cobaltstrike | ccba67d963a51395ebdf14219d79654dc29ef6fe3004ab88c25a14e8061f8afa

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e32e6111edbb32968583b1b59aa64fb2
SHA1

474e27971159b9b3db8e85b72c274bdb5bcb5e00
SHA256

ccba67d963a51395ebdf14219d79654dc29ef6fe3004ab88c25a14e8061f8afa
SHA512

dead3c392dac57ddc4a8e44093bc441a5c0a135778b32df9b3f1b5b73852a71207c7a6d18751b5411c3192fa2cce7cb484e95fecd58a10598639f159476b9e95
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023450-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b5-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b7-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ba-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b9-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-94.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-119.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234af-117.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-87.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bf-76.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b8-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b6-45.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1096-19-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp	xmrig
behavioral2/memory/3536-122-0x00007FF6C8670000-0x00007FF6C89C1000-memory.dmp	xmrig
behavioral2/memory/2204-126-0x00007FF7C0D30000-0x00007FF7C1081000-memory.dmp	xmrig
behavioral2/memory/5096-125-0x00007FF637380000-0x00007FF6376D1000-memory.dmp	xmrig
behavioral2/memory/716-124-0x00007FF6602A0000-0x00007FF6605F1000-memory.dmp	xmrig
behavioral2/memory/3956-123-0x00007FF701E60000-0x00007FF7021B1000-memory.dmp	xmrig
behavioral2/memory/4128-121-0x00007FF7404B0000-0x00007FF740801000-memory.dmp	xmrig
behavioral2/memory/3960-116-0x00007FF7A6B40000-0x00007FF7A6E91000-memory.dmp	xmrig
behavioral2/memory/2092-113-0x00007FF6329E0000-0x00007FF632D31000-memory.dmp	xmrig
behavioral2/memory/4556-112-0x00007FF7DFA90000-0x00007FF7DFDE1000-memory.dmp	xmrig
behavioral2/memory/1056-108-0x00007FF70D820000-0x00007FF70DB71000-memory.dmp	xmrig
behavioral2/memory/4564-41-0x00007FF759470000-0x00007FF7597C1000-memory.dmp	xmrig
behavioral2/memory/1544-129-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	xmrig
behavioral2/memory/1288-131-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp	xmrig
behavioral2/memory/1096-130-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp	xmrig
behavioral2/memory/3720-128-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	xmrig
behavioral2/memory/1080-142-0x00007FF78F260000-0x00007FF78F5B1000-memory.dmp	xmrig
behavioral2/memory/5044-137-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp	xmrig
behavioral2/memory/4944-135-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp	xmrig
behavioral2/memory/4600-134-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp	xmrig
behavioral2/memory/3972-141-0x00007FF736D00000-0x00007FF737051000-memory.dmp	xmrig
behavioral2/memory/1232-139-0x00007FF660F40000-0x00007FF661291000-memory.dmp	xmrig
behavioral2/memory/2676-132-0x00007FF667200000-0x00007FF667551000-memory.dmp	xmrig
behavioral2/memory/3720-150-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	xmrig
behavioral2/memory/1544-210-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	xmrig
behavioral2/memory/1096-212-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp	xmrig
behavioral2/memory/1288-214-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp	xmrig
behavioral2/memory/2676-218-0x00007FF667200000-0x00007FF667551000-memory.dmp	xmrig
behavioral2/memory/4564-217-0x00007FF759470000-0x00007FF7597C1000-memory.dmp	xmrig
behavioral2/memory/4600-228-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp	xmrig
behavioral2/memory/4944-229-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp	xmrig
behavioral2/memory/3960-233-0x00007FF7A6B40000-0x00007FF7A6E91000-memory.dmp	xmrig
behavioral2/memory/5044-231-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp	xmrig
behavioral2/memory/1080-247-0x00007FF78F260000-0x00007FF78F5B1000-memory.dmp	xmrig
behavioral2/memory/716-250-0x00007FF6602A0000-0x00007FF6605F1000-memory.dmp	xmrig
behavioral2/memory/4128-245-0x00007FF7404B0000-0x00007FF740801000-memory.dmp	xmrig
behavioral2/memory/1056-243-0x00007FF70D820000-0x00007FF70DB71000-memory.dmp	xmrig
behavioral2/memory/3536-241-0x00007FF6C8670000-0x00007FF6C89C1000-memory.dmp	xmrig
behavioral2/memory/4556-237-0x00007FF7DFA90000-0x00007FF7DFDE1000-memory.dmp	xmrig
behavioral2/memory/3956-236-0x00007FF701E60000-0x00007FF7021B1000-memory.dmp	xmrig
behavioral2/memory/1232-239-0x00007FF660F40000-0x00007FF661291000-memory.dmp	xmrig
behavioral2/memory/2092-252-0x00007FF6329E0000-0x00007FF632D31000-memory.dmp	xmrig
behavioral2/memory/2204-254-0x00007FF7C0D30000-0x00007FF7C1081000-memory.dmp	xmrig
behavioral2/memory/5096-255-0x00007FF637380000-0x00007FF6376D1000-memory.dmp	xmrig
behavioral2/memory/3972-258-0x00007FF736D00000-0x00007FF737051000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1544	VcSoHsJ.exe
1096	zbIdBEr.exe
1288	AjMLBcz.exe
2676	yNkgDBh.exe
4600	bFEcenU.exe
4564	SBKDpnF.exe
4944	JAkuYJY.exe
3960	EMJnCES.exe
5044	QAwWkrE.exe
4128	QGEXRSG.exe
1232	YhhlpVm.exe
3536	ielTaHn.exe
3972	BNzjSWy.exe
1080	aJaokbB.exe
1056	AOxjSkT.exe
3956	nOajwqb.exe
4556	myswdAq.exe
2092	fTfLxcu.exe
716	obpxlpd.exe
5096	OYgqrsf.exe
2204	OrGnVsl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3720-0-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	upx
behavioral2/files/0x0009000000023450-5.dat	upx
behavioral2/files/0x00070000000234b3-9.dat	upx
