cobaltstrike | 903740dbd2546990b15bc7846c34e6c3d220dc74bf084283e562a38983fe9757

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3bc076f23150dd1c91c97c26adc63f1a
SHA1

201eb7569a7a9f4ccee9199ea7357548d4460259
SHA256

903740dbd2546990b15bc7846c34e6c3d220dc74bf084283e562a38983fe9757
SHA512

1f6472296a34095e73c4b4de633a0c960c0d0a9429994ec1a2a843de48269998cb6d0abe369eb607a2237d947c72f9892a3b8f072d8dbe39f757ae2614f6bef4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234b6-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bb-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bc-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234bd-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c0-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c1-45.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234b8-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c2-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234be-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c3-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c7-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-130.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c8-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c6-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c5-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c4-72.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2780-61-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp	xmrig
behavioral2/memory/464-91-0x00007FF7C4A80000-0x00007FF7C4DD1000-memory.dmp	xmrig
behavioral2/memory/1084-106-0x00007FF69AD30000-0x00007FF69B081000-memory.dmp	xmrig
behavioral2/memory/1408-105-0x00007FF7348F0000-0x00007FF734C41000-memory.dmp	xmrig
behavioral2/memory/3304-94-0x00007FF7DB320000-0x00007FF7DB671000-memory.dmp	xmrig
behavioral2/memory/692-84-0x00007FF6379E0000-0x00007FF637D31000-memory.dmp	xmrig
behavioral2/memory/3068-77-0x00007FF755ED0000-0x00007FF756221000-memory.dmp	xmrig
behavioral2/memory/916-70-0x00007FF768230000-0x00007FF768581000-memory.dmp	xmrig
behavioral2/memory/4008-66-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp	xmrig
behavioral2/memory/2268-133-0x00007FF759110000-0x00007FF759461000-memory.dmp	xmrig
behavioral2/memory/2240-135-0x00007FF612EC0000-0x00007FF613211000-memory.dmp	xmrig
behavioral2/memory/528-137-0x00007FF6D3750000-0x00007FF6D3AA1000-memory.dmp	xmrig
behavioral2/memory/1128-136-0x00007FF6AFC70000-0x00007FF6AFFC1000-memory.dmp	xmrig
behavioral2/memory/1072-134-0x00007FF65E110000-0x00007FF65E461000-memory.dmp	xmrig
behavioral2/memory/2780-138-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp	xmrig
behavioral2/memory/1972-150-0x00007FF78F570000-0x00007FF78F8C1000-memory.dmp	xmrig
behavioral2/memory/388-149-0x00007FF7962C0000-0x00007FF796611000-memory.dmp	xmrig
behavioral2/memory/1088-153-0x00007FF72DF60000-0x00007FF72E2B1000-memory.dmp	xmrig
behavioral2/memory/3384-155-0x00007FF61C340000-0x00007FF61C691000-memory.dmp	xmrig
behavioral2/memory/5044-156-0x00007FF6B69D0000-0x00007FF6B6D21000-memory.dmp	xmrig
behavioral2/memory/1792-154-0x00007FF75E150000-0x00007FF75E4A1000-memory.dmp	xmrig
behavioral2/memory/3856-158-0x00007FF7E8E90000-0x00007FF7E91E1000-memory.dmp	xmrig
behavioral2/memory/944-157-0x00007FF64F5A0000-0x00007FF64F8F1000-memory.dmp	xmrig
behavioral2/memory/2780-163-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp	xmrig
behavioral2/memory/4008-216-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp	xmrig
behavioral2/memory/916-218-0x00007FF768230000-0x00007FF768581000-memory.dmp	xmrig
behavioral2/memory/3068-220-0x00007FF755ED0000-0x00007FF756221000-memory.dmp	xmrig
behavioral2/memory/692-222-0x00007FF6379E0000-0x00007FF637D31000-memory.dmp	xmrig
behavioral2/memory/464-224-0x00007FF7C4A80000-0x00007FF7C4DD1000-memory.dmp	xmrig
behavioral2/memory/3304-226-0x00007FF7DB320000-0x00007FF7DB671000-memory.dmp	xmrig
behavioral2/memory/1408-231-0x00007FF7348F0000-0x00007FF734C41000-memory.dmp	xmrig
behavioral2/memory/1084-233-0x00007FF69AD30000-0x00007FF69B081000-memory.dmp	xmrig
behavioral2/memory/1128-235-0x00007FF6AFC70000-0x00007FF6AFFC1000-memory.dmp	xmrig
behavioral2/memory/388-246-0x00007FF7962C0000-0x00007FF796611000-memory.dmp	xmrig
behavioral2/memory/1972-248-0x00007FF78F570000-0x00007FF78F8C1000-memory.dmp	xmrig
behavioral2/memory/5044-250-0x00007FF6B69D0000-0x00007FF6B6D21000-memory.dmp	xmrig
behavioral2/memory/1088-252-0x00007FF72DF60000-0x00007FF72E2B1000-memory.dmp	xmrig
behavioral2/memory/1792-254-0x00007FF75E150000-0x00007FF75E4A1000-memory.dmp	xmrig
behavioral2/memory/3384-256-0x00007FF61C340000-0x00007FF61C691000-memory.dmp	xmrig
behavioral2/memory/3856-258-0x00007FF7E8E90000-0x00007FF7E91E1000-memory.dmp	xmrig
behavioral2/memory/944-262-0x00007FF64F5A0000-0x00007FF64F8F1000-memory.dmp	xmrig
behavioral2/memory/528-264-0x00007FF6D3750000-0x00007FF6D3AA1000-memory.dmp	xmrig
behavioral2/memory/2268-266-0x00007FF759110000-0x00007FF759461000-memory.dmp	xmrig
behavioral2/memory/1072-268-0x00007FF65E110000-0x00007FF65E461000-memory.dmp	xmrig
behavioral2/memory/2240-270-0x00007FF612EC0000-0x00007FF613211000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4008	VKvTAbh.exe
916	trhzSrC.exe
3068	IKFKMqm.exe
692	GCzlgnT.exe
464	Htvzuqj.exe
3304	lfegsgD.exe
1408	GHTotqy.exe
1084	baUDWCQ.exe
1128	pZehIwi.exe
388	yQImIkI.exe
1972	mGkCVJH.exe
5044	FuSrSNZ.exe
1088	rCvRxnV.exe
1792	yJaFXuT.exe
3384	TjXowml.exe
3856	OGIkvoO.exe
944	gfZQjol.exe
528	FmyhNyL.exe
2268	xNPYUov.exe
1072	YRPcakC.exe
2240	NBqngWA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2780-0-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp	upx
