cobaltstrike | 908ff2d90bb8dffadeaea6b8039903e6d7719505bdb18d7f4715499bb59879dd

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

44d6e4e3b976c8917eddf3a72f86fc61
SHA1

83701bb67ef71aed967e0bc5b56c2cb1332caa83
SHA256

908ff2d90bb8dffadeaea6b8039903e6d7719505bdb18d7f4715499bb59879dd
SHA512

3b1b56b26759c5bc29bb50d925b664515a76d7577225b236fad7206a5648045fff4831fb081496b1d1d39c186ea7fc3cd7123e1b00073ce0de6756106de0707c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibf56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023430-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023431-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-37.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-52.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-43.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4172-86-0x00007FF792460000-0x00007FF7927B1000-memory.dmp	xmrig
behavioral2/memory/324-87-0x00007FF60EEA0000-0x00007FF60F1F1000-memory.dmp	xmrig
behavioral2/memory/4472-112-0x00007FF7C2C90000-0x00007FF7C2FE1000-memory.dmp	xmrig
behavioral2/memory/1960-78-0x00007FF6A93C0000-0x00007FF6A9711000-memory.dmp	xmrig
behavioral2/memory/2944-73-0x00007FF624F00000-0x00007FF625251000-memory.dmp	xmrig
behavioral2/memory/3136-72-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp	xmrig
behavioral2/memory/2844-68-0x00007FF7320F0000-0x00007FF732441000-memory.dmp	xmrig
behavioral2/memory/2948-54-0x00007FF6962C0000-0x00007FF696611000-memory.dmp	xmrig
behavioral2/memory/2948-128-0x00007FF6962C0000-0x00007FF696611000-memory.dmp	xmrig
behavioral2/memory/2120-131-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp	xmrig
behavioral2/memory/2184-133-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp	xmrig
behavioral2/memory/3088-134-0x00007FF7584E0000-0x00007FF758831000-memory.dmp	xmrig
behavioral2/memory/2532-135-0x00007FF678260000-0x00007FF6785B1000-memory.dmp	xmrig
behavioral2/memory/640-137-0x00007FF6E75B0000-0x00007FF6E7901000-memory.dmp	xmrig
behavioral2/memory/3916-136-0x00007FF7EA340000-0x00007FF7EA691000-memory.dmp	xmrig
behavioral2/memory/1412-132-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp	xmrig
behavioral2/memory/2536-138-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	xmrig
behavioral2/memory/5072-144-0x00007FF6A6C80000-0x00007FF6A6FD1000-memory.dmp	xmrig
behavioral2/memory/1260-139-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	xmrig
behavioral2/memory/2096-145-0x00007FF62ED00000-0x00007FF62F051000-memory.dmp	xmrig
behavioral2/memory/3476-149-0x00007FF772540000-0x00007FF772891000-memory.dmp	xmrig
behavioral2/memory/432-151-0x00007FF624DE0000-0x00007FF625131000-memory.dmp	xmrig
behavioral2/memory/2212-150-0x00007FF7A28F0000-0x00007FF7A2C41000-memory.dmp	xmrig
behavioral2/memory/2948-153-0x00007FF6962C0000-0x00007FF696611000-memory.dmp	xmrig
behavioral2/memory/3136-202-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp	xmrig
behavioral2/memory/4172-204-0x00007FF792460000-0x00007FF7927B1000-memory.dmp	xmrig
behavioral2/memory/2120-209-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp	xmrig
behavioral2/memory/1412-211-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp	xmrig
behavioral2/memory/2184-213-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp	xmrig
behavioral2/memory/3088-220-0x00007FF7584E0000-0x00007FF758831000-memory.dmp	xmrig
behavioral2/memory/2536-222-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	xmrig
behavioral2/memory/1260-224-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	xmrig
behavioral2/memory/2844-235-0x00007FF7320F0000-0x00007FF732441000-memory.dmp	xmrig
behavioral2/memory/1960-237-0x00007FF6A93C0000-0x00007FF6A9711000-memory.dmp	xmrig
behavioral2/memory/2944-239-0x00007FF624F00000-0x00007FF625251000-memory.dmp	xmrig
behavioral2/memory/324-241-0x00007FF60EEA0000-0x00007FF60F1F1000-memory.dmp	xmrig
behavioral2/memory/5072-243-0x00007FF6A6C80000-0x00007FF6A6FD1000-memory.dmp	xmrig
behavioral2/memory/4472-245-0x00007FF7C2C90000-0x00007FF7C2FE1000-memory.dmp	xmrig
behavioral2/memory/2532-249-0x00007FF678260000-0x00007FF6785B1000-memory.dmp	xmrig
behavioral2/memory/2096-250-0x00007FF62ED00000-0x00007FF62F051000-memory.dmp	xmrig
behavioral2/memory/2212-254-0x00007FF7A28F0000-0x00007FF7A2C41000-memory.dmp	xmrig
behavioral2/memory/3476-252-0x00007FF772540000-0x00007FF772891000-memory.dmp	xmrig
behavioral2/memory/432-256-0x00007FF624DE0000-0x00007FF625131000-memory.dmp	xmrig
behavioral2/memory/640-260-0x00007FF6E75B0000-0x00007FF6E7901000-memory.dmp	xmrig
behavioral2/memory/3916-258-0x00007FF7EA340000-0x00007FF7EA691000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3136	qJDUDfS.exe
4172	KkAaMJl.exe
2120	LeiUAQQ.exe
1412	PsymtRN.exe
2184	KzWcilM.exe
3088	xhSPNfz.exe
2536	UkAQnWt.exe
1260	sRBOLrA.exe
2844	zOGbisz.exe
2944	QghIspr.exe
1960	aqqsHCB.exe
5072	DvUezeN.exe
324	oGmzdKY.exe
2096	ASOnARy.exe
2532	KXsnWLk.exe
4472	MApsVNB.exe
3916	OlmSUGs.exe
3476	KLxpwdu.exe
2212	naMcBTo.exe
432	YBliomK.exe
640	NkixFLQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2948-0-0x00007FF6962C0000-0x00007FF696611000-memory.dmp	upx
behavioral2/files/0x0008000000023430-4.dat	upx
behavioral2/memory/3136-8-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp	upx
behavioral2/files/0x0007000000023434-10.dat	upx
behavioral2/files/0x0007000000023435-11.dat	upx
behavioral2/memory/4172-13-0x00007FF792460000-0x00007FF7927B1000-memory.dmp	upx
behavioral2/files/0x0008000000023431-23.dat	upx
