cobaltstrike | 46bc9ca3a7b4cea3ac58ef372e7da7f2062e42dae22f8d4e850362b0c78da548

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d087ce6c690b4644495acd71e4c7e1cf
SHA1

15c6971f232a209d7c55cdce06af74109e41ed7f
SHA256

46bc9ca3a7b4cea3ac58ef372e7da7f2062e42dae22f8d4e850362b0c78da548
SHA512

534c0d71e274e39a5f5e810b614d0f526ad9869ba4f729bcac67daf3c78b885be4f7cdf857f03472f6267c32aac8fac433f581188dbd5ea97fd2fad282832459
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lv:RWWBibf56utgpPFotBER/mQ32lUL

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233e3-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-23.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023436-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-76.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-85.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4284-68-0x00007FF7081A0000-0x00007FF7084F1000-memory.dmp	xmrig
behavioral2/memory/4920-81-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	xmrig
behavioral2/memory/964-73-0x00007FF6680E0000-0x00007FF668431000-memory.dmp	xmrig
behavioral2/memory/3928-87-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp	xmrig
behavioral2/memory/4588-125-0x00007FF745260000-0x00007FF7455B1000-memory.dmp	xmrig
behavioral2/memory/4984-129-0x00007FF7EA950000-0x00007FF7EACA1000-memory.dmp	xmrig
behavioral2/memory/888-135-0x00007FF67DDD0000-0x00007FF67E121000-memory.dmp	xmrig
behavioral2/memory/1520-130-0x00007FF6F8270000-0x00007FF6F85C1000-memory.dmp	xmrig
behavioral2/memory/4136-122-0x00007FF6A78D0000-0x00007FF6A7C21000-memory.dmp	xmrig
behavioral2/memory/1716-115-0x00007FF77EB80000-0x00007FF77EED1000-memory.dmp	xmrig
behavioral2/memory/1392-112-0x00007FF7F51F0000-0x00007FF7F5541000-memory.dmp	xmrig
behavioral2/memory/2184-110-0x00007FF783B80000-0x00007FF783ED1000-memory.dmp	xmrig
behavioral2/memory/3828-104-0x00007FF727B90000-0x00007FF727EE1000-memory.dmp	xmrig
behavioral2/memory/5036-103-0x00007FF79FE70000-0x00007FF7A01C1000-memory.dmp	xmrig
behavioral2/memory/4836-92-0x00007FF7A3F10000-0x00007FF7A4261000-memory.dmp	xmrig
behavioral2/memory/4920-138-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	xmrig
behavioral2/memory/1176-154-0x00007FF6205E0000-0x00007FF620931000-memory.dmp	xmrig
behavioral2/memory/2128-153-0x00007FF6A0A90000-0x00007FF6A0DE1000-memory.dmp	xmrig
behavioral2/memory/2436-155-0x00007FF71A990000-0x00007FF71ACE1000-memory.dmp	xmrig
behavioral2/memory/4880-161-0x00007FF628900000-0x00007FF628C51000-memory.dmp	xmrig
behavioral2/memory/1448-163-0x00007FF7E7F80000-0x00007FF7E82D1000-memory.dmp	xmrig
behavioral2/memory/4332-160-0x00007FF655AE0000-0x00007FF655E31000-memory.dmp	xmrig
behavioral2/memory/212-162-0x00007FF77EB00000-0x00007FF77EE51000-memory.dmp	xmrig
behavioral2/memory/4920-164-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	xmrig
behavioral2/memory/3928-212-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp	xmrig
behavioral2/memory/4836-215-0x00007FF7A3F10000-0x00007FF7A4261000-memory.dmp	xmrig
behavioral2/memory/5036-228-0x00007FF79FE70000-0x00007FF7A01C1000-memory.dmp	xmrig
behavioral2/memory/1392-231-0x00007FF7F51F0000-0x00007FF7F5541000-memory.dmp	xmrig
behavioral2/memory/2184-232-0x00007FF783B80000-0x00007FF783ED1000-memory.dmp	xmrig
behavioral2/memory/4588-237-0x00007FF745260000-0x00007FF7455B1000-memory.dmp	xmrig
behavioral2/memory/4984-240-0x00007FF7EA950000-0x00007FF7EACA1000-memory.dmp	xmrig
behavioral2/memory/4136-236-0x00007FF6A78D0000-0x00007FF6A7C21000-memory.dmp	xmrig
behavioral2/memory/4284-239-0x00007FF7081A0000-0x00007FF7084F1000-memory.dmp	xmrig
behavioral2/memory/964-242-0x00007FF6680E0000-0x00007FF668431000-memory.dmp	xmrig
behavioral2/memory/888-249-0x00007FF67DDD0000-0x00007FF67E121000-memory.dmp	xmrig
behavioral2/memory/1520-250-0x00007FF6F8270000-0x00007FF6F85C1000-memory.dmp	xmrig
behavioral2/memory/1176-247-0x00007FF6205E0000-0x00007FF620931000-memory.dmp	xmrig
behavioral2/memory/2128-245-0x00007FF6A0A90000-0x00007FF6A0DE1000-memory.dmp	xmrig
behavioral2/memory/3828-259-0x00007FF727B90000-0x00007FF727EE1000-memory.dmp	xmrig