behavioral2/files/0x00090000000234b6-5.dat	upx
behavioral2/memory/4008-7-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp	upx
behavioral2/files/0x00070000000234bb-10.dat	upx
behavioral2/files/0x00070000000234bc-11.dat	upx
behavioral2/memory/916-14-0x00007FF768230000-0x00007FF768581000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-24.dat	upx
behavioral2/memory/692-23-0x00007FF6379E0000-0x00007FF637D31000-memory.dmp	upx
behavioral2/memory/3068-20-0x00007FF755ED0000-0x00007FF756221000-memory.dmp	upx
behavioral2/memory/464-30-0x00007FF7C4A80000-0x00007FF7C4DD1000-memory.dmp	upx
behavioral2/files/0x00070000000234c0-33.dat	upx
behavioral2/memory/1408-42-0x00007FF7348F0000-0x00007FF734C41000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-45.dat	upx
behavioral2/files/0x00080000000234b8-46.dat	upx
behavioral2/memory/1128-52-0x00007FF6AFC70000-0x00007FF6AFFC1000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-55.dat	upx
behavioral2/memory/1084-50-0x00007FF69AD30000-0x00007FF69B081000-memory.dmp	upx
behavioral2/memory/3304-34-0x00007FF7DB320000-0x00007FF7DB671000-memory.dmp	upx
behavioral2/files/0x00070000000234be-32.dat	upx
behavioral2/memory/2780-61-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-59.dat	upx
behavioral2/memory/388-63-0x00007FF7962C0000-0x00007FF796611000-memory.dmp	upx
behavioral2/memory/5044-83-0x00007FF6B69D0000-0x00007FF6B6D21000-memory.dmp	upx
behavioral2/memory/1792-93-0x00007FF75E150000-0x00007FF75E4A1000-memory.dmp	upx
behavioral2/memory/464-91-0x00007FF7C4A80000-0x00007FF7C4DD1000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-97.dat	upx
behavioral2/memory/1084-106-0x00007FF69AD30000-0x00007FF69B081000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-112.dat	upx
behavioral2/files/0x00070000000234cb-119.dat	upx
behavioral2/files/0x00070000000234cd-127.dat	upx
behavioral2/files/0x00070000000234ce-130.dat	upx
behavioral2/files/0x00070000000234cc-124.dat	upx
behavioral2/files/0x00070000000234c9-116.dat	upx
behavioral2/memory/3856-110-0x00007FF7E8E90000-0x00007FF7E91E1000-memory.dmp	upx
behavioral2/memory/1408-105-0x00007FF7348F0000-0x00007FF734C41000-memory.dmp	upx
behavioral2/files/0x00070000000234c8-100.dat	upx
behavioral2/memory/3384-99-0x00007FF61C340000-0x00007FF61C691000-memory.dmp	upx
behavioral2/memory/3304-94-0x00007FF7DB320000-0x00007FF7DB671000-memory.dmp	upx
behavioral2/memory/1088-87-0x00007FF72DF60000-0x00007FF72E2B1000-memory.dmp	upx
behavioral2/files/0x00070000000234c6-85.dat	upx
behavioral2/memory/692-84-0x00007FF6379E0000-0x00007FF637D31000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-78.dat	upx
behavioral2/memory/3068-77-0x00007FF755ED0000-0x00007FF756221000-memory.dmp	upx
behavioral2/memory/1972-76-0x00007FF78F570000-0x00007FF78F8C1000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-72.dat	upx
behavioral2/memory/916-70-0x00007FF768230000-0x00007FF768581000-memory.dmp	upx
behavioral2/memory/4008-66-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp	upx
behavioral2/memory/944-132-0x00007FF64F5A0000-0x00007FF64F8F1000-memory.dmp	upx
behavioral2/memory/2268-133-0x00007FF759110000-0x00007FF759461000-memory.dmp	upx
behavioral2/memory/2240-135-0x00007FF612EC0000-0x00007FF613211000-memory.dmp	upx
behavioral2/memory/528-137-0x00007FF6D3750000-0x00007FF6D3AA1000-memory.dmp	upx
behavioral2/memory/1128-136-0x00007FF6AFC70000-0x00007FF6AFFC1000-memory.dmp	upx
behavioral2/memory/1072-134-0x00007FF65E110000-0x00007FF65E461000-memory.dmp	upx
behavioral2/memory/2780-138-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp	upx
behavioral2/memory/1972-150-0x00007FF78F570000-0x00007FF78F8C1000-memory.dmp	upx
behavioral2/memory/388-149-0x00007FF7962C0000-0x00007FF796611000-memory.dmp	upx
behavioral2/memory/1088-153-0x00007FF72DF60000-0x00007FF72E2B1000-memory.dmp	upx
behavioral2/memory/3384-155-0x00007FF61C340000-0x00007FF61C691000-memory.dmp	upx
behavioral2/memory/5044-156-0x00007FF6B69D0000-0x00007FF6B6D21000-memory.dmp	upx
behavioral2/memory/1792-154-0x00007FF75E150000-0x00007FF75E4A1000-memory.dmp	upx
behavioral2/memory/3856-158-0x00007FF7E8E90000-0x00007FF7E91E1000-memory.dmp	upx
behavioral2/memory/944-157-0x00007FF64F5A0000-0x00007FF64F8F1000-memory.dmp	upx
behavioral2/memory/2780-163-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp	upx
behavioral2/memory/4008-216-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FmyhNyL.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yQImIkI.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TjXowml.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OGIkvoO.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NBqngWA.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VKvTAbh.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lfegsgD.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pZehIwi.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mGkCVJH.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FuSrSNZ.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yJaFXuT.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xNPYUov.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YRPcakC.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Htvzuqj.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IKFKMqm.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GCzlgnT.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GHTotqy.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\baUDWCQ.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rCvRxnV.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gfZQjol.