cobaltstrike | 6a00e53e100e655065599860e712560d3398058bd10c306e2a0c3cb57dfbdc05

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

536ff31738e85fbd02e84535ab98df14
SHA1

ca4ce3d547e981e0c3b3256e16fa685da186c67e
SHA256

6a00e53e100e655065599860e712560d3398058bd10c306e2a0c3cb57dfbdc05
SHA512

fbb7ebf6281708a4fcc195990624a32203fc72ba9487c1f17964806122f096e8f42f4230d8b74fd2eff25f703d1e33e4935fb848f3df97976af43f7c46418e23
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002341f-6.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023479-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-117.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002347a-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-103.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-44.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2488-96-0x00007FF7C1F30000-0x00007FF7C2281000-memory.dmp	xmrig
behavioral2/memory/4172-125-0x00007FF630C30000-0x00007FF630F81000-memory.dmp	xmrig
behavioral2/memory/4088-126-0x00007FF72B280000-0x00007FF72B5D1000-memory.dmp	xmrig
behavioral2/memory/4872-124-0x00007FF688230000-0x00007FF688581000-memory.dmp	xmrig
behavioral2/memory/4396-123-0x00007FF7E8200000-0x00007FF7E8551000-memory.dmp	xmrig
behavioral2/memory/2716-122-0x00007FF6B5F20000-0x00007FF6B6271000-memory.dmp	xmrig
behavioral2/memory/4968-121-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp	xmrig
behavioral2/memory/2580-120-0x00007FF7892C0000-0x00007FF789611000-memory.dmp	xmrig
behavioral2/memory/3588-110-0x00007FF6F03F0000-0x00007FF6F0741000-memory.dmp	xmrig
behavioral2/memory/2088-81-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp	xmrig
behavioral2/memory/4908-80-0x00007FF709E70000-0x00007FF70A1C1000-memory.dmp	xmrig
behavioral2/memory/3568-134-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp	xmrig
behavioral2/memory/1776-135-0x00007FF7814B0000-0x00007FF781801000-memory.dmp	xmrig
behavioral2/memory/4972-133-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp	xmrig
behavioral2/memory/1932-130-0x00007FF655880000-0x00007FF655BD1000-memory.dmp	xmrig
behavioral2/memory/3864-129-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp	xmrig
behavioral2/memory/2012-128-0x00007FF605FF0000-0x00007FF606341000-memory.dmp	xmrig
behavioral2/memory/2060-131-0x00007FF71C520000-0x00007FF71C871000-memory.dmp	xmrig
behavioral2/memory/4928-142-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp	xmrig
behavioral2/memory/3304-143-0x00007FF6FD630000-0x00007FF6FD981000-memory.dmp	xmrig
behavioral2/memory/3424-148-0x00007FF7B4E70000-0x00007FF7B51C1000-memory.dmp	xmrig
behavioral2/memory/316-146-0x00007FF7CC9E0000-0x00007FF7CCD31000-memory.dmp	xmrig
behavioral2/memory/2012-150-0x00007FF605FF0000-0x00007FF606341000-memory.dmp	xmrig
behavioral2/memory/2012-151-0x00007FF605FF0000-0x00007FF606341000-memory.dmp	xmrig
behavioral2/memory/3864-201-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp	xmrig
behavioral2/memory/1932-221-0x00007FF655880000-0x00007FF655BD1000-memory.dmp	xmrig
behavioral2/memory/4968-222-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp	xmrig
behavioral2/memory/2060-224-0x00007FF71C520000-0x00007FF71C871000-memory.dmp	xmrig
behavioral2/memory/4972-226-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp	xmrig
behavioral2/memory/1776-228-0x00007FF7814B0000-0x00007FF781801000-memory.dmp	xmrig
behavioral2/memory/3568-230-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp	xmrig
behavioral2/memory/2716-232-0x00007FF6B5F20000-0x00007FF6B6271000-memory.dmp	xmrig
behavioral2/memory/4908-234-0x00007FF709E70000-0x00007FF70A1C1000-memory.dmp	xmrig
behavioral2/memory/2488-238-0x00007FF7C1F30000-0x00007FF7C2281000-memory.dmp	xmrig
behavioral2/memory/4396-240-0x00007FF7E8200000-0x00007FF7E8551000-memory.dmp	xmrig
behavioral2/memory/4872-242-0x00007FF688230000-0x00007FF688581000-memory.dmp	xmrig
behavioral2/memory/2088-237-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp	xmrig
behavioral2/memory/3304-246-0x00007FF6FD630000-0x00007FF6FD981000-memory.dmp	xmrig
behavioral2/memory/4172-244-0x00007FF630C30000-0x00007FF630F81000-memory.dmp	xmrig
