cobaltstrike | 65c54889fc6ea085b54c86631ed7d8e62bb0ccd091ce9e1122c4194e494ef11b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

feda05642305d195e9c9c07dba9dceda
SHA1

cf5b29a012d6be158838cb064c3db83ad9ba6c02
SHA256

65c54889fc6ea085b54c86631ed7d8e62bb0ccd091ce9e1122c4194e494ef11b
SHA512

c180f68608b59449dd93993c9f0acf106cd0cdc8c1998440ccbcf5a50a56204a9618c0898646f699973b88b7e606b3f6b62b193eee5140afaf3530bb8b8dca20
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lUD

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023607-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360b-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360d-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360c-14.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360e-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023610-36.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002360f-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023618-96.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023617-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023616-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023615-87.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023608-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023613-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023612-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023614-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023611-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361c-128.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361e-130.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361b-141.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361d-140.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023619-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2088-86-0x00007FF7DC400000-0x00007FF7DC751000-memory.dmp	xmrig
behavioral2/memory/1992-109-0x00007FF658530000-0x00007FF658881000-memory.dmp	xmrig
behavioral2/memory/4712-136-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp	xmrig
behavioral2/memory/3664-132-0x00007FF61BEF0000-0x00007FF61C241000-memory.dmp	xmrig
behavioral2/memory/4228-115-0x00007FF7B1B00000-0x00007FF7B1E51000-memory.dmp	xmrig
behavioral2/memory/2728-114-0x00007FF7FBFB0000-0x00007FF7FC301000-memory.dmp	xmrig
behavioral2/memory/2672-113-0x00007FF7C2E10000-0x00007FF7C3161000-memory.dmp	xmrig
behavioral2/memory/4524-106-0x00007FF7C25F0000-0x00007FF7C2941000-memory.dmp	xmrig
behavioral2/memory/2992-105-0x00007FF731E60000-0x00007FF7321B1000-memory.dmp	xmrig
behavioral2/memory/3656-104-0x00007FF71EE60000-0x00007FF71F1B1000-memory.dmp	xmrig
behavioral2/memory/1208-103-0x00007FF73BD60000-0x00007FF73C0B1000-memory.dmp	xmrig
behavioral2/memory/5004-102-0x00007FF70FAD0000-0x00007FF70FE21000-memory.dmp	xmrig
behavioral2/memory/4640-101-0x00007FF72A260000-0x00007FF72A5B1000-memory.dmp	xmrig
behavioral2/memory/1608-100-0x00007FF6B7130000-0x00007FF6B7481000-memory.dmp	xmrig
behavioral2/memory/4488-99-0x00007FF7CE3F0000-0x00007FF7CE741000-memory.dmp	xmrig
behavioral2/memory/4508-98-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp	xmrig
behavioral2/memory/4696-112-0x00007FF722740000-0x00007FF722A91000-memory.dmp	xmrig
behavioral2/memory/1924-110-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	xmrig
behavioral2/memory/1144-108-0x00007FF74D530000-0x00007FF74D881000-memory.dmp	xmrig
behavioral2/memory/4508-145-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp	xmrig
behavioral2/memory/2252-163-0x00007FF696920000-0x00007FF696C71000-memory.dmp	xmrig
behavioral2/memory/4712-166-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp	xmrig
behavioral2/memory/4184-165-0x00007FF6E5C30000-0x00007FF6E5F81000-memory.dmp	xmrig
behavioral2/memory/3796-164-0x00007FF697EF0000-0x00007FF698241000-memory.dmp	xmrig
behavioral2/memory/4508-167-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp	xmrig
behavioral2/memory/4488-197-0x00007FF7CE3F0000-0x00007FF7CE741000-memory.dmp	xmrig
behavioral2/memory/1608-199-0x00007FF6B7130000-0x00007FF6B7481000-memory.dmp	xmrig
behavioral2/memory/5004-201-0x00007FF70FAD0000-0x00007FF70FE21000-memory.dmp	xmrig
behavioral2/memory/4640-214-0x00007FF72A260000-0x00007FF72A5B1000-memory.dmp	xmrig
behavioral2/memory/1208-217-0x00007FF73BD60000-0x00007FF73C0B1000-memory.dmp	xmrig
behavioral2/memory/3656-219-0x00007FF71EE60000-0x00007FF71F1B1000-memory.dmp	xmrig
behavioral2/memory/2992-221-0x00007FF731E60000-0x00007FF7321B1000-memory.dmp	xmrig
behavioral2/memory/4524-223-0x00007FF7C25F0000-0x00007FF7C2941000-memory.dmp	xmrig
behavioral2/memory/2088-225-0x00007FF7DC400000-0x00007FF7DC751000-memory.dmp	xmrig
behavioral2/memory/4228-231-0x00007FF7B1B00000-0x00007FF7B1E51000-memory.dmp	xmrig
behavioral2/memory/1992-238-0x00007FF658530000-0x00007FF658881000-memory.dmp	xmrig
behavioral2/memory/2672-240-0x00007FF7C2E10000-0x00007FF7C3161000-memory.dmp	xmrig
behavioral2/memory/1144-242-0x00007FF74D530000-0x00007FF74D881000-memory.dmp	xmrig
behavioral2/memory/1924-237-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	xmrig
behavioral2/memory/4696-234-0x00007FF722740000-0x00007FF722A91000-memory.dmp	xmrig
behavioral2/memory/2728-233-0x00007FF7FBFB0000-0x00007FF7FC301000-memory.dmp	xmrig
behavioral2/memory/3664-250-0x00007FF61BEF0000-0x00007FF61C241000-memory.dmp	xmrig
behavioral2/memory/4712-252-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp	xmrig
behavioral2/memory/3796-256-0x00007FF697EF0000-0x00007FF698241000-memory.dmp	xmrig
behavioral2/memory/4184-255-0x00007FF6E5C30000-0x00007FF6E5F81000-memory.dmp	xmrig
behavioral2/memory/2252-258-0x00007FF696920000-0x00007FF696C71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4488	XdvGoqo.exe
1608	BjKlDLU.exe
4640	zklKilq.exe
5004	wjwwsRQ.exe
1208	CVEJFiG.exe
3656	GHuEDXu.exe
2992	anNMYlX.exe
4524	SdvzEBJ.exe
1144	dEoEApw.exe
