cobaltstrike | 98e23a269c039dec6e2da32705b2fed25df041590165b73baac680742d44a29b

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ecce330ae6eeac65a3dfb73a777205d5
SHA1

d5746eee449e33cbf5df1776a0d987ef20be9828
SHA256

98e23a269c039dec6e2da32705b2fed25df041590165b73baac680742d44a29b
SHA512

7deb67afe45e86fecf7053d8ed0d2cc6c4feb9b5bd689c587647c1ee7f58a45bb116727557a4107a7cb58bcdde53e4df34b2900d56377f310bf88529c1590430
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023476-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-25.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-30.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002347a-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023480-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-103.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-124.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023490-136.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-141.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/852-42-0x00007FF6FB340000-0x00007FF6FB691000-memory.dmp	xmrig
behavioral2/memory/4348-59-0x00007FF784850000-0x00007FF784BA1000-memory.dmp	xmrig
behavioral2/memory/1220-67-0x00007FF77AD00000-0x00007FF77B051000-memory.dmp	xmrig
behavioral2/memory/2976-87-0x00007FF6E5570000-0x00007FF6E58C1000-memory.dmp	xmrig
behavioral2/memory/5024-91-0x00007FF64E360000-0x00007FF64E6B1000-memory.dmp	xmrig
behavioral2/memory/2568-89-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp	xmrig
behavioral2/memory/116-122-0x00007FF6302B0000-0x00007FF630601000-memory.dmp	xmrig
behavioral2/memory/2324-119-0x00007FF6517F0000-0x00007FF651B41000-memory.dmp	xmrig
behavioral2/memory/988-84-0x00007FF78AF80000-0x00007FF78B2D1000-memory.dmp	xmrig
behavioral2/memory/4868-75-0x00007FF68E790000-0x00007FF68EAE1000-memory.dmp	xmrig
behavioral2/memory/1212-73-0x00007FF6CE3B0000-0x00007FF6CE701000-memory.dmp	xmrig
behavioral2/memory/1040-138-0x00007FF6324D0000-0x00007FF632821000-memory.dmp	xmrig
behavioral2/memory/1808-133-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	xmrig
behavioral2/memory/4856-131-0x00007FF77B010000-0x00007FF77B361000-memory.dmp	xmrig
behavioral2/memory/2820-149-0x00007FF6F4390000-0x00007FF6F46E1000-memory.dmp	xmrig
behavioral2/memory/3792-150-0x00007FF757010000-0x00007FF757361000-memory.dmp	xmrig
behavioral2/memory/992-154-0x00007FF77D280000-0x00007FF77D5D1000-memory.dmp	xmrig
behavioral2/memory/1564-153-0x00007FF73B180000-0x00007FF73B4D1000-memory.dmp	xmrig
behavioral2/memory/4572-162-0x00007FF7C45E0000-0x00007FF7C4931000-memory.dmp	xmrig
behavioral2/memory/2520-165-0x00007FF6D2A50000-0x00007FF6D2DA1000-memory.dmp	xmrig
behavioral2/memory/2760-164-0x00007FF7629E0000-0x00007FF762D31000-memory.dmp	xmrig
behavioral2/memory/3272-170-0x00007FF70A6F0000-0x00007FF70AA41000-memory.dmp	xmrig
behavioral2/memory/4348-166-0x00007FF784850000-0x00007FF784BA1000-memory.dmp	xmrig
behavioral2/memory/1220-216-0x00007FF77AD00000-0x00007FF77B051000-memory.dmp	xmrig
behavioral2/memory/1212-224-0x00007FF6CE3B0000-0x00007FF6CE701000-memory.dmp	xmrig
behavioral2/memory/988-226-0x00007FF78AF80000-0x00007FF78B2D1000-memory.dmp	xmrig
behavioral2/memory/4868-228-0x00007FF68E790000-0x00007FF68EAE1000-memory.dmp	xmrig
behavioral2/memory/852-230-0x00007FF6FB340000-0x00007FF6FB691000-memory.dmp	xmrig
behavioral2/memory/2976-232-0x00007FF6E5570000-0x00007FF6E58C1000-memory.dmp	xmrig
behavioral2/memory/5024-234-0x00007FF64E360000-0x00007FF64E6B1000-memory.dmp	xmrig
behavioral2/memory/2324-240-0x00007FF6517F0000-0x00007FF651B41000-memory.dmp	xmrig
behavioral2/memory/116-242-0x00007FF6302B0000-0x00007FF630601000-memory.dmp	xmrig
behavioral2/memory/4856-252-0x00007FF77B010000-0x00007FF77B361000-memory.dmp	xmrig
behavioral2/memory/1808-254-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	xmrig
behavioral2/memory/1040-256-0x00007FF6324D0000-0x00007FF632821000-memory.dmp	xmrig
behavioral2/memory/2568-258-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp	xmrig
behavioral2/memory/2820-260-0x00007FF6F4390000-0x00007FF6F46E1000-memory.dmp	xmrig