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\trhzSrC.exe	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4008	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2780 wrote to memory of 4008	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2780 wrote to memory of 916	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2780 wrote to memory of 916	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2780 wrote to memory of 3068	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2780 wrote to memory of 3068	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2780 wrote to memory of 692	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2780 wrote to memory of 692	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2780 wrote to memory of 464	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2780 wrote to memory of 464	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2780 wrote to memory of 3304	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2780 wrote to memory of 3304	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2780 wrote to memory of 1408	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2780 wrote to memory of 1408	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2780 wrote to memory of 1084	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2780 wrote to memory of 1084	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2780 wrote to memory of 1128	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2780 wrote to memory of 1128	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2780 wrote to memory of 388	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2780 wrote to memory of 388	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2780 wrote to memory of 1972	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2780 wrote to memory of 1972	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2780 wrote to memory of 5044	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2780 wrote to memory of 5044	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2780 wrote to memory of 1088	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2780 wrote to memory of 1088	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2780 wrote to memory of 1792	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2780 wrote to memory of 1792	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2780 wrote to memory of 3384	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2780 wrote to memory of 3384	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2780 wrote to memory of 944	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2780 wrote to memory of 944	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2780 wrote to memory of 3856	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2780 wrote to memory of 3856	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2780 wrote to memory of 528	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2780 wrote to memory of 528	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2780 wrote to memory of 2268	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2780 wrote to memory of 2268	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2780 wrote to memory of 1072	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2780 wrote to memory of 1072	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2780 wrote to memory of 2240	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2780 wrote to memory of 2240	2780	2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-22_3bc076f23150dd1c91c97c26adc63f1a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\System\VKvTAbh.exe
  C:\Windows\System\VKvTAbh.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\trhzSrC.exe
  C:\Windows\System\trhzSrC.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\IKFKMqm.exe
  C:\Windows\System\IKFKMqm.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\GCzlgnT.exe
  C:\Windows\System\GCzlgnT.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\Htvzuqj.exe
  C:\Windows\System\Htvzuqj.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\lfegsgD.exe
  C:\Windows\System\lfegsgD.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\GHTotqy.exe
  C:\Windows\System\GHTotqy.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\baUDWCQ.exe
  C:\Windows\System\baUDWCQ.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\pZehIwi.exe
  C:\Windows\System\pZehIwi.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\yQImIkI.exe
  C:\Windows\System\yQImIkI.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\mGkCVJH.exe
  C:\Windows\System\mGkCVJH.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\FuSrSNZ.exe
  C:\Windows\System\FuSrSNZ.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\rCvRxnV.exe
  C:\Windows\System\rCvRxnV.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\yJaFXuT.exe
  C:\Windows\System\yJaFXuT.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\TjXowml.exe
  C:\Windows\System\TjXowml.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\gfZQjol.exe
  C:\Windows\System\gfZQjol.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\OGIkvoO.exe
  C:\Windows\System\OGIkvoO.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\FmyhNyL.exe
  C:\Windows\System\FmyhNyL.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\xNPYUov.exe
  C:\Windows\System\xNPYUov.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\YRPcakC.exe
  C:\Windows\System\YRPcakC.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\NBqngWA.exe
  C:\Windows\System\NBqngWA.exe
  2⤵
  - Executes dropped EXE
  PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FmyhNyL.exe