behavioral2/memory/2436-261-0x00007FF71A990000-0x00007FF71ACE1000-memory.dmp	xmrig
behavioral2/memory/1716-263-0x00007FF77EB80000-0x00007FF77EED1000-memory.dmp	xmrig
behavioral2/memory/4332-267-0x00007FF655AE0000-0x00007FF655E31000-memory.dmp	xmrig
behavioral2/memory/1448-266-0x00007FF7E7F80000-0x00007FF7E82D1000-memory.dmp	xmrig
behavioral2/memory/212-269-0x00007FF77EB00000-0x00007FF77EE51000-memory.dmp	xmrig
behavioral2/memory/4880-272-0x00007FF628900000-0x00007FF628C51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3928	gnKjmMw.exe
4836	fSUIkCa.exe
5036	zigEpob.exe
2184	MQWjOJX.exe
1392	kxxpEmn.exe
4984	ibIpGOk.exe
4136	vUTjnpL.exe
4284	lYacmau.exe
4588	hZWKKSz.exe
964	jznfDhY.exe
1520	VbJexdy.exe
888	MFfosin.exe
1176	szWhphp.exe
2128	hpLncux.exe
2436	QeDRwwT.exe
3828	DCWDlje.exe
1716	RJeMjtB.exe
1448	YTskUPj.exe
4332	bEHHguD.exe
4880	jeyWOOk.exe
212	PEYciSa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-0-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	upx
behavioral2/files/0x00090000000233e3-5.dat	upx
behavioral2/memory/3928-7-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp	upx
behavioral2/files/0x0007000000023441-12.dat	upx
behavioral2/memory/4836-14-0x00007FF7A3F10000-0x00007FF7A4261000-memory.dmp	upx
behavioral2/files/0x0007000000023442-11.dat	upx
behavioral2/files/0x0007000000023443-23.dat	upx
behavioral2/files/0x0009000000023436-24.dat	upx
behavioral2/memory/1392-31-0x00007FF7F51F0000-0x00007FF7F5541000-memory.dmp	upx
behavioral2/files/0x0007000000023444-42.dat	upx
behavioral2/files/0x0007000000023446-48.dat	upx
behavioral2/files/0x0007000000023448-53.dat	upx
behavioral2/files/0x0007000000023447-58.dat	upx
behavioral2/memory/4284-68-0x00007FF7081A0000-0x00007FF7084F1000-memory.dmp	upx
behavioral2/files/0x000700000002344a-76.dat	upx
behavioral2/memory/1176-80-0x00007FF6205E0000-0x00007FF620931000-memory.dmp	upx
behavioral2/files/0x000700000002344c-85.dat	upx
behavioral2/memory/2128-84-0x00007FF6A0A90000-0x00007FF6A0DE1000-memory.dmp	upx
behavioral2/files/0x000700000002344b-82.dat	upx
behavioral2/memory/4920-81-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	upx
behavioral2/memory/888-78-0x00007FF67DDD0000-0x00007FF67E121000-memory.dmp	upx
behavioral2/memory/964-73-0x00007FF6680E0000-0x00007FF668431000-memory.dmp	upx
behavioral2/files/0x0007000000023449-71.dat	upx
behavioral2/memory/1520-64-0x00007FF6F8270000-0x00007FF6F85C1000-memory.dmp	upx
behavioral2/memory/4588-56-0x00007FF745260000-0x00007FF7455B1000-memory.dmp	upx
behavioral2/files/0x0007000000023445-52.dat	upx
behavioral2/memory/4136-50-0x00007FF6A78D0000-0x00007FF6A7C21000-memory.dmp	upx
behavioral2/memory/4984-41-0x00007FF7EA950000-0x00007FF7EACA1000-memory.dmp	upx
behavioral2/memory/2184-30-0x00007FF783B80000-0x00007FF783ED1000-memory.dmp	upx
behavioral2/memory/5036-21-0x00007FF79FE70000-0x00007FF7A01C1000-memory.dmp	upx
behavioral2/memory/3928-87-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp	upx
behavioral2/files/0x000700000002344d-91.dat	upx
behavioral2/memory/2436-93-0x00007FF71A990000-0x00007FF71ACE1000-memory.dmp	upx
behavioral2/files/0x000700000002344f-98.dat	upx
behavioral2/files/0x0007000000023450-105.dat	upx
behavioral2/files/0x0007000000023451-111.dat	upx
behavioral2/files/0x0007000000023452-118.dat	upx
behavioral2/memory/4588-125-0x00007FF745260000-0x00007FF7455B1000-memory.dmp	upx
behavioral2/memory/4984-129-0x00007FF7EA950000-0x00007FF7EACA1000-memory.dmp	upx
behavioral2/files/0x0007000000023454-132.dat	upx
behavioral2/memory/888-135-0x00007FF67DDD0000-0x00007FF67E121000-memory.dmp	upx
behavioral2/files/0x0007000000023453-134.dat	upx
behavioral2/memory/212-133-0x00007FF77EB00000-0x00007FF77EE51000-memory.dmp	upx
behavioral2/memory/4880-131-0x00007FF628900000-0x00007FF628C51000-memory.dmp	upx
behavioral2/memory/1520-130-0x00007FF6F8270000-0x00007FF6F85C1000-memory.dmp	upx
behavioral2/memory/4332-126-0x00007FF655AE0000-0x00007FF655E31000-memory.dmp	upx
behavioral2/memory/4136-122-0x00007FF6A78D0000-0x00007FF6A7C21000-memory.dmp	upx
behavioral2/memory/1448-120-0x00007FF7E7F80000-0x00007FF7E82D1000-memory.dmp	upx