behavioral2/memory/1564-262-0x00007FF73B180000-0x00007FF73B4D1000-memory.dmp	xmrig
behavioral2/memory/3792-264-0x00007FF757010000-0x00007FF757361000-memory.dmp	xmrig
behavioral2/memory/992-267-0x00007FF77D280000-0x00007FF77D5D1000-memory.dmp	xmrig
behavioral2/memory/2760-270-0x00007FF7629E0000-0x00007FF762D31000-memory.dmp	xmrig
behavioral2/memory/4572-269-0x00007FF7C45E0000-0x00007FF7C4931000-memory.dmp	xmrig
behavioral2/memory/3272-274-0x00007FF70A6F0000-0x00007FF70AA41000-memory.dmp	xmrig
behavioral2/memory/2520-276-0x00007FF6D2A50000-0x00007FF6D2DA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1220	qNqrTzC.exe
1212	QNCZvio.exe
988	BELElTb.exe
4868	UbwfBUL.exe
2976	iyurFrH.exe
5024	uhUwcvH.exe
852	EuWLpoN.exe
2324	jhVRuEa.exe
116	UMKWfOH.exe
4856	ePxIhxq.exe
1808	VtqUohz.exe
1040	eDezLyY.exe
2568	xUnWrbR.exe
2820	ErCYKYV.exe
3792	geGDZrq.exe
1564	zYrIVAT.exe
992	MKZqBHK.exe
4572	IBnAPXz.exe
2760	PmSkuIW.exe
2520	tNSwdOK.exe
3272	jExmggA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4348-0-0x00007FF784850000-0x00007FF784BA1000-memory.dmp	upx
behavioral2/files/0x0008000000023476-5.dat	upx
behavioral2/memory/1220-8-0x00007FF77AD00000-0x00007FF77B051000-memory.dmp	upx
behavioral2/files/0x000700000002347d-10.dat	upx
behavioral2/files/0x000700000002347e-25.dat	upx
behavioral2/files/0x000700000002347f-30.dat	upx
behavioral2/files/0x000800000002347a-33.dat	upx
behavioral2/memory/5024-40-0x00007FF64E360000-0x00007FF64E6B1000-memory.dmp	upx
behavioral2/files/0x0007000000023480-37.dat	upx
behavioral2/memory/852-42-0x00007FF6FB340000-0x00007FF6FB691000-memory.dmp	upx
behavioral2/files/0x0007000000023481-36.dat	upx
behavioral2/memory/2976-34-0x00007FF6E5570000-0x00007FF6E58C1000-memory.dmp	upx
behavioral2/memory/4868-28-0x00007FF68E790000-0x00007FF68EAE1000-memory.dmp	upx
behavioral2/memory/988-21-0x00007FF78AF80000-0x00007FF78B2D1000-memory.dmp	upx
behavioral2/memory/1212-17-0x00007FF6CE3B0000-0x00007FF6CE701000-memory.dmp	upx
behavioral2/files/0x0007000000023482-47.dat	upx
behavioral2/files/0x0007000000023483-53.dat	upx
behavioral2/memory/2324-48-0x00007FF6517F0000-0x00007FF651B41000-memory.dmp	upx
behavioral2/memory/116-54-0x00007FF6302B0000-0x00007FF630601000-memory.dmp	upx
behavioral2/files/0x0007000000023484-58.dat	upx
behavioral2/memory/4348-59-0x00007FF784850000-0x00007FF784BA1000-memory.dmp	upx
behavioral2/memory/1808-68-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	upx
behavioral2/memory/1220-67-0x00007FF77AD00000-0x00007FF77B051000-memory.dmp	upx
behavioral2/files/0x0007000000023485-66.dat	upx
behavioral2/memory/4856-61-0x00007FF77B010000-0x00007FF77B361000-memory.dmp	upx
behavioral2/files/0x0007000000023486-77.dat	upx
behavioral2/memory/1040-76-0x00007FF6324D0000-0x00007FF632821000-memory.dmp	upx
behavioral2/memory/2976-87-0x00007FF6E5570000-0x00007FF6E58C1000-memory.dmp	upx
behavioral2/memory/5024-91-0x00007FF64E360000-0x00007FF64E6B1000-memory.dmp	upx
behavioral2/memory/2568-89-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp	upx
behavioral2/files/0x0007000000023489-94.dat	upx
behavioral2/memory/2820-96-0x00007FF6F4390000-0x00007FF6F46E1000-memory.dmp	upx
behavioral2/files/0x000700000002348a-103.dat	upx
behavioral2/files/0x000700000002348c-111.dat	upx
behavioral2/memory/992-112-0x00007FF77D280000-0x00007FF77D5D1000-memory.dmp	upx
behavioral2/files/0x000700000002348d-124.dat	upx
behavioral2/memory/2760-123-0x00007FF7629E0000-0x00007FF762D31000-memory.dmp	upx
behavioral2/memory/116-122-0x00007FF6302B0000-0x00007FF630601000-memory.dmp	upx
behavioral2/memory/2324-119-0x00007FF6517F0000-0x00007FF651B41000-memory.dmp	upx
behavioral2/memory/4572-116-0x00007FF7C45E0000-0x00007FF7C4931000-memory.dmp	upx
behavioral2/files/0x000700000002348b-113.dat	upx
behavioral2/memory/1564-102-0x00007FF73B180000-0x00007FF73B4D1000-memory.dmp	upx
behavioral2/memory/3792-97-0x00007FF757010000-0x00007FF757361000-memory.dmp	upx
behavioral2/files/0x0007000000023488-93.dat	upx
behavioral2/memory/988-84-0x00007FF78AF80000-0x00007FF78B2D1000-memory.dmp	upx
behavioral2/files/0x0007000000023487-81.dat	upx
behavioral2/memory/4868-75-0x00007FF68E790000-0x00007FF68EAE1000-memory.dmp	upx
