cobaltstrike | ac5aa878ba3bd09590e7b22da70210dcded86a38242f36f32f25cbc6974c3265

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

523611914d59690ca735c32ef0ce6e70
SHA1

42df2b84529f60511e53aee6e37f7ef9621413be
SHA256

ac5aa878ba3bd09590e7b22da70210dcded86a38242f36f32f25cbc6974c3265
SHA512

8b44ddcbb8dc20df1251ca679d320a4f1c1419fae083e026d18fc4ae13ba70598b5314c167d22b46d89c363237d6793c70904aa37ec846f53c48a4975f741df8
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lD:RWWBibj56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002362d-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023631-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023632-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023635-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023639-59.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002362e-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363c-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363b-77.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363a-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023636-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023634-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023638-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023637-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023633-31.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363d-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023640-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023642-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023643-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023644-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023641-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002363f-105.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3844-68-0x00007FF6B1EF0000-0x00007FF6B2241000-memory.dmp	xmrig
behavioral2/memory/2964-75-0x00007FF7AE9F0000-0x00007FF7AED41000-memory.dmp	xmrig
behavioral2/memory/1080-82-0x00007FF6397E0000-0x00007FF639B31000-memory.dmp	xmrig
behavioral2/memory/4964-74-0x00007FF75CCA0000-0x00007FF75CFF1000-memory.dmp	xmrig
behavioral2/memory/2744-69-0x00007FF616B70000-0x00007FF616EC1000-memory.dmp	xmrig
behavioral2/memory/1908-64-0x00007FF641610000-0x00007FF641961000-memory.dmp	xmrig
behavioral2/memory/1536-14-0x00007FF6822E0000-0x00007FF682631000-memory.dmp	xmrig
behavioral2/memory/1536-114-0x00007FF6822E0000-0x00007FF682631000-memory.dmp	xmrig
behavioral2/memory/3448-115-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp	xmrig
behavioral2/memory/2332-100-0x00007FF680B20000-0x00007FF680E71000-memory.dmp	xmrig
behavioral2/memory/4540-90-0x00007FF600170000-0x00007FF6004C1000-memory.dmp	xmrig
behavioral2/memory/4540-130-0x00007FF600170000-0x00007FF6004C1000-memory.dmp	xmrig
behavioral2/memory/4460-135-0x00007FF7F89B0000-0x00007FF7F8D01000-memory.dmp	xmrig
behavioral2/memory/2500-144-0x00007FF6B08A0000-0x00007FF6B0BF1000-memory.dmp	xmrig
behavioral2/memory/3044-142-0x00007FF79AE70000-0x00007FF79B1C1000-memory.dmp	xmrig
behavioral2/memory/3304-146-0x00007FF651340000-0x00007FF651691000-memory.dmp	xmrig
behavioral2/memory/3704-145-0x00007FF6BB7F0000-0x00007FF6BBB41000-memory.dmp	xmrig
behavioral2/memory/2412-136-0x00007FF609200000-0x00007FF609551000-memory.dmp	xmrig
behavioral2/memory/3536-134-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp	xmrig
behavioral2/memory/432-150-0x00007FF67D8D0000-0x00007FF67DC21000-memory.dmp	xmrig
behavioral2/memory/2564-151-0x00007FF7BFFB0000-0x00007FF7C0301000-memory.dmp	xmrig
behavioral2/memory/2832-149-0x00007FF645120000-0x00007FF645471000-memory.dmp	xmrig
behavioral2/memory/4776-148-0x00007FF6686E0000-0x00007FF668A31000-memory.dmp	xmrig
behavioral2/memory/4500-147-0x00007FF6C9960000-0x00007FF6C9CB1000-memory.dmp	xmrig
behavioral2/memory/4540-154-0x00007FF600170000-0x00007FF6004C1000-memory.dmp	xmrig
behavioral2/memory/2332-214-0x00007FF680B20000-0x00007FF680E71000-memory.dmp	xmrig
behavioral2/memory/1536-216-0x00007FF6822E0000-0x00007FF682631000-memory.dmp	xmrig
behavioral2/memory/3448-218-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp	xmrig
behavioral2/memory/3536-220-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp	xmrig
behavioral2/memory/1908-224-0x00007FF641610000-0x00007FF641961000-memory.dmp	xmrig
behavioral2/memory/2412-223-0x00007FF609200000-0x00007FF609551000-memory.dmp	xmrig
