cobaltstrike | dfa07a1e00b1cbf620cf5f14de35639f1c301050bd70762a1e08254d2e89aa50

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ea4b36575c07cf71fa2bde1697216b6e
SHA1

b1c6770dceea0412bcdddc8818880e844bc7b424
SHA256

dfa07a1e00b1cbf620cf5f14de35639f1c301050bd70762a1e08254d2e89aa50
SHA512

ea9bcfc80232947a1651e416fb8aea0f68d4c2ad600b94369d429d19ab068a411596404c9c9c251aa14a510edb8a63d78a2648d6611d38bd50fd1d0f964b5419
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibf56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234da-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e0-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234de-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e1-20.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e2-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e3-36.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234db-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e4-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e5-53.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e8-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-94.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-128.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-134.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-114.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3944-45-0x00007FF6F0E70000-0x00007FF6F11C1000-memory.dmp	xmrig
behavioral2/memory/1044-61-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp	xmrig
behavioral2/memory/4156-80-0x00007FF756B40000-0x00007FF756E91000-memory.dmp	xmrig
behavioral2/memory/4128-79-0x00007FF75A630000-0x00007FF75A981000-memory.dmp	xmrig
behavioral2/memory/4244-76-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	xmrig
behavioral2/memory/2820-69-0x00007FF711CC0000-0x00007FF712011000-memory.dmp	xmrig
behavioral2/memory/3512-92-0x00007FF6165E0000-0x00007FF616931000-memory.dmp	xmrig
behavioral2/memory/4504-95-0x00007FF6CAB00000-0x00007FF6CAE51000-memory.dmp	xmrig
behavioral2/memory/4748-109-0x00007FF63CD20000-0x00007FF63D071000-memory.dmp	xmrig
behavioral2/memory/2024-115-0x00007FF7F33A0000-0x00007FF7F36F1000-memory.dmp	xmrig
behavioral2/memory/4008-135-0x00007FF6B62F0000-0x00007FF6B6641000-memory.dmp	xmrig
behavioral2/memory/5048-133-0x00007FF7C2750000-0x00007FF7C2AA1000-memory.dmp	xmrig
behavioral2/memory/4028-132-0x00007FF6870C0000-0x00007FF687411000-memory.dmp	xmrig
behavioral2/memory/3668-131-0x00007FF7C4CD0000-0x00007FF7C5021000-memory.dmp	xmrig
behavioral2/memory/4304-121-0x00007FF636DB0000-0x00007FF637101000-memory.dmp	xmrig
behavioral2/memory/1044-139-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp	xmrig
behavioral2/memory/2572-141-0x00007FF731C30000-0x00007FF731F81000-memory.dmp	xmrig
behavioral2/memory/1192-138-0x00007FF7D3340000-0x00007FF7D3691000-memory.dmp	xmrig
behavioral2/memory/264-147-0x00007FF753CB0000-0x00007FF754001000-memory.dmp	xmrig
behavioral2/memory/5012-152-0x00007FF6A95E0000-0x00007FF6A9931000-memory.dmp	xmrig
behavioral2/memory/1692-157-0x00007FF79E140000-0x00007FF79E491000-memory.dmp	xmrig
behavioral2/memory/1248-158-0x00007FF670330000-0x00007FF670681000-memory.dmp	xmrig
behavioral2/memory/2432-160-0x00007FF645760000-0x00007FF645AB1000-memory.dmp	xmrig
behavioral2/memory/1044-166-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp	xmrig
behavioral2/memory/2820-215-0x00007FF711CC0000-0x00007FF712011000-memory.dmp	xmrig
behavioral2/memory/4244-220-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	xmrig
behavioral2/memory/4128-222-0x00007FF75A630000-0x00007FF75A981000-memory.dmp	xmrig
behavioral2/memory/4156-224-0x00007FF756B40000-0x00007FF756E91000-memory.dmp	xmrig
behavioral2/memory/3512-226-0x00007FF6165E0000-0x00007FF616931000-memory.dmp	xmrig
behavioral2/memory/4504-232-0x00007FF6CAB00000-0x00007FF6CAE51000-memory.dmp	xmrig
behavioral2/memory/3944-234-0x00007FF6F0E70000-0x00007FF6F11C1000-memory.dmp	xmrig
behavioral2/memory/4748-236-0x00007FF63CD20000-0x00007FF63D071000-memory.dmp	xmrig
behavioral2/memory/2024-242-0x00007FF7F33A0000-0x00007FF7F36F1000-memory.dmp	xmrig
behavioral2/memory/4028-244-0x00007FF6870C0000-0x00007FF687411000-memory.dmp	xmrig
behavioral2/memory/5048-246-0x00007FF7C2750000-0x00007FF7C2AA1000-memory.dmp	xmrig
behavioral2/memory/1192-249-0x00007FF7D3340000-0x00007FF7D3691000-memory.dmp	xmrig
behavioral2/memory/5012-251-0x00007FF6A95E0000-0x00007FF6A9931000-memory.dmp	xmrig
behavioral2/memory/264-253-0x00007FF753CB0000-0x00007FF754001000-memory.dmp	xmrig
behavioral2/memory/1692-255-0x00007FF79E140000-0x00007FF79E491000-memory.dmp	xmrig
behavioral2/memory/1248-263-0x00007FF670330000-0x00007FF670681000-memory.dmp	xmrig
behavioral2/memory/4304-265-0x00007FF636DB0000-0x00007FF637101000-memory.dmp	xmrig
behavioral2/memory/2432-267-0x00007FF645760000-0x00007FF645AB1000-memory.dmp	xmrig
behavioral2/memory/4008-269-0x00007FF6B62F0000-0x00007FF6B6641000-memory.dmp	xmrig
behavioral2/memory/3668-271-0x00007FF7C4CD0000-0x00007FF7C5021000-memory.dmp	xmrig
behavioral2/memory/2572-273-0x00007FF731C30000-0x00007FF731F81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2820	MwcihGP.exe
4244	OliMEJN.exe
4128	GhFaBJq.exe
4156	VJAOKYa.exe
3512	YyKKvjo.exe
4504	UkBTSXw.exe
3944	MQPzYeW.exe
4748	gYEVndP.exe
2024	JrnAptW.exe
4028	fXtjSdC.exe
5048	cCLciCq.exe
1192	LfwpOIy.exe
264	bJnlwOc.exe
5012	ClwUcJR.exe
1692	dSectdj.exe
1248	SiPslkq.exe
2432	otKKfXy.exe
4304	ONYYFnR.exe
4008	CqlufqX.exe
3668	JsVUtwX.exe
2572	glsmEjC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1044-0-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp	upx