behavioral2/memory/1716-115-0x00007FF77EB80000-0x00007FF77EED1000-memory.dmp	upx
behavioral2/memory/1392-112-0x00007FF7F51F0000-0x00007FF7F5541000-memory.dmp	upx
behavioral2/memory/2184-110-0x00007FF783B80000-0x00007FF783ED1000-memory.dmp	upx
behavioral2/memory/3828-104-0x00007FF727B90000-0x00007FF727EE1000-memory.dmp	upx
behavioral2/memory/5036-103-0x00007FF79FE70000-0x00007FF7A01C1000-memory.dmp	upx
behavioral2/memory/4836-92-0x00007FF7A3F10000-0x00007FF7A4261000-memory.dmp	upx
behavioral2/memory/4920-138-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	upx
behavioral2/memory/1176-154-0x00007FF6205E0000-0x00007FF620931000-memory.dmp	upx
behavioral2/memory/2128-153-0x00007FF6A0A90000-0x00007FF6A0DE1000-memory.dmp	upx
behavioral2/memory/2436-155-0x00007FF71A990000-0x00007FF71ACE1000-memory.dmp	upx
behavioral2/memory/4880-161-0x00007FF628900000-0x00007FF628C51000-memory.dmp	upx
behavioral2/memory/1448-163-0x00007FF7E7F80000-0x00007FF7E82D1000-memory.dmp	upx
behavioral2/memory/4332-160-0x00007FF655AE0000-0x00007FF655E31000-memory.dmp	upx
behavioral2/memory/212-162-0x00007FF77EB00000-0x00007FF77EE51000-memory.dmp	upx
behavioral2/memory/4920-164-0x00007FF647170000-0x00007FF6474C1000-memory.dmp	upx
behavioral2/memory/3928-212-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RJeMjtB.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZWKKSz.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jznfDhY.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\szWhphp.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QeDRwwT.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCWDlje.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YTskUPj.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gnKjmMw.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zigEpob.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MQWjOJX.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PEYciSa.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kxxpEmn.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ibIpGOk.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MFfosin.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VbJexdy.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hpLncux.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bEHHguD.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jeyWOOk.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fSUIkCa.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vUTjnpL.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lYacmau.exe	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3928	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4920 wrote to memory of 3928	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4920 wrote to memory of 4836	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4920 wrote to memory of 4836	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4920 wrote to memory of 5036	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4920 wrote to memory of 5036	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4920 wrote to memory of 2184	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4920 wrote to memory of 2184	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4920 wrote to memory of 1392	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4920 wrote to memory of 1392	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4920 wrote to memory of 4984	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4920 wrote to memory of 4984	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4920 wrote to memory of 4136	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4920 wrote to memory of 4136	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4920 wrote to memory of 4284	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4920 wrote to memory of 4284	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4920 wrote to memory of 4588	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4920 wrote to memory of 4588	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4920 wrote to