1992	wMdnjUZ.exe
1924	eBXHHGm.exe
2088	yUEmkIz.exe
4696	ZVHofLc.exe
2672	smTZBwD.exe
2728	IwYyzLk.exe
4228	icQVvDf.exe
3664	QDJdhmi.exe
3796	BJNaRDF.exe
4184	pLBnPPs.exe
4712	NTtIbgq.exe
2252	nYUknvi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4508-0-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp	upx
behavioral2/files/0x0008000000023607-5.dat	upx
behavioral2/memory/4488-8-0x00007FF7CE3F0000-0x00007FF7CE741000-memory.dmp	upx
behavioral2/files/0x000700000002360b-11.dat	upx
behavioral2/files/0x000700000002360d-16.dat	upx
behavioral2/files/0x000700000002360c-14.dat	upx
behavioral2/memory/1608-18-0x00007FF6B7130000-0x00007FF6B7481000-memory.dmp	upx
behavioral2/files/0x000700000002360e-29.dat	upx
behavioral2/memory/1208-33-0x00007FF73BD60000-0x00007FF73C0B1000-memory.dmp	upx
behavioral2/files/0x0007000000023610-36.dat	upx
behavioral2/files/0x000700000002360f-30.dat	upx
behavioral2/memory/4640-28-0x00007FF72A260000-0x00007FF72A5B1000-memory.dmp	upx
behavioral2/memory/5004-22-0x00007FF70FAD0000-0x00007FF70FE21000-memory.dmp	upx
behavioral2/memory/2992-55-0x00007FF731E60000-0x00007FF7321B1000-memory.dmp	upx
behavioral2/memory/1924-66-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	upx
behavioral2/memory/2672-80-0x00007FF7C2E10000-0x00007FF7C3161000-memory.dmp	upx
behavioral2/memory/2088-86-0x00007FF7DC400000-0x00007FF7DC751000-memory.dmp	upx
behavioral2/files/0x0007000000023618-96.dat	upx
behavioral2/memory/4228-95-0x00007FF7B1B00000-0x00007FF7B1E51000-memory.dmp	upx
behavioral2/files/0x0007000000023617-92.dat	upx
behavioral2/files/0x0007000000023616-90.dat	upx
behavioral2/files/0x0007000000023615-87.dat	upx
behavioral2/memory/2728-85-0x00007FF7FBFB0000-0x00007FF7FC301000-memory.dmp	upx
behavioral2/files/0x0008000000023608-83.dat	upx
behavioral2/files/0x0007000000023613-81.dat	upx
behavioral2/memory/4696-79-0x00007FF722740000-0x00007FF722A91000-memory.dmp	upx
behavioral2/memory/1992-78-0x00007FF658530000-0x00007FF658881000-memory.dmp	upx
behavioral2/files/0x0007000000023612-72.dat	upx
behavioral2/files/0x0007000000023614-70.dat	upx
behavioral2/memory/1144-65-0x00007FF74D530000-0x00007FF74D881000-memory.dmp	upx
behavioral2/files/0x0007000000023611-58.dat	upx
behavioral2/memory/4524-47-0x00007FF7C25F0000-0x00007FF7C2941000-memory.dmp	upx
behavioral2/memory/3656-45-0x00007FF71EE60000-0x00007FF71F1B1000-memory.dmp	upx
behavioral2/memory/1992-109-0x00007FF658530000-0x00007FF658881000-memory.dmp	upx
behavioral2/files/0x000700000002361c-128.dat	upx
behavioral2/files/0x000700000002361e-130.dat	upx
behavioral2/memory/4712-136-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp	upx
behavioral2/files/0x000700000002361b-141.dat	upx
behavioral2/memory/2252-143-0x00007FF696920000-0x00007FF696C71000-memory.dmp	upx
behavioral2/files/0x000700000002361d-140.dat	upx
behavioral2/memory/3796-137-0x00007FF697EF0000-0x00007FF698241000-memory.dmp	upx
behavioral2/memory/4184-133-0x00007FF6E5C30000-0x00007FF6E5F81000-memory.dmp	upx
behavioral2/memory/3664-132-0x00007FF61BEF0000-0x00007FF61C241000-memory.dmp	upx
behavioral2/files/0x0007000000023619-126.dat	upx
behavioral2/memory/4228-115-0x00007FF7B1B00000-0x00007FF7B1E51000-memory.dmp	upx
behavioral2/memory/2728-114-0x00007FF7FBFB0000-0x00007FF7FC301000-memory.dmp	upx
behavioral2/memory/2672-113-0x00007FF7C2E10000-0x00007FF7C3161000-memory.dmp	upx
behavioral2/memory/4524-106-0x00007FF7C25F0000-0x00007FF7C2941000-memory.dmp	upx
behavioral2/memory/2992-105-0x00007FF731E60000-0x00007FF7321B1000-memory.dmp	upx
behavioral2/memory/3656-104-0x00007FF71EE60000-0x00007FF71F1B1000-memory.dmp	upx
behavioral2/memory/1208-103-0x00007FF73BD60000-0x00007FF73C0B1000-memory.dmp	upx
behavioral2/memory/5004-102-0x00007FF70FAD0000-0x00007FF70FE21000-memory.dmp	upx
behavioral2/memory/4640-101-0x00007FF72A260000-0x00007FF72A5B1000-memory.dmp	upx
behavioral2/memory/1608-100-0x00007FF6B7130000-0x00007FF6B7481000-memory.dmp	upx
behavioral2/memory/4488-99-0x00007FF7CE3F0000-0x00007FF7CE741000-memory.dmp	upx
behavioral2/memory/4508-98-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp	upx
behavioral2/memory/4696-112-0x00007FF722740000-0x00007FF722A91000-memory.dmp	upx
behavioral2/memory/1924-110-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp	upx
behavioral2/memory/1144-108-0x00007FF74D530000-0x00007FF74D881000-memory.dmp	upx
behavioral2/memory/4508-145-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp	upx
behavioral2/memory/2252-163-0x00007FF696920000-0x00007FF696C71000-memory.dmp	upx
behavioral2/memory/4712-166-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp	upx
behavioral2/memory/4184-165-0x00007FF6E5C30000-0x00007FF6E5F81000-memory.dmp	upx
behavioral2/memory/3796-164-0x00007FF697EF0000-0x00007FF698241000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZVHofLc.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QDJdhmi.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NTtIbgq.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wjwwsRQ.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVEJFiG.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SdvzEBJ.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dEoEApw.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eBXHHGm.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yUEmkIz.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IwYyzLk.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\icQVvDf.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zklKilq.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pLBnPPs.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BJNaRDF.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GHuEDXu.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\anNMYlX.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wMdnjUZ.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nYUknvi.