behavioral2/files/0x00070000000234b2-12.dat	upx
behavioral2/memory/1096-19-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp	upx
behavioral2/memory/1288-24-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-32.dat	upx
behavioral2/files/0x00070000000234b7-40.dat	upx
behavioral2/files/0x00070000000234ba-56.dat	upx
behavioral2/files/0x00070000000234bb-57.dat	upx
behavioral2/files/0x00070000000234b9-69.dat	upx
behavioral2/files/0x00070000000234c2-94.dat	upx
behavioral2/files/0x00070000000234c0-104.dat	upx
behavioral2/files/0x00070000000234c3-114.dat	upx
behavioral2/memory/3536-122-0x00007FF6C8670000-0x00007FF6C89C1000-memory.dmp	upx
behavioral2/memory/2204-126-0x00007FF7C0D30000-0x00007FF7C1081000-memory.dmp	upx
behavioral2/memory/5096-125-0x00007FF637380000-0x00007FF6376D1000-memory.dmp	upx
behavioral2/memory/716-124-0x00007FF6602A0000-0x00007FF6605F1000-memory.dmp	upx
behavioral2/memory/3956-123-0x00007FF701E60000-0x00007FF7021B1000-memory.dmp	upx
behavioral2/memory/4128-121-0x00007FF7404B0000-0x00007FF740801000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-119.dat	upx
behavioral2/files/0x00080000000234af-117.dat	upx
behavioral2/memory/3960-116-0x00007FF7A6B40000-0x00007FF7A6E91000-memory.dmp	upx
behavioral2/memory/2092-113-0x00007FF6329E0000-0x00007FF632D31000-memory.dmp	upx
behavioral2/memory/4556-112-0x00007FF7DFA90000-0x00007FF7DFDE1000-memory.dmp	upx
behavioral2/memory/1056-108-0x00007FF70D820000-0x00007FF70DB71000-memory.dmp	upx
behavioral2/files/0x00070000000234be-106.dat	upx
behavioral2/memory/1080-102-0x00007FF78F260000-0x00007FF78F5B1000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-100.dat	upx
behavioral2/memory/3972-97-0x00007FF736D00000-0x00007FF737051000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-92.dat	upx
behavioral2/files/0x00070000000234bc-87.dat	upx
behavioral2/memory/1232-78-0x00007FF660F40000-0x00007FF661291000-memory.dmp	upx
behavioral2/files/0x00070000000234bf-76.dat	upx
behavioral2/memory/5044-61-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp	upx
behavioral2/files/0x00070000000234b8-60.dat	upx
behavioral2/files/0x00070000000234b6-45.dat	upx
behavioral2/memory/4944-51-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp	upx
behavioral2/memory/4564-41-0x00007FF759470000-0x00007FF7597C1000-memory.dmp	upx
behavioral2/files/0x00070000000234b4-31.dat	upx
behavioral2/memory/4600-30-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp	upx
behavioral2/memory/2676-29-0x00007FF667200000-0x00007FF667551000-memory.dmp	upx
behavioral2/memory/1544-10-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	upx
behavioral2/memory/1544-129-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	upx
behavioral2/memory/1288-131-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp	upx
behavioral2/memory/1096-130-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp	upx
behavioral2/memory/3720-128-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	upx
behavioral2/memory/1080-142-0x00007FF78F260000-0x00007FF78F5B1000-memory.dmp	upx
behavioral2/memory/5044-137-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp	upx
behavioral2/memory/4944-135-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp	upx
behavioral2/memory/4600-134-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp	upx
behavioral2/memory/3972-141-0x00007FF736D00000-0x00007FF737051000-memory.dmp	upx
behavioral2/memory/1232-139-0x00007FF660F40000-0x00007FF661291000-memory.dmp	upx
behavioral2/memory/2676-132-0x00007FF667200000-0x00007FF667551000-memory.dmp	upx
behavioral2/memory/3720-150-0x00007FF6950B0000-0x00007FF695401000-memory.dmp	upx
behavioral2/memory/1544-210-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp	upx
behavioral2/memory/1096-212-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp	upx
behavioral2/memory/1288-214-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp	upx
behavioral2/memory/2676-218-0x00007FF667200000-0x00007FF667551000-memory.dmp	upx
behavioral2/memory/4564-217-0x00007FF759470000-0x00007FF7597C1000-memory.dmp	upx
behavioral2/memory/4600-228-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp	upx
behavioral2/memory/4944-229-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp	upx
behavioral2/memory/3960-233-0x00007FF7A6B40000-0x00007FF7A6E91000-memory.dmp	upx
behavioral2/memory/5044-231-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\obpxlpd.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OYgqrsf.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JAkuYJY.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aJaokbB.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SBKDpnF.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nOajwqb.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zbIdBEr.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yNkgDBh.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QGEXRSG.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YhhlpVm.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BNzjSWy.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\myswdAq.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fTfLxcu.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AjMLBcz.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QAwWkrE.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EMJnCES.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ielTaHn.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AOxjSkT.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrGnVsl.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VcSoHsJ.