memory of 964	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4920 wrote to memory of 964	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4920 wrote to memory of 1520	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4920 wrote to memory of 1520	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4920 wrote to memory of 888	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4920 wrote to memory of 888	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4920 wrote to memory of 1176	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4920 wrote to memory of 1176	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4920 wrote to memory of 2128	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4920 wrote to memory of 2128	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4920 wrote to memory of 2436	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4920 wrote to memory of 2436	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4920 wrote to memory of 3828	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4920 wrote to memory of 3828	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4920 wrote to memory of 1716	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4920 wrote to memory of 1716	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4920 wrote to memory of 1448	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4920 wrote to memory of 1448	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4920 wrote to memory of 4332	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4920 wrote to memory of 4332	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4920 wrote to memory of 4880	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4920 wrote to memory of 4880	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4920 wrote to memory of 212	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4920 wrote to memory of 212	4920	2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_d087ce6c690b4644495acd71e4c7e1cf_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\System\gnKjmMw.exe
  C:\Windows\System\gnKjmMw.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\fSUIkCa.exe
  C:\Windows\System\fSUIkCa.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\zigEpob.exe
  C:\Windows\System\zigEpob.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\MQWjOJX.exe
  C:\Windows\System\MQWjOJX.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\kxxpEmn.exe
  C:\Windows\System\kxxpEmn.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\ibIpGOk.exe
  C:\Windows\System\ibIpGOk.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\vUTjnpL.exe
  C:\Windows\System\vUTjnpL.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\lYacmau.exe
  C:\Windows\System\lYacmau.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\hZWKKSz.exe
  C:\Windows\System\hZWKKSz.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\jznfDhY.exe
  C:\Windows\System\jznfDhY.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\VbJexdy.exe
  C:\Windows\System\VbJexdy.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\MFfosin.exe
  C:\Windows\System\MFfosin.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System\szWhphp.exe
  C:\Windows\System\szWhphp.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\hpLncux.exe
  C:\Windows\System\hpLncux.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\QeDRwwT.exe
  C:\Windows\System\QeDRwwT.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\DCWDlje.exe
  C:\Windows\System\DCWDlje.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\RJeMjtB.exe
  C:\Windows\System\RJeMjtB.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\YTskUPj.exe
  C:\Windows\System\YTskUPj.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\bEHHguD.exe
  C:\Windows\System\bEHHguD.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\jeyWOOk.exe
  C:\Windows\System\jeyWOOk.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\PEYciSa.exe
  C:\Windows\System\PEYciSa.exe
  2⤵
  - Executes dropped EXE
  PID:212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DCWDlje.exe

