cobaltstrike | 20962710e1bfe91b069ef7a1a4c6565cfe6b57709894e1539c2a6644e7d7265c

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bb6e80c2ae727777873ff56cefe949ed
SHA1

dbbae1bb0a77d17c09d1606f1f4707b2ab5b86d0
SHA256

20962710e1bfe91b069ef7a1a4c6565cfe6b57709894e1539c2a6644e7d7265c
SHA512

3f433743c10683c510683618a196462f40aaba1eb7ac862679be2e663d54dc6d47d38780900d7e2224c044f9fa7d5efdf00e02f3013585dc49f23342eecf69cb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000234c7-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-20.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-105.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234c8-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-100.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cf-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dd-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4664-71-0x00007FF75D140000-0x00007FF75D491000-memory.dmp	xmrig
behavioral2/memory/1732-119-0x00007FF77CA10000-0x00007FF77CD61000-memory.dmp	xmrig
behavioral2/memory/4056-118-0x00007FF701D00000-0x00007FF702051000-memory.dmp	xmrig
behavioral2/memory/1156-114-0x00007FF714070000-0x00007FF7143C1000-memory.dmp	xmrig
behavioral2/memory/2916-93-0x00007FF6C8960000-0x00007FF6C8CB1000-memory.dmp	xmrig
behavioral2/memory/4932-66-0x00007FF6538E0000-0x00007FF653C31000-memory.dmp	xmrig
behavioral2/memory/1920-59-0x00007FF78EAF0000-0x00007FF78EE41000-memory.dmp	xmrig
behavioral2/memory/5108-51-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp	xmrig
behavioral2/memory/3320-124-0x00007FF612140000-0x00007FF612491000-memory.dmp	xmrig
behavioral2/memory/244-129-0x00007FF746A00000-0x00007FF746D51000-memory.dmp	xmrig
behavioral2/memory/2352-125-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp	xmrig
behavioral2/memory/4552-130-0x00007FF643550000-0x00007FF6438A1000-memory.dmp	xmrig
behavioral2/memory/1608-131-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp	xmrig
behavioral2/memory/5108-138-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp	xmrig
behavioral2/memory/2960-144-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp	xmrig
behavioral2/memory/4600-142-0x00007FF7B4850000-0x00007FF7B4BA1000-memory.dmp	xmrig
behavioral2/memory/4840-137-0x00007FF7F9910000-0x00007FF7F9C61000-memory.dmp	xmrig
behavioral2/memory/3320-132-0x00007FF612140000-0x00007FF612491000-memory.dmp	xmrig
behavioral2/memory/1420-143-0x00007FF675550000-0x00007FF6758A1000-memory.dmp	xmrig
behavioral2/memory/3948-153-0x00007FF7D0920000-0x00007FF7D0C71000-memory.dmp	xmrig
behavioral2/memory/3064-149-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	xmrig
behavioral2/memory/1672-148-0x00007FF7B8FF0000-0x00007FF7B9341000-memory.dmp	xmrig
behavioral2/memory/344-147-0x00007FF7DA300000-0x00007FF7DA651000-memory.dmp	xmrig
behavioral2/memory/1180-146-0x00007FF6B9320000-0x00007FF6B9671000-memory.dmp	xmrig
behavioral2/memory/3320-155-0x00007FF612140000-0x00007FF612491000-memory.dmp	xmrig
behavioral2/memory/2352-217-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp	xmrig
behavioral2/memory/244-222-0x00007FF746A00000-0x00007FF746D51000-memory.dmp	xmrig
behavioral2/memory/2960-224-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp	xmrig
behavioral2/memory/1608-227-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp	xmrig
behavioral2/memory/4664-231-0x00007FF75D140000-0x00007FF75D491000-memory.dmp	xmrig
behavioral2/memory/1920-228-0x00007FF78EAF0000-0x00007FF78EE41000-memory.dmp	xmrig
behavioral2/memory/4840-234-0x00007FF7F9910000-0x00007FF7F9C61000-memory.dmp	xmrig
behavioral2/memory/5108-232-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp	xmrig
behavioral2/memory/4932-236-0x00007FF6538E0000-0x00007FF653C31000-memory.dmp	xmrig
behavioral2/memory/4600-242-0x00007FF7B4850000-0x00007FF7B4BA1000-memory.dmp	xmrig
behavioral2/memory/2916-244-0x00007FF6C8960000-0x00007FF6C8CB1000-memory.dmp	xmrig
behavioral2/memory/1180-246-0x00007FF6B9320000-0x00007FF6B9671000-memory.dmp	xmrig
behavioral2/memory/3064-248-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	xmrig
behavioral2/memory/1672-250-0x00007FF7B8FF0000-0x00007FF7B9341000-memory.dmp	xmrig
behavioral2/memory/1156-252-0x00007FF714070000-0x00007FF7143C1000-memory.dmp	xmrig
behavioral2/memory/1420-241-0x00007FF675550000-0x00007FF6758A1000-memory.dmp	xmrig
behavioral2/memory/4056-255-0x00007FF701D00000-0x00007FF702051000-memory.dmp	xmrig
behavioral2/memory/3948-258-0x00007FF7D0920000-0x00007FF7D0C71000-memory.dmp	xmrig
behavioral2/memory/1732-260-0x00007FF77CA10000-0x00007FF77CD61000-memory.dmp	xmrig
behavioral2/memory/344-256-0x00007FF7DA300000-0x00007FF7DA651000-memory.dmp	xmrig
behavioral2/memory/4552-262-0x00007FF643550000-0x00007FF6438A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2352	NrfUGoe.exe
244	LQUcoIX.exe
1608	NWXHWdb.exe
2960	FGderBM.exe
4840	IPnarOx.exe
5108	DNpHWYo.exe
1920	UkLXFYM.exe
4932	BFmbRbr.exe
4664	lfXHqGV.exe
4600	rishgML.exe
1420	ESWeRJj.exe
2916	IVDpaAj.exe
1180	dNAQjPt.exe
344	ctHUKiK.exe
1672	elEzWJp.exe
3064	wQxIzau.exe
1156	PREIMmY.exe
4056	CNHeJYH.exe
1732	AbUaxkO.exe
3948	xCKdeZf.exe
4552	oqOvNsu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3320-0-0x00007FF612140000-0x00007FF612491000-memory.dmp	upx
behavioral2/files/0x00090000000234c7-5.dat	upx
behavioral2/memory/2352-10-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-20.dat	upx
behavioral2/files/0x00070000000234d0-35.dat	upx
behavioral2/files/0x00070000000234d1-41.dat	upx
behavioral2/files/0x00070000000234d3-52.dat	upx
