cobaltstrike | c740aaa1e650b0d4454c72fb4c2f67a65ca55853d04cb3d8b1153ef56a567ecd

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5eab5a8a110e8241c192ba499490e7cb
SHA1

69c6889e05652f0d600565fa2f20905144c242dc
SHA256

c740aaa1e650b0d4454c72fb4c2f67a65ca55853d04cb3d8b1153ef56a567ecd
SHA512

61bb9bd14d2d23f1c98d9eb445c51fd3455c3fbe12f5b1ab55f4cd68cdef43841d5686b2b5ee5a0405d0aeec23a3aa5ec05ce48a36f0cebec8c26036f24aac3c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lK:RWWBibf56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b9e-6.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-16.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-26.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-32.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-57.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bae-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb1-97.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb3-116.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb2-121.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb4-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb0-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baf-104.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-92.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-69.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-62.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba6-40.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/5028-58-0x00007FF706CE0000-0x00007FF707031000-memory.dmp	xmrig
behavioral2/memory/3968-123-0x00007FF719A80000-0x00007FF719DD1000-memory.dmp	xmrig
behavioral2/memory/1220-126-0x00007FF6395F0000-0x00007FF639941000-memory.dmp	xmrig
behavioral2/memory/3240-125-0x00007FF71F990000-0x00007FF71FCE1000-memory.dmp	xmrig
behavioral2/memory/4532-124-0x00007FF61F5A0000-0x00007FF61F8F1000-memory.dmp	xmrig
behavioral2/memory/2600-120-0x00007FF7F0E30000-0x00007FF7F1181000-memory.dmp	xmrig
behavioral2/memory/2740-119-0x00007FF607640000-0x00007FF607991000-memory.dmp	xmrig
behavioral2/memory/2664-115-0x00007FF6818F0000-0x00007FF681C41000-memory.dmp	xmrig
behavioral2/memory/668-91-0x00007FF7A0A10000-0x00007FF7A0D61000-memory.dmp	xmrig
behavioral2/memory/3012-90-0x00007FF79FB60000-0x00007FF79FEB1000-memory.dmp	xmrig
behavioral2/memory/1520-79-0x00007FF71E670000-0x00007FF71E9C1000-memory.dmp	xmrig
behavioral2/memory/1648-59-0x00007FF78CAB0000-0x00007FF78CE01000-memory.dmp	xmrig
behavioral2/memory/3532-52-0x00007FF742D20000-0x00007FF743071000-memory.dmp	xmrig
behavioral2/memory/2392-41-0x00007FF6124C0000-0x00007FF612811000-memory.dmp	xmrig
behavioral2/memory/2368-27-0x00007FF6CB750000-0x00007FF6CBAA1000-memory.dmp	xmrig
behavioral2/memory/864-128-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp	xmrig
behavioral2/memory/2888-129-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp	xmrig
behavioral2/memory/1700-149-0x00007FF672990000-0x00007FF672CE1000-memory.dmp	xmrig
behavioral2/memory/4152-146-0x00007FF6BF340000-0x00007FF6BF691000-memory.dmp	xmrig
behavioral2/memory/756-144-0x00007FF700090000-0x00007FF7003E1000-memory.dmp	xmrig
behavioral2/memory/4440-136-0x00007FF718510000-0x00007FF718861000-memory.dmp	xmrig
behavioral2/memory/3756-133-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp	xmrig
behavioral2/memory/864-150-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp	xmrig
behavioral2/memory/864-151-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp	xmrig
behavioral2/memory/2888-213-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp	xmrig
behavioral2/memory/2368-215-0x00007FF6CB750000-0x00007FF6CBAA1000-memory.dmp	xmrig
behavioral2/memory/2392-217-0x00007FF6124C0000-0x00007FF612811000-memory.dmp	xmrig
behavioral2/memory/3532-219-0x00007FF742D20000-0x00007FF743071000-memory.dmp	xmrig
behavioral2/memory/5028-221-0x00007FF706CE0000-0x00007FF707031000-memory.dmp	xmrig
behavioral2/memory/3756-223-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp	xmrig
behavioral2/memory/1648-225-0x00007FF78CAB0000-0x00007FF78CE01000-memory.dmp	xmrig
behavioral2/memory/2664-227-0x00007FF6818F0000-0x00007FF681C41000-memory.dmp	xmrig
behavioral2/memory/1520-229-0x00007FF71E670000-0x00007FF71E9C1000-memory.dmp	xmrig