Filesize
5.2MB

MD5
c50ae495b93fe7a4ba354e330872c919

SHA1
55e8b69ac8dc48f3eac783b0a3905de50ad330f6

SHA256
5e82e778c5578dc6b71634d6d29fe8e120f170e0ccc02c456c43dd81b3664a60

SHA512
927c614646f2c8c9c49d6d3c745ea44fb9092bdeb523b6a273cdfb3c7f7b5ce2cc0a499e09c328dc705197c9886099a2b15cc26fe481ad1812b48379e155e82d

Download Submit
C:\Windows\System\MFfosin.exe

Filesize
5.2MB

MD5
d72f4cb7c2f3316c8438618b1d7e3faf

SHA1
904056a5b0b8478da553fdf55a56a2156695928c

SHA256
87be5c06b2c4dbc4c84e54db0857abbf455aa7e5751d1a71a70b662bd379c3ca

SHA512
aa476c35d2b1d530b848f3cc67df952794b76b83593b40e4e09c56d756cdd778d4b2cff4a70c8b9a3b764b11576b11d48db3005c6df3e42685e8bd99739f5ff7

Download Submit
C:\Windows\System\MQWjOJX.exe

Filesize
5.2MB

MD5
97767abefe35b46406e9e3373cf54ce7

SHA1
c5721320f3a06eefee3b57901d9729cf847c865b

SHA256
9b0c42a8ee487277f35e80938e4e56cf1ad39ffb1a1cb71ae3b7c3263ce30955

SHA512
6e2256de43b0cfdfba8cf34ecc5d6835a1f51e01fa174c69108061474f5a51b598aa55c686c2dafe97b1eb053e99b0d0fe7eb3fe01feaf1cf9b76508b23e5496

Download Submit
C:\Windows\System\PEYciSa.exe

Filesize
5.2MB

MD5
f02a599388ddf07d019075337d04dd41

SHA1
c3f9fddb18bee93c1df216698bf3c09dcbafd807

SHA256
dcdcf373b2d559fcfee8ce1b1f319e88a19a9f0e2742f76d60b7926cb08505de

SHA512
012ff6ea7a74454630740f167f6103872b68c8fd9dce26a515ca6707ac5fe917ca8b06b3c824e762c9e3941d832e61caca242af1247cb208d9a2a3666b11ec7a

Download Submit
C:\Windows\System\QeDRwwT.exe

Filesize
5.2MB

MD5
21fb6e91e28c95f0ec3cb52169acc599

SHA1
bd6a93dfda839282fc004d7ab87e639c5a9358e8

SHA256
2fe96d31bd5bdee893bb176a3f61048d1bf14d9a81adf6ec1bd58382136aff82

SHA512
64b35cf971f8dce8b972ec9becb6e8552ae4dfc7fe0a8a5b341525fafbbc6edfa4058340924478dc36366c3362832ff84d093f12958ff35831df56087d97337e

Download Submit
C:\Windows\System\RJeMjtB.exe

Filesize
5.2MB

MD5
2b1a3a57dbde219ba2ea55bb26922d94

SHA1
f795aa4e2906311847404e56d1d465379aad8d88

SHA256
556bea3263c7b8653472183f52e819627e90de51da3d31b8be5f92ad598bf513

SHA512
2c5a310058af1d545f0eeefa5a47861565990c5b76fb5abce57fb2364438809e72a99b10a60d4b73887e5ad1e0ef2a49f2e05f3afe6abd0e0a29fb87ee262935

Download Submit
C:\Windows\System\VbJexdy.exe

Filesize
5.2MB

MD5
cf6036de13942c2ed57f2a961987520f

SHA1
24b04029e67ea5852895b67fba075b505ec869a2

SHA256
bac7a057ab8719b47cd0db97cf4062884962f1c3f10911fb438d3b61e761cf12

SHA512
924810a8a5829e0431795611678fa0296fe359246f3d3f12074d1001c6528b27358bd84f4f8608e78719b62a93448e26d5302ebcea07a3650815708df2dfdcce

Download Submit
C:\Windows\System\YTskUPj.exe

Filesize
5.2MB

MD5
e250aecd2aed1a181422e204437bc539

SHA1
a851150b38efa676675c44a6a58a5288edbb484e

SHA256
f663b54218bbbf5b61d17ba5a69090fd67e3ed9415925d99fabd8e3bc0d50f24

SHA512
34b159196b8b4bf10ef85cc6f2ff6755f16cadb63cc04079be52267f0dc49435f75d8c800d44b8a2b21480f1d451553ee998055084a7db9608dd378f17da092b

Download Submit
C:\Windows\System\bEHHguD.exe

Filesize
5.2MB

MD5
ce9d3c3a9268784dedebe1b93116a77c

SHA1
c16c57cf57cbc6873163c6ad672dad38f010ab4a

SHA256
5b31ad056117d44e9d30c4ddb34a27cff80abc38e66b4770670d6c772d2f99a4

SHA512
4857f02083dd0d7ac27aa48aab235ce2341f7a422fd3ae258943886fca4239fea7fb60cbc599045dea07a0f509c87b61734cad5020f19ab50c1fb8252b3f0a7c