behavioral2/files/0x00070000000234d4-61.dat	upx
behavioral2/memory/4664-71-0x00007FF75D140000-0x00007FF75D491000-memory.dmp	upx
behavioral2/memory/1420-82-0x00007FF675550000-0x00007FF6758A1000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-85.dat	upx
behavioral2/memory/3064-95-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	upx
behavioral2/files/0x00070000000234da-107.dat	upx
behavioral2/memory/1732-119-0x00007FF77CA10000-0x00007FF77CD61000-memory.dmp	upx
behavioral2/memory/3948-122-0x00007FF7D0920000-0x00007FF7D0C71000-memory.dmp	upx
behavioral2/files/0x00070000000234dc-120.dat	upx
behavioral2/memory/4056-118-0x00007FF701D00000-0x00007FF702051000-memory.dmp	upx
behavioral2/files/0x00070000000234db-115.dat	upx
behavioral2/memory/1156-114-0x00007FF714070000-0x00007FF7143C1000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-105.dat	upx
behavioral2/files/0x00080000000234c8-101.dat	upx
behavioral2/files/0x00070000000234d8-100.dat	upx
behavioral2/files/0x00070000000234d7-99.dat	upx
behavioral2/memory/344-94-0x00007FF7DA300000-0x00007FF7DA651000-memory.dmp	upx
behavioral2/memory/2916-93-0x00007FF6C8960000-0x00007FF6C8CB1000-memory.dmp	upx
behavioral2/memory/1672-92-0x00007FF7B8FF0000-0x00007FF7B9341000-memory.dmp	upx
behavioral2/memory/1180-90-0x00007FF6B9320000-0x00007FF6B9671000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-84.dat	upx
behavioral2/memory/4932-66-0x00007FF6538E0000-0x00007FF653C31000-memory.dmp	upx
behavioral2/memory/4600-60-0x00007FF7B4850000-0x00007FF7B4BA1000-memory.dmp	upx
behavioral2/memory/1920-59-0x00007FF78EAF0000-0x00007FF78EE41000-memory.dmp	upx
behavioral2/files/0x00070000000234d2-54.dat	upx
behavioral2/memory/5108-51-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp	upx
behavioral2/files/0x00070000000234cf-43.dat	upx
behavioral2/files/0x00070000000234ce-36.dat	upx
behavioral2/files/0x00070000000234cd-30.dat	upx
behavioral2/files/0x00070000000234cc-29.dat	upx
behavioral2/memory/4840-27-0x00007FF7F9910000-0x00007FF7F9C61000-memory.dmp	upx
behavioral2/memory/1608-23-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp	upx
behavioral2/memory/2960-22-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp	upx
behavioral2/memory/244-17-0x00007FF746A00000-0x00007FF746D51000-memory.dmp	upx
behavioral2/memory/3320-124-0x00007FF612140000-0x00007FF612491000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-126.dat	upx
behavioral2/memory/244-129-0x00007FF746A00000-0x00007FF746D51000-memory.dmp	upx
behavioral2/memory/2352-125-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp	upx
behavioral2/memory/4552-130-0x00007FF643550000-0x00007FF6438A1000-memory.dmp	upx
behavioral2/memory/1608-131-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp	upx
behavioral2/memory/5108-138-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp	upx
behavioral2/memory/2960-144-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp	upx
behavioral2/memory/4600-142-0x00007FF7B4850000-0x00007FF7B4BA1000-memory.dmp	upx
behavioral2/memory/4840-137-0x00007FF7F9910000-0x00007FF7F9C61000-memory.dmp	upx
behavioral2/memory/3320-132-0x00007FF612140000-0x00007FF612491000-memory.dmp	upx
behavioral2/memory/1420-143-0x00007FF675550000-0x00007FF6758A1000-memory.dmp	upx
behavioral2/memory/3948-153-0x00007FF7D0920000-0x00007FF7D0C71000-memory.dmp	upx
behavioral2/memory/3064-149-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp	upx
behavioral2/memory/1672-148-0x00007FF7B8FF0000-0x00007FF7B9341000-memory.dmp	upx
behavioral2/memory/344-147-0x00007FF7DA300000-0x00007FF7DA651000-memory.dmp	upx
behavioral2/memory/1180-146-0x00007FF6B9320000-0x00007FF6B9671000-memory.dmp	upx
behavioral2/memory/3320-155-0x00007FF612140000-0x00007FF612491000-memory.dmp	upx
behavioral2/memory/2352-217-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp	upx
behavioral2/memory/244-222-0x00007FF746A00000-0x00007FF746D51000-memory.dmp	upx
behavioral2/memory/2960-224-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp	upx
behavioral2/memory/1608-227-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp	upx
behavioral2/memory/4664-231-0x00007FF75D140000-0x00007FF75D491000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NrfUGoe.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LQUcoIX.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\elEzWJp.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UkLXFYM.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lfXHqGV.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CNHeJYH.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xCKdeZf.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNAQjPt.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ctHUKiK.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wQxIzau.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PREIMmY.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NWXHWdb.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGderBM.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rishgML.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IVDpaAj.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AbUaxkO.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oqOvNsu.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPnarOx.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DNpHWYo.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BFmbRbr.