cobaltstrike | e26942aee186587a1aeed9257a91dc8f5d3f7a6f908cc8008794661d426bc889

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

c2995e5e00acd026c8e39af1770d7f58
SHA1

fd6ca1fb6430050ab7a5184aceb8bd5d3a680d94
SHA256

e26942aee186587a1aeed9257a91dc8f5d3f7a6f908cc8008794661d426bc889
SHA512

edf80d1bb95ff36e90aee4dee0cb9ec96e7d1dd4cb45e679b551e9680faa56838a8f965287e6e4bf6bb797692e6f3787a359054972dbf7394e77a28dabe28e9f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002341d-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023490-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348f-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023493-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023492-119.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002347e-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023491-103.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348e-99.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348d-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348c-85.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-36.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1212-68-0x00007FF7F7080000-0x00007FF7F73D1000-memory.dmp	xmrig
behavioral2/memory/1512-73-0x00007FF787DA0000-0x00007FF7880F1000-memory.dmp	xmrig
behavioral2/memory/1940-79-0x00007FF65AAB0000-0x00007FF65AE01000-memory.dmp	xmrig
behavioral2/memory/3080-93-0x00007FF684970000-0x00007FF684CC1000-memory.dmp	xmrig
behavioral2/memory/4372-98-0x00007FF6EA1D0000-0x00007FF6EA521000-memory.dmp	xmrig
behavioral2/memory/3508-78-0x00007FF6712A0000-0x00007FF6715F1000-memory.dmp	xmrig
behavioral2/memory/2408-121-0x00007FF7852E0000-0x00007FF785631000-memory.dmp	xmrig
behavioral2/memory/3112-123-0x00007FF7E0B20000-0x00007FF7E0E71000-memory.dmp	xmrig
behavioral2/memory/4876-125-0x00007FF7AC490000-0x00007FF7AC7E1000-memory.dmp	xmrig
behavioral2/memory/1912-124-0x00007FF6C22D0000-0x00007FF6C2621000-memory.dmp	xmrig
behavioral2/memory/1728-122-0x00007FF6C4610000-0x00007FF6C4961000-memory.dmp	xmrig
behavioral2/memory/3628-127-0x00007FF7686C0000-0x00007FF768A11000-memory.dmp	xmrig
behavioral2/memory/1752-126-0x00007FF6E21A0000-0x00007FF6E24F1000-memory.dmp	xmrig
behavioral2/memory/4792-128-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	xmrig
behavioral2/memory/4760-130-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp	xmrig
behavioral2/memory/1552-137-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp	xmrig
behavioral2/memory/4716-143-0x00007FF7F7320000-0x00007FF7F7671000-memory.dmp	xmrig
behavioral2/memory/628-135-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp	xmrig
behavioral2/memory/5100-133-0x00007FF701430000-0x00007FF701781000-memory.dmp	xmrig
behavioral2/memory/1564-131-0x00007FF7485E0000-0x00007FF748931000-memory.dmp	xmrig
behavioral2/memory/1460-129-0x00007FF763370000-0x00007FF7636C1000-memory.dmp	xmrig
behavioral2/memory/4844-145-0x00007FF74ADA0000-0x00007FF74B0F1000-memory.dmp	xmrig
behavioral2/memory/4792-150-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	xmrig
behavioral2/memory/4792-151-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	xmrig
behavioral2/memory/1460-207-0x00007FF763370000-0x00007FF7636C1000-memory.dmp	xmrig
behavioral2/memory/4760-209-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp	xmrig
behavioral2/memory/1212-211-0x00007FF7F7080000-0x00007FF7F73D1000-memory.dmp	xmrig
behavioral2/memory/1564-213-0x00007FF7485E0000-0x00007FF748931000-memory.dmp	xmrig
behavioral2/memory/5100-218-0x00007FF701430000-0x00007FF701781000-memory.dmp	xmrig
behavioral2/memory/3508-228-0x00007FF6712A0000-0x00007FF6715F1000-memory.dmp	xmrig
behavioral2/memory/1512-230-0x00007FF787DA0000-0x00007FF7880F1000-memory.dmp	xmrig
behavioral2/memory/628-233-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp	xmrig
behavioral2/memory/1552-234-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp	xmrig
behavioral2/memory/1940-236-0x00007FF65AAB0000-0x00007FF65AE01000-memory.dmp	xmrig
behavioral2/memory/3080-238-0x00007FF684970000-0x00007FF684CC1000-memory.dmp	xmrig
behavioral2/memory/4372-240-0x00007FF6EA1D0000-0x00007FF6EA521000-memory.dmp	xmrig
behavioral2/memory/3112-242-0x00007FF7E0B20000-0x00007FF7E0E71000-memory.dmp	xmrig
behavioral2/memory/1912-244-0x00007FF6C22D0000-0x00007FF6C2621000-memory.dmp	xmrig
behavioral2/memory/2408-250-0x00007FF7852E0000-0x00007FF785631000-memory.dmp	xmrig
behavioral2/memory/1752-248-0x00007FF6E21A0000-0x00007FF6E24F1000-memory.dmp	xmrig
behavioral2/memory/4716-246-0x00007FF7F7320000-0x00007FF7F7671000-memory.dmp	xmrig
behavioral2/memory/4876-252-0x00007FF7AC490000-0x00007FF7AC7E1000-memory.dmp	xmrig
behavioral2/memory/4844-258-0x00007FF74ADA0000-0x00007FF74B0F1000-memory.dmp	xmrig
behavioral2/memory/1728-254-0x00007FF6C4610000-0x00007FF6C4961000-memory.dmp	xmrig
behavioral2/memory/3628-257-0x00007FF7686C0000-0x00007FF768A11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1460	eCdFQoB.exe
4760	HgshhmF.exe
1212	AobpxAE.exe
1564	tloGanM.exe
5100	hGcXiUc.exe
1512	ZGfblei.exe
628	ZqMFulk.exe
3508	tfMytSE.exe
1552	OjoArmc.exe
1940	UvBtrTr.exe
3080	yUVkgIG.exe
3112	ujnrUJl.exe
4372	CVEgMBY.exe
1912	nMkWbWt.exe
4716	lbQytQV.exe
4876	NmDLvSo.exe
4844	flOjtkt.exe
1752	FmDqZjP.exe
2408	wDJoAwP.exe
3628	LvbdkJW.exe
1728	iEqtRVO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4792-0-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	upx
behavioral2/files/0x000900000002341d-5.dat	upx
behavioral2/memory/1460-6-0x00007FF763370000-0x00007FF7636C1000-memory.dmp	upx
behavioral2/files/0x0007000000023481-16.dat	upx
