cobaltstrike | 8dd968fdbdee8c41704696f7a4b2ae3c98d7789f9b1ea05c5d91b9a28ef416f0

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

92a362dc0458e8e1ba9e77588de76a4e
SHA1

e821c8af2e4ac35e32318085caac60007c3d16ae
SHA256

8dd968fdbdee8c41704696f7a4b2ae3c98d7789f9b1ea05c5d91b9a28ef416f0
SHA512

c45ce9a924e2cea8b1de0512590cf0bd62d04f7175c7ead01d43346031142fe5d45c13cb270b8ad958f5989d84308792bd59158397c7e1f4a39eaddc670a473b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibf56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023447-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-22.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002344b-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-63.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-104.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-99.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-51.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4276-61-0x00007FF688070000-0x00007FF6883C1000-memory.dmp	xmrig
behavioral2/memory/5024-118-0x00007FF6743E0000-0x00007FF674731000-memory.dmp	xmrig
behavioral2/memory/2176-119-0x00007FF6F8FB0000-0x00007FF6F9301000-memory.dmp	xmrig
behavioral2/memory/3896-121-0x00007FF7592A0000-0x00007FF7595F1000-memory.dmp	xmrig
behavioral2/memory/2252-122-0x00007FF7EB1B0000-0x00007FF7EB501000-memory.dmp	xmrig
behavioral2/memory/4752-123-0x00007FF7ABEE0000-0x00007FF7AC231000-memory.dmp	xmrig
behavioral2/memory/1408-124-0x00007FF77EA80000-0x00007FF77EDD1000-memory.dmp	xmrig
behavioral2/memory/1168-125-0x00007FF65EF10000-0x00007FF65F261000-memory.dmp	xmrig
behavioral2/memory/2944-120-0x00007FF7C34D0000-0x00007FF7C3821000-memory.dmp	xmrig
behavioral2/memory/4924-117-0x00007FF652E30000-0x00007FF653181000-memory.dmp	xmrig
behavioral2/memory/4932-126-0x00007FF742F60000-0x00007FF7432B1000-memory.dmp	xmrig
behavioral2/memory/228-127-0x00007FF7BD3E0000-0x00007FF7BD731000-memory.dmp	xmrig
behavioral2/memory/2604-128-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	xmrig
behavioral2/memory/1448-129-0x00007FF7F8E40000-0x00007FF7F9191000-memory.dmp	xmrig
behavioral2/memory/3504-133-0x00007FF733250000-0x00007FF7335A1000-memory.dmp	xmrig
behavioral2/memory/1512-134-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp	xmrig
behavioral2/memory/924-135-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp	xmrig
behavioral2/memory/4276-130-0x00007FF688070000-0x00007FF6883C1000-memory.dmp	xmrig
behavioral2/memory/4784-136-0x00007FF739840000-0x00007FF739B91000-memory.dmp	xmrig
behavioral2/memory/3260-140-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp	xmrig
behavioral2/memory/2696-138-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp	xmrig
behavioral2/memory/380-137-0x00007FF621F10000-0x00007FF622261000-memory.dmp	xmrig
behavioral2/memory/5116-139-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp	xmrig
behavioral2/memory/4276-153-0x00007FF688070000-0x00007FF6883C1000-memory.dmp	xmrig
behavioral2/memory/2604-205-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	xmrig
behavioral2/memory/924-207-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp	xmrig
behavioral2/memory/3504-209-0x00007FF733250000-0x00007FF7335A1000-memory.dmp	xmrig
behavioral2/memory/1512-211-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp	xmrig
behavioral2/memory/4784-213-0x00007FF739840000-0x00007FF739B91000-memory.dmp	xmrig
behavioral2/memory/380-224-0x00007FF621F10000-0x00007FF622261000-memory.dmp	xmrig
behavioral2/memory/2696-226-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp	xmrig
behavioral2/memory/5116-228-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp	xmrig
behavioral2/memory/3260-230-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp	xmrig
behavioral2/memory/4924-232-0x00007FF652E30000-0x00007FF653181000-memory.dmp	xmrig
behavioral2/memory/1448-234-0x00007FF7F8E40000-0x00007FF7F9191000-memory.dmp	xmrig
behavioral2/memory/2944-242-0x00007FF7C34D0000-0x00007FF7C3821000-memory.dmp	xmrig
behavioral2/memory/5024-246-0x00007FF6743E0000-0x00007FF674731000-memory.dmp	xmrig
behavioral2/memory/2176-245-0x00007FF6F8FB0000-0x00007FF6F9301000-memory.dmp	xmrig
behavioral2/memory/3896-248-0x00007FF7592A0000-0x00007FF7595F1000-memory.dmp	xmrig
behavioral2/memory/2252-255-0x00007FF7EB1B0000-0x00007FF7EB501000-memory.dmp	xmrig
behavioral2/memory/4932-257-0x00007FF742F60000-0x00007FF7432B1000-memory.dmp	xmrig
behavioral2/memory/1408-260-0x00007FF77EA80000-0x00007FF77EDD1000-memory.dmp	xmrig
behavioral2/memory/1168-259-0x00007FF65EF10000-0x00007FF65F261000-memory.dmp	xmrig
behavioral2/memory/4752-253-0x00007FF7ABEE0000-0x00007FF7AC231000-memory.dmp	xmrig
behavioral2/memory/228-251-0x00007FF7BD3E0000-0x00007FF7BD731000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2604	oKpJYLp.exe
924	CLecULB.exe
3504	ypIKieh.exe
1512	qjhPWVP.exe
4784	ZMmpQCJ.exe
380	YIypkbs.exe
2696	vbvnyHO.exe
5116	RmaZjdQ.exe
3260	ufeOXDx.exe
4924	wrdYPBY.exe
1448	fGEJlCb.exe
5024	GTpbrun.exe
2176	qofdozw.exe
2944	yoznZZU.exe
3896	RLyqExD.exe
2252	JvXZBHI.exe
4752	dfVndYq.exe
1408	mEdhqgS.exe
1168	oWyhcaw.exe
4932	JkCAvXz.exe
228	MSthwbu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4276-0-0x00007FF688070000-0x00007FF6883C1000-memory.dmp	upx
behavioral2/files/0x0009000000023447-5.dat	upx
behavioral2/memory/2604-6-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	upx
behavioral2/files/0x000700000002344f-10.dat	upx
behavioral2/files/0x000700000002344e-11.dat	upx
behavioral2/memory/3504-20-0x00007FF733250000-0x00007FF7335A1000-memory.dmp	upx