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XdvGoqo.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\smTZBwD.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BjKlDLU.exe	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4488	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4508 wrote to memory of 4488	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4508 wrote to memory of 1608	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4508 wrote to memory of 1608	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4508 wrote to memory of 4640	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4508 wrote to memory of 4640	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4508 wrote to memory of 5004	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4508 wrote to memory of 5004	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4508 wrote to memory of 1208	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4508 wrote to memory of 1208	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4508 wrote to memory of 3656	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4508 wrote to memory of 3656	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4508 wrote to memory of 2992	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4508 wrote to memory of 2992	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4508 wrote to memory of 4524	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4508 wrote to memory of 4524	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4508 wrote to memory of 1144	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4508 wrote to memory of 1144	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4508 wrote to memory of 1992	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4508 wrote to memory of 1992	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4508 wrote to memory of 1924	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4508 wrote to memory of 1924	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4508 wrote to memory of 2088	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4508 wrote to memory of 2088	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4508 wrote to memory of 4696	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4508 wrote to memory of 4696	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4508 wrote to memory of 2672	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4508 wrote to memory of 2672	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4508 wrote to memory of 2728	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4508 wrote to memory of 2728	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4508 wrote to memory of 4228	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4508 wrote to memory of 4228	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4508 wrote to memory of 3664	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4508 wrote to memory of 3664	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4508 wrote to memory of 2252	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4508 wrote to memory of 2252	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4508 wrote to memory of 3796	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4508 wrote to memory of 3796	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4508 wrote to memory of 4184	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4508 wrote to memory of 4184	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4508 wrote to memory of 4712	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 4508 wrote to memory of 4712	4508	2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_feda05642305d195e9c9c07dba9dceda_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\System\XdvGoqo.exe
  C:\Windows\System\XdvGoqo.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\BjKlDLU.exe
  C:\Windows\System\BjKlDLU.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\zklKilq.exe
  C:\Windows\System\zklKilq.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\wjwwsRQ.exe
  C:\Windows\System\wjwwsRQ.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\CVEJFiG.exe
  C:\Windows\System\CVEJFiG.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\GHuEDXu.exe
  C:\Windows\System\GHuEDXu.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\anNMYlX.exe
  C:\Windows\System\anNMYlX.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\SdvzEBJ.exe
  C:\Windows\System\SdvzEBJ.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\dEoEApw.exe
  C:\Windows\System\dEoEApw.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\wMdnjUZ.exe
  C:\Windows\System\wMdnjUZ.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\eBXHHGm.exe
  C:\Windows\System\eBXHHGm.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\yUEmkIz.exe
  C:\Windows\System\yUEmkIz.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\ZVHofLc.exe
  C:\Windows\System\ZVHofLc.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\smTZBwD.exe
  C:\Windows\System\smTZBwD.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\IwYyzLk.exe
  C:\Windows\System\IwYyzLk.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\icQVvDf.exe
  C:\Windows\System\icQVvDf.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\QDJdhmi.exe
  C:\Windows\System\QDJdhmi.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\nYUknvi.exe
  C:\Windows\System\nYUknvi.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\BJNaRDF.exe
  C:\Windows\System\BJNaRDF.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\pLBnPPs.exe
  C:\Windows\System\pLBnPPs.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\NTtIbgq.exe
  C:\Windows\System\NTtIbgq.exe
  2⤵
  - Executes dropped EXE
  PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:8
1⤵
PID:784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BJNaRDF.exe