behavioral2/files/0x00080000000234da-4.dat	upx
behavioral2/memory/2820-7-0x00007FF711CC0000-0x00007FF712011000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-10.dat	upx
behavioral2/files/0x00070000000234de-11.dat	upx
behavioral2/files/0x00070000000234e1-20.dat	upx
behavioral2/memory/4128-21-0x00007FF75A630000-0x00007FF75A981000-memory.dmp	upx
behavioral2/memory/4156-28-0x00007FF756B40000-0x00007FF756E91000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-29.dat	upx
behavioral2/memory/3512-30-0x00007FF6165E0000-0x00007FF616931000-memory.dmp	upx
behavioral2/memory/4244-12-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	upx
behavioral2/files/0x00070000000234e3-36.dat	upx
behavioral2/memory/4504-37-0x00007FF6CAB00000-0x00007FF6CAE51000-memory.dmp	upx
behavioral2/files/0x00080000000234db-40.dat	upx
behavioral2/files/0x00070000000234e4-48.dat	upx
behavioral2/memory/4748-50-0x00007FF63CD20000-0x00007FF63D071000-memory.dmp	upx
behavioral2/memory/3944-45-0x00007FF6F0E70000-0x00007FF6F11C1000-memory.dmp	upx
behavioral2/files/0x00070000000234e5-53.dat	upx
behavioral2/memory/2024-54-0x00007FF7F33A0000-0x00007FF7F36F1000-memory.dmp	upx
behavioral2/memory/1044-61-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-59.dat	upx
behavioral2/memory/4028-64-0x00007FF6870C0000-0x00007FF687411000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-73.dat	upx
behavioral2/files/0x00070000000234ea-83.dat	upx
behavioral2/memory/5012-85-0x00007FF6A95E0000-0x00007FF6A9931000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-90.dat	upx
behavioral2/memory/264-84-0x00007FF753CB0000-0x00007FF754001000-memory.dmp	upx
behavioral2/memory/4156-80-0x00007FF756B40000-0x00007FF756E91000-memory.dmp	upx
behavioral2/memory/4128-79-0x00007FF75A630000-0x00007FF75A981000-memory.dmp	upx
behavioral2/memory/1192-78-0x00007FF7D3340000-0x00007FF7D3691000-memory.dmp	upx
behavioral2/memory/4244-76-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	upx
behavioral2/memory/5048-75-0x00007FF7C2750000-0x00007FF7C2AA1000-memory.dmp	upx
behavioral2/files/0x00070000000234e7-72.dat	upx
behavioral2/memory/2820-69-0x00007FF711CC0000-0x00007FF712011000-memory.dmp	upx
behavioral2/memory/3512-92-0x00007FF6165E0000-0x00007FF616931000-memory.dmp	upx
behavioral2/files/0x00070000000234eb-94.dat	upx
behavioral2/memory/4504-95-0x00007FF6CAB00000-0x00007FF6CAE51000-memory.dmp	upx
behavioral2/memory/1692-96-0x00007FF79E140000-0x00007FF79E491000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-102.dat	upx
behavioral2/memory/4748-109-0x00007FF63CD20000-0x00007FF63D071000-memory.dmp	upx
behavioral2/memory/2024-115-0x00007FF7F33A0000-0x00007FF7F36F1000-memory.dmp	upx
behavioral2/files/0x00070000000234f0-123.dat	upx
behavioral2/files/0x00070000000234f1-128.dat	upx
behavioral2/memory/4008-135-0x00007FF6B62F0000-0x00007FF6B6641000-memory.dmp	upx
behavioral2/files/0x00070000000234f2-134.dat	upx
behavioral2/memory/5048-133-0x00007FF7C2750000-0x00007FF7C2AA1000-memory.dmp	upx
behavioral2/memory/4028-132-0x00007FF6870C0000-0x00007FF687411000-memory.dmp	upx
behavioral2/memory/3668-131-0x00007FF7C4CD0000-0x00007FF7C5021000-memory.dmp	upx
behavioral2/memory/4304-121-0x00007FF636DB0000-0x00007FF637101000-memory.dmp	upx
behavioral2/files/0x00070000000234ef-116.dat	upx
behavioral2/memory/2432-112-0x00007FF645760000-0x00007FF645AB1000-memory.dmp	upx
behavioral2/files/0x00070000000234ed-114.dat	upx
behavioral2/memory/1248-103-0x00007FF670330000-0x00007FF670681000-memory.dmp	upx
behavioral2/memory/1044-139-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp	upx
behavioral2/memory/2572-141-0x00007FF731C30000-0x00007FF731F81000-memory.dmp	upx
behavioral2/memory/1192-138-0x00007FF7D3340000-0x00007FF7D3691000-memory.dmp	upx
behavioral2/memory/264-147-0x00007FF753CB0000-0x00007FF754001000-memory.dmp	upx
behavioral2/memory/5012-152-0x00007FF6A95E0000-0x00007FF6A9931000-memory.dmp	upx
behavioral2/memory/1692-157-0x00007FF79E140000-0x00007FF79E491000-memory.dmp	upx
behavioral2/memory/1248-158-0x00007FF670330000-0x00007FF670681000-memory.dmp	upx
behavioral2/memory/2432-160-0x00007FF645760000-0x00007FF645AB1000-memory.dmp	upx
behavioral2/memory/1044-166-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp	upx
behavioral2/memory/2820-215-0x00007FF711CC0000-0x00007FF712011000-memory.dmp	upx
behavioral2/memory/4244-220-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YyKKvjo.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UkBTSXw.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJAOKYa.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gYEVndP.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXtjSdC.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cCLciCq.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ClwUcJR.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\otKKfXy.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CqlufqX.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GhFaBJq.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MQPzYeW.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LfwpOIy.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SiPslkq.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ONYYFnR.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JsVUtwX.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OliMEJN.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JrnAptW.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bJnlwOc.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dSectdj.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\glsmEjC.