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bFEcenU.exe	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1544	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3720 wrote to memory of 1544	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3720 wrote to memory of 1096	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3720 wrote to memory of 1096	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3720 wrote to memory of 1288	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3720 wrote to memory of 1288	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3720 wrote to memory of 2676	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3720 wrote to memory of 2676	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3720 wrote to memory of 4564	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3720 wrote to memory of 4564	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3720 wrote to memory of 4600	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3720 wrote to memory of 4600	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3720 wrote to memory of 4944	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3720 wrote to memory of 4944	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3720 wrote to memory of 3960	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3720 wrote to memory of 3960	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3720 wrote to memory of 5044	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3720 wrote to memory of 5044	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3720 wrote to memory of 4128	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3720 wrote to memory of 4128	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3720 wrote to memory of 1232	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3720 wrote to memory of 1232	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3720 wrote to memory of 3536	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3720 wrote to memory of 3536	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3720 wrote to memory of 3972	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3720 wrote to memory of 3972	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3720 wrote to memory of 1080	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3720 wrote to memory of 1080	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3720 wrote to memory of 1056	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3720 wrote to memory of 1056	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3720 wrote to memory of 3956	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3720 wrote to memory of 3956	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3720 wrote to memory of 4556	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3720 wrote to memory of 4556	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3720 wrote to memory of 2092	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3720 wrote to memory of 2092	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3720 wrote to memory of 716	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3720 wrote to memory of 716	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3720 wrote to memory of 2204	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3720 wrote to memory of 2204	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3720 wrote to memory of 5096	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3720 wrote to memory of 5096	3720	2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_e32e6111edbb32968583b1b59aa64fb2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System\VcSoHsJ.exe
  C:\Windows\System\VcSoHsJ.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\zbIdBEr.exe
  C:\Windows\System\zbIdBEr.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\AjMLBcz.exe
  C:\Windows\System\AjMLBcz.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\yNkgDBh.exe
  C:\Windows\System\yNkgDBh.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\SBKDpnF.exe
  C:\Windows\System\SBKDpnF.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\bFEcenU.exe
  C:\Windows\System\bFEcenU.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\JAkuYJY.exe
  C:\Windows\System\JAkuYJY.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\EMJnCES.exe
  C:\Windows\System\EMJnCES.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\QAwWkrE.exe
  C:\Windows\System\QAwWkrE.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\QGEXRSG.exe
  C:\Windows\System\QGEXRSG.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\YhhlpVm.exe
  C:\Windows\System\YhhlpVm.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\ielTaHn.exe
  C:\Windows\System\ielTaHn.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\BNzjSWy.exe
  C:\Windows\System\BNzjSWy.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\aJaokbB.exe
  C:\Windows\System\aJaokbB.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\AOxjSkT.exe
  C:\Windows\System\AOxjSkT.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\nOajwqb.exe
  C:\Windows\System\nOajwqb.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\myswdAq.exe
  C:\Windows\System\myswdAq.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\fTfLxcu.exe
  C:\Windows\System\fTfLxcu.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\obpxlpd.exe
  C:\Windows\System\obpxlpd.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\OrGnVsl.exe
  C:\Windows\System\OrGnVsl.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\OYgqrsf.exe
  C:\Windows\System\OYgqrsf.exe
  2⤵
  - Executes dropped EXE
  PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AOxjSkT.exe