behavioral2/memory/3044-228-0x00007FF79AE70000-0x00007FF79B1C1000-memory.dmp	xmrig
behavioral2/memory/4964-238-0x00007FF75CCA0000-0x00007FF75CFF1000-memory.dmp	xmrig
behavioral2/memory/4460-237-0x00007FF7F89B0000-0x00007FF7F8D01000-memory.dmp	xmrig
behavioral2/memory/3844-234-0x00007FF6B1EF0000-0x00007FF6B2241000-memory.dmp	xmrig
behavioral2/memory/2744-232-0x00007FF616B70000-0x00007FF616EC1000-memory.dmp	xmrig
behavioral2/memory/2964-230-0x00007FF7AE9F0000-0x00007FF7AED41000-memory.dmp	xmrig
behavioral2/memory/1080-227-0x00007FF6397E0000-0x00007FF639B31000-memory.dmp	xmrig
behavioral2/memory/2500-240-0x00007FF6B08A0000-0x00007FF6B0BF1000-memory.dmp	xmrig
behavioral2/memory/4500-246-0x00007FF6C9960000-0x00007FF6C9CB1000-memory.dmp	xmrig
behavioral2/memory/4776-251-0x00007FF6686E0000-0x00007FF668A31000-memory.dmp	xmrig
behavioral2/memory/2832-253-0x00007FF645120000-0x00007FF645471000-memory.dmp	xmrig
behavioral2/memory/432-260-0x00007FF67D8D0000-0x00007FF67DC21000-memory.dmp	xmrig
behavioral2/memory/3304-257-0x00007FF651340000-0x00007FF651691000-memory.dmp	xmrig
behavioral2/memory/2564-261-0x00007FF7BFFB0000-0x00007FF7C0301000-memory.dmp	xmrig
behavioral2/memory/3704-256-0x00007FF6BB7F0000-0x00007FF6BBB41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2332	odIDREq.exe
1536	AOimCVv.exe
3448	WsoDTdJ.exe
3536	EuOdyYF.exe
4460	ZoxJKRe.exe
2412	TExxwsc.exe
1908	JVWbdIH.exe
4964	aJnssdA.exe
3844	ElTtfIZ.exe
2744	NtZBOWP.exe
2964	oSOceoM.exe
3044	SeHosMp.exe
1080	bUZHrEl.exe
2500	kPjIlOE.exe
4500	GdzpyzZ.exe
4776	XxdEnqv.exe
2832	qmnKbmX.exe
432	XwfAIis.exe
2564	IaxKsBA.exe
3304	ZjFBsVh.exe
3704	sfdPJfu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4540-0-0x00007FF600170000-0x00007FF6004C1000-memory.dmp	upx
behavioral2/files/0x000800000002362d-5.dat	upx
behavioral2/memory/2332-9-0x00007FF680B20000-0x00007FF680E71000-memory.dmp	upx
behavioral2/files/0x0007000000023631-12.dat	upx
behavioral2/files/0x0007000000023632-16.dat	upx
behavioral2/memory/3448-23-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp	upx
behavioral2/memory/3536-35-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp	upx
behavioral2/files/0x0007000000023635-44.dat	upx
behavioral2/files/0x0007000000023639-59.dat	upx
behavioral2/memory/3844-68-0x00007FF6B1EF0000-0x00007FF6B2241000-memory.dmp	upx
behavioral2/memory/2964-75-0x00007FF7AE9F0000-0x00007FF7AED41000-memory.dmp	upx
behavioral2/memory/1080-82-0x00007FF6397E0000-0x00007FF639B31000-memory.dmp	upx
behavioral2/files/0x000800000002362e-84.dat	upx
behavioral2/memory/2500-83-0x00007FF6B08A0000-0x00007FF6B0BF1000-memory.dmp	upx
behavioral2/memory/3044-81-0x00007FF79AE70000-0x00007FF79B1C1000-memory.dmp	upx
behavioral2/files/0x000700000002363c-79.dat	upx
behavioral2/files/0x000700000002363b-77.dat	upx
behavioral2/memory/4964-74-0x00007FF75CCA0000-0x00007FF75CFF1000-memory.dmp	upx
behavioral2/files/0x000700000002363a-70.dat	upx
behavioral2/memory/2744-69-0x00007FF616B70000-0x00007FF616EC1000-memory.dmp	upx
behavioral2/memory/1908-64-0x00007FF641610000-0x00007FF641961000-memory.dmp	upx
behavioral2/memory/4460-61-0x00007FF7F89B0000-0x00007FF7F8D01000-memory.dmp	upx
behavioral2/files/0x0007000000023636-56.dat	upx
behavioral2/files/0x0007000000023634-53.dat	upx
behavioral2/files/0x0007000000023638-52.dat	upx
behavioral2/memory/2412-41-0x00007FF609200000-0x00007FF609551000-memory.dmp	upx
behavioral2/files/0x0007000000023637-40.dat	upx
behavioral2/files/0x0007000000023633-31.dat	upx
behavioral2/memory/1536-14-0x00007FF6822E0000-0x00007FF682631000-memory.dmp	upx
behavioral2/files/0x000700000002363d-89.dat	upx
behavioral2/memory/4500-91-0x00007FF6C9960000-0x00007FF6C9CB1000-memory.dmp	upx
behavioral2/files/0x0007000000023640-99.dat	upx
behavioral2/memory/4776-103-0x00007FF6686E0000-0x00007FF668A31000-memory.dmp	upx
behavioral2/memory/1536-114-0x00007FF6822E0000-0x00007FF682631000-memory.dmp	upx
behavioral2/memory/432-116-0x00007FF67D8D0000-0x00007FF67DC21000-memory.dmp	upx
behavioral2/files/0x0007000000023642-123.dat	upx
behavioral2/files/0x0007000000023643-127.dat	upx
behavioral2/files/0x0007000000023644-125.dat	upx
behavioral2/memory/3448-115-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp	upx
behavioral2/files/0x0007000000023641-112.dat	upx
behavioral2/files/0x000700000002363f-105.dat	upx