behavioral2/memory/668-236-0x00007FF7A0A10000-0x00007FF7A0D61000-memory.dmp	xmrig
behavioral2/memory/3012-242-0x00007FF79FB60000-0x00007FF79FEB1000-memory.dmp	xmrig
behavioral2/memory/2600-244-0x00007FF7F0E30000-0x00007FF7F1181000-memory.dmp	xmrig
behavioral2/memory/4440-241-0x00007FF718510000-0x00007FF718861000-memory.dmp	xmrig
behavioral2/memory/2740-238-0x00007FF607640000-0x00007FF607991000-memory.dmp	xmrig
behavioral2/memory/3968-252-0x00007FF719A80000-0x00007FF719DD1000-memory.dmp	xmrig
behavioral2/memory/3240-254-0x00007FF71F990000-0x00007FF71FCE1000-memory.dmp	xmrig
behavioral2/memory/756-250-0x00007FF700090000-0x00007FF7003E1000-memory.dmp	xmrig
behavioral2/memory/4532-249-0x00007FF61F5A0000-0x00007FF61F8F1000-memory.dmp	xmrig
behavioral2/memory/4152-247-0x00007FF6BF340000-0x00007FF6BF691000-memory.dmp	xmrig
behavioral2/memory/1220-256-0x00007FF6395F0000-0x00007FF639941000-memory.dmp	xmrig
behavioral2/memory/1700-260-0x00007FF672990000-0x00007FF672CE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2888	WbDSQaR.exe
2368	bRfeEEG.exe
2392	pXCvhgJ.exe
3532	aIZQiBU.exe
3756	pDUBynA.exe
5028	hxpPKuK.exe
1648	LZpUsvQ.exe
2664	jRIPlyk.exe
4440	MIUguoH.exe
1520	BgtwzWD.exe
2740	FitDUxz.exe
3012	QRwuOag.exe
2600	YrYZPwq.exe
668	utvodHY.exe
3968	NYOPcfO.exe
756	ABLexJU.exe
4532	LUnreLU.exe
4152	teeMRst.exe
3240	DtssKhk.exe
1700	EKAjQGY.exe
1220	QblNHVW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/864-0-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp	upx
behavioral2/files/0x000b000000023b9e-6.dat	upx
behavioral2/files/0x000a000000023ba2-11.dat	upx
behavioral2/files/0x000a000000023ba3-16.dat	upx
behavioral2/files/0x000a000000023ba5-26.dat	upx
behavioral2/files/0x000a000000023ba4-32.dat	upx
behavioral2/files/0x000a000000023bac-57.dat	upx
behavioral2/memory/5028-58-0x00007FF706CE0000-0x00007FF707031000-memory.dmp	upx
behavioral2/files/0x000a000000023bae-85.dat	upx
behavioral2/files/0x000a000000023bb1-97.dat	upx
behavioral2/files/0x000b000000023b9f-106.dat	upx
behavioral2/files/0x000a000000023bb3-116.dat	upx
behavioral2/memory/3968-123-0x00007FF719A80000-0x00007FF719DD1000-memory.dmp	upx
behavioral2/memory/1220-126-0x00007FF6395F0000-0x00007FF639941000-memory.dmp	upx
behavioral2/memory/3240-125-0x00007FF71F990000-0x00007FF71FCE1000-memory.dmp	upx
behavioral2/memory/4532-124-0x00007FF61F5A0000-0x00007FF61F8F1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-121.dat	upx
behavioral2/memory/2600-120-0x00007FF7F0E30000-0x00007FF7F1181000-memory.dmp	upx
behavioral2/memory/2740-119-0x00007FF607640000-0x00007FF607991000-memory.dmp	upx
behavioral2/files/0x000a000000023bb4-118.dat	upx
behavioral2/memory/2664-115-0x00007FF6818F0000-0x00007FF681C41000-memory.dmp	upx
behavioral2/memory/1700-114-0x00007FF672990000-0x00007FF672CE1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-110.dat	upx
behavioral2/memory/4152-108-0x00007FF6BF340000-0x00007FF6BF691000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-104.dat	upx
behavioral2/memory/756-101-0x00007FF700090000-0x00007FF7003E1000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-92.dat	upx
behavioral2/memory/668-91-0x00007FF7A0A10000-0x00007FF7A0D61000-memory.dmp	upx
behavioral2/memory/3012-90-0x00007FF79FB60000-0x00007FF79FEB1000-memory.dmp	upx
behavioral2/files/0x000a000000023bab-70.dat	upx
behavioral2/files/0x000a000000023ba8-69.dat	upx
behavioral2/memory/1520-79-0x00007FF71E670000-0x00007FF71E9C1000-memory.dmp	upx
behavioral2/memory/4440-67-0x00007FF718510000-0x00007FF718861000-memory.dmp	upx
behavioral2/files/0x000a000000023baa-62.dat	upx
behavioral2/files/0x000a000000023ba9-60.dat	upx
behavioral2/memory/1648-59-0x00007FF78CAB0000-0x00007FF78CE01000-memory.dmp	upx
behavioral2/memory/3532-52-0x00007FF742D20000-0x00007FF743071000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-48.dat	upx
behavioral2/memory/2392-41-0x00007FF6124C0000-0x00007FF612811000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-40.dat	upx
behavioral2/memory/3756-30-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp	upx
behavioral2/memory/2368-27-0x00007FF6CB750000-0x00007FF6CBAA1000-memory.dmp	upx
behavioral2/memory/2888-15-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp	upx
behavioral2/memory/864-128-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp	upx