behavioral2/memory/4928-248-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp	xmrig
behavioral2/memory/3588-250-0x00007FF6F03F0000-0x00007FF6F0741000-memory.dmp	xmrig
behavioral2/memory/3424-255-0x00007FF7B4E70000-0x00007FF7B51C1000-memory.dmp	xmrig
behavioral2/memory/4088-256-0x00007FF72B280000-0x00007FF72B5D1000-memory.dmp	xmrig
behavioral2/memory/2580-253-0x00007FF7892C0000-0x00007FF789611000-memory.dmp	xmrig
behavioral2/memory/316-258-0x00007FF7CC9E0000-0x00007FF7CCD31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3864	bVApCKG.exe
1932	zQTxgYV.exe
2060	rQLgChH.exe
4968	oeIJuHl.exe
4972	TvONKDj.exe
3568	VuPWEfU.exe
2716	kNzbEEO.exe
1776	WbHKtoS.exe
4908	CKQFSLB.exe
2088	WsCteVP.exe
4396	leZGZLB.exe
2488	tABLskU.exe
4872	GSRRRzL.exe
4928	DEKYPpC.exe
3304	pvAQvVw.exe
4172	sNZSCQz.exe
3588	PjiRQFH.exe
316	rIIHlZc.exe
4088	PcHGNWR.exe
3424	oAFjlJq.exe
2580	wIcdomn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2012-0-0x00007FF605FF0000-0x00007FF606341000-memory.dmp	upx
behavioral2/files/0x000900000002341f-6.dat	upx
behavioral2/memory/3864-7-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp	upx
behavioral2/files/0x000700000002347e-10.dat	upx
behavioral2/files/0x0008000000023479-11.dat	upx
behavioral2/files/0x000700000002347f-22.dat	upx
behavioral2/memory/2060-32-0x00007FF71C520000-0x00007FF71C871000-memory.dmp	upx
behavioral2/files/0x0007000000023480-40.dat	upx
behavioral2/files/0x0007000000023484-47.dat	upx
behavioral2/files/0x0007000000023482-51.dat	upx
behavioral2/files/0x0007000000023485-61.dat	upx
behavioral2/files/0x0007000000023489-74.dat	upx
behavioral2/memory/2488-96-0x00007FF7C1F30000-0x00007FF7C2281000-memory.dmp	upx
behavioral2/files/0x000700000002348c-107.dat	upx
behavioral2/files/0x000700000002348e-112.dat	upx
behavioral2/memory/3424-119-0x00007FF7B4E70000-0x00007FF7B51C1000-memory.dmp	upx
behavioral2/memory/4172-125-0x00007FF630C30000-0x00007FF630F81000-memory.dmp	upx
behavioral2/memory/4088-126-0x00007FF72B280000-0x00007FF72B5D1000-memory.dmp	upx
behavioral2/memory/4872-124-0x00007FF688230000-0x00007FF688581000-memory.dmp	upx
behavioral2/memory/4396-123-0x00007FF7E8200000-0x00007FF7E8551000-memory.dmp	upx
behavioral2/memory/2716-122-0x00007FF6B5F20000-0x00007FF6B6271000-memory.dmp	upx
behavioral2/memory/4968-121-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp	upx
behavioral2/memory/2580-120-0x00007FF7892C0000-0x00007FF789611000-memory.dmp	upx
behavioral2/files/0x000700000002348f-117.dat	upx
behavioral2/files/0x000800000002347a-114.dat	upx
behavioral2/memory/316-113-0x00007FF7CC9E0000-0x00007FF7CCD31000-memory.dmp	upx
behavioral2/files/0x000700000002348d-111.dat	upx
behavioral2/memory/3588-110-0x00007FF6F03F0000-0x00007FF6F0741000-memory.dmp	upx
behavioral2/memory/3304-109-0x00007FF6FD630000-0x00007FF6FD981000-memory.dmp	upx
behavioral2/files/0x000700000002348a-103.dat	upx
behavioral2/memory/4928-97-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp	upx
behavioral2/files/0x000700000002348b-90.dat	upx
behavioral2/files/0x0007000000023488-87.dat	upx
behavioral2/files/0x0007000000023486-84.dat	upx
behavioral2/memory/2088-81-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp	upx
behavioral2/memory/4908-80-0x00007FF709E70000-0x00007FF70A1C1000-memory.dmp	upx
behavioral2/memory/1776-67-0x00007FF7814B0000-0x00007FF781801000-memory.dmp	upx
behavioral2/files/0x0007000000023487-65.dat	upx
behavioral2/memory/3568-52-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp	upx
behavioral2/files/0x0007000000023483-50.dat	upx
behavioral2/files/0x0007000000023481-44.dat	upx
behavioral2/memory/4972-36-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp	upx
behavioral2/memory/1932-14-0x00007FF655880000-0x00007FF655BD1000-memory.dmp	upx
behavioral2/memory/3568-134-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp	upx
behavioral2/memory/1776-135-0x00007FF7814B0000-0x00007FF781801000-memory.dmp	upx
behavioral2/memory/4972-133-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp	upx
behavioral2/memory/1932-130-0x00007FF655880000-0x00007FF655BD1000-memory.dmp	upx