behavioral2/files/0x0007000000023436-28.dat	upx
behavioral2/memory/2184-30-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp	upx
behavioral2/memory/1412-25-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp	upx
behavioral2/memory/2120-20-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp	upx
behavioral2/files/0x0007000000023437-37.dat	upx
behavioral2/files/0x000700000002343a-50.dat	upx
behavioral2/files/0x000700000002343b-52.dat	upx
behavioral2/files/0x000700000002343c-55.dat	upx
behavioral2/files/0x000700000002343d-62.dat	upx
behavioral2/files/0x000700000002343e-75.dat	upx
behavioral2/memory/4172-86-0x00007FF792460000-0x00007FF7927B1000-memory.dmp	upx
behavioral2/files/0x0007000000023441-88.dat	upx
behavioral2/memory/324-87-0x00007FF60EEA0000-0x00007FF60F1F1000-memory.dmp	upx
behavioral2/files/0x0007000000023444-115.dat	upx
behavioral2/files/0x0007000000023443-123.dat	upx
behavioral2/files/0x0007000000023447-125.dat	upx
behavioral2/files/0x0007000000023446-119.dat	upx
behavioral2/files/0x0007000000023445-117.dat	upx
behavioral2/memory/2212-114-0x00007FF7A28F0000-0x00007FF7A2C41000-memory.dmp	upx
behavioral2/memory/3476-113-0x00007FF772540000-0x00007FF772891000-memory.dmp	upx
behavioral2/memory/4472-112-0x00007FF7C2C90000-0x00007FF7C2FE1000-memory.dmp	upx
behavioral2/memory/2096-103-0x00007FF62ED00000-0x00007FF62F051000-memory.dmp	upx
behavioral2/files/0x0007000000023442-101.dat	upx
behavioral2/files/0x0007000000023440-95.dat	upx
behavioral2/memory/5072-81-0x00007FF6A6C80000-0x00007FF6A6FD1000-memory.dmp	upx
behavioral2/files/0x000700000002343f-79.dat	upx
behavioral2/memory/1960-78-0x00007FF6A93C0000-0x00007FF6A9711000-memory.dmp	upx
behavioral2/memory/2944-73-0x00007FF624F00000-0x00007FF625251000-memory.dmp	upx
behavioral2/memory/3136-72-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp	upx
behavioral2/memory/2844-68-0x00007FF7320F0000-0x00007FF732441000-memory.dmp	upx
behavioral2/memory/2948-54-0x00007FF6962C0000-0x00007FF696611000-memory.dmp	upx
behavioral2/memory/1260-53-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	upx
behavioral2/files/0x0007000000023439-43.dat	upx
behavioral2/memory/2536-41-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	upx
behavioral2/memory/3088-36-0x00007FF7584E0000-0x00007FF758831000-memory.dmp	upx
behavioral2/memory/2948-128-0x00007FF6962C0000-0x00007FF696611000-memory.dmp	upx
behavioral2/memory/432-127-0x00007FF624DE0000-0x00007FF625131000-memory.dmp	upx
behavioral2/memory/2120-131-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp	upx
behavioral2/memory/2184-133-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp	upx
behavioral2/memory/3088-134-0x00007FF7584E0000-0x00007FF758831000-memory.dmp	upx
behavioral2/memory/2532-135-0x00007FF678260000-0x00007FF6785B1000-memory.dmp	upx
behavioral2/memory/640-137-0x00007FF6E75B0000-0x00007FF6E7901000-memory.dmp	upx
behavioral2/memory/3916-136-0x00007FF7EA340000-0x00007FF7EA691000-memory.dmp	upx
behavioral2/memory/1412-132-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp	upx
behavioral2/memory/2536-138-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	upx
behavioral2/memory/5072-144-0x00007FF6A6C80000-0x00007FF6A6FD1000-memory.dmp	upx
behavioral2/memory/1260-139-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp	upx
behavioral2/memory/2096-145-0x00007FF62ED00000-0x00007FF62F051000-memory.dmp	upx
behavioral2/memory/3476-149-0x00007FF772540000-0x00007FF772891000-memory.dmp	upx
behavioral2/memory/432-151-0x00007FF624DE0000-0x00007FF625131000-memory.dmp	upx
behavioral2/memory/2212-150-0x00007FF7A28F0000-0x00007FF7A2C41000-memory.dmp	upx
behavioral2/memory/2948-153-0x00007FF6962C0000-0x00007FF696611000-memory.dmp	upx
behavioral2/memory/3136-202-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp	upx
behavioral2/memory/4172-204-0x00007FF792460000-0x00007FF7927B1000-memory.dmp	upx
behavioral2/memory/2120-209-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp	upx
behavioral2/memory/1412-211-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp	upx
behavioral2/memory/2184-213-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sRBOLrA.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zOGbisz.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OlmSUGs.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KLxpwdu.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naMcBTo.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qJDUDfS.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PsymtRN.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KzWcilM.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXsnWLk.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YBliomK.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NkixFLQ.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LeiUAQQ.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xhSPNfz.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UkAQnWt.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QghIspr.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aqqsHCB.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oGmzdKY.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ASOnARy.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MApsVNB.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KkAaMJl.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DvUezeN.