behavioral2/memory/2888-129-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp	upx
behavioral2/memory/1700-149-0x00007FF672990000-0x00007FF672CE1000-memory.dmp	upx
behavioral2/memory/4152-146-0x00007FF6BF340000-0x00007FF6BF691000-memory.dmp	upx
behavioral2/memory/756-144-0x00007FF700090000-0x00007FF7003E1000-memory.dmp	upx
behavioral2/memory/4440-136-0x00007FF718510000-0x00007FF718861000-memory.dmp	upx
behavioral2/memory/3756-133-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp	upx
behavioral2/memory/864-150-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp	upx
behavioral2/memory/864-151-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp	upx
behavioral2/memory/2888-213-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp	upx
behavioral2/memory/2368-215-0x00007FF6CB750000-0x00007FF6CBAA1000-memory.dmp	upx
behavioral2/memory/2392-217-0x00007FF6124C0000-0x00007FF612811000-memory.dmp	upx
behavioral2/memory/3532-219-0x00007FF742D20000-0x00007FF743071000-memory.dmp	upx
behavioral2/memory/5028-221-0x00007FF706CE0000-0x00007FF707031000-memory.dmp	upx
behavioral2/memory/3756-223-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp	upx
behavioral2/memory/1648-225-0x00007FF78CAB0000-0x00007FF78CE01000-memory.dmp	upx
behavioral2/memory/2664-227-0x00007FF6818F0000-0x00007FF681C41000-memory.dmp	upx
behavioral2/memory/1520-229-0x00007FF71E670000-0x00007FF71E9C1000-memory.dmp	upx
behavioral2/memory/668-236-0x00007FF7A0A10000-0x00007FF7A0D61000-memory.dmp	upx
behavioral2/memory/3012-242-0x00007FF79FB60000-0x00007FF79FEB1000-memory.dmp	upx
behavioral2/memory/2600-244-0x00007FF7F0E30000-0x00007FF7F1181000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ABLexJU.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LUnreLU.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bRfeEEG.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pXCvhgJ.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aIZQiBU.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hxpPKuK.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BgtwzWD.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\utvodHY.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WbDSQaR.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LZpUsvQ.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MIUguoH.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FitDUxz.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QRwuOag.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\teeMRst.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pDUBynA.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DtssKhk.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRIPlyk.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YrYZPwq.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NYOPcfO.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QblNHVW.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EKAjQGY.exe	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 2888	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 864 wrote to memory of 2888	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 864 wrote to memory of 2368	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 864 wrote to memory of 2368	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 864 wrote to memory of 2392	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 864 wrote to memory of 2392	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 864 wrote to memory of 3532	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 864 wrote to memory of 3532	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 864 wrote to memory of 3756	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 864 wrote to memory of 3756	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 864 wrote to memory of 5028	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 864 wrote to memory of 5028	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 864 wrote to memory of 1648	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 864 wrote to memory of 1648	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 864 wrote to memory of 4440	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 864 wrote to memory of 4440	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 