behavioral2/memory/2832-104-0x00007FF645120000-0x00007FF645471000-memory.dmp	upx
behavioral2/memory/2332-100-0x00007FF680B20000-0x00007FF680E71000-memory.dmp	upx
behavioral2/memory/4540-90-0x00007FF600170000-0x00007FF6004C1000-memory.dmp	upx
behavioral2/memory/4540-130-0x00007FF600170000-0x00007FF6004C1000-memory.dmp	upx
behavioral2/memory/4460-135-0x00007FF7F89B0000-0x00007FF7F8D01000-memory.dmp	upx
behavioral2/memory/2500-144-0x00007FF6B08A0000-0x00007FF6B0BF1000-memory.dmp	upx
behavioral2/memory/3044-142-0x00007FF79AE70000-0x00007FF79B1C1000-memory.dmp	upx
behavioral2/memory/3304-146-0x00007FF651340000-0x00007FF651691000-memory.dmp	upx
behavioral2/memory/3704-145-0x00007FF6BB7F0000-0x00007FF6BBB41000-memory.dmp	upx
behavioral2/memory/2412-136-0x00007FF609200000-0x00007FF609551000-memory.dmp	upx
behavioral2/memory/3536-134-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp	upx
behavioral2/memory/2564-129-0x00007FF7BFFB0000-0x00007FF7C0301000-memory.dmp	upx
behavioral2/memory/432-150-0x00007FF67D8D0000-0x00007FF67DC21000-memory.dmp	upx
behavioral2/memory/2564-151-0x00007FF7BFFB0000-0x00007FF7C0301000-memory.dmp	upx
behavioral2/memory/2832-149-0x00007FF645120000-0x00007FF645471000-memory.dmp	upx
behavioral2/memory/4776-148-0x00007FF6686E0000-0x00007FF668A31000-memory.dmp	upx
behavioral2/memory/4500-147-0x00007FF6C9960000-0x00007FF6C9CB1000-memory.dmp	upx
behavioral2/memory/4540-154-0x00007FF600170000-0x00007FF6004C1000-memory.dmp	upx
behavioral2/memory/2332-214-0x00007FF680B20000-0x00007FF680E71000-memory.dmp	upx
behavioral2/memory/1536-216-0x00007FF6822E0000-0x00007FF682631000-memory.dmp	upx
behavioral2/memory/3448-218-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp	upx
behavioral2/memory/3536-220-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp	upx
behavioral2/memory/1908-224-0x00007FF641610000-0x00007FF641961000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EuOdyYF.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aJnssdA.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GdzpyzZ.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XxdEnqv.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwfAIis.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZjFBsVh.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\odIDREq.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZoxJKRe.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NtZBOWP.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSOceoM.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qmnKbmX.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sfdPJfu.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WsoDTdJ.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TExxwsc.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ElTtfIZ.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JVWbdIH.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IaxKsBA.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AOimCVv.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SeHosMp.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bUZHrEl.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kPjIlOE.exe	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2332	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4540 wrote to memory of 2332	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4540 wrote to memory of 1536	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4540 wrote to memory of 1536	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4540 wrote to memory of 3448	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4540 wrote to memory of 3448	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4540 wrote to memory of 3536	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4540 wrote to memory of 3536	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4540 wrote to memory of 4460	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4540 wrote to memory of 4460	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4540 wrote to memory of 2412	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4540 wrote to memory of 2412	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4540 wrote to memory of 3844	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4540 wrote to memory of 3844	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4540 wrote to memory of 1908	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4540 