Filesize
5.2MB

MD5
10b14638a8899b643a201fa1959d15c6

SHA1
cadfd66f0273d25ed32a6cc8d2185a9843b1a9fe

SHA256
daab582853630c8ec55b87c0171e1f31ec80cd8d1e9490886e0e2ac63e778807

SHA512
8afab6f274197fe6fd9112fe2f30ffe05cd9016c0d71433a284942ec2a38a67574020e01288eb4e55080ad5462820cd97deac9607454e197342cfbafcc382e05

Download Submit
C:\Windows\System\AjMLBcz.exe

Filesize
5.2MB

MD5
7131e6a41323a0a473230d4ea5d05dd5

SHA1
fdcc63e7e257aa00f8c4820b16dd5fd96ed37aa1

SHA256
5a74c69cd362d234396e89c9ebe9a0e764c004688bbf0b8b9af2bf46591380fd

SHA512
8e61e02291293e3d8ec0fe2368a5e0273c5b3657720f659286835ad963f956110c69e062d266d09ba10ddc7e7e48e1129f01fe4b590be27e2f943fbe976145f0

Download Submit
C:\Windows\System\BNzjSWy.exe

Filesize
5.2MB

MD5
f20453f760ca124134f1d9c07966bf05

SHA1
45062caa83b76e8a530eb4ea0c7f00bc185444a5

SHA256
078634b4bba0fefd778f6c874edb1484fe89bdfd78bd53e7e2b43e979c935b3e

SHA512
7681b6c37674f2ce09dce5d58a98be0e2717f6e97831533b90cb2f1b64cd98159a7b13bf9763697a8b151fe6de9473db7b25b60371e704fa82115627b9584a56