behavioral2/memory/924-14-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp	upx
behavioral2/files/0x0007000000023450-22.dat	upx
behavioral2/files/0x000900000002344b-29.dat	upx
behavioral2/memory/4784-30-0x00007FF739840000-0x00007FF739B91000-memory.dmp	upx
behavioral2/memory/1512-24-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp	upx
behavioral2/files/0x0007000000023451-35.dat	upx
behavioral2/files/0x0007000000023453-41.dat	upx
behavioral2/memory/5116-48-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp	upx
behavioral2/files/0x0007000000023455-53.dat	upx
behavioral2/files/0x0007000000023457-63.dat	upx
behavioral2/files/0x000700000002345a-78.dat	upx
behavioral2/files/0x000700000002345c-90.dat	upx
behavioral2/files/0x000700000002345e-104.dat	upx
behavioral2/files/0x000700000002345f-109.dat	upx
behavioral2/files/0x0007000000023461-115.dat	upx
behavioral2/files/0x0007000000023460-113.dat	upx
behavioral2/files/0x000700000002345d-99.dat	upx
behavioral2/files/0x000700000002345b-86.dat	upx
behavioral2/files/0x0007000000023459-81.dat	upx
behavioral2/files/0x0007000000023458-76.dat	upx
behavioral2/files/0x0007000000023456-66.dat	upx
behavioral2/memory/4276-61-0x00007FF688070000-0x00007FF6883C1000-memory.dmp	upx
behavioral2/memory/3260-54-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp	upx
behavioral2/files/0x0007000000023454-51.dat	upx
behavioral2/memory/2696-42-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp	upx
behavioral2/memory/380-38-0x00007FF621F10000-0x00007FF622261000-memory.dmp	upx
behavioral2/memory/5024-118-0x00007FF6743E0000-0x00007FF674731000-memory.dmp	upx
behavioral2/memory/2176-119-0x00007FF6F8FB0000-0x00007FF6F9301000-memory.dmp	upx
behavioral2/memory/3896-121-0x00007FF7592A0000-0x00007FF7595F1000-memory.dmp	upx
behavioral2/memory/2252-122-0x00007FF7EB1B0000-0x00007FF7EB501000-memory.dmp	upx
behavioral2/memory/4752-123-0x00007FF7ABEE0000-0x00007FF7AC231000-memory.dmp	upx
behavioral2/memory/1408-124-0x00007FF77EA80000-0x00007FF77EDD1000-memory.dmp	upx
behavioral2/memory/1168-125-0x00007FF65EF10000-0x00007FF65F261000-memory.dmp	upx
behavioral2/memory/2944-120-0x00007FF7C34D0000-0x00007FF7C3821000-memory.dmp	upx
behavioral2/memory/4924-117-0x00007FF652E30000-0x00007FF653181000-memory.dmp	upx
behavioral2/memory/4932-126-0x00007FF742F60000-0x00007FF7432B1000-memory.dmp	upx
behavioral2/memory/228-127-0x00007FF7BD3E0000-0x00007FF7BD731000-memory.dmp	upx
behavioral2/memory/2604-128-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	upx
behavioral2/memory/1448-129-0x00007FF7F8E40000-0x00007FF7F9191000-memory.dmp	upx
behavioral2/memory/3504-133-0x00007FF733250000-0x00007FF7335A1000-memory.dmp	upx
behavioral2/memory/1512-134-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp	upx
behavioral2/memory/924-135-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp	upx
behavioral2/memory/4276-130-0x00007FF688070000-0x00007FF6883C1000-memory.dmp	upx
behavioral2/memory/4784-136-0x00007FF739840000-0x00007FF739B91000-memory.dmp	upx
behavioral2/memory/3260-140-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp	upx
behavioral2/memory/2696-138-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp	upx
behavioral2/memory/380-137-0x00007FF621F10000-0x00007FF622261000-memory.dmp	upx
behavioral2/memory/5116-139-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp	upx
behavioral2/memory/4276-153-0x00007FF688070000-0x00007FF6883C1000-memory.dmp	upx
behavioral2/memory/2604-205-0x00007FF61B140000-0x00007FF61B491000-memory.dmp	upx
behavioral2/memory/924-207-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp	upx
behavioral2/memory/3504-209-0x00007FF733250000-0x00007FF7335A1000-memory.dmp	upx
behavioral2/memory/1512-211-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp	upx
behavioral2/memory/4784-213-0x00007FF739840000-0x00007FF739B91000-memory.dmp	upx
behavioral2/memory/380-224-0x00007FF621F10000-0x00007FF622261000-memory.dmp	upx
behavioral2/memory/2696-226-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp	upx
behavioral2/memory/5116-228-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp	upx
behavioral2/memory/3260-230-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qjhPWVP.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GTpbrun.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yoznZZU.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JvXZBHI.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dfVndYq.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLecULB.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ypIKieh.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RLyqExD.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MSthwbu.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oKpJYLp.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ufeOXDx.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RmaZjdQ.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wrdYPBY.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qofdozw.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oWyhcaw.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JkCAvXz.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZMmpQCJ.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YIypkbs.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mEdhqgS.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vbvnyHO.