wrote to memory of 1908	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4540 wrote to memory of 4964	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4540 wrote to memory of 4964	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4540 wrote to memory of 2744	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4540 wrote to memory of 2744	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4540 wrote to memory of 2964	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4540 wrote to memory of 2964	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4540 wrote to memory of 3044	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4540 wrote to memory of 3044	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4540 wrote to memory of 1080	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4540 wrote to memory of 1080	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4540 wrote to memory of 2500	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4540 wrote to memory of 2500	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4540 wrote to memory of 4500	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4540 wrote to memory of 4500	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4540 wrote to memory of 4776	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4540 wrote to memory of 4776	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4540 wrote to memory of 2832	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4540 wrote to memory of 2832	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4540 wrote to memory of 432	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4540 wrote to memory of 432	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4540 wrote to memory of 2564	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4540 wrote to memory of 2564	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4540 wrote to memory of 3704	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4540 wrote to memory of 3704	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4540 wrote to memory of 3304	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 4540 wrote to memory of 3304	4540	2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_523611914d59690ca735c32ef0ce6e70_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\System\odIDREq.exe
  C:\Windows\System\odIDREq.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\AOimCVv.exe
  C:\Windows\System\AOimCVv.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\WsoDTdJ.exe
  C:\Windows\System\WsoDTdJ.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\EuOdyYF.exe
  C:\Windows\System\EuOdyYF.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\ZoxJKRe.exe
  C:\Windows\System\ZoxJKRe.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\TExxwsc.exe
  C:\Windows\System\TExxwsc.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\ElTtfIZ.exe
  C:\Windows\System\ElTtfIZ.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\JVWbdIH.exe
  C:\Windows\System\JVWbdIH.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\aJnssdA.exe
  C:\Windows\System\aJnssdA.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\NtZBOWP.exe
  C:\Windows\System\NtZBOWP.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\oSOceoM.exe
  C:\Windows\System\oSOceoM.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\SeHosMp.exe
  C:\Windows\System\SeHosMp.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\bUZHrEl.exe
  C:\Windows\System\bUZHrEl.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\kPjIlOE.exe
  C:\Windows\System\kPjIlOE.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\GdzpyzZ.exe
  C:\Windows\System\GdzpyzZ.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\XxdEnqv.exe
  C:\Windows\System\XxdEnqv.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\qmnKbmX.exe
  C:\Windows\System\qmnKbmX.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\XwfAIis.exe
  C:\Windows\System\XwfAIis.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\IaxKsBA.exe
  C:\Windows\System\IaxKsBA.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\sfdPJfu.exe
  C:\Windows\System\sfdPJfu.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\ZjFBsVh.exe
  C:\Windows\System\ZjFBsVh.exe
  2⤵
  - Executes dropped EXE
  PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AOimCVv.exe