Filesize
5.2MB

MD5
8968452ef96bce2b8dbecb4e3772a7bd

SHA1
6ffaa6cbb0792ce362bb9fec8c66e4bbb6a27cda

SHA256
32903f33eab5e3a27a3f8e9db9ed3f5de1106a8cf40de63486e7129c6b5a7bf0

SHA512
ac37b115557af7399756799f7cf5f75bc544c812ae9c0d93308f51bb9f8b0f4c48b6f23503fd2e0049f53ca95338dba40a7928f6f3262de8508a7fa3fb438902

Download Submit
C:\Windows\System\FuSrSNZ.exe

Filesize
5.2MB

MD5
82e8a0ae4d559f421b67a23d2e530a62

SHA1
a9e9a93dcc73eb0f104a73545f8733a553c70e20

SHA256
cc29e44612b09426cc508677542fe962e163dbaf5e30c521f484ab4e3d1eab2e

SHA512
da084789ce1574b9847c9a57a1b194d0488790a532c1dee41d9f1f22efcfe42bce56999bd66fe5fe8231edc766885bd15e5f72c3d7410bc37eb70195824a9c36

Download Submit
C:\Windows\System\GCzlgnT.exe

Filesize
5.2MB

MD5
22b113e3c8f42f002473988e9979a9db

SHA1
9656f7c2bc1644765a1697114cb86a457fe2070a

SHA256
f993fbffa9a350c819a86ab52de2979ffe3fd58e537516e3b9e125c6f29c62a2

SHA512
c3dfac72d1876be0c8b18cf7944ea0b306d3c7e2376e0ce84835c9f0d590271e7c2769d0da2542adcf2cc02583dc1d70a557d3ae74e46fb27df5ed93b65308d1