864 wrote to memory of 2664	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 864 wrote to memory of 2664	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 864 wrote to memory of 1520	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 864 wrote to memory of 1520	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 864 wrote to memory of 2740	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 864 wrote to memory of 2740	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 864 wrote to memory of 3012	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 864 wrote to memory of 3012	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 864 wrote to memory of 2600	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 864 wrote to memory of 2600	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 864 wrote to memory of 668	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 864 wrote to memory of 668	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 864 wrote to memory of 3968	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 864 wrote to memory of 3968	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 864 wrote to memory of 756	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 864 wrote to memory of 756	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 864 wrote to memory of 4532	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 864 wrote to memory of 4532	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 864 wrote to memory of 4152	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 864 wrote to memory of 4152	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 864 wrote to memory of 1220	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 864 wrote to memory of 1220	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 864 wrote to memory of 3240	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 864 wrote to memory of 3240	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 864 wrote to memory of 1700	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 864 wrote to memory of 1700	864	2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_5eab5a8a110e8241c192ba499490e7cb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System\WbDSQaR.exe
  C:\Windows\System\WbDSQaR.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\bRfeEEG.exe
  C:\Windows\System\bRfeEEG.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\pXCvhgJ.exe
  C:\Windows\System\pXCvhgJ.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\aIZQiBU.exe
  C:\Windows\System\aIZQiBU.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\pDUBynA.exe
  C:\Windows\System\pDUBynA.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\hxpPKuK.exe
  C:\Windows\System\hxpPKuK.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\LZpUsvQ.exe
  C:\Windows\System\LZpUsvQ.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\MIUguoH.exe
  C:\Windows\System\MIUguoH.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\jRIPlyk.exe
  C:\Windows\System\jRIPlyk.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\BgtwzWD.exe
  C:\Windows\System\BgtwzWD.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\FitDUxz.exe
  C:\Windows\System\FitDUxz.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\QRwuOag.exe
  C:\Windows\System\QRwuOag.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\YrYZPwq.exe
  C:\Windows\System\YrYZPwq.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\utvodHY.exe
  C:\Windows\System\utvodHY.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\NYOPcfO.exe
  C:\Windows\System\NYOPcfO.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\ABLexJU.exe
  C:\Windows\System\ABLexJU.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\LUnreLU.exe
  C:\Windows\System\LUnreLU.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\teeMRst.exe
  C:\Windows\System\teeMRst.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\QblNHVW.exe
  C:\Windows\System\QblNHVW.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\DtssKhk.exe
  C:\Windows\System\DtssKhk.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\EKAjQGY.exe
  C:\Windows\System\EKAjQGY.exe
  2⤵
  - Executes dropped EXE
  PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ABLexJU.exe