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fGEJlCb.exe	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 2604	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4276 wrote to memory of 2604	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4276 wrote to memory of 924	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4276 wrote to memory of 924	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4276 wrote to memory of 3504	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4276 wrote to memory of 3504	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4276 wrote to memory of 1512	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4276 wrote to memory of 1512	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4276 wrote to memory of 4784	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4276 wrote to memory of 4784	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4276 wrote to memory of 380	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4276 wrote to memory of 380	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4276 wrote to memory of 2696	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4276 wrote to memory of 2696	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4276 wrote to memory of 5116	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4276 wrote to memory of 5116	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4276 wrote to memory of 3260	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4276 wrote to memory of 3260	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4276 wrote to memory of 4924	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4276 wrote to memory of 4924	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4276 wrote to memory of 1448	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4276 wrote to memory of 1448	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4276 wrote to memory of 5024	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4276 wrote to memory of 5024	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4276 wrote to memory of 2176	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4276 wrote to memory of 2176	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4276 wrote to memory of 2944	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4276 wrote to memory of 2944	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4276 wrote to memory of 3896	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4276 wrote to memory of 3896	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4276 wrote to memory of 2252	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4276 wrote to memory of 2252	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4276 wrote to memory of 4752	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4276 wrote to memory of 4752	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4276 wrote to memory of 1408	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4276 wrote to memory of 1408	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4276 wrote to memory of 1168	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4276 wrote to memory of 1168	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4276 wrote to memory of 4932	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4276 wrote to memory of 4932	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4276 wrote to memory of 228	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4276 wrote to memory of 228	4276	2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_92a362dc0458e8e1ba9e77588de76a4e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\System\oKpJYLp.exe
  C:\Windows\System\oKpJYLp.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\CLecULB.exe
  C:\Windows\System\CLecULB.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\ypIKieh.exe
  C:\Windows\System\ypIKieh.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\qjhPWVP.exe
  C:\Windows\System\qjhPWVP.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\ZMmpQCJ.exe
  C:\Windows\System\ZMmpQCJ.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\YIypkbs.exe
  C:\Windows\System\YIypkbs.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\vbvnyHO.exe
  C:\Windows\System\vbvnyHO.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\RmaZjdQ.exe
  C:\Windows\System\RmaZjdQ.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\ufeOXDx.exe
  C:\Windows\System\ufeOXDx.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\wrdYPBY.exe
  C:\Windows\System\wrdYPBY.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\fGEJlCb.exe
  C:\Windows\System\fGEJlCb.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\GTpbrun.exe
  C:\Windows\System\GTpbrun.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\qofdozw.exe
  C:\Windows\System\qofdozw.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\yoznZZU.exe
  C:\Windows\System\yoznZZU.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\RLyqExD.exe
  C:\Windows\System\RLyqExD.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\JvXZBHI.exe
  C:\Windows\System\JvXZBHI.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\dfVndYq.exe
  C:\Windows\System\dfVndYq.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\mEdhqgS.exe
  C:\Windows\System\mEdhqgS.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\oWyhcaw.exe
  C:\Windows\System\oWyhcaw.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\JkCAvXz.exe
  C:\Windows\System\JkCAvXz.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\MSthwbu.exe
  C:\Windows\System\MSthwbu.exe
  2⤵
  - Executes dropped EXE
  PID:228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CLecULB.exe