Filesize
5.2MB

MD5
bf27277dd263e79ac94a11f2c4b5cdfa

SHA1
1a54c5760d88103695f7eb891e7b94da899180af

SHA256
f9840b02dfd2d1265aaeb51786721cd7320f3ef2f9544e7dcd10bf13ca2b2080

SHA512
44719b8d6585f8b3bd4f5316baa4b9d19d7ea4e52835ae96140d48ef6a4dd53d1196b407b4744e6f8312b3fd583d36b7e3b7bb668fd3a416976f417f95bc8577

Download Submit
C:\Windows\System\BjKlDLU.exe

Filesize
5.2MB

MD5
1eae9b1423333e29ec04c5551d6a65e1

SHA1
f03a40129813ac3583d17b1fa8da6b7a177cf836

SHA256
5a7f7b96fa9cfa3eb587dd8a9a9788245bc2191005a06da499b06afd5f31be4a

SHA512
06dbf028d3526d128e73b9e9bae2799bdb5e5df9f942c353f0a35d21980b94f8613bdc502ec7334f3442c8ab4e51d1e5cfdaa063e1930539abad1abe33377d77

Download Submit
C:\Windows\System\CVEJFiG.exe

Filesize
5.2MB

MD5
c2e2cd157467900219284f6901d1e3ce

SHA1
42fc9a7b2099238aec51908bedb02fa1ff5e8514

SHA256
e562a188b7b07eacfbd1db35907f0096d48082186d01864c32d39d9cf46e49b5

SHA512
2a6ddc88f6c383c0939ab7b7ddfd6c9587662c6a3b56610a3f7fa4108af0f2d97de24655f8146899e3fc2b53cfb599cf4448227f7eccaf0b39fe5b1290929095