behavioral2/memory/3864-129-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp	upx
behavioral2/memory/2012-128-0x00007FF605FF0000-0x00007FF606341000-memory.dmp	upx
behavioral2/memory/2060-131-0x00007FF71C520000-0x00007FF71C871000-memory.dmp	upx
behavioral2/memory/4928-142-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp	upx
behavioral2/memory/3304-143-0x00007FF6FD630000-0x00007FF6FD981000-memory.dmp	upx
behavioral2/memory/3424-148-0x00007FF7B4E70000-0x00007FF7B51C1000-memory.dmp	upx
behavioral2/memory/316-146-0x00007FF7CC9E0000-0x00007FF7CCD31000-memory.dmp	upx
behavioral2/memory/2012-150-0x00007FF605FF0000-0x00007FF606341000-memory.dmp	upx
behavioral2/memory/2012-151-0x00007FF605FF0000-0x00007FF606341000-memory.dmp	upx
behavioral2/memory/3864-201-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp	upx
behavioral2/memory/1932-221-0x00007FF655880000-0x00007FF655BD1000-memory.dmp	upx
behavioral2/memory/4968-222-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp	upx
behavioral2/memory/2060-224-0x00007FF71C520000-0x00007FF71C871000-memory.dmp	upx
behavioral2/memory/4972-226-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp	upx
behavioral2/memory/1776-228-0x00007FF7814B0000-0x00007FF781801000-memory.dmp	upx
behavioral2/memory/3568-230-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp	upx
behavioral2/memory/2716-232-0x00007FF6B5F20000-0x00007FF6B6271000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bVApCKG.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DEKYPpC.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pvAQvVw.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rIIHlZc.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PcHGNWR.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oAFjlJq.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wIcdomn.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TvONKDj.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WsCteVP.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oeIJuHl.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKQFSLB.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leZGZLB.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tABLskU.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNZSCQz.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjiRQFH.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zQTxgYV.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rQLgChH.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kNzbEEO.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GSRRRzL.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VuPWEfU.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WbHKtoS.exe	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 3864	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2012 wrote to memory of 3864	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2012 wrote to memory of 1932	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2012 wrote to memory of 1932	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2012 wrote to memory of 2060	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2012 wrote to memory of 2060	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2012 wrote to memory of 4968	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2012 wrote to memory of 4968	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2012 wrote to memory of 4972	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2012 wrote to memory of 4972	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2012 wrote to memory of 3568	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2012 wrote to memory of 3568	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2012 wrote to memory of 1776	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2012 wrote to memory of 1776	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2012 wrote to memory of 2716	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2012 wrote to memory of 2716	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2012 wrote to memory of 2088	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2012 wrote to memory of 2088	