Filesize
5.2MB

MD5
109757dc40e89211c2b27f20e41b39b2

SHA1
b4ba0e02c13e63bf7651caf771a45a777a245d88

SHA256
0d3b13bdc8a7358faf2a3d102a566fb85b3867f78bf8f04eea0a3f35a505b574

SHA512
f62e3f346c765155956a1c77073fd4fbc1a3cbbc232060fa6b61c058446cfe2ab738ab1a78d1b40e4af63d03009c47928efd8db8f19d0b57d51c8d0e8c3f9d27

Download Submit
C:\Windows\System\ElTtfIZ.exe

Filesize
5.2MB

MD5
115da0b96b1be81bbaf1cf2a9e1e82b6

SHA1
3eaf5a2bf68123e758eede84782031941365d098

SHA256
b1142f1f5c0c5900873ae7fe30fb0e905b23e40a9a6fc166935086e72cfd45bc

SHA512
e9f6e9cb34e8522df6b657dd7044e8ec34dc180cce4647efc385b2cde0fa230103e573a73318280e55f8d38c629c05c36aa3c0bfd37668f9f9b80e89202ed38a

Download Submit
C:\Windows\System\EuOdyYF.exe

Filesize
5.2MB

MD5
aaecc4b907d4f28e2d778f062b61d3f0

SHA1
a6d460caf655f558ca4c5d1b2f00b79d7574f6cf

SHA256
11e5a39d7e3313867d1ae6b653cbf6594aeaf654187115e4031883ef8b45706f

SHA512
12af9215ffc563e2472056457e98f117f12c26e29d4cadef1596175dabfcdf397b408972c8e9e62240a365f41ac33ad8acc7e9f4af2941b1f664be999bff102a

Download Submit
C:\Windows\System\GdzpyzZ.exe

Filesize
5.2MB

MD5
3748fac1bbeb5ec51f2be4ccba3dee4c

SHA1
f34e0532e5ee3d40fe474bafe3fc2de2bd600fb9

SHA256
57da4372e0d7a107a361c6fc3cc5ae648bd91a0b254c8fbde50c0c9b0aab5bc1

SHA512
90ed22297db58e82f965f3101713dca6fce71d0763ace245975549ed86012b8a6470328ace3aab85cf8c4cc0a32e090baa5c867ee7575f8cd8448249030cec1e

Download Submit
C:\Windows\System\IaxKsBA.exe

Filesize
5.2MB

MD5
5ba94016b3b2fb84f8a96933306eeccc

SHA1
8f5be60917a4ca305725230556fea75b6509800c

SHA256
df672c1bfb93d948ada7f954dbe714ba2dddfd5af99fb074a32ae587f87eb9ca

SHA512
f833492c65e8c47f7bc40287a9babee4a8a29ad406d09a5e0ab2d96a8753deca115efe04a0c71f3dbf8706062cf210fa7d4afc6a5be92869b72ed9ce728d17ec

Download Submit
C:\Windows\System\JVWbdIH.exe

Filesize
5.2MB

MD5
c911a0fdd7edbae136f5c11d530926cb

SHA1
9d9f34d48cc0c08ea059744fdcb6f619dd89c338

SHA256
de2d1a2c74122103f0f510e00ee9d0095e6734b137a18f224a6778f41f28f0a7

SHA512
2bd0baebb4eddf07ebb1e24df010f1dfcdda76b365d640ffb36afa77749e716a21cfe1a68a9efed99481bfc3f791b8844072acd2ac1cb578bf621b5f5f088778

Download Submit
C:\Windows\System\NtZBOWP.exe

Filesize
5.2MB

MD5
24c16c756aae288d2d7362e4192e48b0

SHA1
3820604e551e6afa50a9117f2e3febe0bf4989b9

SHA256
9d05418c81e0082e91415a29660794c57edd58722aaede99dd0786f331866bac

SHA512
f1750ab8a2c7e00097f95662a403f8a234f0ecf42600df07761fa884b4de3bc350110fbad17e554db841e09278d316716f2028e52c5a5a4ff89d8722aeb4c305

Download Submit
C:\Windows\System\SeHosMp.exe

Filesize
5.2MB

MD5
e04c008e40b7694248fbb4f41028e9c4

SHA1
49e39a185f6ab7fc1c36c64b7902eab02dc6e8ac

SHA256
9ce84926be39b384d9c031669f228da660bbf39d0282d8fca734a10d2cab1282

SHA512
d3158a357a469cf736d582c04922fbac121013982ad32b5feee9938b6b36ad6cb2b9b121ab50184f8ecb5505d368214a868d64430ec062da27dd79d7c8749436

Download Submit
C:\Windows\System\TExxwsc.exe

Filesize
5.2MB

MD5
fa51ecf31222cd2fedd973f1ca595066

SHA1
3508c4692cbc12ac3d152b7e96e36717ed3103b6

SHA256
0084a5a5184b703d92d7d5e74903c6ee70876b0c33cf7f521bac828b367f5eed

SHA512
b2885dd4033dbca173faeda600ae0f1c18c0e1b5d99b89d7278b53d85399d9f3e4536fcb1720f277a7f89e32fee96b5acdf3f8c635dae3a920979d63082a39b0