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ESWeRJj.exe	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2352	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3320 wrote to memory of 2352	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 3320 wrote to memory of 244	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3320 wrote to memory of 244	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3320 wrote to memory of 1608	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3320 wrote to memory of 1608	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3320 wrote to memory of 2960	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3320 wrote to memory of 2960	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3320 wrote to memory of 4840	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3320 wrote to memory of 4840	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3320 wrote to memory of 5108	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3320 wrote to memory of 5108	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3320 wrote to memory of 1920	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3320 wrote to memory of 1920	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3320 wrote to memory of 4932	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3320 wrote to memory of 4932	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3320 wrote to memory of 4664	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3320 wrote to memory of 4664	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3320 wrote to memory of 4600	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3320 wrote to memory of 4600	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3320 wrote to memory of 1420	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3320 wrote to memory of 1420	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3320 wrote to memory of 2916	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3320 wrote to memory of 2916	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3320 wrote to memory of 1180	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3320 wrote to memory of 1180	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3320 wrote to memory of 344	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3320 wrote to memory of 344	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3320 wrote to memory of 1672	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3320 wrote to memory of 1672	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3320 wrote to memory of 3064	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3320 wrote to memory of 3064	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3320 wrote to memory of 1156	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3320 wrote to memory of 1156	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3320 wrote to memory of 4056	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3320 wrote to memory of 4056	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3320 wrote to memory of 1732	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3320 wrote to memory of 1732	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3320 wrote to memory of 3948	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3320 wrote to memory of 3948	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3320 wrote to memory of 4552	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3320 wrote to memory of 4552	3320	2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_bb6e80c2ae727777873ff56cefe949ed_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\System\NrfUGoe.exe
  C:\Windows\System\NrfUGoe.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\LQUcoIX.exe
  C:\Windows\System\LQUcoIX.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System\NWXHWdb.exe
  C:\Windows\System\NWXHWdb.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\FGderBM.exe
  C:\Windows\System\FGderBM.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\IPnarOx.exe
  C:\Windows\System\IPnarOx.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\DNpHWYo.exe
  C:\Windows\System\DNpHWYo.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\UkLXFYM.exe
  C:\Windows\System\UkLXFYM.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\BFmbRbr.exe
  C:\Windows\System\BFmbRbr.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\lfXHqGV.exe
  C:\Windows\System\lfXHqGV.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\rishgML.exe
  C:\Windows\System\rishgML.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\ESWeRJj.exe
  C:\Windows\System\ESWeRJj.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\IVDpaAj.exe
  C:\Windows\System\IVDpaAj.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\dNAQjPt.exe
  C:\Windows\System\dNAQjPt.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\ctHUKiK.exe
  C:\Windows\System\ctHUKiK.exe
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\System\elEzWJp.exe
  C:\Windows\System\elEzWJp.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\wQxIzau.exe
  C:\Windows\System\wQxIzau.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\PREIMmY.exe
  C:\Windows\System\PREIMmY.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\CNHeJYH.exe
  C:\Windows\System\CNHeJYH.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\AbUaxkO.exe
  C:\Windows\System\AbUaxkO.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\xCKdeZf.exe
  C:\Windows\System\xCKdeZf.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\oqOvNsu.exe
  C:\Windows\System\oqOvNsu.exe
  2⤵
  - Executes dropped EXE
  PID:4552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AbUaxkO.exe