Filesize
5.2MB

MD5
1656b085c175441f835e5241227917f8

SHA1
9948fbb7602e940d41c76b19a0615e4abd4d3350

SHA256
4d6f28033e6bc90b61400468f200a161a9e7eda9a86f72fba6f07f8a58c66563

SHA512
e59b10c9a9d0ff5cf3eca01ef8685e65815f47e521e49604c688656e7d2c8530b3978651384c891ecefde1bd1c943b32d02f513917312ea93b2eb838658e4367

Download Submit
C:\Windows\System\BgtwzWD.exe

Filesize
5.2MB

MD5
39c717212f29764bae21d00090e2be1f

SHA1
c50e60ec68398232593a5dabe323889525d7ee63

SHA256
f2965d3f799b9f7a2e08ba40d5e915182fac10a41b76a040d0cfff2969b8aa54

SHA512
b87086959f41eee6407d27a728d19c6b625c1d4f4c6b3d9719c3094ee22d4939e2ddfa45364105ab616831dd89d11075adad49337e26616b63972979b8e4d1d6

Download Submit
C:\Windows\System\DtssKhk.exe

Filesize
5.2MB

MD5
04f7240daddc13ed15a7fe51b9f626fc

SHA1
e1548c76f81f5fe15f75a73bbba0c28b0c4706c0

SHA256
4def60d9103b9374c7307e61eb886b98d96cd8ec742194b04c93e056caf352bb

SHA512
e858fc48c9d455d248a88b4c351fd9e7317d26860f335a5782fd2327d67722d80f9091da1291e43c167925cd21901273b7c58e33814e4e14f678cc4dd36f34e4

Download Submit
C:\Windows\System\EKAjQGY.exe

Filesize
5.2MB

MD5
255ce390505f62d62ce253a5cc8733f9

SHA1
8d0641e6df57c5edb7673692b3c9a6ccd1a70532

SHA256
db3788343e4cf123f8afce9c4d240c767d7e8af97dabad22baf4501db3442f22

SHA512
f04f3aefaa7acfd28441ed0d0376d7b01d2dcddc38aa4a66b79ecec6a05045d6d6d4f809bd1690c1129203986f5047b75f05e739fa61a191e6db3f7f85081f7d

Download Submit
C:\Windows\System\FitDUxz.exe

Filesize
5.2MB

MD5
1b78cc65c4a863f009b40cc3b1d170f0

SHA1
f410a88cb0154b86c6a0a3fa66e51348c54f4036

SHA256
d6d099fefc79fcab34ec31171bddb43735fcf0f1528b1c32483afb50d730be8d

SHA512
ea66c5772d5e9073ecf44811de9d4d7410cbbaf952d7a33a98d0cbbc7141118b4911b103fc00b2462075653e3b5faeb7f0f52c3ed2cc6e03dfc4ac53e3754f08

Download Submit
C:\Windows\System\LUnreLU.exe

Filesize
5.2MB

MD5
ab476c426a762729de3116d03d6922f0

SHA1
d0aa7408ed0835e94303cae99effd64aa1de0855

SHA256
7998ac825ffa4e61e1a73ea466cbadaf133b532b77ffca66bb8a16f480d6e302

SHA512
db0e096c127699eb2a3e8a4994c6a16ef89d3506b9d888246f06c1e20991d82c7039f95f4e0ff6776e288a8742acbae16cd89492dbe57290072bba0cb849ce7c

Download Submit
C:\Windows\System\LZpUsvQ.exe

Filesize
5.2MB

MD5
498f4a69e29427e97c24cfa227f420e5

SHA1
0dca24b611c7962e4ec08887f8dd7293572ab4d2

SHA256
41556a6d5ac98629eb0ef5785664e5976ab767645258824204d2ffaee22b8cc6

SHA512
583d741f401d52900c10d0e0a5d247c586ed47df53296fb177d0ceef69a867bd967bcb68c4c596d0ab76718b34b3541ef371d4e154155c9790188d2a23adeea0

Download Submit
C:\Windows\System\MIUguoH.exe

Filesize
5.2MB

MD5
f4cb44e0c9392677d02e9a3e2450c6a0

SHA1
859c1eb1c76deebf156401bda436659f6011c6e5

SHA256
c61a05710fce458b99eee9fcd8cf1c7029e36d4d27b15de70aef5ad132fff0eb

SHA512
d1000fdb317128c6daa8c1d0e8bc873878e6b36d88d6ca7b4c23429ac5ddf7d061c411bf74aecef25290e4cfa5466d4df37d008568647e7706d4ffc62a3b712f

Download Submit
C:\Windows\System\NYOPcfO.exe

Filesize
5.2MB

MD5
d64d595d92f5915b93c66bc2cf061030

SHA1
3021522be6f02cb4b42964710f4f9df7c3f1c7bb

SHA256
8b6809a432e89cfdd22c72f3ce0d7db058a33360040635e52c1823cabdb3ba4a

SHA512
e269b56a18c946426345309e86cba7ea34e33b0a4c5d0f1c8a83665d745d2a9197bff7550d9520dbf6048a11e8ccad188ac058ff8591d2bc52b8d1f476fabd4a