Download Submit
C:\Windows\System\WsoDTdJ.exe

Filesize
5.2MB

MD5
55295f0b899cb5a8ddca3058b5ce05da

SHA1
73ae10585f316adab53becff5719c061d45133bf

SHA256
2c8ee00769123b5dc4d1e9b229690dc8e4933fbbbac5b0fa6796d21b6af59c26

SHA512
7432d9edd8d2b1c98ede0dbe893c46efe7f886434a9eda707200d567b3ee6916af2442ca4620bba6832358d17a50a642b5d20e40f51dea88772d95466c75cd96

Download Submit
C:\Windows\System\XwfAIis.exe

Filesize
5.2MB

MD5
9f1b21c69b140163baf8dd08646a153b

SHA1
d354d5dbf36143695739938e2df8e32f11976a3b

SHA256
7fce05c761fe3a1ce309cd05cb128d6b3fd9c8b888e3f382f83aaf2d5aac5f17

SHA512
a1798d4d6217078a603e4c69e08aec9b83c07563419d58b6cf5f2200f622b34fd912625b4b97c6abd6d306cdda14d14704ac2d713862e152e481119b1b841a6a

Download Submit
C:\Windows\System\XxdEnqv.exe

Filesize
5.2MB

MD5
e1e7359dd59b5fd83a708e8ed98a9dd7

SHA1
7f7925a739dfcc6df27e11a3f28c687c69b586e1

SHA256
d63bd3bc65367e907fbdc512561a76bd83fbab5ad2ded794d02c08c80fd81970

SHA512
c1e4f6634809f4146d0689ae4a39f4dedf86bb432c1089c9e3181f556d08e58a67caae7444107c858137f270cb4ee21f68ad959170feb1f5e6955d3bd140553b

Download Submit
C:\Windows\System\ZjFBsVh.exe

Filesize
5.2MB

MD5
2bd92fa999051ecb3459854e31c6a48e

SHA1
ef5a36975f0c6babb4902462a59d688546b20fcb

SHA256
c71e8caeefab48c365dffe561f1d1b5cef21f05a5972f15af8b98908a68a44db

SHA512
2ca5cb3fe9e501935c453911547b4bc231938a8d2ee8a0f4cb486cdf2eea701b758dad336f543e63f540a39c255060ea6852ade9f45393b7f3ca9529b95d2ae3

Download Submit
C:\Windows\System\ZoxJKRe.exe

Filesize
5.2MB

MD5
92a66f78eca30f93cfea33c934be41ce

SHA1
2d1c39e76a47093f91f555b7b0e57e9b96ea83bd

SHA256
b20a7e051c3b17de7748e6f1a7572796bb7340eb9bd2c306286ce36121b2a5c6

SHA512
43a870a103d0847db00409b9d79df3a99bf3325b311f9cd913e82c6511d4c13c657adc2bba4b85922da7fe26dc72d6de5e0db857f06c227fb17b7e32ae880aab

Download Submit
C:\Windows\System\aJnssdA.exe

Filesize
5.2MB

MD5
a8a50988c3571217661e706d26ed4752

SHA1
07ebbef9bf903b0a76d6a06cae64926c3178e7ab

SHA256
084abaacba2b8cf018a43da71a472bcbb425915e04a5456d60f1f57d4c1470b2

SHA512
bc4598bf92ea000e5802979971609436a3118c5fc55819749832f9a663567748d4ed72ede66333c29db42ba67184aa64b7c17d42880ed05d94ebc8e1172d5571

Download Submit
C:\Windows\System\bUZHrEl.exe

Filesize
5.2MB

MD5
837c5270e7354c2fb6024223ab46ca73

SHA1
269b756d99e91abc6218fe3e897602c0d12fccec

SHA256
8b1f73f3c17dd47c87fb19ec7a9cd2fa059781ed872c40fd63f581856aead5b4

SHA512
fff8d8b9c69b4364cb6d75a820dbcd86121940f3a1b254f02432696fb006a0b05a65b99297df39ae9cf6ec94118ce9d22a2c4dd663b54dd2233eb4d0dcf8dcea

Download Submit
C:\Windows\System\kPjIlOE.exe

Filesize
5.2MB

MD5
42a5579b74b58cc8a7618778f105f3bb

SHA1
299a71d95a9fb755d093be7c635ff7d211324524

SHA256
cecc7ceba17fd39882b24c8bd5417379e3d037459ad7df415f7c2c3278fea199

SHA512
b4862b13d97956f377352e07b75bc6bdf8e4f20973db9eeaf9329f9cfe17be6e59df2e2ef2f3c4e092abfa510ca374bc1788d6a6e5184385af7b761fa0afdc3a