behavioral2/memory/1212-73-0x00007FF6CE3B0000-0x00007FF6CE701000-memory.dmp	upx
behavioral2/files/0x0007000000023490-136.dat	upx
behavioral2/memory/3272-140-0x00007FF70A6F0000-0x00007FF70AA41000-memory.dmp	upx
behavioral2/files/0x000700000002348e-141.dat	upx
behavioral2/memory/1040-138-0x00007FF6324D0000-0x00007FF632821000-memory.dmp	upx
behavioral2/memory/2520-135-0x00007FF6D2A50000-0x00007FF6D2DA1000-memory.dmp	upx
behavioral2/memory/1808-133-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp	upx
behavioral2/memory/4856-131-0x00007FF77B010000-0x00007FF77B361000-memory.dmp	upx
behavioral2/memory/2820-149-0x00007FF6F4390000-0x00007FF6F46E1000-memory.dmp	upx
behavioral2/memory/3792-150-0x00007FF757010000-0x00007FF757361000-memory.dmp	upx
behavioral2/memory/992-154-0x00007FF77D280000-0x00007FF77D5D1000-memory.dmp	upx
behavioral2/memory/1564-153-0x00007FF73B180000-0x00007FF73B4D1000-memory.dmp	upx
behavioral2/memory/4572-162-0x00007FF7C45E0000-0x00007FF7C4931000-memory.dmp	upx
behavioral2/memory/2520-165-0x00007FF6D2A50000-0x00007FF6D2DA1000-memory.dmp	upx
behavioral2/memory/2760-164-0x00007FF7629E0000-0x00007FF762D31000-memory.dmp	upx
behavioral2/memory/3272-170-0x00007FF70A6F0000-0x00007FF70AA41000-memory.dmp	upx
behavioral2/memory/4348-166-0x00007FF784850000-0x00007FF784BA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ErCYKYV.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKZqBHK.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IBnAPXz.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PmSkuIW.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QNCZvio.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iyurFrH.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EuWLpoN.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VtqUohz.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\geGDZrq.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jExmggA.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qNqrTzC.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BELElTb.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMKWfOH.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUnWrbR.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eDezLyY.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zYrIVAT.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tNSwdOK.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UbwfBUL.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhUwcvH.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhVRuEa.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePxIhxq.exe	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 1220	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4348 wrote to memory of 1220	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4348 wrote to memory of 1212	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4348 wrote to memory of 1212	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4348 wrote to memory of 988	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4348 wrote to memory of 988	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4348 wrote to memory of 4868	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4348 wrote to memory of 4868	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4348 wrote to memory of 2976	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4348 wrote to memory of 2976	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4348 wrote to memory of 5024	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4348 wrote to memory of 5024	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4348 wrote to memory of 852	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4348 wrote to memory of 852	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4348 wrote to memory of 2324	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4348 wrote to memory of 2324	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4348 wrote to memory of 116	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4348 wrote to memory of 116	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4348 