Download Submit
C:\Windows\System\QRwuOag.exe

Filesize
5.2MB

MD5
2ea6a5649a4c0a8dbbaeef697965217c

SHA1
2d3f654e380380f97d166ba3ca20aa1775d50ec2

SHA256
0740e48cda4203c3f224d58f61fabffb5a63114e5d61cc57faa6281027ddb971

SHA512
af0010c5810ec2c2597d4e144eac401eff1c8bc7ccfe072d303d1ce3c45a67fd251a4a2e3fa0357b8369d5446b903d096232df3cbb3816281b250b0ae3f8d6e0

Download Submit
C:\Windows\System\QblNHVW.exe

Filesize
5.2MB

MD5
52d3a0404f300bd9d71c3905ed3d4f64

SHA1
86e026238cd8a59f242d6c464416bdb599ed526d

SHA256
8e17148f6c57774a81ebc1ec500dc2c29ce1fa082b35db99efbc5bc417c71d44

SHA512
3fc41511c5da51fad112e4c0dcba3aa481be32d35776cf436fe2f86719a0c227d8e61b945fbb9eba19a6c753e444b577a5b6a0e740778ca0012152ad9f666079

Download Submit
C:\Windows\System\WbDSQaR.exe

Filesize
5.2MB

MD5
f65625964cfc4b182c4afe16948b36bd

SHA1
52b3cd39c433e019e4f1a95e1cbd1d0a35af649b

SHA256
c11f41c3a98d75b6ca29a0fc1f9af8941027c1d0ce4df02ae3aafeedd993e053

SHA512
d5bb9d7317ba7317f94f552aa3681fe968cd3d0b4decef4311ef8bbb9b9b9f7d3cc8e297d81307b109901a14002b4a7698292f6d3945a3c142dd7d758c6f81ec

Download Submit
C:\Windows\System\YrYZPwq.exe

Filesize
5.2MB

MD5
52cea62d970af06f7585e8875fa56a88

SHA1
ac140acda403b519087affcf89a300f630170412

SHA256
5eba19eb6f25cca65575e2a8090d0289a667b9d52f9990ef6c591766ec20c811

SHA512
e0a3537c10cbfe83346dcd5c4b9ca6c2653f313df71b35c30d323046dfc763f6e262636a92e8f4c6dab3aa9ba94ccaf6304304d5a42bd579aa18ddd7021f39a5

Download Submit
C:\Windows\System\aIZQiBU.exe

Filesize
5.2MB

MD5
3535446866166cd4ee45feaa0d9188fc

SHA1
23e7113ade713ff833daa4892d77f12ab0dc6361

SHA256
082db84c06e6c5e968d2d23022c88b7578f32cf9dc5997da04f6a3c6137120f4

SHA512
fe77de52ad3f618a4534718db68fbb7a603301118d20a6f5c7d0a1e52b21ecb9ff4946f430943930e76ce8ad4bba504729d2e3481fbe567b5bb7244a5e2dd7e3

Download Submit
C:\Windows\System\bRfeEEG.exe

Filesize
5.2MB

MD5
d2eb3a9971e477ba0765167f496c8a3c

SHA1
74f4623e1315dda2ebf93371f61e8b0c81bb63d4

SHA256
a2d217b462af21548242ae80d91f222b1a412412e3804644496380bec17b9706

SHA512
9165541a29c8a446e98e2ad9837f820461a9bba53222246b9c814a394ca3ad69958c2af38b812535c18df9d9cce1d7635a7f7568fc48af8cc5cca3f1c9eab92e

Download Submit
C:\Windows\System\hxpPKuK.exe

Filesize
5.2MB

MD5
36fd96780c73850c2e2c9133d1503a67

SHA1
ccfeb225c15c72d965b5116287d7233f979bcbb0

SHA256
ee2af6cc14b0d9759ecc7ee7d3900ef0db4d3ff3474ee1221f4f476956c186b0

SHA512
1114aa0b3389ba284fc0dd1e27bab19a3362f6326ccd7ebfcd2e37f46480f2a8f20e35bb95843f671fe79f9965deda5405275cfbc90aba7d2e9ad124e4c945bb