Filesize
5.2MB

MD5
5974a44fe8be0c6fbabde10fb4b78783

SHA1
bcef24f0671b9565707121a1a38d53bbaef9d246

SHA256
29fce434a53538bfdb1f1c0b1ece4b5603c0f5465709d9c25d1b6d17716bdbf7

SHA512
ac42fd66ea5f58d0a1134517365622f20df89dd99d88bbd4acd298fbeaa5d1804398a3477dc360e153ff24c9ee2705f40f63f723e26c9cd7c2f28c8779a0e854

Download Submit
C:\Windows\System\BFmbRbr.exe

Filesize
5.2MB

MD5
69a2bc54a5bad302828c5cfc9f5260c8

SHA1
0c87682f75431b9fbfc128eb1a151cf573a91ab8

SHA256
ca72b350271019929d90b654848400a53466c0e0c46244ad1bf435fe1abc6b77

SHA512
b27e1996558a578c4b33c94fc9a9a9202856a6c9e454aa37a4e935214373759e141a8fded0625107a1f820f9105480acd07c39d10acfc0c56045e3e2ed0e480c

Download Submit
C:\Windows\System\CNHeJYH.exe

Filesize
5.2MB

MD5
b48f6e5120900388dbd3d4ed6003d9a5

SHA1
1fd0eac2e52db0f3eed9016e3556df8ea0dd84ea

SHA256
c9133bf568503b85d4882feb24dd4eb5a2c629a8af98332a71dd647217f5f659

SHA512
51eb01a718013f2025575bf0b30e882370182c728fc1c8166b96ac15b9676007a2d6f389469ec543926aa181c2459f80914620686c775ae88506825509249564