Download Submit
C:\Windows\System\EMJnCES.exe

Filesize
5.2MB

MD5
46f6f76aa34529a2dabf2134ca68fcf6

SHA1
e7b2e6130200ea37a45b342fcc999c8297be78bd

SHA256
85e6af13d8a11713412b85e82a1af3425d00dec770c2ff829f2ebc0da625b4e7

SHA512
a0dca458efce79e6bd2a692e83bba00fb8d722598438391d4acb0140e8875bf21284447667b01241c28d3d0a119a4301aee5007136e7008bd208724e9979888e

Download Submit
C:\Windows\System\JAkuYJY.exe

Filesize
5.2MB

MD5
68e906da667ae0fc229a559a5971632a

SHA1
eb8f8295567e502cd411cf2167d2e03ef271e458

SHA256
7c085793a5f4ccb972e230d5b8406e3f2cb034ede14f18ba486c160dae828c48

SHA512
37db3c768a7081aa4148fda21bed1b25be8c7d897e5957c361627a92629d061df719657017896fbf441ebaee9e2378065c2068f1357119fd2710a4bef60c6c33

Download Submit
C:\Windows\System\OYgqrsf.exe

Filesize
5.2MB

MD5
9aad69412a6b5c3199fe65f17108e73e

SHA1
83bd58612824ace30bb10dbceb1b7ebd48d29108

SHA256
303b8b4f9d0441f88d6313f30ab026f2b1367735202e818afb52d58a0320c7fc

SHA512
cbb29222543734e492d4e71bc60eefc8500dbd0cc6b0a766047c9f9e96f5e2990370e6241680f9bb56cdd4e3ef16fbd73811a5a05ad844de09f4adba22744e1b

Download Submit
C:\Windows\System\OrGnVsl.exe

Filesize
5.2MB

MD5
b335d764ea7ffba0b85457ba21dc292f

SHA1
a1c5055c09b53138ba7478c27430261bdef536c8

SHA256
252dd2e7b273346407d83d92c5cd7c9d7dc4a77a6496130357f10962bd5c95bc

SHA512
5e28634246223da75afdf1587e4690ad0ff2cbb62b3f51cac050dbecf85d8ef897dd180ecb8f00a486acbb549959d76c0fa241c8ae3148df1d52f8df5d4756a6

Download Submit
C:\Windows\System\QAwWkrE.exe

Filesize
5.2MB

MD5
610ac86356c4f7fa17f9590cd90e5d51

SHA1
1f175ae5385a56301d6e554eab845e5727d068e3

SHA256
de970dc0ae5df5a9656c5540edea4dabd255f6b99368944b1b31fb52c8bef0f8

SHA512
d8e703d00b25abe1456b8ac780cd0b13468a93877d7c296358248a852f30202aefde7a9c9522744eaf907eb7092f9fef8b97003f4f67fea4211e31243bb52f8a

Download Submit
C:\Windows\System\QGEXRSG.exe

Filesize
5.2MB

MD5
3cc9e4634821080921b5a10adc826c7e

SHA1
b3f57c42ea0d0e157229facd8ffa0b5ccb46f93e

SHA256
906b83bd005968bca89fead0209251d330c263d1a4815689b45fdf3e4318e5f4

SHA512
413a6cff54366815bb209a02e7cd7b07ccdb40b4fa27b79ff4908688a8dd1fcc02cb38332144c9c89be7cd35f769e1f887573748792fc2178301a7d17e68d19f

Download Submit
C:\Windows\System\SBKDpnF.exe

Filesize
5.2MB

MD5
4dd089209e36fffa887a65df95de7699

SHA1
1ac5a92a81f1e220c05675d811bc0464ad1680e4

SHA256
f032aaf7d63b1f17071d91df876a8d587aab5bff2c2af31a84689399ac4222ff

SHA512
2d0a1cbef0ad63aa94fef79c84074bd19bebba3c575e435a12e0c15a56c5c7a4cb86e26dd7d01848d751d7ebd0ab0da8bdb0ff17a54f19dcf71b68a9ddd95a41