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2012 wrote to memory of 4908	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2012 wrote to memory of 4908	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2012 wrote to memory of 4396	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2012 wrote to memory of 4396	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2012 wrote to memory of 2488	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2012 wrote to memory of 2488	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2012 wrote to memory of 4872	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2012 wrote to memory of 4872	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2012 wrote to memory of 4928	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2012 wrote to memory of 4928	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2012 wrote to memory of 3304	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2012 wrote to memory of 3304	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2012 wrote to memory of 4172	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2012 wrote to memory of 4172	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2012 wrote to memory of 3588	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2012 wrote to memory of 3588	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2012 wrote to memory of 316	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2012 wrote to memory of 316	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2012 wrote to memory of 4088	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2012 wrote to memory of 4088	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2012 wrote to memory of 3424	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2012 wrote to memory of 3424	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2012 wrote to memory of 2580	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2012 wrote to memory of 2580	2012	2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_536ff31738e85fbd02e84535ab98df14_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System\bVApCKG.exe
  C:\Windows\System\bVApCKG.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\zQTxgYV.exe
  C:\Windows\System\zQTxgYV.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\rQLgChH.exe
  C:\Windows\System\rQLgChH.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\oeIJuHl.exe
  C:\Windows\System\oeIJuHl.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\TvONKDj.exe
  C:\Windows\System\TvONKDj.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\VuPWEfU.exe
  C:\Windows\System\VuPWEfU.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\WbHKtoS.exe
  C:\Windows\System\WbHKtoS.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\kNzbEEO.exe
  C:\Windows\System\kNzbEEO.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\WsCteVP.exe
  C:\Windows\System\WsCteVP.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\CKQFSLB.exe
  C:\Windows\System\CKQFSLB.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\leZGZLB.exe
  C:\Windows\System\leZGZLB.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\tABLskU.exe
  C:\Windows\System\tABLskU.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\GSRRRzL.exe
  C:\Windows\System\GSRRRzL.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\DEKYPpC.exe
  C:\Windows\System\DEKYPpC.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\pvAQvVw.exe
  C:\Windows\System\pvAQvVw.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\sNZSCQz.exe
  C:\Windows\System\sNZSCQz.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\PjiRQFH.exe
  C:\Windows\System\PjiRQFH.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\rIIHlZc.exe
  C:\Windows\System\rIIHlZc.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\PcHGNWR.exe
  C:\Windows\System\PcHGNWR.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\oAFjlJq.exe
  C:\Windows\System\oAFjlJq.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\wIcdomn.exe
  C:\Windows\System\wIcdomn.exe
  2⤵
  - Executes dropped EXE
  PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CKQFSLB.exe