Download Submit
C:\Windows\System\DNpHWYo.exe

Filesize
5.2MB

MD5
fd2e179a219de8a35fe8b62eaa253b7b

SHA1
e0fd6c0773407d4ae65bcbf60c45fb7c86be9d4e

SHA256
12eb43efa460b634c4435a2da2d1b2337aa1383ab0c21eebe43cf7e4e1f169a1

SHA512
893c605cc6a3c3b353c02688a181bab96776f17987421c52e9fc36c44ca6b827f067ecd98fc8a4826230f05858a7e5d541c7190d5e91f292327d46fa4f733e42

Download Submit
C:\Windows\System\ESWeRJj.exe

Filesize
5.2MB

MD5
1210e430c4534d3921bae6d807e57498

SHA1
808104cbe35755c28b8a9d7c80572bcb521fae6e

SHA256
469222cc6ff3c3d2174e89762b4753cad88e86eba32aff7c2d67d4493334f6f0

SHA512
cb66b7a35e7a7ca804dd440ba763177eed69e518b9dacb908725ff6b2c5f65eae51d808163bd83f757d846c5c983b4a6119d108489c2a1a195fbb27228e365bd

Download Submit
C:\Windows\System\FGderBM.exe

Filesize
5.2MB

MD5
1b83093bf24f22ca933154bf52dcdcf0

SHA1
c45e0bef2099ee36702b51a5a9650175952ecbda

SHA256
154efe044607cf3439f56fa828637350084d92d549c587ba42443a5e9d67921e

SHA512
370a6becdc8a6082ff2a28a2a1a7cf09e4d343f38ca367795ab87a43f030ce6fc861840f132999f87fa69d19ac2395e63dd44d6078b3bd67138202bc5cdc9fb1

Download Submit
C:\Windows\System\IPnarOx.exe

Filesize
5.2MB

MD5
2fcfba8b34a1160e334bb5a4bd10514b

SHA1
894dd410c4253d03b25a3e5c664bda94c8d4eaec

SHA256
04cf0ecfe5b138c82c318aa4d2a02de10b3484a96f515a774688eb7e5103746a

SHA512
77195e7ee64ffd4f7059175e0cf289c246b37a869feacc1cfca8b0f0f54bb7d629ff6fc7559bde813e84287a8d6515a0b61ab697a19a1dd98b1340abe6d95227

Download Submit
C:\Windows\System\IVDpaAj.exe

Filesize
5.2MB

MD5
56c60ffb8097ffdd53c0c1d7d01a0f11

SHA1
db71e6a1c3723f477adf3a3ace8a042de2aa2a17

SHA256
f03f07efc3c46b77d7137380a6d539fdf81382185d9cbe0b1fe6873590c8bd89

SHA512
474fb2b26fbe8d1b6f4a30e5f839b03a6027e0d555274e0aca80fd902cb8cf9e8c9546f01f93934044e648c9c5de43f5b2aeef485930b8c75c001e19456e6d42

Download Submit
C:\Windows\System\LQUcoIX.exe

Filesize
5.2MB

MD5
dd2b06642a3ea6fda99d4f29d8cc7673

SHA1
5e72b0e2b4440615f21a25fb34b6d464356d7533

SHA256
497a32cd0ac33b0cd0c9a9edf062d0cd29714f5a10714cb62c7c6c75476f813b

SHA512
49250a0d904568eac16d691087be1020b001f2700d30083e1f2835108f156d7bb146ce9ac06a4161dde3cd4d415c2a9292af1832e930458e9e94cc114aca26cc

Download Submit
C:\Windows\System\NWXHWdb.exe

Filesize
5.2MB

MD5
3b0adbff9ca8a29fe46841be5a1fd64a

SHA1
6593f6ee68eb253537587cb2668485c03b2fe4bd

SHA256
1a20fbeb0c168c8f98c3d1f79915607fd73f19eaf8cad6cc6c011fad10f8b782

SHA512
c9c47e12c370512ba862e7d6478bdceb167ff030a16e2364489b21ef3a9af39d64e5de8c33c6ab696bd0f42abf0d389b3e0957d8f1f13adca4a4376c3f648224