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3136	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2948 wrote to memory of 3136	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2948 wrote to memory of 4172	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2948 wrote to memory of 4172	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2948 wrote to memory of 2120	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2948 wrote to memory of 2120	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2948 wrote to memory of 1412	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2948 wrote to memory of 1412	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2948 wrote to memory of 2184	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2948 wrote to memory of 2184	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2948 wrote to memory of 3088	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2948 wrote to memory of 3088	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2948 wrote to memory of 2536	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2948 wrote to memory of 2536	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2948 wrote to memory of 1260	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2948 wrote to memory of 1260	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2948 wrote to memory of 2844	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2948 wrote to memory of 2844	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2948 wrote to memory of 2944	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2948 wrote to memory of 2944	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2948 wrote to memory of 1960	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2948 wrote to memory of 1960	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2948 wrote to memory of 324	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2948 wrote to memory of 324	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2948 wrote to memory of 5072	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2948 wrote to memory of 5072	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2948 wrote to memory of 2096	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2948 wrote to memory of 2096	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2948 wrote to memory of 2532	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2948 wrote to memory of 2532	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2948 wrote to memory of 4472	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2948 wrote to memory of 4472	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2948 wrote to memory of 3916	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2948 wrote to memory of 3916	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2948 wrote to memory of 3476	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2948 wrote to memory of 3476	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2948 wrote to memory of 2212	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2948 wrote to memory of 2212	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2948 wrote to memory of 432	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2948 wrote to memory of 432	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2948 wrote to memory of 640	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2948 wrote to memory of 640	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\System\qJDUDfS.exe
  C:\Windows\System\qJDUDfS.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\KkAaMJl.exe
  C:\Windows\System\KkAaMJl.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\LeiUAQQ.exe
  C:\Windows\System\LeiUAQQ.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\PsymtRN.exe
  C:\Windows\System\PsymtRN.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\KzWcilM.exe
  C:\Windows\System\KzWcilM.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\xhSPNfz.exe
  C:\Windows\System\xhSPNfz.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\UkAQnWt.exe
  C:\Windows\System\UkAQnWt.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\sRBOLrA.exe
  C:\Windows\System\sRBOLrA.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\zOGbisz.exe
  C:\Windows\System\zOGbisz.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\QghIspr.exe
  C:\Windows\System\QghIspr.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\aqqsHCB.exe
  C:\Windows\System\aqqsHCB.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\oGmzdKY.exe
  C:\Windows\System\oGmzdKY.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\DvUezeN.exe
  C:\Windows\System\DvUezeN.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\ASOnARy.exe
  C:\Windows\System\ASOnARy.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\KXsnWLk.exe
  C:\Windows\System\KXsnWLk.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\MApsVNB.exe
  C:\Windows\System\MApsVNB.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\OlmSUGs.exe
  C:\Windows\System\OlmSUGs.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\KLxpwdu.exe
  C:\Windows\System\KLxpwdu.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\naMcBTo.exe
  C:\Windows\System\naMcBTo.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\YBliomK.exe
  C:\Windows\System\YBliomK.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\NkixFLQ.exe
  C:\Windows\System\NkixFLQ.exe
  2⤵
  - Executes dropped EXE
  PID:640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ASOnARy.exe