Filesize
5.2MB

MD5
21a10744641fce96c1bb839c1bb68914

SHA1
e0de15f635a432bd4078ae73cad2a0256a514df9

SHA256
f64806fe5a9ddf174097362cfc4c4446e2ce331df39c6aa731113255edddff4d

SHA512
598a42ea452ac3393cbbc9c5609fe03e50106a80848380a9648e0b601a3d44aca5343751cab48c5558b7936623e9a4f5a9cb83d70b29cb3d24e3aaf3bd6fe282

Download Submit
C:\Windows\System\DEKYPpC.exe

Filesize
5.2MB

MD5
e166343765c2c5a4690e4eb4bf9ae5b1

SHA1
997a7378709a7d273a13707c76f6d07432b57fda

SHA256
3dcdfe45b0ade0324502325bac5f1d465d6e2dba16e426bfde01bcef55fcfaf7

SHA512
100f27b3dc4beaf32faad46a2ead06cdd4d3490756604fce34b915f81e68781e8de134bfc7ec9a790b7655c79b2e4a389a9d41dd9d00381a67ba8a645a1f646a

Download Submit
C:\Windows\System\GSRRRzL.exe

Filesize
5.2MB

MD5
2e8d2d5a42c5a52673b5e400593d3f2b

SHA1
e7c9f0a6b80f834180dde989f2bf990c8e866b6f

SHA256
34a93b4f193d57cf069f939e95352f1e3091647b2b5f5b801214dc1abf35f968

SHA512
c395c38149080fca9c39de2a6c0f7692a5dc244469460684697e8c7196de5ddbf8fc5c57b0956e0ccc166f83f98723d0bac4ce7621cad54150a25a2b097273b0

Download Submit
C:\Windows\System\PcHGNWR.exe

Filesize
5.2MB

MD5
b383ef21c0fddebbe91c866ef9a87597

SHA1
c560609658ccfcbd2311a0ba1789a58e20e9029d

SHA256
2ad0fb19a52d3287c54c3e177600fbc51ff3897edfbd40984bd5603ec3241b69

SHA512
f4c72c9cdb05d3a6044097f01d488e4123126efb8cd55120cb2faed06f47751d344adc8e1dd6f3281bc3c6eb89a93c8c541fcc2b3c731b6b0f1c0f1d71e947ec

Download Submit
C:\Windows\System\PjiRQFH.exe

Filesize
5.2MB

MD5
9c8833e222db6e32a7fe6be7f38db472

SHA1
ec244fc66c041be845437e395be8898e8ff5cc1e

SHA256
06e264266416c82cecc1cd15097b28565d56ff8fd91015e063939280bd28efe9

SHA512
471a3cfb7a5a58f8c4624f58d2106f6f8e4d2e3f34017fe00517c3984a5a88f05792c92556a243e2d859373b30b939a5e19cd318d248abc57896b22cf4edfd28

Download Submit
C:\Windows\System\TvONKDj.exe

Filesize
5.2MB

MD5
ccd6fe31a1b4099602c6ed5a76362f7a

SHA1
ce1eb82453c112a5543e930ec8b1265ad89e389a

SHA256
d2a3b42c8a534fe253b10625c51488d653cf4d4ad8a47b736da2cc092f6d7931

SHA512
aa60a2c10042cd89d163a4f006894a752db1f4d67e2b977733f5852279400d50f947e2d267ce9d2fe073d6e12ed32705275e70d75090d678db573d00366dc847

Download Submit
C:\Windows\System\VuPWEfU.exe

Filesize
5.2MB

MD5
0b4e92e4956e512ac0844ab5edb98d06

SHA1
743f285916578ae75b5ce81f1264700b62e79d33

SHA256
5fb071e8593cea94aa12e081492b44faf3e6584df4ac9bc7f8e0001cc915f349

SHA512
0b68b3e906b242dca029801709410b100a8f28c07db49507e1157781e8f90bfe87133daf0a52273fbb261953d330032ce140f2b53c5437ab57b4fda2fcb3b516

Download Submit
C:\Windows\System\WbHKtoS.exe

Filesize
5.2MB

MD5
99a584ec68888e8b273eed94ae0e89d1

SHA1
65deb4a611e881669ced3ade7e9366944664eada

SHA256
3fe3e4469f476ee5cd060101aba692095e7d5284789759a2d7f67b989ba17f0a

SHA512
a1ddb336a06f4e30c7c45dc595b718265feb3085dfbe09bda755da6e62f22e336eb4a3d023af5d87b7735650f7ecafc2a27c46ee9dc30e10e632bf910888e8ab

Download Submit
C:\Windows\System\WsCteVP.exe

Filesize
5.2MB

MD5
306339562210669f7750224bfa45d592

SHA1
364f2460f50f5f69dc3143ee44b3231a55555fa6

SHA256
1d576a198dc02ad202820d4db64cb934f540f9e08fce98a2125ee2164208467c

SHA512
4b279a3f7f6ac00c15fed933d31c6b604f15febf1bd5225c4e39577086d7524296a465363d4a798a97fdab7b6bc9d8a64264f56aba7944bd3a96a96db036001e

Download Submit
C:\Windows\System\bVApCKG.exe

Filesize
5.2MB

MD5
51af008bb09186fdf40f4179197be476

SHA1
72ec67a57ae4d1c1aa6a8e5c0fe9105e07f22bf0

SHA256
f9af047c68d98645d867e355d0609241080f764d9ea22c78ead805cc7c875490

SHA512
dc48d3c97dc8de630d4ad3f730e1660aa5a2beb5dc0b33af4de7c3dfe65b28b1821666538c007bbb53a6ae80f12334024d647b4603abbc905f96d01635c3ad59