Download Submit
C:\Windows\System\jRIPlyk.exe

Filesize
5.2MB

MD5
2279cdf9746f76dc7341993360028558

SHA1
22cc28099c4f89052b2e5d519aab8c3c51e3a2b7

SHA256
ff40c542ecdd2d8c5a818eefb555c0c30b9fdf44a33215c60b52d812d508b33f

SHA512
df12eee0d4a74f89a6b7bdb1b03c2894a18aacdcff19ace3a8bfd1ef605f4bea432f23183a063934e6b91b4bb4a41c9f95008f7e3f6173210516015a777d8830

Download Submit
C:\Windows\System\pDUBynA.exe

Filesize
5.2MB

MD5
9bd774fcca9e3bbe43e825c1768ad149

SHA1
febe5c4491afd3c150114f6b1777d6c2d0f1575e

SHA256
b3ce8b0c5c8404cab3edcfecc1a06f8a70c30ec21d34569b79152d6ab0d0b114

SHA512
a4857a4bf64bb6454f7dc41721f1b672af034a3f1363b03393dd517b6e463bcd0c4c7f1c66914e756b8f0aef75c2be074fd71d742c10028799624ebcf2d033e2

Download Submit
C:\Windows\System\pXCvhgJ.exe

Filesize
5.2MB

MD5
5e1e2bd8f0a1c25d28db500cf7065517

SHA1
ec73fdac3c23fb8ec8639c3fd0137fc85cd6967f

SHA256
9ff39413d94d0a259fe2eed0455fde91c9efbe13b13daefa0180389a04b33468

SHA512
cde3c95d727727c2a3534baa9e372cd6716a7c727e4f46ce09f03bb3aca9bda914eefa272f623570d1d52038d642f5e982175298900d1275741efdf3034da80c

Download Submit
C:\Windows\System\teeMRst.exe

Filesize
5.2MB

MD5
a1f9403b0b1220277b586a4746768c1a

SHA1
7b6d5313d6d1ca550eebe4f2aa39867802c8dc2a

SHA256
f76767c23bd57d97ff5619a22ddc52aa10c7087374a66110c2cc5d6417eac82d

SHA512
d3e825838cdde5a9c2d549447438452a87501aaa7054ebb8866ad7cbab69458ed20906cda784cdd46d9a38bd3cd6ea2e335eb689aa18754b642adf6fd587b912

Download Submit
C:\Windows\System\utvodHY.exe

Filesize
5.2MB

MD5
e507c0ddf244d7d7b945750f2e0c9c34

SHA1
d0e5658f9b14e7548dfc4f0fb8839d8bfbd9b8d4

SHA256
1d039056167f63d45731c7109cd4a2961bc5a5858cb5d812a8235a91f37bba6a

SHA512
f5879ab18843693bf87ca2cdfd9c34f5a6e3a8993203a5f1221326fcb60741a319d304d4bc1124ae562491a440b597efb58498c3b5570cf398d347f82e615f74

Download Submit
memory/668-236-0x00007FF7A0A10000-0x00007FF7A0D61000-memory.dmp

Filesize
3.3MB

Download
memory/668-91-0x00007FF7A0A10000-0x00007FF7A0D61000-memory.dmp

Filesize
3.3MB

Download
memory/756-144-0x00007FF700090000-0x00007FF7003E1000-memory.dmp

Filesize
3.3MB

Download
memory/756-250-0x00007FF700090000-0x00007FF7003E1000-memory.dmp

Filesize
3.3MB

Download
memory/756-101-0x00007FF700090000-0x00007FF7003E1000-memory.dmp

Filesize
3.3MB

Download
memory/864-0-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp

Filesize
3.3MB

Download
memory/864-151-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp

Filesize
3.3MB

Download
memory/864-128-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp

Filesize
3.3MB

Download
memory/864-1-0x0000028CA1190000-0x0000028CA11A0000-memory.dmp

Filesize
64KB

Download
memory/864-150-0x00007FF7ECF40000-0x00007FF7ED291000-memory.dmp

Filesize
3.3MB

Download
memory/1220-126-0x00007FF6395F0000-0x00007FF639941000-memory.dmp

Filesize
3.3MB

Download
memory/1220-256-0x00007FF6395F0000-0x00007FF639941000-memory.dmp

Filesize
3.3MB

Download
memory/1520-79-0x00007FF71E670000-0x00007FF71E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-229-0x00007FF71E670000-0x00007FF71E9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-225-0x00007FF78CAB0000-0x00007FF78CE01000-memory.dmp