Download Submit
C:\Windows\System\VcSoHsJ.exe

Filesize
5.2MB

MD5
0475f4dcf19a57fb89ad3eddac8e95c4

SHA1
c0714ed81730d9c3ebcab66a0f43b0bf5bc1b1d3

SHA256
7b4df38f205e9f86c13256d705ef764de954eed17df69e9c0d79b50f054ab6a2

SHA512
0955840e1fc4e9803f27dd018de72c66652e51616709781fb9d159e9ecfc8fb2e2836fdbaedbd51f875192ded534d3d9b56a1491ee6bac86545da89df35672f2

Download Submit
C:\Windows\System\YhhlpVm.exe

Filesize
5.2MB

MD5
d0ee416ea28532b6e96c8a48c1a1bc16

SHA1
de8051160ec842d7d4405d2b9ce4fa0f7208a413

SHA256
4c101dff48ea6f73495a1e1acdad6d09a9e8e38f8b4d43915443331b19624c6e

SHA512
939b16b702cb82fbc037d5f908d232de0e81bdde4b609ea9d9a0de682e93fb3fbc83a0774aac3852c71608b77a6c32bbfda4eec474a3c71c678bfd4a591c936d

Download Submit
C:\Windows\System\aJaokbB.exe

Filesize
5.2MB

MD5
746340314a7f2a5bd0cca3f9f668b77b

SHA1
91a84897a9f96a6cf395bf94412e013f26c71bfd

SHA256
20e6fffad33f06ed788b717fa25c634052e0480c48ae56cda62a477f704414cd

SHA512
dab584fc05afa5984ea660249846fde683e5d3667118aaf1d07bf58807abdc3319a4dcbf4c1e9f63216fe9ce94da3baea1e5f0ff8b59041d69492b5593c9833b

Download Submit
C:\Windows\System\bFEcenU.exe

Filesize
5.2MB

MD5
d093c43dbb130fded2154b5632f6d923

SHA1
732e99ba9b902b5e0f8de0767a4a35a45de593fa

SHA256
9e7b08e8f5c461583ec79ac885ef65bfeff4a6fb8e54d5becfd7c925611807eb

SHA512
a8731174fee420313fffc0878ef9e754a90f98e24f80d0738daf710fa9965172fbcf744d9ba3a81876c92e0d366a2cf95e3d33c443becc0bf2ba3063bafde4fb

Download Submit
C:\Windows\System\fTfLxcu.exe

Filesize
5.2MB

MD5
25f69e23727edc45deed877f7c335c9d

SHA1
e52a5138b849d7f592b1c28929c50234d5ce66d7

SHA256
7b4b2d3d91d14a0aa7652a0471aabce21b45628cdd96c4ddad1aecf9bde01bec

SHA512
4d874489bffa94006be90ce7b5ecc9e371be523cce81ecb129db49c6a3881587ac852f8418408584d062b27d6bea7851fba0c5e04b6b29ab48b618d39bb085ab

Download Submit
C:\Windows\System\ielTaHn.exe

Filesize
5.2MB

MD5
f3ac822651556c2b37616b22cc6bbcee

SHA1
10cf72ccebcf82e9d8f29cec5e9f019348cc455a

SHA256
ed191b4ff68eb2a59c86cad813a84cb60a35d398d7dd43b972885ecd96bc1589

SHA512
de47f1444d940dacde410849bab04317b559fb2781a5555d90fba5a9557fda5470935cfe652d638f2c811f810c3bef7667e590559b0082b037f7f4c02c8b75fd

Download Submit
C:\Windows\System\myswdAq.exe

Filesize
5.2MB

MD5
72c72f7b59e616996654dc5b9a5d0f14

SHA1
20af8e13518d262bb8a348868c42ae42dc7afaf8

SHA256
ebdd087ddde6a9f06f893165a9e2c48b680be3459be10f1836b7652c665b99a8

SHA512
fe2f7dcbb56be522595f184f3410070e98e0ead39b2ff36e191175fd62c9848c91c566f269133c6e46a96f58311b2fb5c2f1bd74aeaf5ccb544fc2f8728c477f