Filesize
5.2MB

MD5
5d0c3e3f8cf4d4cdf8725ad1dfd6f482

SHA1
3dee08082fe70c3aacd2dd618ffd9c6c539f6593

SHA256
685472c1242bfc79089207467a03763c95c0fb3c0b863fe03cacb613a12148ed

SHA512
4962349f225162ae6059c7a44f63a7ebfeadb7bc6c2f40bc977de24244114d5965f3e6e0870ffe6a92373d775166c756b029431054e321394254ba7c90a74039

Download Submit
C:\Windows\System\DvUezeN.exe

Filesize
5.2MB

MD5
6f142bd44fcac8897e894ec59a63cab8

SHA1
969a0a2d86d3aa879e3880ff7cfbe66447016fae

SHA256
bfc641df0af0afd37b970944e01a9171cf5f50bc402b9b70eeaa208b0d772e6a

SHA512
36e65afa27e33948fe300e2f0140cc96a0f23239a7b5f9aa9d231446f6e152c842de587c1b0819863406dc9c29217375013da56f5a5656dbc4e84dd12ece23ab

Download Submit
C:\Windows\System\KLxpwdu.exe

Filesize
5.2MB

MD5
2bf8797c3fa012d95eedd3ed0f58b989

SHA1
e18d865568c811347ea68326995172a4823e5bc1

SHA256
1ceb18796dce8de25203b5913471fddb0fdd0d19b7a83fb1ec9c84b5f8feea9a

SHA512
c99ec2101e1949acd6a07d97841f2fd4b641c54d7712f23180c1404a5e51ca50156edfd4fd9c63ca9a8d6659671eb7d0c3e4ecdf32006fa8516be9bb5c9fbd12