Download Submit
C:\Windows\System\fSUIkCa.exe

Filesize
5.2MB

MD5
d5eeff71fac47e77cdd90e9ab558b49b

SHA1
d1ac2268315c6b6f8d2cd908cdc17de1417324c7

SHA256
43223746bfed643ebf1b5ca6bbda2aff88f3547feda9fcf2cacd8458fa030123

SHA512
11c16ea9b1bf3e4f15bb216443516601f3ce0789111208fd9e82148eba48473a5910247dd503f19ca29b207ddbd24494e9a985e65c7c03ee0721b1fc18cb7aae

Download Submit
C:\Windows\System\gnKjmMw.exe

Filesize
5.2MB

MD5
773db505c29a0f8d62c91a9143995e46

SHA1
d32a3f4231dc0d3b7631199859e1fcd8df572b91

SHA256
a2e25ed67ce5c1ee4841906c11edfd19bde921696c4782eae0341ed5b72232eb

SHA512
84921d91ccfd47f90e2b074fe40bb3dd9f7b745657c2906d6c5eea7f14bcc007b3da96adf04004d1fd16518e77c1ea184c578fb88adb81c21f0a4f3bc4ec289b

Download Submit
C:\Windows\System\hZWKKSz.exe

Filesize
5.2MB

MD5
64fd1d00600796488c41451739c2ed4d

SHA1
69862b878c8ce325772191c3e7c60ec7b7a2e450

SHA256
9c678dc7a95383154c827b13caeccabf07b04f91be5e553ec09962a5ead0144f

SHA512
56ac4fc80445b7f592ab5f21cdca8eefdc42ebe6183234e26ea2adc140f3323dcb5b9574f0effb7ddc60ca2a4d72dbffb4ac4c9e835ea189ccc03d5921a106f2

Download Submit
C:\Windows\System\hpLncux.exe

Filesize
5.2MB

MD5
384c450770f0e08e79b9ef514046b80c

SHA1
e9b0d8f7b88a24a0414a96db1c3ef550eea0ae15

SHA256
b40b142e4c1352ecf2448fe70dc5e0bab9cf2ab21d3cf105e9ed35eeb7d9f648

SHA512
a5de7184f07379dc8052a7811069d8f6a17bb33f3ccc18c885ae5b32fb475a8f9365e249a99af00fb04bb835080187d23051754fbe5d411018e427318e33a84d

Download Submit
C:\Windows\System\ibIpGOk.exe

Filesize
5.2MB

MD5
5fe7ceb8b53a2f32085700e7cff911d1

SHA1
b71ced7c92235e53f127ed52f61409508a9490cb

SHA256
35b8030cf2d0e9752aa199fd091a306b315b01a75fd85f7a0827b528e218854c

SHA512
97c5d8348860c7bc9b8cacc26135e41e4c81432167deeb3147cd7450717a7e349fba98f72902b634cf28b975031c19a165ed3c0f3a7b39ddb74a4d71dadf082a

Download Submit
C:\Windows\System\jeyWOOk.exe

Filesize
5.2MB

MD5
bbb9868dccc5fef19296657aafd7d016

SHA1
263c30dcfb61977c396b52c6d802081b4a6bf0ae

SHA256
5ad00859e9f5f7abf18fcfa79769b579308efaff193e0cb7e4ddb8ffa0885526

SHA512
f481e4a0b0245486ad3a38795a32143e1f5188d36cb61e4fa92d37c97f33f1e35468472ddbba0f7add6e6d91fc6437b688c559919f4163ad188d35dac423434d

Download Submit
C:\Windows\System\jznfDhY.exe

Filesize
5.2MB

MD5
3242092744a2c81371df1b8b04ac6aa5

SHA1
c07c7442de04b1296dd3522004b79fea5cb16d48

SHA256
85edc8fdceff761467c4892668a1ffa7cafb23f500f6700bab46cab323f13c8d

SHA512
c0b3b23bd7d70b1255b4e01aad800d83da218a2ba93ee427c9c23dc5b042f4497be33d5c4ad5ffd2aa45da9ca7a1f3adca61a6d6f8c65b302ce0ac3d65dca1a3

Download Submit
C:\Windows\System\kxxpEmn.exe

Filesize
5.2MB

MD5
d394f0d9edfe5e97c4039f2cd8ede5f6

SHA1
ab64d34b29241718aff7b0f53c66e0cae735948e

SHA256
d47e3c9874ff9bf7d563d5f52fffb25d87071f9966190802da7c27d7fd07bfbf

SHA512
f6e052f37965239bf6238b12a1affee6350016cf109ebb8935e64a1d1f40d14f202c4e7d14f23b828cf4dcbb8d6f517cfa01c8a368d9fe9240189ae8b9d5e236