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MwcihGP.exe	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2820	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1044 wrote to memory of 2820	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1044 wrote to memory of 4244	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1044 wrote to memory of 4244	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1044 wrote to memory of 4128	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1044 wrote to memory of 4128	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1044 wrote to memory of 4156	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1044 wrote to memory of 4156	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1044 wrote to memory of 3512	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1044 wrote to memory of 3512	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1044 wrote to memory of 4504	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1044 wrote to memory of 4504	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1044 wrote to memory of 3944	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1044 wrote to memory of 3944	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1044 wrote to memory of 4748	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1044 wrote to memory of 4748	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1044 wrote to memory of 2024	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1044 wrote to memory of 2024	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1044 wrote to memory of 4028	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1044 wrote to memory of 4028	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1044 wrote to memory of 5048	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1044 wrote to memory of 5048	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1044 wrote to memory of 1192	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1044 wrote to memory of 1192	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1044 wrote to memory of 264	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1044 wrote to memory of 264	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1044 wrote to memory of 5012	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1044 wrote to memory of 5012	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1044 wrote to memory of 1692	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1044 wrote to memory of 1692	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1044 wrote to memory of 1248	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1044 wrote to memory of 1248	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1044 wrote to memory of 2432	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1044 wrote to memory of 2432	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1044 wrote to memory of 4304	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1044 wrote to memory of 4304	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1044 wrote to memory of 4008	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1044 wrote to memory of 4008	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1044 wrote to memory of 3668	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1044 wrote to memory of 3668	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1044 wrote to memory of 2572	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1044 wrote to memory of 2572	1044	2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_ea4b36575c07cf71fa2bde1697216b6e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\System\MwcihGP.exe
  C:\Windows\System\MwcihGP.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\OliMEJN.exe
  C:\Windows\System\OliMEJN.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\GhFaBJq.exe
  C:\Windows\System\GhFaBJq.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\VJAOKYa.exe
  C:\Windows\System\VJAOKYa.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\YyKKvjo.exe
  C:\Windows\System\YyKKvjo.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\UkBTSXw.exe
  C:\Windows\System\UkBTSXw.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\MQPzYeW.exe
  C:\Windows\System\MQPzYeW.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\gYEVndP.exe
  C:\Windows\System\gYEVndP.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\JrnAptW.exe
  C:\Windows\System\JrnAptW.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\fXtjSdC.exe
  C:\Windows\System\fXtjSdC.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\cCLciCq.exe
  C:\Windows\System\cCLciCq.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\LfwpOIy.exe
  C:\Windows\System\LfwpOIy.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\bJnlwOc.exe
  C:\Windows\System\bJnlwOc.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\ClwUcJR.exe
  C:\Windows\System\ClwUcJR.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\dSectdj.exe
  C:\Windows\System\dSectdj.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\SiPslkq.exe
  C:\Windows\System\SiPslkq.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\otKKfXy.exe
  C:\Windows\System\otKKfXy.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\ONYYFnR.exe
  C:\Windows\System\ONYYFnR.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\CqlufqX.exe
  C:\Windows\System\CqlufqX.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\JsVUtwX.exe
  C:\Windows\System\JsVUtwX.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\glsmEjC.exe
  C:\Windows\System\glsmEjC.exe
  2⤵
  - Executes dropped EXE
  PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ClwUcJR.exe