Download Submit
C:\Windows\System\KXsnWLk.exe

Filesize
5.2MB

MD5
b04a799b54520ccac19693c99e678e5c

SHA1
15ff34e586e0965942403867ce71576bc68f5e29

SHA256
285593750810e7754ee4b2d422b2c397fa0f00a839b2fdbba568cd76d06b706c

SHA512
f5f3445e9516c9996cf1b57e058e1fb8bccec4a17123cbb5cc0887da2a81c5d60795b459b976a4c1f8216c2f41faf00f56f65463f14c12cb5ae80a5db01a157e

Download Submit
C:\Windows\System\KkAaMJl.exe

Filesize
5.2MB

MD5
84b1b3c9c5bdbe4151b7d4036c6749e5

SHA1
0d6787f896842b7a57692d9e314ac41b4f78503e

SHA256
cbcad4ba8c2ef0dc61b715acce28b7c01fc29eb6b0bce9ebe523ed329c14910e

SHA512
866c0ee0cfa68b4f0d8c81713188a20f036c84703711a266a21858b970600ae70f64a000c860ee7921f0a25b0fd8e3674945876c3562ac6943b292b975931fcb

Download Submit
C:\Windows\System\KzWcilM.exe

Filesize
5.2MB

MD5
0f6c0c5bd96cd8c418a92da3e74735b7

SHA1
e7b5ec4cbce18f6e1c36f058c143da7e7841c2a2

SHA256
ec0cbbe8e1830287e6b366e7ef70e0e0aa4aa2551b67fde3654212382acb7d33

SHA512
ceea7ebba21a0a20e0ddfdf77b0a57df4c67a07eca4a564ac5f60291d58deaf67ea2b1e1aecec431a5d32879771acf8bc7eb691a876a9145446094c2338f3120

Download Submit
C:\Windows\System\LeiUAQQ.exe

Filesize
5.2MB

MD5
549378eb3a265ba2e29482fc5df0f52b

SHA1
6d65e265a02075d84c9a1fb1f30bf67f794d1260

SHA256
fd8afd559f3426226d5113b381c4a49fc1ccc29e67ea1457479a2ee9874a8930

SHA512
e66dc22b7c8bcbac38f77c890fd9bceaf0e662c41b28558c8b540728ec873b5ebbf9d3217993089877c916e8ea8c27f2fb6c0c22e2e7bb2f083776736b27f29f

Download Submit
C:\Windows\System\MApsVNB.exe

Filesize
5.2MB

MD5
bef7be238631589c1e5d9296159d9ceb

SHA1
c6a7a5d00fd552040712d81a02ac335c00815a6f

SHA256
c625139fe855a819868ee8be0b9eeb54c93c6b57ddf21971df5998beb28d5255

SHA512
5d54f58a250895cc4541b25008d92ff082de1bd1305b7643aca8e34681945a5a0fe574ee22685cff5580980c12fa1a2d7d34c8571ebccc28c8a3802e75e574c0

Download Submit
C:\Windows\System\NkixFLQ.exe

Filesize
5.2MB

MD5
f8e105aed4d65e75606b54e2328dbd2b

SHA1
51498c3a3d582b2f9dcc45c67dcbdca68451aae8

SHA256
886bfac7168ad3bf4bbb4f293f2d4949bd757094fedc609f306ac3137c23db04

SHA512
ca13e52273f93b04f48d3aa61a6b35328cd1800383c7d02080fda137e774870aa60e69c3d567e493a6daecb43ccd94ca34cbfb3169cf76d45b5024b5fb381b5e

Download Submit
C:\Windows\System\OlmSUGs.exe

Filesize
5.2MB

MD5
e616d2eb0bc2b6808ab80ae77a46df13

SHA1
5bcb0ee80677bc57bc1d6ebd6da4f07d40f98603

SHA256
7f7a1cb40fa8bafa4eb743bbdf83e2174ac5075ccd5498db66c5cfa4e3578d8c

SHA512
32d5ae5530e3da6e44c9702cb680ba5c2e071e8e7674c7fc51edd8c3b0f48e872e30812498389d824b76c57d3bc01e1a396b4cc265e81f19c04cf6a42a8c7933