Download Submit
C:\Windows\System\lYacmau.exe

Filesize
5.2MB

MD5
c6acdee463248d40dfbd666217132fc2

SHA1
ddb3633d8ff1bb51f83f65fdedc8aea5b38e2b12

SHA256
cf0665914c9a78ff01810150d0f6e38c7b2b4a879cdca61a005b894b132f6c1b

SHA512
e421932d6170f7d17b776b8660833503195d682dd6a9d560617ae09a63ef8fe4e9930b45e3ba38f968cbd7de3f0650c545423f4859f853f7641e6b8e0b2abbe6

Download Submit
C:\Windows\System\szWhphp.exe

Filesize
5.2MB

MD5
a09391ad02e783e8d6a214a891b615de

SHA1
2a8f98e0e55e838cc6787ed35c998752ff9afe9e

SHA256
cbbb3ada5f3a3ca1d071966d01d046b0b4611e381c5c300a13360504dcc61a7c

SHA512
f112800f07aaa0db9e81db6097b5c754c3dc066eab68283371ec43aea17b2d48a4393a60a017f60a8481761bbc86b55f51ade7c1eac7283a452016f8af118be4

Download Submit
C:\Windows\System\vUTjnpL.exe

Filesize
5.2MB

MD5
690c179ce1ec9c78c2b360ec4312a2dc

SHA1
cef6342cebd2cbf83292e7c4b43800591e47ea34

SHA256
8564c2953a1959ad3e140fe862b82f85b7f61225fa076a059c609605a2c287dd

SHA512
d2584546e4bc9f16cb6d3dd81df549f7d206f0b137d444d4ae8d8850294ddf9967334f40a957366ed487100af26763d399e7ed63cb8b60ede0b27fa152bb49d4

Download Submit
C:\Windows\System\zigEpob.exe

Filesize
5.2MB

MD5
fa1c50e916a7ed32b62a4e7f9c3921b4

SHA1
cd57ae7a80b72e453e580886582b1dba649629f5

SHA256
59bc0413d41da389f977a3d201952d9eef0f1e519b8bbd943216ac703e554164

SHA512
bc68567ea921eea2b20368aecf605963e3a2fd6ee5c4a6c03c6cb74d1209b50d9031c18d750fc5a8dd981e5b2d7cd8f403934fc4c06fe7b3fcf1eab1bec5fccd