Download Submit
C:\Windows\System\GHuEDXu.exe

Filesize
5.2MB

MD5
46104e54cedd849ea794943c04daafff

SHA1
052fb87b10120284be7820645c8cfe6e424ad92b

SHA256
54564c12e1b70fb472ec64518ff78f20e57488690975a8e0cbf01486df0f2ee6

SHA512
25ff62cfa999ff90b9b80f197c5a4777c5dd195a6e289f7c5e25b5a92c5e63a39717164f25f4bf5cd62574bcab722ab26b9f54b1811836fd6e02869146099ba5

Download Submit
C:\Windows\System\IwYyzLk.exe

Filesize
5.2MB

MD5
3c153dd531f7c9c1021ca7eba8117481

SHA1
ab9b4df1ca95cd5a1b226c29e8ca0ed25f3887e6

SHA256
f28aba0a826297f327c3eff92c71a3a014311e6df28c7085029b61f0f80c0bdc

SHA512
0c840074f6a4b30add97a985f8003348d50e05a29653aeac6b2e69a5673b7aec093bc430a3d842567526860e69d3c5a896446efc0bb7ba7ec207bc4605280828

Download Submit
C:\Windows\System\NTtIbgq.exe

Filesize
5.2MB

MD5
53356c45969459deed4d4605b54d5a23

SHA1
173e706ebb026569374c113f306504ab5fcb7b2a

SHA256
298be9e2c7947e36612814a64621b0981f7c6dd43d9984e7b125c3e8850991ff

SHA512
0e86fc46703a960096b63f9c8b04e22c07350fe6338845ab291602cc71838890a239eabddb2b2fa4b605bb98788193f80816cdb6becf61892f1784b892675df9

Download Submit
C:\Windows\System\QDJdhmi.exe

Filesize
5.2MB

MD5
c53ee432408b3578d522c08c6c8500d8

SHA1
b5bc605738d60d40f8da72623043a8fd5099d7f7

SHA256
79d0bbe51392199b5bad9dcb577e166f5fc42a23f5c0c6ae57941fb287254496

SHA512
2607da1c839a01864a9b615f28db38f3db49c834364fe8e4cb75f88aac7c80591a577df51690ae83bae0be807fa6332459e41994d047d0fc326452d35e0c6b46

Download Submit
C:\Windows\System\SdvzEBJ.exe

Filesize
5.2MB

MD5
c005b42ce33709647469f345d65b0b08

SHA1
0c8ad56ada6ca9aee1dadb226832196e858aed39

SHA256
82ea14560cd189ca1e19a283c9c89844b8bac332ec29bb6848a8a351084bd603

SHA512
056d1625409ce59bf33bb5dd01288847b5ec49617ad3cd388959e840d1b74544b8e6921d9eade36778b6d6b1d2bd33d166c099709d5a8f503393741356202b01

Download Submit
C:\Windows\System\XdvGoqo.exe

Filesize
5.2MB

MD5
0365492e561ff018538d6f16d491cddf

SHA1
f38f4d56eb6fbd0fe05ca839c38ee1ed959764a2

SHA256
f3dc35bc1a2a83d66398fee5fcfe35f3e63fbb61b2d192be01b75481a484590e

SHA512
cc78c04cf5284b0e60e3f528648a0581f76c2af04c45a874b029470c66e0d5479eaad3fc85cf17a30d3917df8b8ef4153b1072cc0a79dfeb2887c9dfb6748061

Download Submit
C:\Windows\System\ZVHofLc.exe

Filesize
5.2MB

MD5
32e448b4862a9348d49b067fb152d1e7

SHA1
fcf7b40b27bed5d816ba355bb3f84fa0a9455023

SHA256
2a5f50765230593cf7e181e6416637888b54cf25bd8f18c454fc3327c1b83c06

SHA512
ede44d418864732018e797752098ce3dcfc363e1608e65682a91a8c7bc8a1e1deb1491155ecdd725f3b0fa00fb7041b4a4b4bc1f1ed8e0cad070eb9ac6b36b49