Download Submit
C:\Windows\System\nOajwqb.exe

Filesize
5.2MB

MD5
a1c43b2d36544b97ce6c8852f7a95b41

SHA1
e8bcced5880860a0c92947246f3dea814f22ab2c

SHA256
5687b117d32234eb3e2fa6ef10621119bb094ee4b753f8180bfed20aa79ff905

SHA512
8ee05bb5c396fe730af7d30e9638786ee85c3d1cde3b6a17ce7d8402da3526d377719ccf672c6bdcf5dffb114c05b7133a02edb151027678b5afbbc012573c0c

Download Submit
C:\Windows\System\obpxlpd.exe

Filesize
5.2MB

MD5
1e2a4ec7a5387e185f079fecb2567cb9

SHA1
7e5c7782b3cfb396606055b576079fc11a998b89

SHA256
04739db78d6b63af6234a42f83b3abacc0eeb6adcebc0be41372a98821a092d0

SHA512
eee7594349dbabf7c2d00d26a8f9c6553acf4a3a26f51b1c1befc014d0b5b379ea26543687b731b45bf83a2335b45f7fc6dc98c8c0dc58165c843d1bc04e55e5

Download Submit
C:\Windows\System\yNkgDBh.exe

Filesize
5.2MB

MD5
e9394b63dad7c3a94b19f0950e7ebd86

SHA1
076b9629129507b395e480e7067520fb84ae9b9a

SHA256
ad39ee5a4f503c823676414d579c803b22a7900b02c42b82a5cb525ce5a8234d

SHA512
8c2fa0d7e70a72eee3e8dd83c4a367c2e2e5e0695470001544739e77a70274682848fda9a4948ea2c573d4ecadee4bf46ffe78f23fa47d2ab1fa62e0301c43a3

Download Submit
C:\Windows\System\zbIdBEr.exe

Filesize
5.2MB

MD5
59fc965bc7d498c6139324e373efdcce

SHA1
8deef2caaccb05977c14f77cc3f3d89a94b54653

SHA256
63a32f8161a0dc9a07343dde058cf94738a7bdbb7f3c11146d82b5531e7544c8

SHA512
d23b292de720fee0224b4740b4c7af3eee7229a6bf8ec924948bc7c032ef3815aaae98af8b4cbb47ec4b5edfc3d1bd2867550310c4d6680e8807f6b89a2a0215

Download Submit
memory/716-250-0x00007FF6602A0000-0x00007FF6605F1000-memory.dmp

Filesize
3.3MB

Download
memory/716-124-0x00007FF6602A0000-0x00007FF6605F1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-108-0x00007FF70D820000-0x00007FF70DB71000-memory.dmp

Filesize
3.3MB

Download
memory/1056-243-0x00007FF70D820000-0x00007FF70DB71000-memory.dmp

Filesize
3.3MB

Download
memory/1080-102-0x00007FF78F260000-0x00007FF78F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/1080-142-0x00007FF78F260000-0x00007FF78F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/1080-247-0x00007FF78F260000-0x00007FF78F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/1096-19-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp

Filesize
3.3MB

Download
memory/1096-212-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp

Filesize
3.3MB

Download
memory/1096-130-0x00007FF68CE00000-0x00007FF68D151000-memory.dmp

Filesize
3.3MB

Download
memory/1232-139-0x00007FF660F40000-0x00007FF661291000-memory.dmp

Filesize
3.3MB

Download
memory/1232-239-0x00007FF660F40000-0x00007FF661291000-memory.dmp

Filesize
3.3MB

Download
memory/1232-78-0x00007FF660F40000-0x00007FF661291000-memory.dmp

Filesize
3.3MB

Download
memory/1288-131-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp

Filesize
3.3MB

Download
memory/1288-24-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp

Filesize
3.3MB

Download
memory/1288-214-0x00007FF63B8B0000-0x00007FF63BC01000-memory.dmp

Filesize
3.3MB

Download
memory/1544-129-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1544-210-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1544-10-0x00007FF7A2950000-0x00007FF7A2CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2092-252-0x00007FF6329E0000-0x00007FF632D31000-memory.dmp