Filesize
5.2MB

MD5
40b6857eb57be6a230daef828965edd2

SHA1
4d306a955ce2438a3271d43d9deba2222db5dab8

SHA256
76c813a13c42fed33568931f8a1744428f6760bd9b1eca67f1f4773260b31eef

SHA512
378800816a5061b22f9c03fc17abf8e6687aff00ef76441d544734ffec2844808af22a4fccd93d512e070990cc18192694d98df7ef49e6c1c05f782dd77f6f2a

Download Submit
C:\Windows\System\GTpbrun.exe

Filesize
5.2MB

MD5
edf985417922ed933209dbcf5e2519ab

SHA1
9ad40e829417c8d8b1bd1f83146a9383d7c06ef6

SHA256
a838f719f2316227ae0e5e2ffb9e7f3657404d57e790fac09efd8ffed5f28bce

SHA512
95f4b99745dcad08e52c04509d0bf02494593b554946e534a958e098ab2048c9dff0bffb5f9b4ed5b1ed15040eaa4227c7e8fcbc3cab216cf2b3dd38dc71466b

Download Submit
C:\Windows\System\JkCAvXz.exe

Filesize
5.2MB

MD5
28388354730e11420ff10858d058c5c4

SHA1
5fbe469622931bc6a28bfc8ae0fb6f440d63fc14

SHA256
cc57f06de800cf613856e6633940029ee1f86102417720c5556730658d3f5925

SHA512
bce3670367fc55782e8584006b31c111b34aa026356494e3812b6d4f490040cd3b83504e97a15c6f2384898386a1af71faecff5e9fdf7811ff9f62df91807295