Download Submit
C:\Windows\System\kNzbEEO.exe

Filesize
5.2MB

MD5
9b37bd6bb0dbd9cc9871970f08d35e00

SHA1
96e3518ca331ac2894aee2d740ce683e79b34d12

SHA256
7f4980081538a1ff6801c9240dc96b32b279d0e04c191d0631f9dba8acefc532

SHA512
fa2ffc2c27918e2917d218f81cd87f92efbd177e93e6d175dd71f88b224d33f943ae97ca98819d287a07cc5c74bfff35e77790ea9ec6d450b7bae88e589942db

Download Submit
C:\Windows\System\leZGZLB.exe

Filesize
5.2MB

MD5
02222b9100802fc6cf01a0ee335170e8

SHA1
73dc000067a396c292352ad83ca8f853ef2b1ca6

SHA256
5f54577c4c8b64476be3e27b092b62ee4673da81160d91db52c1785537b733b3

SHA512
f442fe683bf12b15a3060d7d64b62037f6550889dbecd09afe34ffbe80739d0235f577e1e07c6ebbe973354e443720f96cf1f3c8e57b65df910b4b4ae56dfcf2

Download Submit
C:\Windows\System\oAFjlJq.exe

Filesize
5.2MB

MD5
aa248fde79124f2c39fd1c8b6389d9c8

SHA1
602f893c213325f0a66eb1cfcbc1646fdbeff623

SHA256
730cf234a3661866197d0f0ded482f04adfd670c4d7798dcca02a40a744a3c43

SHA512
dc67e531bfc3396fce0127ba47f5c57a092d14b25f950c77a30c8957b66f48c7fdfd4680d343bc70298991ffea0a49955d7859d0b317882447e44ce2295fa6a0

Download Submit
C:\Windows\System\oeIJuHl.exe

Filesize
5.2MB

MD5
435f3a5a9ca0acc4e0568980e075f4d7

SHA1
4cada51f21ba4de9117408eec88714b5da89033a

SHA256
035c6d248f239e52e793066a5b8f5d59c6b0d8f24eca1eb103917a717e450285

SHA512
b55f8bdb408b1cbb03986adaf1beb2d580aad25c0374f0eff601f011d156613e1e7286c57bb7b0cb08dba3b3ec8d526b7a820cfed241d4cd1c3f279d28fed5e5

Download Submit
C:\Windows\System\pvAQvVw.exe

Filesize
5.2MB

MD5
1a9fb233ac2a08e90b26a8f7ce2429f6

SHA1
c3e04ba33f045910d17bd9b5641a1001db7acfe4

SHA256
ddd447468dcf9b110ecacb11ad5fd1b7ef7bbc06e1fd94389175fc00237fa344

SHA512
6f7738289a7f2ea6d590ce83b4a701f72707d49c43dc16a10100297bcd4947f9b8080fa0bb3339c88dbc3c8c2e0d2d1ea2607810153a533f9dc432c0164a9192

Download Submit
C:\Windows\System\rIIHlZc.exe

Filesize
5.2MB

MD5
190079710c1f6fd27652432912cfcb26

SHA1
29698b47e1f3c6385c7e1fdba8deca5831dfca12

SHA256
5f4b92c4cb8187088d7b98eff769e1d8682b51582e0cab91a0a4b3f5d80afb37

SHA512
6d8a3c1d96906e72ac5594f5fd4cef6bdaeddb06e6b40a83ac83b7e2a64c6edb1331c197b7b79351a2c891b6a787908297f9b06f14321484c956e51399729ad3

Download Submit
C:\Windows\System\rQLgChH.exe

Filesize
5.2MB

MD5
df10e15053fc9c1d96e63bec0c71a5ad

SHA1
7160ad63e79ff748a65fb2d8567deef045f07b8a

SHA256
533e018b49ca5ea3e6af618e0ea0055709da9f17dc926786c169db0869ff4139

SHA512
841435d4b822ac261124a7a52e21995521e3e611b9cf38e664fa62164a727fa431f6e89d16e7954face95bd3857fb168280ca7a7546f483e23ec90ef23aebd69