wrote to memory of 4856	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4348 wrote to memory of 4856	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4348 wrote to memory of 1808	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4348 wrote to memory of 1808	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4348 wrote to memory of 1040	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4348 wrote to memory of 1040	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4348 wrote to memory of 2568	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4348 wrote to memory of 2568	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4348 wrote to memory of 2820	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4348 wrote to memory of 2820	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4348 wrote to memory of 3792	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4348 wrote to memory of 3792	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4348 wrote to memory of 1564	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4348 wrote to memory of 1564	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4348 wrote to memory of 992	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4348 wrote to memory of 992	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4348 wrote to memory of 4572	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4348 wrote to memory of 4572	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4348 wrote to memory of 2760	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4348 wrote to memory of 2760	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4348 wrote to memory of 2520	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4348 wrote to memory of 2520	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4348 wrote to memory of 3272	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4348 wrote to memory of 3272	4348	2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-22_ecce330ae6eeac65a3dfb73a777205d5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\System\qNqrTzC.exe
  C:\Windows\System\qNqrTzC.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\QNCZvio.exe
  C:\Windows\System\QNCZvio.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\BELElTb.exe
  C:\Windows\System\BELElTb.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System\UbwfBUL.exe
  C:\Windows\System\UbwfBUL.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\iyurFrH.exe
  C:\Windows\System\iyurFrH.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\uhUwcvH.exe
  C:\Windows\System\uhUwcvH.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\EuWLpoN.exe
  C:\Windows\System\EuWLpoN.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\jhVRuEa.exe
  C:\Windows\System\jhVRuEa.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\UMKWfOH.exe
  C:\Windows\System\UMKWfOH.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\ePxIhxq.exe
  C:\Windows\System\ePxIhxq.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\VtqUohz.exe
  C:\Windows\System\VtqUohz.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\eDezLyY.exe
  C:\Windows\System\eDezLyY.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\xUnWrbR.exe
  C:\Windows\System\xUnWrbR.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\ErCYKYV.exe
  C:\Windows\System\ErCYKYV.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\geGDZrq.exe
  C:\Windows\System\geGDZrq.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\zYrIVAT.exe
  C:\Windows\System\zYrIVAT.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\MKZqBHK.exe
  C:\Windows\System\MKZqBHK.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\IBnAPXz.exe
  C:\Windows\System\IBnAPXz.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\PmSkuIW.exe
  C:\Windows\System\PmSkuIW.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\tNSwdOK.exe
  C:\Windows\System\tNSwdOK.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\jExmggA.exe
  C:\Windows\System\jExmggA.exe
  2⤵
  - Executes dropped EXE
  PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BELElTb.exe

