Download
memory/2920-256-0x00007FF6B9AE0000-0x00007FF6B9E31000-memory.dmp

Filesize
3.3MB

Download
memory/3008-132-0x00007FF7CCD10000-0x00007FF7CD061000-memory.dmp

Filesize
3.3MB

Download
memory/3008-226-0x00007FF7CCD10000-0x00007FF7CD061000-memory.dmp

Filesize
3.3MB

Download
memory/3008-45-0x00007FF7CCD10000-0x00007FF7CD061000-memory.dmp

Filesize
3.3MB

Download
memory/3452-131-0x00007FF665E10000-0x00007FF666161000-memory.dmp

Filesize
3.3MB

Download
memory/3452-262-0x00007FF665E10000-0x00007FF666161000-memory.dmp

Filesize
3.3MB

Download
memory/4104-208-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp

Filesize
3.3MB

Download
memory/4104-8-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp

Filesize
3.3MB

Download
memory/4104-67-0x00007FF7FAE00000-0x00007FF7FB151000-memory.dmp

Filesize
3.3MB

Download
memory/4492-150-0x00007FF6E4180000-0x00007FF6E44D1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-84-0x00007FF6E4180000-0x00007FF6E44D1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-250-0x00007FF6E4180000-0x00007FF6E44D1000-memory.dmp

Filesize
3.3MB

Download
memory/4588-12-0x00007FF626740000-0x00007FF626A91000-memory.dmp

Filesize
3.3MB

Download
memory/4588-211-0x00007FF626740000-0x00007FF626A91000-memory.dmp

Filesize
3.3MB

Download
memory/4588-76-0x00007FF626740000-0x00007FF626A91000-memory.dmp

Filesize
3.3MB

Download
memory/4616-213-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp

Filesize
3.3MB

Download
memory/4616-17-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp

Filesize
3.3MB

Download
memory/4616-80-0x00007FF7D0F80000-0x00007FF7D12D1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-86-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp

Filesize
3.3MB

Download
memory/4832-220-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp

Filesize
3.3MB

Download
memory/4832-26-0x00007FF6BCCF0000-0x00007FF6BD041000-memory.dmp

Filesize
3.3MB

Download