Download Submit
C:\Windows\System\PsymtRN.exe

Filesize
5.2MB

MD5
7b8e384c288a3956f3cb2e28144d6379

SHA1
887d502f122c8c7dc6845497141dcd9abf000f90

SHA256
bd4a483d2fb0bff74fe035ea4be62878501bdfe870d262b115052f0125b24653

SHA512
0454f690c2804459ffbe4e1d5f813ddcd35faf04bad448de1cd6aaf645b120f1f5c5e370de1e9475d6c1170c639ab20686df70a3bc9ec393015c2ced47371940

Download Submit
C:\Windows\System\QghIspr.exe

Filesize
5.2MB

MD5
bcee0e72358bc6a70f9bf33651f6de03

SHA1
30ecaabba49cf5c874fee345aed09bba8106e16e

SHA256
fdcdd8b977f5f03ffd0a4573cf7acc084f7192b6021cecd023b0c0835a1dda3e

SHA512
6ba54fe28955cad50080187d7c10967921e809944b947db0088ad0d70565f8d7819724ac9961595327d0fa888d1d6117616b328495ae7c1cdf9e0f1324a97adb

Download Submit
C:\Windows\System\UkAQnWt.exe

Filesize
5.2MB

MD5
8caa11fd3b4d752e596ad7e928118fc6

SHA1
4dc2daadb7cc77e90af6f2b492a761cca999d7b2

SHA256
c88200134b01bfc25edb29d9d77b09814f20ff4f04b0b337c007594080034f7b

SHA512
70f7fbbed04707736319db65b87c61b8c013b84f5fe3e21e6ce7d92f705ef2b7f47efb12d943c4a905d1d4ba361eb1d3fee35b1a0b02fb9947f06f9873b844d7

Download Submit
C:\Windows\System\YBliomK.exe

Filesize
5.2MB

MD5
65b7e67b560e44142eb4bddbfb90e758

SHA1
76589b623f3e283825a500eb5232b60691d4d6df

SHA256
dbcfda4f45ca287d1389e6f44993c3b4282194b87517e7adfa1bd111681f5399

SHA512
4f22ed1877bd4bd2c7cc5cce3446c6dc53add168811ae3e52ce8652a088728fcc900a88fb7c7721ec20cad1cebea607753c0f7bd921ce28d47b70a60ba678993

Download Submit
C:\Windows\System\aqqsHCB.exe

Filesize
5.2MB

MD5
1f083569cb37e7798db5bacd6c39d758

SHA1
2d768c3aa809147fca6f6e9e6ca8cf6cdc7b0135

SHA256
16713fd5b49e491edf9e22adfb9b3389c0137e6e61fb1d02df994320237c87a4

SHA512
6ca9ae0db6b6cd41d5479b51936e12f608957201cf6f6b9869d5d61e997ad920c3e7aaa7b1d5dbd5963160eb86650b10525e8b6b6511dc8434b5757713be0f0d

Download Submit
C:\Windows\System\naMcBTo.exe

Filesize
5.2MB

MD5
e65b8ff406d87dc9b4ce8d184f52ca64

SHA1
7a3066992d2d446303ce3291bf6100d18ef7485b

SHA256
9f3bc9f4340cfd94f422435117b220dfbe1fe50924db08816f12167f4666f28d

SHA512
eab60b0cf0f5a8f562bb2717834fa650672625803e81df99271c9c40173471c33a018b018949e932b2c0c39d8f77c560079aa9521df06715e355b2fb48d32948

Download Submit
C:\Windows\System\oGmzdKY.exe

Filesize
5.2MB

MD5
8b82dbf2ee6875c34daa52d8b682e227

SHA1
183d4ca4429eaf7eed9f820f78e99c2536f30424

SHA256
a9ea3884de488663daf168611cea2f1b9b3d318afe83c4be563f14283d8d8031

SHA512
707959e090f4120f4e1c6fc50ec926aa18530724a97c8d442404bc50e3433bdef369c27447b0fec2adb4be3caa616ddec1592a842556bc9343eca83a210ade34