Filesize
5.2MB

MD5
61c007ccc4627275ee7337162492c5a3

SHA1
a32a910e7b80e08a8e87d82efe74578ca7b95bea

SHA256
9a6a07954ad1946fedb4d5de8e1ff5ce97046ab314c545a054d8d66edb657624

SHA512
3e63510bf258f2cd12391d2439ee6673ace009f947badcb5e0cd45ee7088a04d60ad0080fbb9f8ffa900db71d2e35e6f2260fce0951d5b6df7beb185e5b6cc7b

Download Submit
C:\Windows\System\ErCYKYV.exe

Filesize
5.2MB

MD5
3dce93eec4e73cf5537d430fef748d5a

SHA1
911002aec5f750b70a81891c551a323230649484

SHA256
b4b5d6d7efca1f33eb51fae2ce8237d35f88a46afaf9e4b1dbd1e3c24174a3c9

SHA512
540ba425a937ff1066ff33119496d32c2cb0b6a20e579a46e1a3b7fa5ee255b6ea7d0b527d56cf1de13ac2e276b47a94176137d83c57ebf03e99a9ad2dc9a434

Download Submit
C:\Windows\System\EuWLpoN.exe

Filesize
5.2MB

MD5
02d548ab3a8422df8754ebcd8ce0b7a5

SHA1
06d6f1506ab5279e51d6aa58ee0a46a475f49354

SHA256
2c8d037d4a83ae63c0ac7889233d2071a0456002f258c33b7cbfd6e0d8764f3a

SHA512
d0226293d2735829a34b9520bba924e67a623b9bc03cdb24f4ff2023443e0f10fa303d38eb144c063f6fc966ac7a55ddb72d53a5e9256eed415a42005c255032

Download Submit
C:\Windows\System\IBnAPXz.exe

Filesize
5.2MB

MD5
b7b85e8b0e0ebe218e9c20cd6a9b6559

SHA1
bb861dc1f413e4ff4857d337ba29e01521f219da

SHA256
ac52baacf5a16f0ed42a1e8333e74cb6916dfcc4d03871305da83a27998099c0

SHA512
5e7ff8489e57dea43c7ab0b7baf4195243109729d0359d1a137961230857701ef8c67a0a84289652f4a5869d1693dbc0e7668ce6dc019b580e73da4c38a38e61

Download Submit
C:\Windows\System\MKZqBHK.exe

Filesize
5.2MB

MD5
75874d4abfbc6dad6e8e8579b48480c9

SHA1
829ca2342c6e9d6275396183a07cdc4be6a1a6d8

SHA256
bd02a4db6dcab9e28cb7fa3f92a949562ce9c5f05a9ead60dbb79ad222bfd4f4

SHA512
827770712bcebd804905c3037be95b8ec263908cd9bc1c5feb9c97d9519bf603a6bc91ec2d8173fd6c7707013a788ed2e4ce0d0e1d0be787f82183849644aaaf

Download Submit
C:\Windows\System\PmSkuIW.exe

Filesize
5.2MB

MD5
abc042d9c5557f2cc5af8fb3d8265b90

SHA1
7a9f11b676eea7642f30c461c62b3697894a8600

SHA256
7fef2b0c16df9cc154540cacc5e8246ec72160c3f499c40626360070ecc15674

SHA512
4271517829439c16f59a35579d086fd7c49d39c3cba603c20df311fa91ddbdb1d736a9a6d043f14f06322256823e24c5b029a0c0743844ae11943da22b538f6f

Download Submit
C:\Windows\System\QNCZvio.exe

Filesize
5.2MB

MD5
550a5eea0c101e76b44a42db2811f0a1

SHA1
d8445405a62a7c59f6a5bf6607cbce07b57cc3a8

SHA256
966e15e2259d0f49fa859c21ecf25126e2fb8b694667a2e337fdc66522727de5

SHA512
465a662232fd37a1dbba194f66ef2ce8715b15ad581d238d61e6a0cc466579f360654197d0d748a954673f3115453bba740feb6e80738cd026411066ba65ca5d

Download Submit
C:\Windows\System\UMKWfOH.exe

Filesize
5.2MB

MD5
7ad1f0bb5e8c5059be4051a010b7ad83

SHA1
335e0dc29b84717f907a0d838cd4435438f6bfa8

SHA256
23d6eba3c3dd81dc9973d53cc27991ea0154eea99e6b91b837dcf1297aae8206

SHA512
fc32086331350215a8d2ff02834bc07e40640ffca16e4fcdaf17b459d38374fcde4a7def0fab57b1b7549f4b58b043d999731627d6bf70e9c608acf4ac207a2d

Download Submit
C:\Windows\System\UbwfBUL.exe

Filesize
5.2MB

MD5
56e702ac3e4021d167c465c59211226e

SHA1
29f63ff72075be6033796f85252324a891d434c3

SHA256
d19ee530abb93515e90d04cd363b596d8fea8764837f97c3d2453107de82c614

SHA512
42d23b8d96112d1f8761b43960e0e19a7a2c0b05e636997f3c1d81ad67b85f7da1bdbc529eacf4888c23ca7787053162f163596422a9cbf8c0ca596bd6a67931

Download Submit
C:\Windows\System\VtqUohz.exe

Filesize
5.2MB

MD5
fcd28f851ee50d4e39dc21e8b92d9bcc

SHA1
d8ec04174e52701c879d57e01343676879339c58

SHA256
d6dc4b665a3476e0f2e7c81dd2cc2252ecb198442c3e1ec0cbce290d132f302d

SHA512
d61789bf72201cd2b62c907d9f451bb00ee43926132f1722563bce47882ec6299926594197979ba82b01ea41c05b5797c90245e13cd0381950ff0169ccf423a5