behavioral2/files/0x0007000000023483-17.dat	upx
behavioral2/files/0x0007000000023485-28.dat	upx
behavioral2/files/0x0007000000023484-39.dat	upx
behavioral2/memory/5100-42-0x00007FF701430000-0x00007FF701781000-memory.dmp	upx
behavioral2/files/0x0007000000023487-48.dat	upx
behavioral2/files/0x000700000002348b-66.dat	upx
behavioral2/memory/1212-68-0x00007FF7F7080000-0x00007FF7F73D1000-memory.dmp	upx
behavioral2/memory/1512-73-0x00007FF787DA0000-0x00007FF7880F1000-memory.dmp	upx
behavioral2/memory/1940-79-0x00007FF65AAB0000-0x00007FF65AE01000-memory.dmp	upx
behavioral2/memory/3080-93-0x00007FF684970000-0x00007FF684CC1000-memory.dmp	upx
behavioral2/files/0x0007000000023490-101.dat	upx
behavioral2/files/0x000700000002348f-108.dat	upx
behavioral2/files/0x0007000000023493-113.dat	upx
behavioral2/files/0x0007000000023492-119.dat	upx
behavioral2/files/0x000800000002347e-112.dat	upx
behavioral2/memory/4844-106-0x00007FF74ADA0000-0x00007FF74B0F1000-memory.dmp	upx
behavioral2/memory/4716-105-0x00007FF7F7320000-0x00007FF7F7671000-memory.dmp	upx
behavioral2/files/0x0007000000023491-103.dat	upx
behavioral2/files/0x000700000002348e-99.dat	upx
behavioral2/memory/4372-98-0x00007FF6EA1D0000-0x00007FF6EA521000-memory.dmp	upx
behavioral2/files/0x000700000002348d-95.dat	upx
behavioral2/files/0x000700000002348c-85.dat	upx
behavioral2/memory/3508-78-0x00007FF6712A0000-0x00007FF6715F1000-memory.dmp	upx
behavioral2/files/0x000700000002348a-69.dat	upx
behavioral2/memory/1552-61-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp	upx
behavioral2/files/0x0007000000023488-60.dat	upx
behavioral2/memory/628-52-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp	upx
behavioral2/files/0x0007000000023489-51.dat	upx
behavioral2/files/0x0007000000023486-46.dat	upx
behavioral2/memory/1564-32-0x00007FF7485E0000-0x00007FF748931000-memory.dmp	upx
behavioral2/files/0x0007000000023482-36.dat	upx
behavioral2/memory/4760-25-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp	upx
behavioral2/memory/2408-121-0x00007FF7852E0000-0x00007FF785631000-memory.dmp	upx
behavioral2/memory/3112-123-0x00007FF7E0B20000-0x00007FF7E0E71000-memory.dmp	upx
behavioral2/memory/4876-125-0x00007FF7AC490000-0x00007FF7AC7E1000-memory.dmp	upx
behavioral2/memory/1912-124-0x00007FF6C22D0000-0x00007FF6C2621000-memory.dmp	upx
behavioral2/memory/1728-122-0x00007FF6C4610000-0x00007FF6C4961000-memory.dmp	upx
behavioral2/memory/3628-127-0x00007FF7686C0000-0x00007FF768A11000-memory.dmp	upx
behavioral2/memory/1752-126-0x00007FF6E21A0000-0x00007FF6E24F1000-memory.dmp	upx
behavioral2/memory/4792-128-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	upx
behavioral2/memory/4760-130-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp	upx
behavioral2/memory/1552-137-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp	upx
behavioral2/memory/4716-143-0x00007FF7F7320000-0x00007FF7F7671000-memory.dmp	upx
behavioral2/memory/628-135-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp	upx
behavioral2/memory/5100-133-0x00007FF701430000-0x00007FF701781000-memory.dmp	upx
behavioral2/memory/1564-131-0x00007FF7485E0000-0x00007FF748931000-memory.dmp	upx
behavioral2/memory/1460-129-0x00007FF763370000-0x00007FF7636C1000-memory.dmp	upx
behavioral2/memory/4844-145-0x00007FF74ADA0000-0x00007FF74B0F1000-memory.dmp	upx
behavioral2/memory/4792-150-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	upx
behavioral2/memory/4792-151-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp	upx
behavioral2/memory/1460-207-0x00007FF763370000-0x00007FF7636C1000-memory.dmp	upx
behavioral2/memory/4760-209-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp	upx
behavioral2/memory/1212-211-0x00007FF7F7080000-0x00007FF7F73D1000-memory.dmp	upx
behavioral2/memory/1564-213-0x00007FF7485E0000-0x00007FF748931000-memory.dmp	upx
behavioral2/memory/5100-218-0x00007FF701430000-0x00007FF701781000-memory.dmp	upx
behavioral2/memory/3508-228-0x00007FF6712A0000-0x00007FF6715F1000-memory.dmp	upx
behavioral2/memory/1512-230-0x00007FF787DA0000-0x00007FF7880F1000-memory.dmp	upx
behavioral2/memory/628-233-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp	upx
behavioral2/memory/1552-234-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp	upx
behavioral2/memory/1940-236-0x00007FF65AAB0000-0x00007FF65AE01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CVEgMBY.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wDJoAwP.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HgshhmF.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tloGanM.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NmDLvSo.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FmDqZjP.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iEqtRVO.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LvbdkJW.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AobpxAE.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjoArmc.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZqMFulk.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tfMytSE.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ujnrUJl.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nMkWbWt.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lbQytQV.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eCdFQoB.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZGfblei.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yUVkgIG.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\flOjtkt.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hGcXiUc.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvBtrTr.exe	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1460	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 4792 wrote to memory of 1460	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	82