Download Submit
C:\Windows\System\anNMYlX.exe

Filesize
5.2MB

MD5
68f1bb0077000f9b656ff7c834c136aa

SHA1
60f93d68f972f7f0c5e257595cd4b0a17d095695

SHA256
5dfa6ca76a3653e1408311fb8c5d9e346504c1dd97fcc5d6a19f44a6f40bf368

SHA512
40f5d26cb613bdf452e76fc399ce7d781c84ef3d18c0573e23320a03eaf4a6742f7b2d1a46243119eb7c09a676437bf129ddd3f2792b2731480855bfa87b480b

Download Submit
C:\Windows\System\dEoEApw.exe

Filesize
5.2MB

MD5
e21c5c22aad2203f198650120867de61

SHA1
c8538161bf86bbf2ebc1880967e76b2f73dcb6da

SHA256
e2ae6103d53c99a1604e91ad1dfba10b9a64c37094b888bb177bb9c55dd0aaff

SHA512
3c7f9c49a18db486a1555b8f99bac3cc433f60fb394d253babe4d483b12157709ec3f3d3e30617ce55e1baad60b974303cf26a935c74da539d7f14db6d5f86b1

Download Submit
C:\Windows\System\eBXHHGm.exe

Filesize
5.2MB

MD5
aeaab5c97915fbc55914cf20639d5fef

SHA1
23256b5f26696a3ba030a3e25a4a07b7069cac7f

SHA256
280e7534b6a6052c0c0ad2f275d9a80554b42027970eeac2638c2e988883e8ea

SHA512
b001d35b0c366bbf69c5a01ce1a84cc1418bcd23035093965451783051428298b03797b706c7cbe3edd349ea08a25a89cd586e9f55ba9e6595a830f05d01c9bd

Download Submit
C:\Windows\System\icQVvDf.exe

Filesize
5.2MB

MD5
44fe2c482d22f3047f37959c1dd08e66

SHA1
00bff4fb51e9b900c80c447933100a9db7a07729

SHA256
2173f1fa57bee49dce6780c72eff8e1b26607aa9f61fdc06f677080a873a832b

SHA512
730a505223d8420d9881bed4eae45f6deeed4599988fda7fc1155711547e835242e1921890998684b64e5244291acd0c7d8a368b54c6280b59a91c5a4681d4b3

Download Submit
C:\Windows\System\nYUknvi.exe

Filesize
5.2MB

MD5
5bd9ff5d05aedb764e3b7a5c424e99a7

SHA1
f54efd8e4f5e0d1f4b7b70ab2042dd4b33b2f67a

SHA256
d6097feaa9bd905fcadafc39b6f3af97a6bd4cb7bf096f517e712c3db4e1a1af

SHA512
bc3499bfcdcb9ca23c9aa2bbf5608440f83dacf40d0bb409894ea5cb31b36c74e457e9ef73824092b1f002168f47a6aac205484f1b231e8b5a365669f4bfd0ff

Download Submit
C:\Windows\System\pLBnPPs.exe

Filesize
5.2MB

MD5
31791c3e7855b266883d18222f9b3e99

SHA1
c2972482f7f75248c9e532feea66f4315b8e5c7c

SHA256
b7f55878a495e677db96f7d91d2df6c94c9597dca242c9b23966fe901ab750c5

SHA512
e3894ee63de49423471e41dbaf0ca72c51831f0bb528f2f5d70ab927cd2902c408d7c8e5a374c2728a5bb7f9b64b293c72f24d2cdcf64949ddf397d42d4d4a43

Download Submit
C:\Windows\System\smTZBwD.exe

Filesize
5.2MB

MD5
f7bda1d157921fbafefd0aed6991738f

SHA1
150024a4bd72057f7b75e6cfb5fd2aa5bbe40d0d

SHA256
768af6213f0a474710fbc86d5172b325fc2d794096a89a1d7439eccf57ce8293

SHA512
9e57b58734cbe3b56622b6df168020355f1f9d1824c146f7021d6762edd44653f8d449312220fc2ea44ac7e389eb9b4201a587c69f7e9557b7c914f7fdea6891

Download Submit
C:\Windows\System\wMdnjUZ.exe

Filesize
5.2MB

MD5
e16b910f3dfbd79b2bdcffe7f73c808a

SHA1
559458e7ab8eac115ca0689579b85bd06448f8f4

SHA256
362dcc96a841e1f02f4fdfdeb6330a7c24ee6e75d4efa631877c96c86cf671fc

SHA512
b714a5754c1555ffaa3b05e09e827e500d0664acda73bbd34f96c0c260df007884f0747b6d4024e0bb9c74d41159f38e55afe3a6248e691a91d2fd66039fbc3c