Download Submit
C:\Windows\System\eDezLyY.exe

Filesize
5.2MB

MD5
78fb4fc4f59ca7f37af3180ace6d9d96

SHA1
67c518619064be76d861c5c4da5f018c910186e9

SHA256
5b46d71c2130f1d023bfa89c567b7f86be7d1b60883d66e84e94d1ec0d6a7ecd

SHA512
25a65f913282a54de23d6ebf821da365c6b25d0402f8db583189d8fa902afd1b861b3a10a0ae74a34ae04169b4bf95f73544c973f3ad14c709f774e3c21b3ae3

Download Submit
C:\Windows\System\ePxIhxq.exe

Filesize
5.2MB

MD5
be2a4a614624fca63a3d470523ce5392

SHA1
1bd28ce7346a7d6ca6f421833afc15768f241224

SHA256
a01de0912a87fdc7110c3ae8865f9df3043d96da6614f66ea163437420ec1c40

SHA512
87334318006bc45d8bcb15f9f2894555e19930cc2168f2c63984c00211a9b9d7dfb8a5a0abe08f60b8f9333fdf8a9ec64cfec23dfd70bd08767d3ba7433bdbfd

Download Submit
C:\Windows\System\geGDZrq.exe

Filesize
5.2MB

MD5
49e11b23b6bddbc62581d20f15ced9e4

SHA1
79caf9b986cdf9f7ef2e20faacf84d32166a8eb6

SHA256
1308e82c559128f2b78a22c6e7110c9ef5d6552554c8b45026aeb1517535df6d

SHA512
7d2c49e11c9ad2a228d3332466d48ec57b30ee56beeacd1550f641a419a160ee1339b49a60f9e06f1ef332692fab064405229d5a24bcc515a40e0c99ecb03ca6

Download Submit
C:\Windows\System\iyurFrH.exe

Filesize
5.2MB

MD5
c629b0fea7800b98d114a5c4cce40cf9

SHA1
b02a39fcdcf34606c2eb74acf7d55f3b67b4cb2f

SHA256
b8b1e13290f2b7195c516f20ee8266cf9305679df18b4cac7dcfc4322f900d03

SHA512
541804100a4ace7181a631529cc3b197dd0ca0caaf5726ecbe7b5bd4937b7f0ca91f67c19a51372cd16e9370e8ab42b2c7b2f27406463dd92ead2c983daea2eb

Download Submit
C:\Windows\System\jExmggA.exe

Filesize
5.2MB

MD5
a311e89412c1579e74bed783a793d6f3

SHA1
1a502a775f2606d064568291d39949c2aee51bfb

SHA256
dc8632f023f03aa3a541204b846750745a566a3811795678a1d7680ae0aea233

SHA512
a8d09ecb0adb6e0a3e0a0592b12fbcfbd22406a0db87c1df1a7e1792628ba7366313972a74e9f9e3b5402f6756abefa91914540e896e9eb9ea5e4ceca748d372

Download Submit
C:\Windows\System\jhVRuEa.exe

Filesize
5.2MB

MD5
534657bc95e0e81b3662fc07b0a26498

SHA1
baf6277272e1b1167ed2bf4ce0c5b7839d1e82ee

SHA256
b1af3579866cbeb4e6fba5872022fd51d82e40c4496f827633260e43ca9f3c13

SHA512
034cfae9d206483754fb5ad10afef1a21845a4d452f204107f68271efd8e5db5387648e1ce323a60b562bd2d1bafc0d2e39d85a3894dd557e18fa9e9e6665fa5

Download Submit
C:\Windows\System\qNqrTzC.exe

Filesize
5.2MB

MD5
e20073488995ad6acc32c06f05ebe8d2

SHA1
037a077a9dcdf3ea0387b54ebcb951142c6c06f9

SHA256
f860b52d169882df1754902e3b8ec52ada7d087732b270a8ca47137d71308d60

SHA512
d0d856ea8781834bcb06fe5d07fa1bd935ade4f5623a43c1d5885b76c7e1af1a97707be5628ebe89cecc05e7878402f1511f7fb675f297aef3ffb53562186a7f