PID 4792 wrote to memory of 4760	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4792 wrote to memory of 4760	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4792 wrote to memory of 1564	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4792 wrote to memory of 1564	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4792 wrote to memory of 1212	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4792 wrote to memory of 1212	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4792 wrote to memory of 5100	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4792 wrote to memory of 5100	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4792 wrote to memory of 1512	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4792 wrote to memory of 1512	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4792 wrote to memory of 628	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4792 wrote to memory of 628	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4792 wrote to memory of 3508	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4792 wrote to memory of 3508	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4792 wrote to memory of 1552	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4792 wrote to memory of 1552	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4792 wrote to memory of 1940	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4792 wrote to memory of 1940	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4792 wrote to memory of 3080	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4792 wrote to memory of 3080	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4792 wrote to memory of 3112	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4792 wrote to memory of 3112	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4792 wrote to memory of 4372	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4792 wrote to memory of 4372	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4792 wrote to memory of 1912	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4792 wrote to memory of 1912	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4792 wrote to memory of 4716	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4792 wrote to memory of 4716	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4792 wrote to memory of 4876	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4792 wrote to memory of 4876	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4792 wrote to memory of 4844	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4792 wrote to memory of 4844	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4792 wrote to memory of 1752	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4792 wrote to memory of 1752	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4792 wrote to memory of 2408	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4792 wrote to memory of 2408	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4792 wrote to memory of 1728	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4792 wrote to memory of 1728	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4792 wrote to memory of 3628	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4792 wrote to memory of 3628	4792	2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_c2995e5e00acd026c8e39af1770d7f58_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\System\eCdFQoB.exe
  C:\Windows\System\eCdFQoB.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\HgshhmF.exe
  C:\Windows\System\HgshhmF.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\tloGanM.exe
  C:\Windows\System\tloGanM.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\AobpxAE.exe
  C:\Windows\System\AobpxAE.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\hGcXiUc.exe
  C:\Windows\System\hGcXiUc.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\ZGfblei.exe
  C:\Windows\System\ZGfblei.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\ZqMFulk.exe
  C:\Windows\System\ZqMFulk.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\tfMytSE.exe
  C:\Windows\System\tfMytSE.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\OjoArmc.exe
  C:\Windows\System\OjoArmc.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\UvBtrTr.exe
  C:\Windows\System\UvBtrTr.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\yUVkgIG.exe
  C:\Windows\System\yUVkgIG.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\ujnrUJl.exe
  C:\Windows\System\ujnrUJl.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\CVEgMBY.exe
  C:\Windows\System\CVEgMBY.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\nMkWbWt.exe
  C:\Windows\System\nMkWbWt.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\lbQytQV.exe
  C:\Windows\System\lbQytQV.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\NmDLvSo.exe
  C:\Windows\System\NmDLvSo.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\flOjtkt.exe
  C:\Windows\System\flOjtkt.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\FmDqZjP.exe
  C:\Windows\System\FmDqZjP.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\wDJoAwP.exe
  C:\Windows\System\wDJoAwP.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\iEqtRVO.exe
  C:\Windows\System\iEqtRVO.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\LvbdkJW.exe
  C:\Windows\System\LvbdkJW.exe
  2⤵
  - Executes dropped EXE
  PID:3628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AobpxAE.exe