Filesize
3.3MB

Download
memory/1648-59-0x00007FF78CAB0000-0x00007FF78CE01000-memory.dmp

Filesize
3.3MB

Download
memory/1700-149-0x00007FF672990000-0x00007FF672CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-114-0x00007FF672990000-0x00007FF672CE1000-memory.dmp

Filesize
3.3MB

Download
memory/1700-260-0x00007FF672990000-0x00007FF672CE1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-27-0x00007FF6CB750000-0x00007FF6CBAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-215-0x00007FF6CB750000-0x00007FF6CBAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-217-0x00007FF6124C0000-0x00007FF612811000-memory.dmp

Filesize
3.3MB

Download
memory/2392-41-0x00007FF6124C0000-0x00007FF612811000-memory.dmp

Filesize
3.3MB

Download
memory/2600-120-0x00007FF7F0E30000-0x00007FF7F1181000-memory.dmp

Filesize
3.3MB

Download
memory/2600-244-0x00007FF7F0E30000-0x00007FF7F1181000-memory.dmp

Filesize
3.3MB

Download
memory/2664-115-0x00007FF6818F0000-0x00007FF681C41000-memory.dmp

Filesize
3.3MB

Download
memory/2664-227-0x00007FF6818F0000-0x00007FF681C41000-memory.dmp

Filesize
3.3MB

Download
memory/2740-238-0x00007FF607640000-0x00007FF607991000-memory.dmp

Filesize
3.3MB

Download
memory/2740-119-0x00007FF607640000-0x00007FF607991000-memory.dmp

Filesize
3.3MB

Download
memory/2888-15-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp

Filesize
3.3MB

Download
memory/2888-129-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp

Filesize
3.3MB

Download
memory/2888-213-0x00007FF7CAFF0000-0x00007FF7CB341000-memory.dmp

Filesize
3.3MB

Download
memory/3012-90-0x00007FF79FB60000-0x00007FF79FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3012-242-0x00007FF79FB60000-0x00007FF79FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3240-254-0x00007FF71F990000-0x00007FF71FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3240-125-0x00007FF71F990000-0x00007FF71FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/3532-52-0x00007FF742D20000-0x00007FF743071000-memory.dmp

Filesize
3.3MB

Download
memory/3532-219-0x00007FF742D20000-0x00007FF743071000-memory.dmp

Filesize
3.3MB

Download
memory/3756-133-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp

Filesize
3.3MB

Download
memory/3756-30-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp

Filesize
3.3MB

Download
memory/3756-223-0x00007FF6698F0000-0x00007FF669C41000-memory.dmp

Filesize
3.3MB

Download
memory/3968-252-0x00007FF719A80000-0x00007FF719DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3968-123-0x00007FF719A80000-0x00007FF719DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4152-108-0x00007FF6BF340000-0x00007FF6BF691000-memory.dmp

Filesize
3.3MB

Download
memory/4152-146-0x00007FF6BF340000-0x00007FF6BF691000-memory.dmp

Filesize
3.3MB

Download
memory/4152-247-0x00007FF6BF340000-0x00007FF6BF691000-memory.dmp

Filesize
3.3MB

Download
memory/4440-241-0x00007FF718510000-0x00007FF718861000-memory.dmp

Filesize
3.3MB

Download
memory/4440-136-0x00007FF718510000-0x00007FF718861000-memory.dmp

Filesize
3.3MB

Download
memory/4440-67-0x00007FF718510000-0x00007FF718861000-memory.dmp

Filesize
3.3MB

Download
memory/4532-124-0x00007FF61F5A0000-0x00007FF61F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/4532-249-0x00007FF61F5A0000-0x00007FF61F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-221-0x00007FF706CE0000-0x00007FF707031000-memory.dmp

Filesize
3.3MB

Download
memory/5028-58-0x00007FF706CE0000-0x00007FF707031000-memory.dmp

Filesize
3.3MB

Download