Download Submit
C:\Windows\System\JvXZBHI.exe

Filesize
5.2MB

MD5
f353eb665a67c625d6fd17f3895e3203

SHA1
a494d46a3adfd007f87c49121fb605d9e4580da6

SHA256
1fa922710509e46695712e3edc2437e4f5b83e33696fce436c19a992020c2f15

SHA512
efb10171a2c61607d350e2a5223e09c7eb8632435efee7bf106edbc80289f6e8330ed5f7f0049efd5e3b11dbf6d1b79623277bad53539160414712478c7c2146

Download Submit
C:\Windows\System\MSthwbu.exe

Filesize
5.2MB

MD5
7c724f25aecd666549008b453a2be2d1

SHA1
8f6caead2e45412761f4d6d24691be0e70f5a71e

SHA256
8e26c269b6d222e9a4ce34a326c9d5d130608b5e9296c16439838653d484bb90

SHA512
3e1244851815a05d733124d3109857543d99127201b7b3d4703f9ae3305e2fe497a8acd0066ac68d8225882b058b670f28d991d268844d0a855d16446c7cb279

Download Submit
C:\Windows\System\RLyqExD.exe

Filesize
5.2MB

MD5
d56989d8d55d7dbcc097ad6b679a6431

SHA1
31728a5d6852530832ca442838476be866b6aad0

SHA256
2d08d14f221ee0b4f386c71f6f71f9564b8cd69158c1903df93a4d304a28c042

SHA512
5cd794a205603fc5ccaeeca928bba25454a84588c01af4de1912ff0b456156c25d7d30206eda85c50b16664b66a401447adbefb4952527c280c0654da8dab1c2

Download Submit
C:\Windows\System\RmaZjdQ.exe

Filesize
5.2MB

MD5
46aca18cb2a62f541284a6ac29527009

SHA1
5e72b654aa16cb3803998d7c5da149064a41e79c

SHA256
6d8f64180f48a6fd4a38ec87198c39cc47d5fb7d0eef62ab19ca625e4c4bf4a0

SHA512
75846908f804d3bd1e10abc86304b7dd43c626840e6e0f3ca4768a5b561e7f2c84c221a9a51a5544e369f19799bd629183b7620b4eeace866066e1c94dd3c181

Download Submit
C:\Windows\System\YIypkbs.exe

Filesize
5.2MB

MD5
098c6824ca41d5d0b3c77d91589970f6

SHA1
d00071f226d63103315034b8ceac79021d86ecaf

SHA256
8e4dff1bbff1154697ce2a9817dbec24db88210d117af6899b1902b1531c34bc

SHA512
899d461411b14589b5a6fa17dcd2ed1dae1a88ed95222ac9c77ed1ec4666d6e7ef31b8876b5198746c8630a48f0c51bf3320112f07d85effcfdc248af4f69c96

Download Submit
C:\Windows\System\ZMmpQCJ.exe

Filesize
5.2MB

MD5
a81d8e6eef701c6daa22f12559982c92

SHA1
c129063c1d74cb83ced69cfbe1ef8b2eecabbde4

SHA256
7d286ab0d5df7295addb2b4fdef2abe0328b5a142565e33e74e21680f075dce9

SHA512
b92fe820c8bd93497cd555e67120c13a9733051040dc0a522c46ed1c2ae8f9c54d5f903b77dea0127749d2987ddc1360e6d93abc57fa18e95a217a2bef3d7919

Download Submit
C:\Windows\System\dfVndYq.exe

Filesize
5.2MB

MD5
2210c20439343364c525abd9a57d467b

SHA1
46434d00ee4e123a65c472f023416c8b7413e0e7

SHA256
9575f86ae217740eadb4c8fa0371b7fd4babc4d259d0d317218dacceffb4c916

SHA512
8a41f2221228c4b56029b9fa7235e2faf2f36bda99cfcd91fb46c25ea15495deee6200e2b2cf8f293ad9222844965016092d8935cdce4940c405ffa76c308ab8