Filesize
5.2MB

MD5
6aa1655e49ee6b6fa358ffa577b850f7

SHA1
de77d92f78e940458982420f9efbea8d1f886ec4

SHA256
40a36d891b8d4c974a047c4fa9d7dd8281821af0d8f02bcac4d6b049b9a99365

SHA512
3b8d922179bde4fd6f95efb6c39e2c6f1b847796c0999fd3898ce7ac6f27816fd5fdbd942841a888f43c71c1ecb11518c2ebc8624b6880c1bc343517c78ff734

Download Submit
C:\Windows\System\CVEgMBY.exe

Filesize
5.2MB

MD5
da9c1e17fa90641309a1f7dc43e058bd

SHA1
9d37ab8a369ff806e0432a3ebc5218cbfa089270

SHA256
cac6c477df350ff1993460c25804fb21c25836c3941ae48be5056061a2f928c7

SHA512
a3a07724f7519a6c892127b3c56deb53df187d08b646165fe635906a3f8ad20c5b494244417eb99d4c73521f34ae6b902ba00111be656217fe6dbf1172109c62

Download Submit
C:\Windows\System\FmDqZjP.exe

Filesize
5.2MB

MD5
346d31b6d4e45f4c02ffb564d1219822

SHA1
4db1940cff7482c7b568b5a061d478b2ca83715a

SHA256
5ab96dea9d4e22c01ac58ddb8283d80c137b53ce0fe4b52e2bbc57f19613eca2

SHA512
918404d132ff8c0db54011db5939197d51888dfec61e1c1ecf6a4fcca24d32749619f5b335d90b4585874558629aa3ca565e4182717e959876244f89d9466f29