Download Submit
C:\Windows\System\NrfUGoe.exe

Filesize
5.2MB

MD5
0603fd07e6a01926624ab1c73a31ab09

SHA1
6ff47d88130564c8c86b1c5f1b229b19e61dec07

SHA256
e5ec9d4bc9e51dee71dc58508a88857521df3538fda05b37187d8f1a0e563902

SHA512
88156d4160c8386ee1b51467dfb44f053f062f7502cde6f8c45b7efe911cbc61c7e8692dbefc1b3738610bb3c8b399b3a3181b14f4060f2b2076a52a0e2c56e9

Download Submit
C:\Windows\System\PREIMmY.exe

Filesize
5.2MB

MD5
15903ee4a157aa8f2cfc7c598bee527b

SHA1
9d5dea26f6f1a27f2359e71cebe842ce319eec02

SHA256
e422e7bc2b8c9e8afc8b258b5efafe48e3237c6e0dad49cc79938819ee4230da

SHA512
605a2d89c786cd2513a6c4d450adcae1497ec2e0dfee46afc3a63ac1a74e051f18d35e64d56fd3ac2d08dfdba274dc36e224b0d82b59cc52ba45a169bd3f05b7

Download Submit
C:\Windows\System\UkLXFYM.exe

Filesize
5.2MB

MD5
1d16dc2320e2156872a90968c70bfabf

SHA1
cd4707abc6309a187d5c9a8447c2b187008a3b0f

SHA256
7e33e4da2f4488799bce7b858b36febb11b20b75f9c94259882aef1be1ef7260

SHA512
7091fff49e3effaedfa53b5eb229caf160fe16b8929fbd6ea9e2cdd35313ee9b46084e4fd17ba5bafc288545644d512ed16c65dc530b60f9f622911d598a597d

Download Submit
C:\Windows\System\ctHUKiK.exe

Filesize
5.2MB

MD5
9ff3f97842998f75e7698a63aeb4db81

SHA1
e8c3e10cc6a3731155419a055233906ddfa16e39

SHA256
8a68848db2598cbd322923c1b492210648b74e3c40d18dac128bddad04788bbf

SHA512
de1d22fd97172aefe633eb8c330f85a4ab4ed08799dc7aafec829ca9ff8d8854257c84620a4fe16b03f81198fec9707b725531006c9250a65db948dbc1246ea5

Download Submit
C:\Windows\System\dNAQjPt.exe

Filesize
5.2MB

MD5
e514e4bf41d6008ae4d1a3e1c3f6a48e

SHA1
faad1b52736ddd649b346eb8752bf2a8abb68d42

SHA256
6d1e5937335fd4623de8a1ba748922571f45adc96f9cfdec9783be67551bb76b

SHA512
5fe7a5fd91afd8f86de24b1ea09627146acbda7976c7553223536955c049dec33335b1477404fde989b0770abc52e0a9041beb7a2db3ff71ee0ac56d69ac39d3

Download Submit
C:\Windows\System\elEzWJp.exe

Filesize
5.2MB

MD5
94a293b6a17d7ff0fe8c99753698c9f6

SHA1
35befd0de286c7ee2593f95b108ee139cc0fef5d

SHA256
ec8fe7fa55d6a4c527f4832ba9e6690732439cc20c691f46e5c50aa66c80cc43

SHA512
644e038d4b216d89b7d7ded0b3f88a326b0a4248c96eb5c6b6e5e9861d663f53baf7bab01c75e1afd2ee91d2c80d2ed37bfcc6111e7e2d4d16d5d279e353bab3

Download Submit
C:\Windows\System\lfXHqGV.exe

Filesize
5.2MB

MD5
bee74bc5612701f09f349673a3ed156c

SHA1
df23bc1fe7e88946a5a15a3c51917791edfcafd9

SHA256
6b7a4992c05ec8d247d3ed9760e295593a998fb10e4399101a2e269cbed8828c

SHA512
9a4afda1c26dd719c71d3d1bef4184ec8a54cc548738a6e08e1d14361b63767132f3c9a700e27cd421aadc3a1d1ff01fcde942bb5257b18be298b4a98a9602ec