Download Submit
C:\Windows\System\tNSwdOK.exe

Filesize
5.2MB

MD5
c5b8d588f62f9f7e5e318f04b81371c1

SHA1
9c049ce97b903062f7b3d85cb8d43be09ddbf484

SHA256
c732446a3632f51299341c1747c10a376861be75e9529831f70dda9cc6e824e6

SHA512
9ce39b0f98abe78fdc6a748ce5ce7621c553c50db23f4ec6d7004c77042069bad1257186b4483db400164f69aea6a85eb5473b6aff71066e1bf7ce50a775baae

Download Submit
C:\Windows\System\uhUwcvH.exe

Filesize
5.2MB

MD5
da979f5514a0b3676cac90c911baba4f

SHA1
ac8f5401cb8f4b2226204e3bb36484ad721beb0d

SHA256
ff2de0c70b3c9878d7e12aba1e88da2f63238ea0bbebb7573fbfb55cdab6c7df

SHA512
0aa87f52bbdc6ae31fea59dca4192b3dac5b2bfc7713132e3cf742e1f9841734d9b0d1780ee0fc2e66e88bf239b8fdde804feb12bcb12cf96441c6792de2a691

Download Submit
C:\Windows\System\xUnWrbR.exe

Filesize
5.2MB

MD5
3d8c3a0e26fab620e97dba8d4ed97c9a

SHA1
c022c253959af0b033204b797c37bfb5148395c3

SHA256
9b66041fd989309491751ef318cc785dfef4969984d1348f569706cb835b1b67

SHA512
bb5cdfa9c9bca1562acfd76d793e6b5c039aca204ef1319958fee60e78564239fc356f15a4c1a3376db25b4c682dd9c1cec63ef00f04c238dee094e422fe3eb8

Download Submit
C:\Windows\System\zYrIVAT.exe

Filesize
5.2MB

MD5
12b6e5c7aca654e779175b7caa654abe

SHA1
891ba281e7c06c9f26e92bc32d0283bcd921a30f

SHA256
c5375789f39c81393477d99ba5190d5e5750dbf27262b904ede9dfb9b00bec97

SHA512
a4dc67560276ebae3ea5e71392c6a803988b531156fc7adcea0c009a3be6bd24c4aa27519d17517fdc44daabfa76fb988b8694ba1552dd6b2ef39ef181521f12

Download Submit
memory/116-54-0x00007FF6302B0000-0x00007FF630601000-memory.dmp

Filesize
3.3MB

Download
memory/116-122-0x00007FF6302B0000-0x00007FF630601000-memory.dmp

Filesize
3.3MB

Download
memory/116-242-0x00007FF6302B0000-0x00007FF630601000-memory.dmp

Filesize
3.3MB

Download
memory/852-42-0x00007FF6FB340000-0x00007FF6FB691000-memory.dmp

Filesize
3.3MB

Download
memory/852-230-0x00007FF6FB340000-0x00007FF6FB691000-memory.dmp

Filesize
3.3MB

Download
memory/988-21-0x00007FF78AF80000-0x00007FF78B2D1000-memory.dmp

Filesize
3.3MB

Download
memory/988-226-0x00007FF78AF80000-0x00007FF78B2D1000-memory.dmp

Filesize
3.3MB

Download
memory/988-84-0x00007FF78AF80000-0x00007FF78B2D1000-memory.dmp

Filesize
3.3MB

Download
memory/992-154-0x00007FF77D280000-0x00007FF77D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/992-112-0x00007FF77D280000-0x00007FF77D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/992-267-0x00007FF77D280000-0x00007FF77D5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-256-0x00007FF6324D0000-0x00007FF632821000-memory.dmp

Filesize
3.3MB

Download
memory/1040-138-0x00007FF6324D0000-0x00007FF632821000-memory.dmp

Filesize
3.3MB

Download
memory/1040-76-0x00007FF6324D0000-0x00007FF632821000-memory.dmp

Filesize
3.3MB

Download
memory/1212-17-0x00007FF6CE3B0000-0x00007FF6CE701000-memory.dmp

Filesize
3.3MB

Download
memory/1212-224-0x00007FF6CE3B0000-0x00007FF6CE701000-memory.dmp

Filesize
3.3MB

Download
memory/1212-73-0x00007FF6CE3B0000-0x00007FF6CE701000-memory.dmp

Filesize
3.3MB

Download
memory/1220-67-0x00007FF77AD00000-0x00007FF77B051000-memory.dmp

Filesize
3.3MB

Download
memory/1220-8-0x00007FF77AD00000-0x00007FF77B051000-memory.dmp

Filesize
3.3MB

Download
memory/1220-216-0x00007FF77AD00000-0x00007FF77B051000-memory.dmp

Filesize
3.3MB

Download
memory/1564-262-0x00007FF73B180000-0x00007FF73B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-102-0x00007FF73B180000-0x00007FF73B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-153-0x00007FF73B180000-0x00007FF73B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-68-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-133-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-254-0x00007FF70B790000-0x00007FF70BAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-240-0x00007FF6517F0000-0x00007FF651B41000-memory.dmp