Download Submit
C:\Windows\System\wjwwsRQ.exe

Filesize
5.2MB

MD5
b2a8784360606834cf51adf8640c4027

SHA1
2eb6135e6c75538399eb1cb94a40f3fcc7e3f225

SHA256
514680fe1aa6badc22ee13181d499e5c644e7041167e9f988f3706e5f01203d6

SHA512
4bbc377c50587c7a7c7d7fd9c936f51cc6719b835ed936c81582854695d24e0fafb60ebf482de43ec37077a4028ec9bce3d9f5f691de38d44fdd71788965b248

Download Submit
C:\Windows\System\yUEmkIz.exe

Filesize
5.2MB

MD5
ef08eeaee3aa3279069821f489183959

SHA1
cc38b099308de125a1242c6f55439bf280633be8

SHA256
2db1ef64f6ea9ee2c1ef3d7b8300b8ce6cfc86772725f0b30877a26ed1158657

SHA512
c50abba472aa55b607e2384ab84a3f59c18715d9ea3444ea3751863030ed6d0c75b755529aa72af1a7814817a57c56410a219477e91a1765b3cb30970935c19c

Download Submit
C:\Windows\System\zklKilq.exe

Filesize
5.2MB

MD5
a2d95797e6af83b09f5cc8c038852ca6

SHA1
9e51b0d4735a7f6f6575411b647ef52b514f6d35

SHA256
0d3be9883edd6e4e488e601694cb59b1871bc311292fea4205070bc0208f3034

SHA512
bbc3749376a4fe020e12edc7ee2173d3e2ebefc0a0e7d8f4de46880d67057beb7376073a4ad2cefbe55440d7939b4205990262b9039d391be84c742582b98ed2

Download Submit
memory/1144-242-0x00007FF74D530000-0x00007FF74D881000-memory.dmp

Filesize
3.3MB

Download
memory/1144-65-0x00007FF74D530000-0x00007FF74D881000-memory.dmp

Filesize
3.3MB

Download
memory/1144-108-0x00007FF74D530000-0x00007FF74D881000-memory.dmp

Filesize
3.3MB

Download
memory/1208-33-0x00007FF73BD60000-0x00007FF73C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1208-217-0x00007FF73BD60000-0x00007FF73C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1208-103-0x00007FF73BD60000-0x00007FF73C0B1000-memory.dmp

Filesize
3.3MB

Download
memory/1608-18-0x00007FF6B7130000-0x00007FF6B7481000-memory.dmp

Filesize
3.3MB

Download
memory/1608-199-0x00007FF6B7130000-0x00007FF6B7481000-memory.dmp

Filesize
3.3MB

Download
memory/1608-100-0x00007FF6B7130000-0x00007FF6B7481000-memory.dmp

Filesize
3.3MB

Download
memory/1924-237-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp

Filesize
3.3MB

Download
memory/1924-110-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp

Filesize
3.3MB

Download
memory/1924-66-0x00007FF7599E0000-0x00007FF759D31000-memory.dmp

Filesize
3.3MB

Download
memory/1992-78-0x00007FF658530000-0x00007FF658881000-memory.dmp

Filesize
3.3MB

Download
memory/1992-109-0x00007FF658530000-0x00007FF658881000-memory.dmp

Filesize
3.3MB

Download
memory/1992-238-0x00007FF658530000-0x00007FF658881000-memory.dmp

Filesize
3.3MB

Download
memory/2088-86-0x00007FF7DC400000-0x00007FF7DC751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-225-0x00007FF7DC400000-0x00007FF7DC751000-memory.dmp