Download Submit
C:\Windows\System\fGEJlCb.exe

Filesize
5.2MB

MD5
f3c70a6a2d3e371079f309452260d159

SHA1
45c898c4daa0202830f6241426dff8d4e7d7e33c

SHA256
6a9aa7c6b0e1fa0a667956440edfae43d837308626d21132bd2baa577f63f6d1

SHA512
6baad137468df65878d8c9b519962f71f245968c1d43f2d563b4ac2d1c47c44fca7a8035fe1fa0603779652027a02c832d5ff311949fae47860f074d9c354073

Download Submit
C:\Windows\System\mEdhqgS.exe

Filesize
5.2MB

MD5
6a07d6882f567dfd6dbd4d770f36a151

SHA1
16675e5c4265deeef548a19625cc2de1a77d5e3b

SHA256
3bb68f01dbee646c75f31b99aeabad639fbf5bc9ddef3d4a87d9a80b4b708e3d

SHA512
55768a4c7b95593d415542ecfd0324c6d3b03af1442f43141232ecc39b2b957b3548fef54681f758312cc948cc9a74de58d79157dc07e726746eb2fd28e762d6

Download Submit
C:\Windows\System\oKpJYLp.exe

Filesize
5.2MB

MD5
29138e94e6704d1d9bcb31018f44095f

SHA1
f8c76c4f953df19c2423bb0577c7acaf12044ffe

SHA256
f9a9066bbeb894492d4f11db33dc1d06da8edd36c371a90a24636e5d5e647e99

SHA512
4ebe5f4e33ee2545e902a81d38991f6b357b9b312ba33ab728673a9dc1d23e8fcd7767aa7c6c3d92c4e2f3789f11e748008af2e6397f9589042bd5b58f4bec75

Download Submit
C:\Windows\System\oWyhcaw.exe

Filesize
5.2MB

MD5
d962282ea083f5a7eb11b4c082c84b82

SHA1
29233f392aa28941f892379915431092560604a3

SHA256
6af8be11d1ab501abb207d6d1984b54ca12336d5ebc8e616895d90486efc10b7

SHA512
7b93bd073054fe7266a87d927b98d59105154804e73af99a9889e9b1c8fa6a560f09840cb1891d52a03e9d6e2da0f13d0cb1324865261310cd3c61d09f39893e

Download Submit
C:\Windows\System\qjhPWVP.exe

Filesize
5.2MB

MD5
b15bc23287c7784429ebc4715bc41440

SHA1
a22e72d4db88bdd1c6452e6a34e6af835f5f6454

SHA256
ed6b57998e3d96e533b99a2d831e6afef0817b30e3a77d1222bbf31728519c88

SHA512
c231fa27f791db6e0dff0edd29cd7bccff69218d7d3ebc2daadc8b55a3c00fd757298a6f8925abe881eaddb800eef85bdeab4e1b45c17dbc9a7d3f9a4c6bf680

Download Submit
C:\Windows\System\qofdozw.exe

Filesize
5.2MB

MD5
cad2e707983b496f3d9b027cbe7b2a03

SHA1
851b05a797f4cce9e5918541a99587514617bf48

SHA256
fac3891cca721078504b7520d6fdb68c586c28cdf2accde2654a47ae728fa9f2

SHA512
8cdec5f6eedb7a5cd9eaf8a192edc83b504804f08af5558fe6c68983913c30ab56e5999267163a8a269c3c25e1b15685635d2283b43364fd5b10bfc612b00140

Download Submit
C:\Windows\System\ufeOXDx.exe

Filesize
5.2MB

MD5
69b95aa020b958e4acdda8f5216fbb60

SHA1
989b80c4e5c362a504e8a298c3ccd5a7ef7c6a1a

SHA256
679968338a8af9eb791c1750fe8607d674bbe886ec8dae88f776a12a4f6723e0

SHA512
d88821aa23153e4ec52fc018b97e9ca8aac44ba51303927ae76e26d5b6a04010dd43cfb2c4580c8eef598f5563f69e07126b5dcdb6269436380b5c01b296a9ad