Download Submit
C:\Windows\System\oqOvNsu.exe

Filesize
5.2MB

MD5
c0b0ea418a8703955eed51a6d4140a28

SHA1
6e82c8cb683fb359006e7a3e2b5cbafb6b1dff89

SHA256
1a64faaabc6f93a52a3b62ed9bdbdbf7b8b3d43f5477ef98d7a19a8dca195100

SHA512
a7dd448a8402f87f1d7f5677884c93885c1c2d31b44ca7e689e5865f2c7a90125a208332a027f892064379cf2c788edb03d81f03ac0dd75e185e34f403717b66

Download Submit
C:\Windows\System\rishgML.exe

Filesize
5.2MB

MD5
5d4e3ee47d49b6807c1038af78930965

SHA1
10310621a0e61a51a91cdda19b9102103da24296

SHA256
788ef7d4212e7ac61e9f7b935c609f23e59c79fbf5b0e8cc1668043063f5f167

SHA512
087d3a78f745544ff932932389ac5c1f35add39a0b6fae2fd78e33eb7c0a2d837eaf953edf28f5fd991644da016b0efb99eff33bf02d6030cb87f17b279f10f2

Download Submit
C:\Windows\System\wQxIzau.exe

Filesize
5.2MB

MD5
a57eca8983f3bd9bd4f6723452d49806

SHA1
377cbee0e01f79dc3779aab8377859acec274432

SHA256
731dc2da6001385425f7f7a74360611bde59f4de8135df4a0e893a58f8f41b9b

SHA512
105205450b83ebe587ec4acc76ab0e345f3cab8f01f0cafaa8c31af5d1b9cf662bbb275846d51560bcb762fb7f1c6c54a4fce47bd7cf251a7094edc0554746b9

Download Submit
C:\Windows\System\xCKdeZf.exe

Filesize
5.2MB

MD5
94cccbac85136d946bf7811d47ee09fa

SHA1
f0368c787dd48017db4a17aba125d0bdb2a17e8d

SHA256
38963ba972730479172e9ba722ca7f552744680a0f5924aaca4b5b66b9649735

SHA512
84a6424ad151b36cb163bd55d8e14ac1f712da83f2a8111a30ecdaa9cbf7f17a7a3d13844ea41bf7a088b9fac03a72a951677a20d881c718ae3d13dec1bfe074

Download Submit
memory/244-129-0x00007FF746A00000-0x00007FF746D51000-memory.dmp

Filesize
3.3MB

Download
memory/244-17-0x00007FF746A00000-0x00007FF746D51000-memory.dmp

Filesize
3.3MB

Download
memory/244-222-0x00007FF746A00000-0x00007FF746D51000-memory.dmp

Filesize
3.3MB

Download
memory/344-94-0x00007FF7DA300000-0x00007FF7DA651000-memory.dmp

Filesize
3.3MB

Download
memory/344-147-0x00007FF7DA300000-0x00007FF7DA651000-memory.dmp

Filesize
3.3MB

Download
memory/344-256-0x00007FF7DA300000-0x00007FF7DA651000-memory.dmp

Filesize
3.3MB

Download
memory/1156-114-0x00007FF714070000-0x00007FF7143C1000-memory.dmp

Filesize
3.3MB

Download
memory/1156-252-0x00007FF714070000-0x00007FF7143C1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-90-0x00007FF6B9320000-0x00007FF6B9671000-memory.dmp