Download Submit
C:\Windows\System\qJDUDfS.exe

Filesize
5.2MB

MD5
7c4fc191132591cb33ebf5bfdd5afae7

SHA1
1b09346440b1bbec7d3aa141ef2e8750d3f45c8a

SHA256
36aa88dda837290ffee17b88d8bb25e77c16291ce34736cb38f9d3745dd1a30c

SHA512
6668afa786f8926f1b9d5900fd9aeb35cf2864e1b650d2f6fcf0a821fdd2d9736706427c0a640c2d2f39ded48fdd4c6e70cd41d2035e7ed9b57d392ba70eb2eb

Download Submit
C:\Windows\System\sRBOLrA.exe

Filesize
5.2MB

MD5
bc979505f1f254614195d2b2e5fa3558

SHA1
d2e97ad02bd1b5d1b3398456890d176161ed391a

SHA256
62de822975f94a2529fcaf6a4263ce3219ade0a8fb7ecc160d7fd274cde71ea4

SHA512
b84ac23d13c470080ab05e22000f3482dad93d3374f30676697963461767d90017bc2441a8410e171c70711cb786d181d1562f7bbd0a313b02c7386b5dbbb88d

Download Submit
C:\Windows\System\xhSPNfz.exe

Filesize
5.2MB

MD5
384cd42974662c198391162df6a27b98

SHA1
90f02828143d9b005db628fe9c2c06f906848d28

SHA256
d22bf69989f4eef49adf3be0df85851bcdfefe16c36bd6c3f2b10325a91d39bf

SHA512
45b93676dbbd66ae5bcd3d28c8d3abe5d2495bd9ab81dfdf3665eff534e856cea28b03e6b74fa7b3b77223bde84e3ae9e348d36ac9683f40bba65678e9314aaf

Download Submit
C:\Windows\System\zOGbisz.exe

Filesize
5.2MB

MD5
6443e3395b5efe63c8955a37fab611d1

SHA1
c7e57d9e66e0a9973612c393e31bc7e9cba96e52

SHA256
d05404fcc16642007e4ffb55a2af82d384d2bafbbe97cbcfacb597762b0155e5

SHA512
61cebb178dfac4f9d6dd417d17f21e31db0f668d89726ccd1b5219c5af66b816c193a442beaf9f7d82ee627846461962f9a35a95d2108896569e2d3d265d66ec