Download Submit
C:\Windows\System\oSOceoM.exe

Filesize
5.2MB

MD5
1a11da679293819558ef1c36158ce59f

SHA1
bdcbc03c1ca6d228f7a273172f0dc9d2feae7146

SHA256
2faa479ec4ba932041fd2c20a9f84aa77f319bbf0b1dd970e7825e9a9d422f82

SHA512
4456d5a1923c536f6bb87e85613c4963df168f85204a6f7cd1b50a1b40c7aff86c4ed0535e47e8a0c4f963329ab4623ae167e1574795da660353a90ca63f9bec

Download Submit
C:\Windows\System\odIDREq.exe

Filesize
5.2MB

MD5
322b97bd7352a77da23fc3021bf2de3e

SHA1
c5d8525f0c56bf2f91e5205667fff6549c0e4beb

SHA256
b2de12581240731a5f052544578426cf153e468071b99cbb756c591d2e552a1d

SHA512
0edf66fefdb0d9d8578d7d69971e3e62ee16f717bd6f96be6a3879a7187e238ce6a4298615f52e4bda8c1310668296994f53fa50dd004332f8a06f325a1a2aef

Download Submit
C:\Windows\System\qmnKbmX.exe

Filesize
5.2MB

MD5
120a35647912fb0baabd05c74e916d7c

SHA1
00638e3cfa779214dd1f9fe04c31dd9065005219

SHA256
37e865f723c23a7228594bc4a7cb212bc7f3382d3530333f6a87f6a8c5b3b032

SHA512
b3002efb13230aa7bf3bfbe5cb2aeee00fb72ac3431ff1432f01d11be95947be17de8310da90f8ed19943358d278ec93b0ed21083152a73877b7c80025bdc33f

Download Submit
C:\Windows\System\sfdPJfu.exe

Filesize
5.2MB

MD5
231e66e0e76acdad71fa557d50a50d11

SHA1
8f8dd4880f23d3c0f907e2dc218e43fdeef8a5f8

SHA256
e973cda21ff59e6a201b2dbf351d945afe2a675207f8c1d533d7b675802dec5b

SHA512
af4b9df87140c056a48be61e850a06b408416e94d2ce1c688d72ea42dc9266b5cca81a2debbea1c01ac5c39b6fe4611d7c6141f3ef928cc9f7ab9aae67cb3ed4

Download Submit
memory/432-150-0x00007FF67D8D0000-0x00007FF67DC21000-memory.dmp

Filesize
3.3MB

Download
memory/432-116-0x00007FF67D8D0000-0x00007FF67DC21000-memory.dmp

Filesize
3.3MB

Download
memory/432-260-0x00007FF67D8D0000-0x00007FF67DC21000-memory.dmp

Filesize
3.3MB

Download
memory/1080-82-0x00007FF6397E0000-0x00007FF639B31000-memory.dmp

Filesize
3.3MB

Download
memory/1080-227-0x00007FF6397E0000-0x00007FF639B31000-memory.dmp

Filesize
3.3MB

Download
memory/1536-114-0x00007FF6822E0000-0x00007FF682631000-memory.dmp

Filesize
3.3MB

Download
memory/1536-14-0x00007FF6822E0000-0x00007FF682631000-memory.dmp

Filesize
3.3MB

Download
memory/1536-216-0x00007FF6822E0000-0x00007FF682631000-memory.dmp

Filesize
3.3MB

Download
memory/1908-64-0x00007FF641610000-0x00007FF641961000-memory.dmp

Filesize
3.3MB

Download
memory/1908-224-0x00007FF641610000-0x00007FF641961000-memory.dmp

Filesize
3.3MB

Download
memory/2332-214-0x00007FF680B20000-0x00007FF680E71000-memory.dmp

Filesize
3.3MB

Download
memory/2332-9-0x00007FF680B20000-0x00007FF680E71000-memory.dmp

Filesize
3.3MB

Download
memory/2332-100-0x00007FF680B20000-0x00007FF680E71000-memory.dmp

Filesize
3.3MB

Download
memory/2412-136-0x00007FF609200000-0x00007FF609551000-memory.dmp

Filesize
3.3MB

Download
memory/2412-223-0x00007FF609200000-0x00007FF609551000-memory.dmp

Filesize
3.3MB

Download
memory/2412-41-0x00007FF609200000-0x00007FF609551000-memory.dmp

Filesize
3.3MB

Download
memory/2500-240-0x00007FF6B08A0000-0x00007FF6B0BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-83-0x00007FF6B08A0000-0x00007FF6B0BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-144-0x00007FF6B08A0000-0x00007FF6B0BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2564-129-0x00007FF7BFFB0000-0x00007FF7C0301000-memory.dmp