Filesize
3.3MB

Download
memory/2252-143-0x00007FF696920000-0x00007FF696C71000-memory.dmp

Filesize
3.3MB

Download
memory/2252-258-0x00007FF696920000-0x00007FF696C71000-memory.dmp

Filesize
3.3MB

Download
memory/2252-163-0x00007FF696920000-0x00007FF696C71000-memory.dmp

Filesize
3.3MB

Download
memory/2672-80-0x00007FF7C2E10000-0x00007FF7C3161000-memory.dmp

Filesize
3.3MB

Download
memory/2672-240-0x00007FF7C2E10000-0x00007FF7C3161000-memory.dmp

Filesize
3.3MB

Download
memory/2672-113-0x00007FF7C2E10000-0x00007FF7C3161000-memory.dmp

Filesize
3.3MB

Download
memory/2728-233-0x00007FF7FBFB0000-0x00007FF7FC301000-memory.dmp

Filesize
3.3MB

Download
memory/2728-114-0x00007FF7FBFB0000-0x00007FF7FC301000-memory.dmp

Filesize
3.3MB

Download
memory/2728-85-0x00007FF7FBFB0000-0x00007FF7FC301000-memory.dmp

Filesize
3.3MB

Download
memory/2992-55-0x00007FF731E60000-0x00007FF7321B1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-105-0x00007FF731E60000-0x00007FF7321B1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-221-0x00007FF731E60000-0x00007FF7321B1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-45-0x00007FF71EE60000-0x00007FF71F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-104-0x00007FF71EE60000-0x00007FF71F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3656-219-0x00007FF71EE60000-0x00007FF71F1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-132-0x00007FF61BEF0000-0x00007FF61C241000-memory.dmp

Filesize
3.3MB

Download
memory/3664-250-0x00007FF61BEF0000-0x00007FF61C241000-memory.dmp

Filesize
3.3MB

Download
memory/3796-137-0x00007FF697EF0000-0x00007FF698241000-memory.dmp

Filesize
3.3MB

Download
memory/3796-256-0x00007FF697EF0000-0x00007FF698241000-memory.dmp

Filesize
3.3MB

Download
memory/3796-164-0x00007FF697EF0000-0x00007FF698241000-memory.dmp

Filesize
3.3MB

Download
memory/4184-165-0x00007FF6E5C30000-0x00007FF6E5F81000-memory.dmp

Filesize
3.3MB

Download
memory/4184-255-0x00007FF6E5C30000-0x00007FF6E5F81000-memory.dmp

Filesize
3.3MB

Download
memory/4184-133-0x00007FF6E5C30000-0x00007FF6E5F81000-memory.dmp

Filesize
3.3MB

Download
memory/4228-115-0x00007FF7B1B00000-0x00007FF7B1E51000-memory.dmp

Filesize
3.3MB

Download
memory/4228-231-0x00007FF7B1B00000-0x00007FF7B1E51000-memory.dmp

Filesize
3.3MB

Download
memory/4228-95-0x00007FF7B1B00000-0x00007FF7B1E51000-memory.dmp

Filesize
3.3MB

Download
memory/4488-99-0x00007FF7CE3F0000-0x00007FF7CE741000-memory.dmp

Filesize
3.3MB

Download
memory/4488-197-0x00007FF7CE3F0000-0x00007FF7CE741000-memory.dmp

Filesize
3.3MB

Download
memory/4488-8-0x00007FF7CE3F0000-0x00007FF7CE741000-memory.dmp

Filesize
3.3MB

Download
memory/4508-145-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-167-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-98-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-1-0x0000024ED8320000-0x0000024ED8330000-memory.dmp

Filesize
64KB

Download
memory/4508-0-0x00007FF74FA50000-0x00007FF74FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/4524-106-0x00007FF7C25F0000-0x00007FF7C2941000-memory.dmp

Filesize
3.3MB

Download
memory/4524-223-0x00007FF7C25F0000-0x00007FF7C2941000-memory.dmp

Filesize
3.3MB

Download
memory/4524-47-0x00007FF7C25F0000-0x00007FF7C2941000-memory.dmp

Filesize
3.3MB

Download
memory/4640-214-0x00007FF72A260000-0x00007FF72A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-28-0x00007FF72A260000-0x00007FF72A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-101-0x00007FF72A260000-0x00007FF72A5B1000-memory.dmp

Filesize
3.3MB

Download
memory/4696-79-0x00007FF722740000-0x00007FF722A91000-memory.dmp

Filesize
3.3MB

Download
memory/4696-112-0x00007FF722740000-0x00007FF722A91000-memory.dmp

Filesize
3.3MB

Download
memory/4696-234-0x00007FF722740000-0x00007FF722A91000-memory.dmp

Filesize
3.3MB

Download
memory/4712-136-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp

Filesize
3.3MB

Download
memory/4712-252-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp

Filesize
3.3MB

Download
memory/4712-166-0x00007FF6DD430000-0x00007FF6DD781000-memory.dmp

Filesize
3.3MB

Download
memory/5004-22-0x00007FF70FAD0000-0x00007FF70FE21000-memory.dmp

Filesize
3.3MB

Download
memory/5004-201-0x00007FF70FAD0000-0x00007FF70FE21000-memory.dmp

Filesize
3.3MB

Download
memory/5004-102-0x00007FF70FAD0000-0x00007FF70FE21000-memory.dmp

Filesize
3.3MB

Download