Download Submit
C:\Windows\System\GHTotqy.exe

Filesize
5.2MB

MD5
4d3902358de07df822aee06be1ce3bc9

SHA1
1641b9ac7ba8449bbfb73530f2e52817a0f09094

SHA256
51a814a9bdf88496ee931b993ac0df2adcdd930a37f205f0e1bbfc37b3577c72

SHA512
dde0e3554312b70fc9fc5cb4cc5532558939f40700e65c61c24f8c5926ceb673fe953ed60be9548388582c2b3f200fb663bf29da07d471514fd8e94430e9035c

Download Submit
C:\Windows\System\Htvzuqj.exe

Filesize
5.2MB

MD5
3de0d48a727227a1d6f63bbc45035c88

SHA1
d2a48cc1c35298756f891f00a861fc140d85c244

SHA256
4578132b74c3060441fec7ded932ab62ec0210309d2f49f992aabcc553774f3f

SHA512
b5bc8c565e4fd39ae2dcac8f8939abd2c7b5f2f486364c373a8d2e89dad1d8df3071cabc5aeff46c46f5e1d56b0f86f1ba5e48e57a2051196078878bc3ee6aff

Download Submit
C:\Windows\System\IKFKMqm.exe

Filesize
5.2MB

MD5
037ffec4b85072c5ff8b7eb30a5d8c46

SHA1
d2e3bb381fd8fd1c1169c74ef9791990cb2c895f

SHA256
84852c214831467277d0507874bcc2eea77ac4a9d5c370648b612634a22e8a0c

SHA512
909637b2b86b3ba423846a3ed37c5366dabed8235d665383fc81ff8edb01113fa1927c721b8e8a2c9caadc3d2f794122b95447e6ef83ecfb65c1f119e4b90d70

Download Submit
C:\Windows\System\NBqngWA.exe

Filesize
5.2MB

MD5
0e10898d01de61d53b7d763c877f0148

SHA1
2543d87d82d5f523f5dffde01bd632b29413bac0

SHA256
1976da0acf984a055894294843496aec3386c4a041a6d4c5b5cf424c9f687f4d

SHA512
b0124eca4e5320de19bf0c482cb93b2aadc37d3d516b770ece77f44099c3ad6125df26fe7f13f7fdd153abb131eaacfa9925439e7ee5853a5d07eea62da607e4

Download Submit
C:\Windows\System\OGIkvoO.exe

Filesize
5.2MB

MD5
045c9cfebbd64db327cd70efc9c07a92

SHA1
6c06e401467d620e323f1dd20c18745c10c41f55

SHA256
b88ad5929339b78a0b28982a30817502ea1f6f7b30ddc9ae1d9e2c43d68c9151

SHA512
85d541a94cc284b45db8e312f9da7eba83f1066830f3296b83e704488b3bec0e6c08fcea23634a3a26a7a502157448603c3076552c583ddc477bb46bf10eb463

Download Submit
C:\Windows\System\TjXowml.exe

Filesize
5.2MB

MD5
bf3b5488e8c736b89211f3738a8f178b

SHA1
95decd29b8c8f2f4593283c468b6f04005ec87bc

SHA256
82bf2c1777851d4baadc14567d5435ec678bf7b2e24ace2b67f0c49ba6db4215

SHA512
7126421205a1d81d9b41a7efaf7dd2feafc866199fa297acdc9f97e48dac7a3f9a161becc04bb1417be8214aa65227e60f9b786e5c613ca99840836e64f6fc98

Download Submit
C:\Windows\System\VKvTAbh.exe

Filesize
5.2MB

MD5
2e3dbd9f62004dbee46f4142fbcfd873

SHA1
51fcccbc2045f2dcdf1221dbcf8cc1e5051c109b

SHA256
3e24f117b64876d0543ea920fbbb1a73e81d019bde64b2260f7381ddac1ef720

SHA512
5ecb90e628d828e52b51d41687c6757c0e14562c856b32fa48525ffe1a4eed7a1ada06aeda2ea60ca309f4721b71d70d8e67198a6e82c5de52032b8d39773d85