Download Submit
memory/324-87-0x00007FF60EEA0000-0x00007FF60F1F1000-memory.dmp

Filesize
3.3MB

Download
memory/324-241-0x00007FF60EEA0000-0x00007FF60F1F1000-memory.dmp

Filesize
3.3MB

Download
memory/432-256-0x00007FF624DE0000-0x00007FF625131000-memory.dmp

Filesize
3.3MB

Download
memory/432-127-0x00007FF624DE0000-0x00007FF625131000-memory.dmp

Filesize
3.3MB

Download
memory/432-151-0x00007FF624DE0000-0x00007FF625131000-memory.dmp

Filesize
3.3MB

Download
memory/640-137-0x00007FF6E75B0000-0x00007FF6E7901000-memory.dmp

Filesize
3.3MB

Download
memory/640-260-0x00007FF6E75B0000-0x00007FF6E7901000-memory.dmp

Filesize
3.3MB

Download
memory/1260-53-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp

Filesize
3.3MB

Download
memory/1260-224-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp

Filesize
3.3MB

Download
memory/1260-139-0x00007FF64DA10000-0x00007FF64DD61000-memory.dmp

Filesize
3.3MB

Download
memory/1412-25-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp

Filesize
3.3MB

Download
memory/1412-211-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp

Filesize
3.3MB

Download
memory/1412-132-0x00007FF7DC230000-0x00007FF7DC581000-memory.dmp

Filesize
3.3MB

Download
memory/1960-237-0x00007FF6A93C0000-0x00007FF6A9711000-memory.dmp

Filesize
3.3MB

Download
memory/1960-78-0x00007FF6A93C0000-0x00007FF6A9711000-memory.dmp

Filesize
3.3MB

Download
memory/2096-145-0x00007FF62ED00000-0x00007FF62F051000-memory.dmp

Filesize
3.3MB

Download
memory/2096-250-0x00007FF62ED00000-0x00007FF62F051000-memory.dmp

Filesize
3.3MB

Download
memory/2096-103-0x00007FF62ED00000-0x00007FF62F051000-memory.dmp

Filesize
3.3MB

Download
memory/2120-20-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp

Filesize
3.3MB

Download
memory/2120-209-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp

Filesize
3.3MB

Download
memory/2120-131-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp

Filesize
3.3MB

Download
memory/2184-213-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-133-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-30-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-254-0x00007FF7A28F0000-0x00007FF7A2C41000-memory.dmp

Filesize
3.3MB

Download
memory/2212-150-0x00007FF7A28F0000-0x00007FF7A2C41000-memory.dmp

Filesize
3.3MB

Download
memory/2212-114-0x00007FF7A28F0000-0x00007FF7A2C41000-memory.dmp

Filesize
3.3MB

Download
memory/2532-135-0x00007FF678260000-0x00007FF6785B1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-249-0x00007FF678260000-0x00007FF6785B1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-41-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-222-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-138-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-235-0x00007FF7320F0000-0x00007FF732441000-memory.dmp

Filesize
3.3MB

Download
memory/2844-68-0x00007FF7320F0000-0x00007FF732441000-memory.dmp

Filesize
3.3MB

Download
memory/2944-239-0x00007FF624F00000-0x00007FF625251000-memory.dmp

Filesize
3.3MB

Download
memory/2944-73-0x00007FF624F00000-0x00007FF625251000-memory.dmp

Filesize
3.3MB

Download
memory/2948-0-0x00007FF6962C0000-0x00007FF696611000-memory.dmp

Filesize
3.3MB

Download
memory/2948-1-0x0000019A763A0000-0x0000019A763B0000-memory.dmp

Filesize
64KB

Download
memory/2948-153-0x00007FF6962C0000-0x00007FF696611000-memory.dmp

Filesize
3.3MB

Download
memory/2948-54-0x00007FF6962C0000-0x00007FF696611000-memory.dmp

Filesize
3.3MB

Download
memory/2948-128-0x00007FF6962C0000-0x00007FF696611000-memory.dmp

Filesize
3.3MB

Download
memory/3088-220-0x00007FF7584E0000-0x00007FF758831000-memory.dmp

Filesize
3.3MB

Download
memory/3088-134-0x00007FF7584E0000-0x00007FF758831000-memory.dmp

Filesize
3.3MB

Download
memory/3088-36-0x00007FF7584E0000-0x00007FF758831000-memory.dmp

Filesize
3.3MB

Download
memory/3136-72-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-8-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-202-0x00007FF77CBA0000-0x00007FF77CEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3476-252-0x00007FF772540000-0x00007FF772891000-memory.dmp

Filesize
3.3MB

Download
memory/3476-149-0x00007FF772540000-0x00007FF772891000-memory.dmp

Filesize
3.3MB

Download
memory/3476-113-0x00007FF772540000-0x00007FF772891000-memory.dmp

Filesize
3.3MB

Download
memory/3916-136-0x00007FF7EA340000-0x00007FF7EA691000-memory.dmp

Filesize
3.3MB

Download
memory/3916-258-0x00007FF7EA340000-0x00007FF7EA691000-memory.dmp

Filesize
3.3MB

Download
memory/4172-86-0x00007FF792460000-0x00007FF7927B1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-13-0x00007FF792460000-0x00007FF7927B1000-memory.dmp

Filesize
3.3MB

Download
memory/4172-204-0x00007FF792460000-0x00007FF7927B1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-245-0x00007FF7C2C90000-0x00007FF7C2FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-112-0x00007FF7C2C90000-0x00007FF7C2FE1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-243-0x00007FF6A6C80000-0x00007FF6A6FD1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-81-0x00007FF6A6C80000-0x00007FF6A6FD1000-memory.dmp

Filesize
3.3MB

Download
memory/5072-144-0x00007FF6A6C80000-0x00007FF6A6FD1000-memory.dmp

Filesize
3.3MB

Download