Filesize
3.3MB

Download
memory/2564-151-0x00007FF7BFFB0000-0x00007FF7C0301000-memory.dmp

Filesize
3.3MB

Download
memory/2564-261-0x00007FF7BFFB0000-0x00007FF7C0301000-memory.dmp

Filesize
3.3MB

Download
memory/2744-69-0x00007FF616B70000-0x00007FF616EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-232-0x00007FF616B70000-0x00007FF616EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-104-0x00007FF645120000-0x00007FF645471000-memory.dmp

Filesize
3.3MB

Download
memory/2832-253-0x00007FF645120000-0x00007FF645471000-memory.dmp

Filesize
3.3MB

Download
memory/2832-149-0x00007FF645120000-0x00007FF645471000-memory.dmp

Filesize
3.3MB

Download
memory/2964-230-0x00007FF7AE9F0000-0x00007FF7AED41000-memory.dmp

Filesize
3.3MB

Download
memory/2964-75-0x00007FF7AE9F0000-0x00007FF7AED41000-memory.dmp

Filesize
3.3MB

Download
memory/3044-142-0x00007FF79AE70000-0x00007FF79B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-228-0x00007FF79AE70000-0x00007FF79B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-81-0x00007FF79AE70000-0x00007FF79B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-257-0x00007FF651340000-0x00007FF651691000-memory.dmp

Filesize
3.3MB

Download
memory/3304-146-0x00007FF651340000-0x00007FF651691000-memory.dmp

Filesize
3.3MB

Download
memory/3448-115-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp

Filesize
3.3MB

Download
memory/3448-218-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp

Filesize
3.3MB

Download
memory/3448-23-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp

Filesize
3.3MB

Download
memory/3536-35-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp

Filesize
3.3MB

Download
memory/3536-220-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp

Filesize
3.3MB

Download
memory/3536-134-0x00007FF61D6E0000-0x00007FF61DA31000-memory.dmp

Filesize
3.3MB

Download
memory/3704-256-0x00007FF6BB7F0000-0x00007FF6BBB41000-memory.dmp

Filesize
3.3MB

Download
memory/3704-145-0x00007FF6BB7F0000-0x00007FF6BBB41000-memory.dmp

Filesize
3.3MB

Download
memory/3844-234-0x00007FF6B1EF0000-0x00007FF6B2241000-memory.dmp

Filesize
3.3MB

Download
memory/3844-68-0x00007FF6B1EF0000-0x00007FF6B2241000-memory.dmp

Filesize
3.3MB

Download
memory/4460-135-0x00007FF7F89B0000-0x00007FF7F8D01000-memory.dmp

Filesize
3.3MB

Download
memory/4460-237-0x00007FF7F89B0000-0x00007FF7F8D01000-memory.dmp

Filesize
3.3MB

Download
memory/4460-61-0x00007FF7F89B0000-0x00007FF7F8D01000-memory.dmp

Filesize
3.3MB

Download
memory/4500-147-0x00007FF6C9960000-0x00007FF6C9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4500-91-0x00007FF6C9960000-0x00007FF6C9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4500-246-0x00007FF6C9960000-0x00007FF6C9CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-1-0x000001C2AAE30000-0x000001C2AAE40000-memory.dmp

Filesize
64KB

Download
memory/4540-154-0x00007FF600170000-0x00007FF6004C1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-0-0x00007FF600170000-0x00007FF6004C1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-90-0x00007FF600170000-0x00007FF6004C1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-130-0x00007FF600170000-0x00007FF6004C1000-memory.dmp

Filesize
3.3MB

Download
memory/4776-103-0x00007FF6686E0000-0x00007FF668A31000-memory.dmp

Filesize
3.3MB

Download
memory/4776-148-0x00007FF6686E0000-0x00007FF668A31000-memory.dmp

Filesize
3.3MB

Download
memory/4776-251-0x00007FF6686E0000-0x00007FF668A31000-memory.dmp

Filesize
3.3MB

Download
memory/4964-238-0x00007FF75CCA0000-0x00007FF75CFF1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-74-0x00007FF75CCA0000-0x00007FF75CFF1000-memory.dmp

Filesize
3.3MB

Download