Download Submit
C:\Windows\System\vbvnyHO.exe

Filesize
5.2MB

MD5
68af9038093729c88841232e76df9c97

SHA1
b238f45b056ddc83b7e03bb9a72b95a0a665b348

SHA256
ad3c2b08fd8d72548fccbfb84be35976bdc75821b9df5ed2394f072122d14409

SHA512
69772739cbb641a5dbf060be531ddea344e20627d584c552b4b3b327f90ad6041c7bc9860042f7a359dd279b28e912c5fc5a9a8bb5b72e2c565e5b3227f22f2c

Download Submit
C:\Windows\System\wrdYPBY.exe

Filesize
5.2MB

MD5
1ec33eba555f7f22d1aab52253125e2e

SHA1
321d94692bc414ec835b89af15b71793fbf3e428

SHA256
b6995ac0242275434c7db20ec4516c607783d7775ea17ba4eb42a514f563fa2c

SHA512
24bf0bc0e0c3ec9d290d2bc3eec6dfe97f64c78531b69c1d4bae9c5bcc87ae2684976898e75b65049cc66eb18beec32c20c5ef88956601ade9a139b15265b289

Download Submit
C:\Windows\System\yoznZZU.exe

Filesize
5.2MB

MD5
ee24ad703aac20ae4bf9ff9fff3a8e9f

SHA1
d8e88f0f65a9f76a9efcfcfc8442fc60bd303252

SHA256
0aee759b4bd29bd4483cebecc2d5b695e5efff749928ee9c408936c50a525b8d

SHA512
e0487afc96a948c97d57bb954ac8b31a005cfca31c88935ee4ab815784018ba4fdcfa4ea72f7b33c8bb2605de82d4322b8025508f03a9a7774f2a7292b9a0173

Download Submit
C:\Windows\System\ypIKieh.exe

Filesize
5.2MB

MD5
2fb76cf22bcce9fcbc2d430b1e84e429

SHA1
1f48f66ce1a61360df91f6bcc1f21cd38e8d1a3d

SHA256
7bc719966ac8e05212500dc57ab1d770e3562c84f95790611be3e278126d36d1

SHA512
3be288ec238e18648321e5810e08241c4b70440ff5f8b8feb6a31261b890f93790af21f23981a919fd1c5168ccd83c24f9cb1d1e77e38446249cb7f9f6491543

Download Submit
memory/228-127-0x00007FF7BD3E0000-0x00007FF7BD731000-memory.dmp

Filesize
3.3MB

Download
memory/228-251-0x00007FF7BD3E0000-0x00007FF7BD731000-memory.dmp

Filesize
3.3MB

Download
memory/380-224-0x00007FF621F10000-0x00007FF622261000-memory.dmp

Filesize
3.3MB

Download
memory/380-38-0x00007FF621F10000-0x00007FF622261000-memory.dmp

Filesize
3.3MB

Download
memory/380-137-0x00007FF621F10000-0x00007FF622261000-memory.dmp

Filesize
3.3MB

Download
memory/924-14-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp

Filesize
3.3MB

Download
memory/924-135-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp

Filesize
3.3MB

Download
memory/924-207-0x00007FF7F0000000-0x00007FF7F0351000-memory.dmp

Filesize
3.3MB

Download
memory/1168-125-0x00007FF65EF10000-0x00007FF65F261000-memory.dmp

Filesize
3.3MB

Download
memory/1168-259-0x00007FF65EF10000-0x00007FF65F261000-memory.dmp

Filesize
3.3MB

Download
memory/1408-124-0x00007FF77EA80000-0x00007FF77EDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1408-260-0x00007FF77EA80000-0x00007FF77EDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-129-0x00007FF7F8E40000-0x00007FF7F9191000-memory.dmp

Filesize
3.3MB

Download
memory/1448-234-0x00007FF7F8E40000-0x00007FF7F9191000-memory.dmp

Filesize
3.3MB

Download
memory/1512-211-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-134-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-24-0x00007FF6ACBA0000-0x00007FF6ACEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2176-119-0x00007FF6F8FB0000-0x00007FF6F9301000-memory.dmp