Filesize
3.3MB

Download
memory/2092-113-0x00007FF6329E0000-0x00007FF632D31000-memory.dmp

Filesize
3.3MB

Download
memory/2204-126-0x00007FF7C0D30000-0x00007FF7C1081000-memory.dmp

Filesize
3.3MB

Download
memory/2204-254-0x00007FF7C0D30000-0x00007FF7C1081000-memory.dmp

Filesize
3.3MB

Download
memory/2676-218-0x00007FF667200000-0x00007FF667551000-memory.dmp

Filesize
3.3MB

Download
memory/2676-29-0x00007FF667200000-0x00007FF667551000-memory.dmp

Filesize
3.3MB

Download
memory/2676-132-0x00007FF667200000-0x00007FF667551000-memory.dmp

Filesize
3.3MB

Download
memory/3536-241-0x00007FF6C8670000-0x00007FF6C89C1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-122-0x00007FF6C8670000-0x00007FF6C89C1000-memory.dmp

Filesize
3.3MB

Download
memory/3720-0-0x00007FF6950B0000-0x00007FF695401000-memory.dmp

Filesize
3.3MB

Download
memory/3720-128-0x00007FF6950B0000-0x00007FF695401000-memory.dmp

Filesize
3.3MB

Download
memory/3720-1-0x00000213B8820000-0x00000213B8830000-memory.dmp

Filesize
64KB

Download
memory/3720-150-0x00007FF6950B0000-0x00007FF695401000-memory.dmp

Filesize
3.3MB

Download
memory/3956-123-0x00007FF701E60000-0x00007FF7021B1000-memory.dmp

Filesize
3.3MB

Download
memory/3956-236-0x00007FF701E60000-0x00007FF7021B1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-116-0x00007FF7A6B40000-0x00007FF7A6E91000-memory.dmp

Filesize
3.3MB

Download
memory/3960-233-0x00007FF7A6B40000-0x00007FF7A6E91000-memory.dmp

Filesize
3.3MB

Download
memory/3972-258-0x00007FF736D00000-0x00007FF737051000-memory.dmp

Filesize
3.3MB

Download
memory/3972-141-0x00007FF736D00000-0x00007FF737051000-memory.dmp

Filesize
3.3MB

Download
memory/3972-97-0x00007FF736D00000-0x00007FF737051000-memory.dmp

Filesize
3.3MB

Download
memory/4128-245-0x00007FF7404B0000-0x00007FF740801000-memory.dmp

Filesize
3.3MB

Download
memory/4128-121-0x00007FF7404B0000-0x00007FF740801000-memory.dmp

Filesize
3.3MB

Download
memory/4556-237-0x00007FF7DFA90000-0x00007FF7DFDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-112-0x00007FF7DFA90000-0x00007FF7DFDE1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-41-0x00007FF759470000-0x00007FF7597C1000-memory.dmp

Filesize
3.3MB

Download
memory/4564-217-0x00007FF759470000-0x00007FF7597C1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-228-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-30-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-134-0x00007FF75D680000-0x00007FF75D9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4944-51-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp

Filesize
3.3MB

Download
memory/4944-229-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp

Filesize
3.3MB

Download
memory/4944-135-0x00007FF6898E0000-0x00007FF689C31000-memory.dmp

Filesize
3.3MB

Download
memory/5044-61-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp

Filesize
3.3MB

Download
memory/5044-231-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp

Filesize
3.3MB

Download
memory/5044-137-0x00007FF67B930000-0x00007FF67BC81000-memory.dmp

Filesize
3.3MB

Download
memory/5096-125-0x00007FF637380000-0x00007FF6376D1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-255-0x00007FF637380000-0x00007FF6376D1000-memory.dmp

Filesize
3.3MB

Download