Download Submit
C:\Windows\System\HgshhmF.exe

Filesize
5.2MB

MD5
8763ab9641d3632014cf1114fe85dd05

SHA1
ee36b7aa60fd7439cc9821153c3e89d4a2bd300a

SHA256
facb2ba5efa722535ded46779c390d99a767f3045aecc5343f125c4570b0764f

SHA512
b82dc1b5c535bfc058dd95f9be1d887cf8ac9c78cf983816e85987a1e98a49a34ed262ffbf22e07b5931d3578dd652e1651a911d990bfceb1b13c11f48f53c63

Download Submit
C:\Windows\System\LvbdkJW.exe

Filesize
5.2MB

MD5
342b29a6cba25cd895ebc4b5355446ab

SHA1
7effe6e633223991642bd8ad66163d042d1ca573

SHA256
58371f01dd0e1fd2eeb72c3a8927dedb396f839271a889087496d5f756ebaa82

SHA512
c845c1db433e97580388eeb8a3de705c25f30105cc9239d4040761bc086ee99518f1ce616534f1178f27c4d0cb0468a3a5b1c2a94a00bb2b5c57820557c268f5

Download Submit
C:\Windows\System\NmDLvSo.exe

Filesize
5.2MB

MD5
417073f421b0c39167830f3be50f3a62

SHA1
e7d5367a377fc412548a60973357ec8eec80993f

SHA256
56f154f6e8d08f65c71ae17a0dcbbb79345516ff40544b84e0e488be3c7bb395

SHA512
cc19dc8a4afb301059f7d06134f0b9dbc82648b165eb2ecc20819bf093cdaf330078fa027146853c2aec07257fab7755d35ec65cda3bd52061bbdf6a1c4e89a2

Download Submit
C:\Windows\System\OjoArmc.exe

Filesize
5.2MB

MD5
bd9726c17f3f038171b2b7d255ff595b

SHA1
5517fc87b44b88a245f80df80c5b728b22fd8574

SHA256
128c4545c6d481ec9d2ee1fd2737bb4659ad0efed527ee6b151ba9ae20a71cbe

SHA512
37d6f8f6918928081bb6213f61cfbec3bd246b6ed58298e6301147d5cb7f4079e5181118732cd3bd36e3bf68298f2e59163ce540212e74cc52d408d69188d516

Download Submit
C:\Windows\System\UvBtrTr.exe

Filesize
5.2MB

MD5
f2adc61a7527ea3da350b195e3ae509a

SHA1
8570c8144e2d959898c55d0c86f79c7a92b63cb0

SHA256
10961578bfd5a1a24c6d2eccc5b112d6abb7f553d9fb869d56cd73c489e90241

SHA512
49f3cb00e46a778c2941e774e8da48b4a4073c8be1cbf0386f9d937d753482390e7d6e88767a07af40677a5a04281056388796c5c44c9d83c442ef60564a9529

Download Submit
C:\Windows\System\ZGfblei.exe

Filesize
5.2MB

MD5
79fdda3d56967c9c64ddf6647fe9a981

SHA1
ec3d05ec5affd6cc4102ca1aee354d6601b998f5

SHA256
c29b2706d4c95bfa7cbcf8123faefa95bbf87d21a58c01fa08f270a78d1e67d8

SHA512
11b7e070af566d63e4127f113a92deb058ca62683bc475d6eeb25a02936a686943b94a0bd9d07487ff42b7296edadeb46133eef9ca5e40da2bf3434cd74a0167

Download Submit
C:\Windows\System\ZqMFulk.exe

Filesize
5.2MB

MD5
683697cbb7014a24e745d4958d064326

SHA1
d2176625c51ea632509885edff6e44e1363f657c

SHA256
046c7f908183e92bde100847387d9a20678a347b94110903e78ee9d965276866

SHA512
89a2c88a093a573a584cb3df78e2e5b071ae46250bcb2a8e390f646e210d23522270a2b6952fc40e3097a2483525a0ecea02000ad36b14c9c56320e9a55b2e84

Download Submit
C:\Windows\System\eCdFQoB.exe

Filesize
5.2MB

MD5
7d6a3723e74141ce6d0e807ac0efd71b

SHA1
3da5e65e89f6a2f2caccfa4efaae0988171a877b

SHA256
6ea7f5bf6d63d294cd26a0d2e227ccfdbcd5174eda3f7b6f00d7cd9722666457

SHA512
183c2658cc028d803e347724474188c6d573c455470637c50161d5de7950a325487b25c94c76b9da3d2370016597a884acc6b44a3e971a3753063c6ff778a6ef