Filesize
5.2MB

MD5
e902921d82a6c1e83dd359090775a533

SHA1
66940e19a1eb6eeaafc9bfdb4656168c5456fbf8

SHA256
de6b0b7cf4a90fbd018cc65ef82da617ef85a28c4076aebb3d1479fcb57c32e1

SHA512
02d81c2a076fc501734ac1ed35a6783647319d369bd23608c276a094996dc231d2b5e074ec36d5d65785be40ac23bd5b8848cdd57edf9e3ed887f3459e3cadc6

Download Submit
C:\Windows\System\CqlufqX.exe

Filesize
5.2MB

MD5
79902688c16326fd73d6e1193ed11f5b

SHA1
dc822c16a1dffaede5fb6d32065eaa03fcb420c8

SHA256
f8f2637f2e0045fb3743f6d031ea5e4bbec2269c3a72956f812a2a2d6be42734

SHA512
56728d31c6a0d6a1eea39dfe82c2e5fe13c96940af33b3578bbf9bff2a523c064b9f7520179a49100e7f096dbc9485d8dd19a80a2d57877cfa49b73e6559c4cb

Download Submit
C:\Windows\System\GhFaBJq.exe

Filesize
5.2MB

MD5
065c874768a7cb14624fe8b69482f5b6

SHA1
e0d03eb1ebab80d3da0950ab8befa68a728e22c3

SHA256
cf368f5efa506ac561447f1e584d891b917a1348f78dd623cdae5df7c1c37756

SHA512
8ac6de2f3f9f0c2ed1ef0557481b6db2677939182ff10aecfdd4e3930371ffe537ae5badf04372ab72a799ff6d88569ca5cb5d894697b38ea4b636a39f8fc963