Download Submit
C:\Windows\System\sNZSCQz.exe

Filesize
5.2MB

MD5
7c17096edc351e4a25d7a9ac10b21914

SHA1
5a9507344c7c3e041c24fbcae11ec4ee8364d207

SHA256
52ca3fd9919537bae8499f5f378c50a57ecdc2d83bc78ea5c32e28b4f8e63c34

SHA512
7a848b8e70c8f200d39353f8bb7fa1f7b381018d9ec56d5ed8e3f8d066b14121312d9f682a689b0f5105e64db6f096da7b2802eea8e20f7d4eed229c1e399b55

Download Submit
C:\Windows\System\tABLskU.exe

Filesize
5.2MB

MD5
7770e53903b358d22b5f6ddb241e4e8a

SHA1
cb50266979d7e094a9576b706b7d9e19618e151d

SHA256
fee96ab2f2732438274b86efd19f20171db90237015a47567f860b4694ba4936

SHA512
e52e668a206cfb5fb167a4e726dbd561eb90e910fd92292e8c92c632cf3b2a33cab36377d04c6bd5e22954f507a1ef4f800af5bb359b375ac5825fad14933341

Download Submit
C:\Windows\System\wIcdomn.exe

Filesize
5.2MB

MD5
ebbfa4a1916264e40636cd65a6072347

SHA1
3c73f20326aa2d84144d1744d59f2eadf43d8d19

SHA256
4300e8e30d31cf41a591c6894b5c60e419fe977406db6ddb50beda17bc89ff0e

SHA512
d5dc07ca5dadb7c4295d9ea7b9d2a831fef6956eb0140cd40ae9af2c063a034db5e1df9e21ef5b9bae116fc1e5bb0e731185c7ef45de21db2ccca9a2ef7ef888

Download Submit
C:\Windows\System\zQTxgYV.exe

Filesize
5.2MB

MD5
d9bfa7f110ee9ce1088fd2f4afef04b0

SHA1
10970e7738f14a3b9ce71fc6cb40a812c7ce3c49

SHA256
50d36f4802933ed69dcd9e9460349432c3f27cd8e82ddce4f6dd4e5db42fc062

SHA512
288e7db042043909001a6ebb7612a1c499c346f3b7361388b981d0e014b4593fb0ebc68970653405f92f13b90a938a5ca138cf27df82b91af7f5c5569a7c5551

Download Submit
memory/316-146-0x00007FF7CC9E0000-0x00007FF7CCD31000-memory.dmp

Filesize
3.3MB

Download
memory/316-113-0x00007FF7CC9E0000-0x00007FF7CCD31000-memory.dmp

Filesize
3.3MB

Download
memory/316-258-0x00007FF7CC9E0000-0x00007FF7CCD31000-memory.dmp

Filesize
3.3MB

Download
memory/1776-135-0x00007FF7814B0000-0x00007FF781801000-memory.dmp

Filesize
3.3MB

Download
memory/1776-67-0x00007FF7814B0000-0x00007FF781801000-memory.dmp

Filesize
3.3MB

Download
memory/1776-228-0x00007FF7814B0000-0x00007FF781801000-memory.dmp

Filesize
3.3MB

Download
memory/1932-14-0x00007FF655880000-0x00007FF655BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-130-0x00007FF655880000-0x00007FF655BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-221-0x00007FF655880000-0x00007FF655BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-151-0x00007FF605FF0000-0x00007FF606341000-memory.dmp