Filesize
3.3MB

Download
memory/2324-119-0x00007FF6517F0000-0x00007FF651B41000-memory.dmp

Filesize
3.3MB

Download
memory/2324-48-0x00007FF6517F0000-0x00007FF651B41000-memory.dmp

Filesize
3.3MB

Download
memory/2520-135-0x00007FF6D2A50000-0x00007FF6D2DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-276-0x00007FF6D2A50000-0x00007FF6D2DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-165-0x00007FF6D2A50000-0x00007FF6D2DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-89-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-258-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-123-0x00007FF7629E0000-0x00007FF762D31000-memory.dmp

Filesize
3.3MB

Download
memory/2760-270-0x00007FF7629E0000-0x00007FF762D31000-memory.dmp

Filesize
3.3MB

Download
memory/2760-164-0x00007FF7629E0000-0x00007FF762D31000-memory.dmp

Filesize
3.3MB

Download
memory/2820-149-0x00007FF6F4390000-0x00007FF6F46E1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-260-0x00007FF6F4390000-0x00007FF6F46E1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-96-0x00007FF6F4390000-0x00007FF6F46E1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-232-0x00007FF6E5570000-0x00007FF6E58C1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-87-0x00007FF6E5570000-0x00007FF6E58C1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-34-0x00007FF6E5570000-0x00007FF6E58C1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-170-0x00007FF70A6F0000-0x00007FF70AA41000-memory.dmp

Filesize
3.3MB

Download
memory/3272-274-0x00007FF70A6F0000-0x00007FF70AA41000-memory.dmp

Filesize
3.3MB

Download
memory/3272-140-0x00007FF70A6F0000-0x00007FF70AA41000-memory.dmp

Filesize
3.3MB

Download
memory/3792-150-0x00007FF757010000-0x00007FF757361000-memory.dmp

Filesize
3.3MB

Download
memory/3792-264-0x00007FF757010000-0x00007FF757361000-memory.dmp

Filesize
3.3MB

Download
memory/3792-97-0x00007FF757010000-0x00007FF757361000-memory.dmp

Filesize
3.3MB

Download
memory/4348-0-0x00007FF784850000-0x00007FF784BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4348-59-0x00007FF784850000-0x00007FF784BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4348-166-0x00007FF784850000-0x00007FF784BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4348-1-0x0000020A49230000-0x0000020A49240000-memory.dmp

Filesize
64KB

Download
memory/4572-269-0x00007FF7C45E0000-0x00007FF7C4931000-memory.dmp

Filesize
3.3MB

Download
memory/4572-162-0x00007FF7C45E0000-0x00007FF7C4931000-memory.dmp

Filesize
3.3MB

Download
memory/4572-116-0x00007FF7C45E0000-0x00007FF7C4931000-memory.dmp

Filesize
3.3MB

Download
memory/4856-131-0x00007FF77B010000-0x00007FF77B361000-memory.dmp

Filesize
3.3MB

Download
memory/4856-252-0x00007FF77B010000-0x00007FF77B361000-memory.dmp

Filesize
3.3MB

Download
memory/4856-61-0x00007FF77B010000-0x00007FF77B361000-memory.dmp

Filesize
3.3MB

Download
memory/4868-28-0x00007FF68E790000-0x00007FF68EAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-228-0x00007FF68E790000-0x00007FF68EAE1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-75-0x00007FF68E790000-0x00007FF68EAE1000-memory.dmp

Filesize
3.3MB

Download
memory/5024-40-0x00007FF64E360000-0x00007FF64E6B1000-memory.dmp

Filesize
3.3MB

Download
memory/5024-234-0x00007FF64E360000-0x00007FF64E6B1000-memory.dmp

Filesize
3.3MB

Download
memory/5024-91-0x00007FF64E360000-0x00007FF64E6B1000-memory.dmp

Filesize
3.3MB

Download