Download Submit
C:\Windows\System\JrnAptW.exe

Filesize
5.2MB

MD5
b9072ff28da34d65f8a1dc13a8e87c3a

SHA1
120b44be9ec7438fd5df6eb661dfdda006b1fd5e

SHA256
24ee46d2212b6232b71e293ecf8ffe858e6d5bcbd27e5027901a5c7386a45498

SHA512
428a30a873bf0c0ec76e30c76033289f45fb44a76d711956f3f9991b0cc03bcdf3fb5667e5a16a4c05edc8504289e6f395f936b0e5f3b4604e30409c854e4219

Download Submit
C:\Windows\System\JsVUtwX.exe

Filesize
5.2MB

MD5
bd4651f5e45478c152245d6295bfa290

SHA1
27d877f00617efec0b87ebe528efbb14c0980df4

SHA256
1e8d4fd98aa34f78244063bc748cb4fccd0ca30c6becbc11be84003d35b3bf04

SHA512
913a7767d9322dcc04cfadfe12a25a654cbb0b3e70ecb941da39ed524d28f8b42fc4955199f8a713158a76e84ef915b5741328646ab1084ecbee3e0cd644c6ff

Download Submit
C:\Windows\System\LfwpOIy.exe

Filesize
5.2MB

MD5
6a085ae4a0d84293330fbc2e5df3eb50

SHA1
6ab86a280834c1b65ad27ac5709b0ef0333c1247

SHA256
10019855ab056aa3195f872fe0a29b880d22d47a79cf8c256338f3549ccf797e

SHA512
5ef655133194a3c81b7213382e0ee1f9ff250c626da710903ea2d30c4ba1179f380834dc445842cf66309a2c3233486d8ee62b371f1b8e51944d19c715a0da05

Download Submit
C:\Windows\System\MQPzYeW.exe

Filesize
5.2MB

MD5
767cb3014526dda6db7ae12b3b3e9f0a

SHA1
dcad97e3e906c3345395ed48c896a508ee3862bd

SHA256
04bb941aa5ce71909897649182b8c3e10a6275a7b8eead2eb63aeffc5694ad72

SHA512
364d46222c4af2f919655a8d31cc9b2ad0565de9256a016d349b6d6f4d59dab030ff2ad428af9ae71002d5f9954a581f2dfcb07f7e67a0ea21f34122e2fac6ac

Download Submit
C:\Windows\System\MwcihGP.exe

Filesize
5.2MB

MD5
b53935eb109919c34f70a74875ce0613

SHA1
7dd6e7ac8421eecbe98a3f96be1d1e955ffd4592

SHA256
516f31313ab6e2bf8ec42ff8eed52e3b4558b98179869f3dba15ea35f46f2816

SHA512
dbccf17149ecf7e712dea50ab19024a3a0fbcb9a68ae76e82edfeb04e7a9af8334c4006926de1ea7899f692d32ac5cb89ba72c423c4d4e56578b8454283adc13

Download Submit
C:\Windows\System\ONYYFnR.exe

Filesize
5.2MB

MD5
d430c1fa5bce21c28f10888ec7b5e180

SHA1
e1a0335bb079e332da8d85170ee539a00845bd79

SHA256
375c819383526ad5ca576a6f00d4850abfcd09aac20269437af8d688299e6557

SHA512
8d1c727046fb3f9ac848ab406bf1eebd9fad7fed9f2baed8f8516194f200ebaf1c5f021b64f13653c4de5075df86476e7bab4ce7825c8f7aec0996697b37169e

Download Submit
C:\Windows\System\OliMEJN.exe

Filesize
5.2MB

MD5
e5087c50dfd76f9b001104cfdb99b725

SHA1
ac74ed643c3eca2a28e156a4534e3d2ca418e60f

SHA256
31fdab3dd2b89780398be666b032f17601e0de79b44807678f3ad6c8a14c5821

SHA512
57b1584255d662653d7c1bde7fdc9ac06a60b60b5988b41b25c765485c0988fdd4e4e1f986f3a8f2a1178228f807ff65689096584fe4deba2857bebfe8ad7f2e

Download Submit
C:\Windows\System\SiPslkq.exe

Filesize
5.2MB

MD5
6967580ba04f66d5953fb6c5e27df567

SHA1
bd29e1317096bfab6ac2bacda31105f823d1f331

SHA256
dc06af063b4c20eb82224ebcff17bd3a2a737e7ec24a06b4a907787320ad50b9

SHA512
175a6ab95face855b5ebf1cc4ade601bb25f8626563f2cd8f37502c5504be82c778ac93edf48636d69d29c5dca7beaf521e472ad10a10a0b0c71bfe61f032118