Filesize
3.3MB

Download
memory/2012-1-0x000002CAA0460000-0x000002CAA0470000-memory.dmp

Filesize
64KB

Download
memory/2012-150-0x00007FF605FF0000-0x00007FF606341000-memory.dmp

Filesize
3.3MB

Download
memory/2012-128-0x00007FF605FF0000-0x00007FF606341000-memory.dmp

Filesize
3.3MB

Download
memory/2012-0-0x00007FF605FF0000-0x00007FF606341000-memory.dmp

Filesize
3.3MB

Download
memory/2060-224-0x00007FF71C520000-0x00007FF71C871000-memory.dmp

Filesize
3.3MB

Download
memory/2060-131-0x00007FF71C520000-0x00007FF71C871000-memory.dmp

Filesize
3.3MB

Download
memory/2060-32-0x00007FF71C520000-0x00007FF71C871000-memory.dmp

Filesize
3.3MB

Download
memory/2088-81-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp

Filesize
3.3MB

Download
memory/2088-237-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp

Filesize
3.3MB

Download
memory/2488-238-0x00007FF7C1F30000-0x00007FF7C2281000-memory.dmp

Filesize
3.3MB

Download
memory/2488-96-0x00007FF7C1F30000-0x00007FF7C2281000-memory.dmp

Filesize
3.3MB

Download
memory/2580-253-0x00007FF7892C0000-0x00007FF789611000-memory.dmp

Filesize
3.3MB

Download
memory/2580-120-0x00007FF7892C0000-0x00007FF789611000-memory.dmp

Filesize
3.3MB

Download
memory/2716-232-0x00007FF6B5F20000-0x00007FF6B6271000-memory.dmp

Filesize
3.3MB

Download
memory/2716-122-0x00007FF6B5F20000-0x00007FF6B6271000-memory.dmp

Filesize
3.3MB

Download
memory/3304-246-0x00007FF6FD630000-0x00007FF6FD981000-memory.dmp

Filesize
3.3MB

Download
memory/3304-143-0x00007FF6FD630000-0x00007FF6FD981000-memory.dmp

Filesize
3.3MB

Download
memory/3304-109-0x00007FF6FD630000-0x00007FF6FD981000-memory.dmp

Filesize
3.3MB

Download
memory/3424-148-0x00007FF7B4E70000-0x00007FF7B51C1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-119-0x00007FF7B4E70000-0x00007FF7B51C1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-255-0x00007FF7B4E70000-0x00007FF7B51C1000-memory.dmp

Filesize
3.3MB

Download
memory/3568-134-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp

Filesize
3.3MB

Download
memory/3568-52-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp

Filesize
3.3MB

Download
memory/3568-230-0x00007FF6FFA30000-0x00007FF6FFD81000-memory.dmp

Filesize
3.3MB

Download
memory/3588-110-0x00007FF6F03F0000-0x00007FF6F0741000-memory.dmp

Filesize
3.3MB

Download
memory/3588-250-0x00007FF6F03F0000-0x00007FF6F0741000-memory.dmp

Filesize
3.3MB

Download
memory/3864-7-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-201-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-129-0x00007FF786D70000-0x00007FF7870C1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-256-0x00007FF72B280000-0x00007FF72B5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-126-0x00007FF72B280000-0x00007FF72B5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-244-0x00007FF630C30000-0x00007FF630F81000-memory.dmp

Filesize
3.3MB

Download
memory/4172-125-0x00007FF630C30000-0x00007FF630F81000-memory.dmp

Filesize
3.3MB

Download
memory/4396-123-0x00007FF7E8200000-0x00007FF7E8551000-memory.dmp

Filesize
3.3MB

Download
memory/4396-240-0x00007FF7E8200000-0x00007FF7E8551000-memory.dmp

Filesize
3.3MB

Download
memory/4872-124-0x00007FF688230000-0x00007FF688581000-memory.dmp

Filesize
3.3MB

Download
memory/4872-242-0x00007FF688230000-0x00007FF688581000-memory.dmp

Filesize
3.3MB

Download
memory/4908-234-0x00007FF709E70000-0x00007FF70A1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-80-0x00007FF709E70000-0x00007FF70A1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-248-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp

Filesize
3.3MB

Download
memory/4928-97-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp

Filesize
3.3MB

Download
memory/4928-142-0x00007FF77E1F0000-0x00007FF77E541000-memory.dmp

Filesize
3.3MB

Download
memory/4968-222-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp

Filesize
3.3MB

Download
memory/4968-121-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp

Filesize
3.3MB

Download
memory/4972-226-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp

Filesize
3.3MB

Download
memory/4972-133-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp

Filesize
3.3MB

Download
memory/4972-36-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp

Filesize
3.3MB

Download