Download Submit
C:\Windows\System\YRPcakC.exe

Filesize
5.2MB

MD5
63c19f2950d4945b496a27968cdfa8ad

SHA1
707f4ca05547ca1666c4e0fb30f433150c1e88c4

SHA256
56374505d231bbb5d26bfe86d3e7d5c253115e0e84e373a64d55e1728b51de72

SHA512
4dff202f486eb5a48b3859c88141d3ffd2ea96eae249f46283fdd350c002bc39b095b58a5a49d8e59c9303d5c745bce0c102f68971d8d91e6ad2b0c06642b135

Download Submit
C:\Windows\System\baUDWCQ.exe

Filesize
5.2MB

MD5
34997b9b5855b7a05e27f26a0e76e93e

SHA1
ac6c08c9d97a09d160f426428d5b6b129c0c1837

SHA256
38885ea4f04331001f7c16ccfa01240e5fade4f233eb14dfcc43707209f23d95

SHA512
f8400f81f735600a4b048f3dfe22d5788e4f370a6dd9b2a9413de558965e6248f1d3de943a26796c71f84a62e2f18f522b13bd5cc84b28a03d175beee239118e

Download Submit
C:\Windows\System\gfZQjol.exe

Filesize
5.2MB

MD5
5cf8e3c6559ae8e24c2b764cf2650b00

SHA1
3b63c3e4acb014ab111ab7e52445bdffb0812568

SHA256
3fda88fab7dc7527577abaff051c3a6ec06a91ebeb91ce82f3a3d6a6db4e385c

SHA512
c52bf88909cfbe7fda57da5384ce418cc8e4fe13043a30805f6481bcee4812beb6c25b005505666d1a233679e53a8aa915c09b2394c40dea64e523ba22b50a10

Download Submit
C:\Windows\System\lfegsgD.exe

Filesize
5.2MB

MD5
4d7fae6230a8147464e916cda283a2ca

SHA1
56f403ecde641ec676625a4abf60b7979826fc60

SHA256
c184e1f55a229527dec24af638c3e36c942c8b710b6d3a6ba93daa97328b3707

SHA512
9479f8a9f8416210aaaf5c6ef69733a76cc0c796d100c500726d4149b880a3c822d5342e3f9cc57c897138b03160494a2f9e46e73516bd1977b193e3570dee55

Download Submit
C:\Windows\System\mGkCVJH.exe

Filesize
5.2MB

MD5
d1d7c72124cb2dcfab7b7f3c33ecb091

SHA1
214258f7020b8b1dfea9d56e32c2073b0716750d

SHA256
374a080eb43ab9ea373f37ac36691ec462290085578b5b38334daa8ced951004

SHA512
811cb10f31b3b2d3faa0fee75c5af6ed5b9881d5ebb796ff2054a2356b96ceae271773782fb97daaf2cbc34d016a91f57fdee643db2c1ac34c297cf0804f8cb5

Download Submit
C:\Windows\System\pZehIwi.exe

Filesize
5.2MB

MD5
f24dec7824f27cdcb3e142f84abd477d

SHA1
f4c79bec20d426405f5d72bc15c42622a94e8345

SHA256
936f705355690e2e83260bad4763e344a5abd516e0004a741bb1b53569abfc27

SHA512
94b3b6fd5fa3bd31ed6e9774f5ca1da40350e547e4530245ac39aeeccd4c4b364accff0a1f52b909b7cc2c2a2fca0f0b0b16868427d4db01ede1a2325f9c7020

Download Submit
C:\Windows\System\rCvRxnV.exe

Filesize
5.2MB

MD5
8a5e0b3a3b74bd3ffbb509b84f37499c

SHA1
ca046da3ccc169a2f1ca93faf95e71f199dc385c

SHA256
7299dc812070fbc8c627b2e54e1844c8d680d4d599d8e3cea2977b38c8c89830

SHA512
5c7a34493cf293ceacec67f68eac5a3232a55d8cbedf8ca2b056e42de8415a2cacb07a96f7a63b4297f419cd7dcc35b6414acd2b3a4250a45912106ff36e050c

Download Submit
C:\Windows\System\trhzSrC.exe

Filesize
5.2MB

MD5
8061b053290213dc5f23acb5af6bf7df

SHA1
6b7af4405078993f54cb8c973cc15f71405004a0

SHA256
f8e0a0db5706d7a77f24edbd77d7a94e336a296e1da1582ae74bc11aaaadf924

SHA512
6aedad27637622c3c0fb4637bc9c5d44fdec67db589007c0e55faccb127748ac50d92964fcc7add7f7b35ec3593b63631ef0ba77d134bd5cc16b9cd884d453dc