Download Submit
C:\Windows\System\UkBTSXw.exe

Filesize
5.2MB

MD5
0df958308c4bc5efda1dc740f6db8106

SHA1
f6d5af65d4e91009acc3d396897b35cab46d0a03

SHA256
f82304cd2da4b9e73c52388166809c81172f9bcdb59c6264a93c8dbffe66f5f2

SHA512
699a5e2946e71feb30c443df2fea9b1cb92d476c51416bd291817c84cb27a6ffa5f70ca632edc0857166c75db1b27c15154d76e85c0baaf8e0bd5d395e770d7a

Download Submit
C:\Windows\System\VJAOKYa.exe

Filesize
5.2MB

MD5
8ba74ec4df6d387c540049689291fa64

SHA1
810af91b1a8521a4ffb3a6bca4aea6249423ebe4

SHA256
8bd66e73a9a4d31cd439cb80c24c107651159d4970f455707839bb6fa0cfb97e

SHA512
c95b308cbdd1c597c5b466e87bcc3ed493beed48e6118887ece095ff41cab3c09feb8d80c3805adf130dc21c07d69dd244bd2c5ccd93f13c0cb4f4078a5cec6a

Download Submit
C:\Windows\System\YyKKvjo.exe

Filesize
5.2MB

MD5
527fb7cfa5beeb768b3d975459e93ab4

SHA1
31ecd533113051af8a486d1091058ce9f42ed8d0

SHA256
c31cd7ee1bdf3d48ebb59ed11898d565b349c7dd24e41723877c175e156c4722

SHA512
9ba11c3a291ad1d6aabf9c14ed2517fe67774c92f556745c3751e2caab786f79fb4594446770f61f84388f50112e580332145ca2bc29db71396cb595d82a24bf

Download Submit
C:\Windows\System\bJnlwOc.exe

Filesize
5.2MB

MD5
f1d7e0a68a8854e2e78e750bd63f26dd

SHA1
e9b650f31acd31bfdabaae3ac0b1ef60114df182

SHA256
297989f4329d87af8dfc8bd04ce9edfb822712c70ee186220936b9c6bba1cc03

SHA512
2ffe14cb54832b785dcae8136f88dc7a0216dd91c45f2d6fccabb6eb1e45f2b8f95c94ab10d38444e3592214cdb6c876e7fc66c7d5dd0ab11b3427cafb222b61

Download Submit
C:\Windows\System\cCLciCq.exe

Filesize
5.2MB

MD5
d8ecbe242173e1a228227b978c04a92d

SHA1
0b06f5f3e5a4fd16829bc87f2b8e1118009765e0

SHA256
32a690b89365c3a125f8dd019108d2c68e088f4e4ac271afca2c0a2bed554aad

SHA512
45a26670d772367d52fc56a9b4b296bb5ba2ba46244d135d09af9e1d1fb77e5133e28746698399df6c800d22818e55529d381e2c884b415c41e75fb1103d296a

Download Submit
C:\Windows\System\dSectdj.exe

Filesize
5.2MB

MD5
4d3e165ee5e53d43461ff4a357ece505

SHA1
3075d3365e2749a7b83961c0a7b4fccf2c148e89

SHA256
b822b80dc3a23792fdd234dede9713163816959f70ad329cb6a431934db33cac

SHA512
337e791f3d04945a189c32f25e861ea3349641a4cd1d8380b435a5dc97bb6c0e45f2f59a309e697f8dbdb62e2bc24e8bf1f53928349717012741eb0ed0ec14e8

Download Submit
C:\Windows\System\fXtjSdC.exe

Filesize
5.2MB

MD5
ae8eb9bd78ba404ebf1ecd07de6af495

SHA1
9bf9e37da98b6ed6a9fefa36c336b9c95325a4a3

SHA256
e8638a427ec69e48ddc547981cf5cf5c3f42e3e9b5ca8555b4976050fcbc87f0

SHA512
20539131b78310ab150bf3eba1ecf7b475bcb17fae598f1cf82a4d6980e1c37a4f06ac56b651992ae9b6ba61433656584160b970feb95e14a249c0e9153a11ff