Filesize
3.3MB

Download
memory/1180-146-0x00007FF6B9320000-0x00007FF6B9671000-memory.dmp

Filesize
3.3MB

Download
memory/1180-246-0x00007FF6B9320000-0x00007FF6B9671000-memory.dmp

Filesize
3.3MB

Download
memory/1420-143-0x00007FF675550000-0x00007FF6758A1000-memory.dmp

Filesize
3.3MB

Download
memory/1420-82-0x00007FF675550000-0x00007FF6758A1000-memory.dmp

Filesize
3.3MB

Download
memory/1420-241-0x00007FF675550000-0x00007FF6758A1000-memory.dmp

Filesize
3.3MB

Download
memory/1608-23-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp

Filesize
3.3MB

Download
memory/1608-227-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp

Filesize
3.3MB

Download
memory/1608-131-0x00007FF7FC610000-0x00007FF7FC961000-memory.dmp

Filesize
3.3MB

Download
memory/1672-148-0x00007FF7B8FF0000-0x00007FF7B9341000-memory.dmp

Filesize
3.3MB

Download
memory/1672-250-0x00007FF7B8FF0000-0x00007FF7B9341000-memory.dmp

Filesize
3.3MB

Download
memory/1672-92-0x00007FF7B8FF0000-0x00007FF7B9341000-memory.dmp

Filesize
3.3MB

Download
memory/1732-119-0x00007FF77CA10000-0x00007FF77CD61000-memory.dmp

Filesize
3.3MB

Download
memory/1732-260-0x00007FF77CA10000-0x00007FF77CD61000-memory.dmp

Filesize
3.3MB

Download
memory/1920-59-0x00007FF78EAF0000-0x00007FF78EE41000-memory.dmp

Filesize
3.3MB

Download
memory/1920-228-0x00007FF78EAF0000-0x00007FF78EE41000-memory.dmp

Filesize
3.3MB

Download
memory/2352-10-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp

Filesize
3.3MB

Download
memory/2352-125-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp

Filesize
3.3MB

Download
memory/2352-217-0x00007FF62D840000-0x00007FF62DB91000-memory.dmp

Filesize
3.3MB

Download
memory/2916-93-0x00007FF6C8960000-0x00007FF6C8CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2916-244-0x00007FF6C8960000-0x00007FF6C8CB1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-22-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-224-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-144-0x00007FF773C70000-0x00007FF773FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-248-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp

Filesize
3.3MB

Download
memory/3064-149-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp

Filesize
3.3MB

Download
memory/3064-95-0x00007FF6FE100000-0x00007FF6FE451000-memory.dmp

Filesize
3.3MB

Download
memory/3320-132-0x00007FF612140000-0x00007FF612491000-memory.dmp

Filesize
3.3MB

Download
memory/3320-124-0x00007FF612140000-0x00007FF612491000-memory.dmp

Filesize
3.3MB

Download
memory/3320-0-0x00007FF612140000-0x00007FF612491000-memory.dmp

Filesize
3.3MB

Download
memory/3320-155-0x00007FF612140000-0x00007FF612491000-memory.dmp

Filesize
3.3MB

Download
memory/3320-1-0x000001E64EA90000-0x000001E64EAA0000-memory.dmp

Filesize
64KB

Download
memory/3948-122-0x00007FF7D0920000-0x00007FF7D0C71000-memory.dmp

Filesize
3.3MB

Download
memory/3948-153-0x00007FF7D0920000-0x00007FF7D0C71000-memory.dmp

Filesize
3.3MB

Download
memory/3948-258-0x00007FF7D0920000-0x00007FF7D0C71000-memory.dmp

Filesize
3.3MB

Download
memory/4056-118-0x00007FF701D00000-0x00007FF702051000-memory.dmp

Filesize
3.3MB

Download
memory/4056-255-0x00007FF701D00000-0x00007FF702051000-memory.dmp

Filesize
3.3MB

Download
memory/4552-130-0x00007FF643550000-0x00007FF6438A1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-262-0x00007FF643550000-0x00007FF6438A1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-60-0x00007FF7B4850000-0x00007FF7B4BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-242-0x00007FF7B4850000-0x00007FF7B4BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4600-142-0x00007FF7B4850000-0x00007FF7B4BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-231-0x00007FF75D140000-0x00007FF75D491000-memory.dmp

Filesize
3.3MB

Download
memory/4664-71-0x00007FF75D140000-0x00007FF75D491000-memory.dmp

Filesize
3.3MB

Download
memory/4840-234-0x00007FF7F9910000-0x00007FF7F9C61000-memory.dmp

Filesize
3.3MB

Download
memory/4840-137-0x00007FF7F9910000-0x00007FF7F9C61000-memory.dmp

Filesize
3.3MB

Download
memory/4840-27-0x00007FF7F9910000-0x00007FF7F9C61000-memory.dmp

Filesize
3.3MB

Download
memory/4932-66-0x00007FF6538E0000-0x00007FF653C31000-memory.dmp

Filesize
3.3MB

Download
memory/4932-236-0x00007FF6538E0000-0x00007FF653C31000-memory.dmp

Filesize
3.3MB

Download
memory/5108-138-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-232-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp

Filesize
3.3MB

Download
memory/5108-51-0x00007FF668D50000-0x00007FF6690A1000-memory.dmp

Filesize
3.3MB

Download