Download Submit
C:\Windows\System\xNPYUov.exe

Filesize
5.2MB

MD5
6857abc0711a9fa24e3b78bdd4c216c1

SHA1
442e40bcc1dd5448a8c5f0c1409b93a85a318ba8

SHA256
8e46f6ac010bc68a79b190fa0d6a345ba9f6024da5cad89d63733e084e062be2

SHA512
8cd54a8cf10ff5f5051f074c6614fe289d57000014f0e9e2c8e059bcc714c5e50799f3cc873ecc3093fdbf88a637a0951cfb942c34672c7dd15bf4be4c0fe169

Download Submit
C:\Windows\System\yJaFXuT.exe

Filesize
5.2MB

MD5
13a70f9f71b34897e286c69846708372

SHA1
33b50c6bcaf9308a6f61be8c3cee142c0c095469

SHA256
b4c819bb383e1b8b2489f7ba92763899f438e69f23e02cf21e16c446d472c2b8

SHA512
d412bf5e8e66f4fab8bac9e7237dcc532cda1fdde461a1cc6bd70bc71383d84004742d6f4e320e13c00514dedd549c1a89571d81b50ec1d61db3409507885d87

Download Submit
C:\Windows\System\yQImIkI.exe

Filesize
5.2MB

MD5
e5f76e2e04397815cebb490195b1c682

SHA1
76337dc0080c35e8d20bce2ed9ec24d3db309002

SHA256
0ff114d3af811b4932ea5e65791bc767909f07f92a140b3d8714fa247bdc7899

SHA512
5bec835d68a9fa684c3defbf5449021506adf31a8c77e825c69aff513424e87682b79a1ccbcf4931c7054054347c26b757187e261356f96d224ec3f9f3857395

Download Submit
memory/388-149-0x00007FF7962C0000-0x00007FF796611000-memory.dmp

Filesize
3.3MB

Download
memory/388-246-0x00007FF7962C0000-0x00007FF796611000-memory.dmp

Filesize
3.3MB

Download
memory/388-63-0x00007FF7962C0000-0x00007FF796611000-memory.dmp

Filesize
3.3MB

Download
memory/464-224-0x00007FF7C4A80000-0x00007FF7C4DD1000-memory.dmp

Filesize
3.3MB

Download
memory/464-91-0x00007FF7C4A80000-0x00007FF7C4DD1000-memory.dmp

Filesize
3.3MB

Download
memory/464-30-0x00007FF7C4A80000-0x00007FF7C4DD1000-memory.dmp

Filesize
3.3MB

Download
memory/528-137-0x00007FF6D3750000-0x00007FF6D3AA1000-memory.dmp

Filesize
3.3MB

Download
memory/528-264-0x00007FF6D3750000-0x00007FF6D3AA1000-memory.dmp

Filesize
3.3MB

Download
memory/692-84-0x00007FF6379E0000-0x00007FF637D31000-memory.dmp

Filesize
3.3MB

Download
memory/692-23-0x00007FF6379E0000-0x00007FF637D31000-memory.dmp

Filesize
3.3MB

Download
memory/692-222-0x00007FF6379E0000-0x00007FF637D31000-memory.dmp

Filesize
3.3MB

Download
memory/916-14-0x00007FF768230000-0x00007FF768581000-memory.dmp

Filesize
3.3MB

Download
memory/916-218-0x00007FF768230000-0x00007FF768581000-memory.dmp

Filesize
3.3MB

Download
memory/916-70-0x00007FF768230000-0x00007FF768581000-memory.dmp

Filesize
3.3MB

Download
memory/944-132-0x00007FF64F5A0000-0x00007FF64F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/944-262-0x00007FF64F5A0000-0x00007FF64F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/944-157-0x00007FF64F5A0000-0x00007FF64F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1072-134-0x00007FF65E110000-0x00007FF65E461000-memory.dmp

Filesize
3.3MB

Download
memory/1072-268-0x00007FF65E110000-0x00007FF65E461000-memory.dmp

Filesize
3.3MB

Download
memory/1084-106-0x00007FF69AD30000-0x00007FF69B081000-memory.dmp

Filesize
3.3MB

Download
memory/1084-233-0x00007FF69AD30000-0x00007FF69B081000-memory.dmp

Filesize
3.3MB

Download
memory/1084-50-0x00007FF69AD30000-0x00007FF69B081000-memory.dmp

Filesize
3.3MB

Download
memory/1088-252-0x00007FF72DF60000-0x00007FF72E2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-87-0x00007FF72DF60000-0x00007FF72E2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1088-153-0x00007FF72DF60000-0x00007FF72E2B1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-235-0x00007FF6AFC70000-0x00007FF6AFFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-52-0x00007FF6AFC70000-0x00007FF6AFFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-136-0x00007FF6AFC70000-0x00007FF6AFFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1408-231-0x00007FF7348F0000-0x00007FF734C41000-memory.dmp