Download Submit
C:\Windows\System\gYEVndP.exe

Filesize
5.2MB

MD5
e6f6e18e6b733c6897a67e4b9bedd9d3

SHA1
968cd748e817c3aca5d6e9d8ae40c56c06c880ca

SHA256
3bdb897f31c3bd5b85aed3bb191c907ebef15014a2efa0c1c959b8afaca84058

SHA512
eb2bf896090e27549e77523e8912db3c8243653e28e06b089084192a83267bdada389b90551e33a7d8d3a499cc136d6ff22a37b40ada8c2364938a32df6c0e04

Download Submit
C:\Windows\System\glsmEjC.exe

Filesize
5.2MB

MD5
151dd94f5422b78ba8e4b3a08be25c60

SHA1
d5c98dde6fe979f2e62a9948cbd2b8ad420265a9

SHA256
3064940d2e6f1b80eb4424cec41e56375312dc9f53b350d52adfe91ea9e05d14

SHA512
e8818520633d2b1eec077861d27b16edfb98bd88d28d5decb5d4b47d6ba8427804fe99acadb470b149a76b2d7ed997b5d906a5f6a0ce30c0d3dec8c7a5fef391

Download Submit
C:\Windows\System\otKKfXy.exe

Filesize
5.2MB

MD5
122d0ac337f801733daff4cb8291a16f

SHA1
799122e16fbd36449d516f6d2bfc5af1bed6afa2

SHA256
a8b4dc3067b44c1949ef9c0f01300e95126ef9b36212662c9397f135cd821554

SHA512
a2cce934d9066084c8686730a36873f234eb0dcba9c8797fc9a945ef5b86475faa6b70128ed53316613151be8a659820874c2db4021e03d2fed8fee61453b127

Download Submit
memory/264-147-0x00007FF753CB0000-0x00007FF754001000-memory.dmp

Filesize
3.3MB

Download
memory/264-84-0x00007FF753CB0000-0x00007FF754001000-memory.dmp

Filesize
3.3MB

Download
memory/264-253-0x00007FF753CB0000-0x00007FF754001000-memory.dmp

Filesize
3.3MB

Download
memory/1044-61-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-139-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-166-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-0-0x00007FF60E870000-0x00007FF60EBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1044-1-0x000001CEE4F80000-0x000001CEE4F90000-memory.dmp

Filesize
64KB

Download
memory/1192-249-0x00007FF7D3340000-0x00007FF7D3691000-memory.dmp

Filesize
3.3MB

Download
memory/1192-78-0x00007FF7D3340000-0x00007FF7D3691000-memory.dmp

Filesize
3.3MB

Download
memory/1192-138-0x00007FF7D3340000-0x00007FF7D3691000-memory.dmp

Filesize
3.3MB

Download
memory/1248-103-0x00007FF670330000-0x00007FF670681000-memory.dmp

Filesize
3.3MB

Download
memory/1248-158-0x00007FF670330000-0x00007FF670681000-memory.dmp

Filesize
3.3MB

Download
memory/1248-263-0x00007FF670330000-0x00007FF670681000-memory.dmp

Filesize
3.3MB

Download
memory/1692-255-0x00007FF79E140000-0x00007FF79E491000-memory.dmp

Filesize
3.3MB

Download
memory/1692-96-0x00007FF79E140000-0x00007FF79E491000-memory.dmp

Filesize
3.3MB

Download
memory/1692-157-0x00007FF79E140000-0x00007FF79E491000-memory.dmp

Filesize
3.3MB

Download
memory/2024-54-0x00007FF7F33A0000-0x00007FF7F36F1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-242-0x00007FF7F33A0000-0x00007FF7F36F1000-memory.dmp

Filesize
3.3MB

Download
memory/2024-115-0x00007FF7F33A0000-0x00007FF7F36F1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-267-0x00007FF645760000-0x00007FF645AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-160-0x00007FF645760000-0x00007FF645AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-112-0x00007FF645760000-0x00007FF645AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-141-0x00007FF731C30000-0x00007FF731F81000-memory.dmp