Download Submit
memory/212-133-0x00007FF77EB00000-0x00007FF77EE51000-memory.dmp

Filesize
3.3MB

Download
memory/212-162-0x00007FF77EB00000-0x00007FF77EE51000-memory.dmp

Filesize
3.3MB

Download
memory/212-269-0x00007FF77EB00000-0x00007FF77EE51000-memory.dmp

Filesize
3.3MB

Download
memory/888-135-0x00007FF67DDD0000-0x00007FF67E121000-memory.dmp

Filesize
3.3MB

Download
memory/888-78-0x00007FF67DDD0000-0x00007FF67E121000-memory.dmp

Filesize
3.3MB

Download
memory/888-249-0x00007FF67DDD0000-0x00007FF67E121000-memory.dmp

Filesize
3.3MB

Download
memory/964-73-0x00007FF6680E0000-0x00007FF668431000-memory.dmp

Filesize
3.3MB

Download
memory/964-242-0x00007FF6680E0000-0x00007FF668431000-memory.dmp

Filesize
3.3MB

Download
memory/1176-154-0x00007FF6205E0000-0x00007FF620931000-memory.dmp

Filesize
3.3MB

Download
memory/1176-247-0x00007FF6205E0000-0x00007FF620931000-memory.dmp

Filesize
3.3MB

Download
memory/1176-80-0x00007FF6205E0000-0x00007FF620931000-memory.dmp

Filesize
3.3MB

Download
memory/1392-31-0x00007FF7F51F0000-0x00007FF7F5541000-memory.dmp

Filesize
3.3MB

Download
memory/1392-112-0x00007FF7F51F0000-0x00007FF7F5541000-memory.dmp

Filesize
3.3MB

Download
memory/1392-231-0x00007FF7F51F0000-0x00007FF7F5541000-memory.dmp

Filesize
3.3MB

Download
memory/1448-163-0x00007FF7E7F80000-0x00007FF7E82D1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-266-0x00007FF7E7F80000-0x00007FF7E82D1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-120-0x00007FF7E7F80000-0x00007FF7E82D1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-64-0x00007FF6F8270000-0x00007FF6F85C1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-250-0x00007FF6F8270000-0x00007FF6F85C1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-130-0x00007FF6F8270000-0x00007FF6F85C1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-263-0x00007FF77EB80000-0x00007FF77EED1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-115-0x00007FF77EB80000-0x00007FF77EED1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-153-0x00007FF6A0A90000-0x00007FF6A0DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-84-0x00007FF6A0A90000-0x00007FF6A0DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-245-0x00007FF6A0A90000-0x00007FF6A0DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-30-0x00007FF783B80000-0x00007FF783ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-110-0x00007FF783B80000-0x00007FF783ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-232-0x00007FF783B80000-0x00007FF783ED1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-155-0x00007FF71A990000-0x00007FF71ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-261-0x00007FF71A990000-0x00007FF71ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-93-0x00007FF71A990000-0x00007FF71ACE1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-259-0x00007FF727B90000-0x00007FF727EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-104-0x00007FF727B90000-0x00007FF727EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3928-7-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp

Filesize
3.3MB

Download
memory/3928-87-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp

Filesize
3.3MB

Download
memory/3928-212-0x00007FF7B8840000-0x00007FF7B8B91000-memory.dmp

Filesize
3.3MB

Download
memory/4136-236-0x00007FF6A78D0000-0x00007FF6A7C21000-memory.dmp

Filesize
3.3MB

Download
memory/4136-122-0x00007FF6A78D0000-0x00007FF6A7C21000-memory.dmp

Filesize
3.3MB

Download
memory/4136-50-0x00007FF6A78D0000-0x00007FF6A7C21000-memory.dmp

Filesize
3.3MB

Download
memory/4284-68-0x00007FF7081A0000-0x00007FF7084F1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-239-0x00007FF7081A0000-0x00007FF7084F1000-memory.dmp

Filesize
3.3MB

Download
memory/4332-267-0x00007FF655AE0000-0x00007FF655E31000-memory.dmp

Filesize
3.3MB

Download
memory/4332-126-0x00007FF655AE0000-0x00007FF655E31000-memory.dmp

Filesize
3.3MB

Download
memory/4332-160-0x00007FF655AE0000-0x00007FF655E31000-memory.dmp

Filesize
3.3MB

Download
memory/4588-237-0x00007FF745260000-0x00007FF7455B1000-memory.dmp

Filesize
3.3MB

Download
memory/4588-56-0x00007FF745260000-0x00007FF7455B1000-memory.dmp

Filesize
3.3MB

Download
memory/4588-125-0x00007FF745260000-0x00007FF7455B1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-215-0x00007FF7A3F10000-0x00007FF7A4261000-memory.dmp

Filesize
3.3MB

Download
memory/4836-92-0x00007FF7A3F10000-0x00007FF7A4261000-memory.dmp

Filesize
3.3MB

Download
memory/4836-14-0x00007FF7A3F10000-0x00007FF7A4261000-memory.dmp

Filesize
3.3MB

Download
memory/4880-161-0x00007FF628900000-0x00007FF628C51000-memory.dmp

Filesize
3.3MB

Download
memory/4880-272-0x00007FF628900000-0x00007FF628C51000-memory.dmp

Filesize
3.3MB

Download
memory/4880-131-0x00007FF628900000-0x00007FF628C51000-memory.dmp

Filesize
3.3MB

Download
memory/4920-164-0x00007FF647170000-0x00007FF6474C1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-138-0x00007FF647170000-0x00007FF6474C1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-0-0x00007FF647170000-0x00007FF6474C1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-1-0x000001571B400000-0x000001571B410000-memory.dmp

Filesize
64KB

Download
memory/4920-81-0x00007FF647170000-0x00007FF6474C1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-41-0x00007FF7EA950000-0x00007FF7EACA1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-129-0x00007FF7EA950000-0x00007FF7EACA1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-240-0x00007FF7EA950000-0x00007FF7EACA1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-21-0x00007FF79FE70000-0x00007FF7A01C1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-103-0x00007FF79FE70000-0x00007FF7A01C1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-228-0x00007FF79FE70000-0x00007FF7A01C1000-memory.dmp

Filesize
3.3MB

Download