Filesize
3.3MB

Download
memory/1408-105-0x00007FF7348F0000-0x00007FF734C41000-memory.dmp

Filesize
3.3MB

Download
memory/1408-42-0x00007FF7348F0000-0x00007FF734C41000-memory.dmp

Filesize
3.3MB

Download
memory/1792-93-0x00007FF75E150000-0x00007FF75E4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-154-0x00007FF75E150000-0x00007FF75E4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-254-0x00007FF75E150000-0x00007FF75E4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-248-0x00007FF78F570000-0x00007FF78F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-150-0x00007FF78F570000-0x00007FF78F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-76-0x00007FF78F570000-0x00007FF78F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-270-0x00007FF612EC0000-0x00007FF613211000-memory.dmp

Filesize
3.3MB

Download
memory/2240-135-0x00007FF612EC0000-0x00007FF613211000-memory.dmp

Filesize
3.3MB

Download
memory/2268-133-0x00007FF759110000-0x00007FF759461000-memory.dmp

Filesize
3.3MB

Download
memory/2268-266-0x00007FF759110000-0x00007FF759461000-memory.dmp

Filesize
3.3MB

Download
memory/2780-138-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp

Filesize
3.3MB

Download
memory/2780-163-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp

Filesize
3.3MB

Download
memory/2780-61-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp

Filesize
3.3MB

Download
memory/2780-0-0x00007FF7DBFB0000-0x00007FF7DC301000-memory.dmp

Filesize
3.3MB

Download
memory/2780-1-0x000001D109C10000-0x000001D109C20000-memory.dmp

Filesize
64KB

Download
memory/3068-220-0x00007FF755ED0000-0x00007FF756221000-memory.dmp

Filesize
3.3MB

Download
memory/3068-77-0x00007FF755ED0000-0x00007FF756221000-memory.dmp

Filesize
3.3MB

Download
memory/3068-20-0x00007FF755ED0000-0x00007FF756221000-memory.dmp

Filesize
3.3MB

Download
memory/3304-226-0x00007FF7DB320000-0x00007FF7DB671000-memory.dmp

Filesize
3.3MB

Download
memory/3304-34-0x00007FF7DB320000-0x00007FF7DB671000-memory.dmp

Filesize
3.3MB

Download
memory/3304-94-0x00007FF7DB320000-0x00007FF7DB671000-memory.dmp

Filesize
3.3MB

Download
memory/3384-99-0x00007FF61C340000-0x00007FF61C691000-memory.dmp

Filesize
3.3MB

Download
memory/3384-155-0x00007FF61C340000-0x00007FF61C691000-memory.dmp

Filesize
3.3MB

Download
memory/3384-256-0x00007FF61C340000-0x00007FF61C691000-memory.dmp

Filesize
3.3MB

Download
memory/3856-110-0x00007FF7E8E90000-0x00007FF7E91E1000-memory.dmp

Filesize
3.3MB

Download
memory/3856-158-0x00007FF7E8E90000-0x00007FF7E91E1000-memory.dmp

Filesize
3.3MB

Download
memory/3856-258-0x00007FF7E8E90000-0x00007FF7E91E1000-memory.dmp

Filesize
3.3MB

Download
memory/4008-216-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp

Filesize
3.3MB

Download
memory/4008-66-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp

Filesize
3.3MB

Download
memory/4008-7-0x00007FF6CEDD0000-0x00007FF6CF121000-memory.dmp

Filesize
3.3MB

Download
memory/5044-250-0x00007FF6B69D0000-0x00007FF6B6D21000-memory.dmp

Filesize
3.3MB

Download
memory/5044-83-0x00007FF6B69D0000-0x00007FF6B6D21000-memory.dmp

Filesize
3.3MB

Download
memory/5044-156-0x00007FF6B69D0000-0x00007FF6B6D21000-memory.dmp

Filesize
3.3MB

Download