Filesize
3.3MB

Download
memory/2572-273-0x00007FF731C30000-0x00007FF731F81000-memory.dmp

Filesize
3.3MB

Download
memory/2820-69-0x00007FF711CC0000-0x00007FF712011000-memory.dmp

Filesize
3.3MB

Download
memory/2820-7-0x00007FF711CC0000-0x00007FF712011000-memory.dmp

Filesize
3.3MB

Download
memory/2820-215-0x00007FF711CC0000-0x00007FF712011000-memory.dmp

Filesize
3.3MB

Download
memory/3512-92-0x00007FF6165E0000-0x00007FF616931000-memory.dmp

Filesize
3.3MB

Download
memory/3512-226-0x00007FF6165E0000-0x00007FF616931000-memory.dmp

Filesize
3.3MB

Download
memory/3512-30-0x00007FF6165E0000-0x00007FF616931000-memory.dmp

Filesize
3.3MB

Download
memory/3668-131-0x00007FF7C4CD0000-0x00007FF7C5021000-memory.dmp

Filesize
3.3MB

Download
memory/3668-271-0x00007FF7C4CD0000-0x00007FF7C5021000-memory.dmp

Filesize
3.3MB

Download
memory/3944-45-0x00007FF6F0E70000-0x00007FF6F11C1000-memory.dmp

Filesize
3.3MB

Download
memory/3944-234-0x00007FF6F0E70000-0x00007FF6F11C1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-269-0x00007FF6B62F0000-0x00007FF6B6641000-memory.dmp

Filesize
3.3MB

Download
memory/4008-135-0x00007FF6B62F0000-0x00007FF6B6641000-memory.dmp

Filesize
3.3MB

Download
memory/4028-244-0x00007FF6870C0000-0x00007FF687411000-memory.dmp

Filesize
3.3MB

Download
memory/4028-132-0x00007FF6870C0000-0x00007FF687411000-memory.dmp

Filesize
3.3MB

Download
memory/4028-64-0x00007FF6870C0000-0x00007FF687411000-memory.dmp

Filesize
3.3MB

Download
memory/4128-222-0x00007FF75A630000-0x00007FF75A981000-memory.dmp

Filesize
3.3MB

Download
memory/4128-79-0x00007FF75A630000-0x00007FF75A981000-memory.dmp

Filesize
3.3MB

Download
memory/4128-21-0x00007FF75A630000-0x00007FF75A981000-memory.dmp

Filesize
3.3MB

Download
memory/4156-224-0x00007FF756B40000-0x00007FF756E91000-memory.dmp

Filesize
3.3MB

Download
memory/4156-80-0x00007FF756B40000-0x00007FF756E91000-memory.dmp

Filesize
3.3MB

Download
memory/4156-28-0x00007FF756B40000-0x00007FF756E91000-memory.dmp

Filesize
3.3MB

Download
memory/4244-76-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp

Filesize
3.3MB

Download
memory/4244-220-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp

Filesize
3.3MB

Download
memory/4244-12-0x00007FF68D6F0000-0x00007FF68DA41000-memory.dmp

Filesize
3.3MB

Download
memory/4304-121-0x00007FF636DB0000-0x00007FF637101000-memory.dmp

Filesize
3.3MB

Download
memory/4304-265-0x00007FF636DB0000-0x00007FF637101000-memory.dmp

Filesize
3.3MB

Download
memory/4504-37-0x00007FF6CAB00000-0x00007FF6CAE51000-memory.dmp

Filesize
3.3MB

Download
memory/4504-232-0x00007FF6CAB00000-0x00007FF6CAE51000-memory.dmp

Filesize
3.3MB

Download
memory/4504-95-0x00007FF6CAB00000-0x00007FF6CAE51000-memory.dmp

Filesize
3.3MB

Download
memory/4748-109-0x00007FF63CD20000-0x00007FF63D071000-memory.dmp

Filesize
3.3MB

Download
memory/4748-50-0x00007FF63CD20000-0x00007FF63D071000-memory.dmp

Filesize
3.3MB

Download
memory/4748-236-0x00007FF63CD20000-0x00007FF63D071000-memory.dmp

Filesize
3.3MB

Download
memory/5012-251-0x00007FF6A95E0000-0x00007FF6A9931000-memory.dmp

Filesize
3.3MB

Download
memory/5012-152-0x00007FF6A95E0000-0x00007FF6A9931000-memory.dmp

Filesize
3.3MB

Download
memory/5012-85-0x00007FF6A95E0000-0x00007FF6A9931000-memory.dmp

Filesize
3.3MB

Download
memory/5048-246-0x00007FF7C2750000-0x00007FF7C2AA1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-133-0x00007FF7C2750000-0x00007FF7C2AA1000-memory.dmp

Filesize
3.3MB

Download
memory/5048-75-0x00007FF7C2750000-0x00007FF7C2AA1000-memory.dmp

Filesize
3.3MB

Download