Filesize
3.3MB

Download
memory/2176-245-0x00007FF6F8FB0000-0x00007FF6F9301000-memory.dmp

Filesize
3.3MB

Download
memory/2252-255-0x00007FF7EB1B0000-0x00007FF7EB501000-memory.dmp

Filesize
3.3MB

Download
memory/2252-122-0x00007FF7EB1B0000-0x00007FF7EB501000-memory.dmp

Filesize
3.3MB

Download
memory/2604-128-0x00007FF61B140000-0x00007FF61B491000-memory.dmp

Filesize
3.3MB

Download
memory/2604-6-0x00007FF61B140000-0x00007FF61B491000-memory.dmp

Filesize
3.3MB

Download
memory/2604-205-0x00007FF61B140000-0x00007FF61B491000-memory.dmp

Filesize
3.3MB

Download
memory/2696-42-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp

Filesize
3.3MB

Download
memory/2696-226-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp

Filesize
3.3MB

Download
memory/2696-138-0x00007FF6A2030000-0x00007FF6A2381000-memory.dmp

Filesize
3.3MB

Download
memory/2944-120-0x00007FF7C34D0000-0x00007FF7C3821000-memory.dmp

Filesize
3.3MB

Download
memory/2944-242-0x00007FF7C34D0000-0x00007FF7C3821000-memory.dmp

Filesize
3.3MB

Download
memory/3260-54-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp

Filesize
3.3MB

Download
memory/3260-140-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp

Filesize
3.3MB

Download
memory/3260-230-0x00007FF6D9340000-0x00007FF6D9691000-memory.dmp

Filesize
3.3MB

Download
memory/3504-133-0x00007FF733250000-0x00007FF7335A1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-209-0x00007FF733250000-0x00007FF7335A1000-memory.dmp

Filesize
3.3MB

Download
memory/3504-20-0x00007FF733250000-0x00007FF7335A1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-248-0x00007FF7592A0000-0x00007FF7595F1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-121-0x00007FF7592A0000-0x00007FF7595F1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-130-0x00007FF688070000-0x00007FF6883C1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-61-0x00007FF688070000-0x00007FF6883C1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-153-0x00007FF688070000-0x00007FF6883C1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-0-0x00007FF688070000-0x00007FF6883C1000-memory.dmp

Filesize
3.3MB

Download
memory/4276-1-0x0000021571530000-0x0000021571540000-memory.dmp

Filesize
64KB

Download
memory/4752-253-0x00007FF7ABEE0000-0x00007FF7AC231000-memory.dmp

Filesize
3.3MB

Download
memory/4752-123-0x00007FF7ABEE0000-0x00007FF7AC231000-memory.dmp

Filesize
3.3MB

Download
memory/4784-213-0x00007FF739840000-0x00007FF739B91000-memory.dmp

Filesize
3.3MB

Download
memory/4784-30-0x00007FF739840000-0x00007FF739B91000-memory.dmp

Filesize
3.3MB

Download
memory/4784-136-0x00007FF739840000-0x00007FF739B91000-memory.dmp

Filesize
3.3MB

Download
memory/4924-232-0x00007FF652E30000-0x00007FF653181000-memory.dmp

Filesize
3.3MB

Download
memory/4924-117-0x00007FF652E30000-0x00007FF653181000-memory.dmp

Filesize
3.3MB

Download
memory/4932-257-0x00007FF742F60000-0x00007FF7432B1000-memory.dmp

Filesize
3.3MB

Download
memory/4932-126-0x00007FF742F60000-0x00007FF7432B1000-memory.dmp

Filesize
3.3MB

Download
memory/5024-246-0x00007FF6743E0000-0x00007FF674731000-memory.dmp

Filesize
3.3MB

Download
memory/5024-118-0x00007FF6743E0000-0x00007FF674731000-memory.dmp

Filesize
3.3MB

Download
memory/5116-228-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp

Filesize
3.3MB

Download
memory/5116-139-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp

Filesize
3.3MB

Download
memory/5116-48-0x00007FF6C8FD0000-0x00007FF6C9321000-memory.dmp

Filesize
3.3MB

Download