Download Submit
C:\Windows\System\flOjtkt.exe

Filesize
5.2MB

MD5
f918ca8d7836ea7f00399acdee7e6bda

SHA1
fd590323b87943badac6f707c29bf0352bc3486a

SHA256
d884eb91597c2c2623e0a0e8903210b6e7cd600d12b2270a466dad58eddeff25

SHA512
ef0581d33fe6a0ce4c62b978491c151a4af61403a9cb619588f3270a7d06167baa782208f5d91e68020934b7c329702b23e7db8cd240516a65ecddb6eea5c8ef

Download Submit
C:\Windows\System\hGcXiUc.exe

Filesize
5.2MB

MD5
031a398a683e5a740abfa164e30e066d

SHA1
b86d5dd966eec80ce277df0e40e6a3fa719fab80

SHA256
33ebff30b034b51cc42b93ffaca3c3b62b14c2da8b34177803923f26c99ee8b5

SHA512
080d6a36b1e7094391b66c92319e2b86239ada3ade2149d4f00cc28416553f9e39702257664ed5f4ad5628ec0cd57afc2f740b6e1466e13b8bc9c4fd2bf0ea85

Download Submit
C:\Windows\System\iEqtRVO.exe

Filesize
5.2MB

MD5
5867454115ffa2b059df89f362c05d0c

SHA1
354daeba1e4d8c193060da0d0d8d0ee4a040cd1a

SHA256
baf9f7174495240684178452a31e336a950c929c3d2db017a48a747fa0aad63a

SHA512
0661feeb703ac44afa90f4ea9d6337fe68f5a477044ea97d95df831272854a9454081cefdf43e63c290b931e97437666dc578cb8a2ade205ecf82c5cc5397fa6

Download Submit
C:\Windows\System\lbQytQV.exe

Filesize
5.2MB

MD5
85ab22fb5ae1d423fdc3e3d40c592f8c

SHA1
5b7dcd2e1c001bca3de69ccba13c9c8261f4544d

SHA256
af7fcdb0fd8a1626d76793780759510540979319499bfbb9c064881dcd20868b

SHA512
c76309a26ec322fb2293f95c8ee993fd2633dece0b66c468d205ffdd0c32b04939ac7c87aca13793ec2057f5a84edb9b0541ba9ead78633e4dedabcae05395d5

Download Submit
C:\Windows\System\nMkWbWt.exe

Filesize
5.2MB

MD5
46985f042ecc02f43f6049fbb4ed89f7

SHA1
b49e20f8e1e0dd8c6b7e5cc9db91c9dad56d3287

SHA256
d015d8d855eeec3ab28d46694a65b77305fddf890e98169ac79b8c979761d83a

SHA512
883de4cab062d4a44ca7c049e664ed874af63b963565ec7d452e862257eb98f226ca32ce57a9414068a47c231c63999acc9407abfe6cdf79d107f8f2e6464f02

Download Submit
C:\Windows\System\tfMytSE.exe

Filesize
5.2MB

MD5
2e6f20353e34c7e83a7c2da769dd3e2b

SHA1
bd14841046d7c6eafdf2553300a69b698c971e38

SHA256
9b88757208d98622cd3476b639b959616c5ae1d6426f5b06c058fa6c681ddb2f

SHA512
cf2e70e36b031fa96e55c6b00a9ad0679274af34a7c851a00bfd51eb206f1a4bab3a45ec027bf13cb87747bd330b93e1e1f1d647b2b9a3e0aacd178c0cc2399e

Download Submit
C:\Windows\System\tloGanM.exe

Filesize
5.2MB

MD5
21cf1fd8219574bbb4a9e6f460ce49e5

SHA1
6a523f0b7a5726ef0e371b0d90204a69a6156119

SHA256
c4de87a1984fb651840c3b7c9baeb47358cae259f438e5a9f15d944f52570750

SHA512
3c4096cf84323eaf4ec6f409d905e8061e2fbb8eb6da559d30b405e84b217c262958f8f700a62b5448b4eae45f37632b1007dc4d5cab0b7a325a1e6e57719fdd

Download Submit
C:\Windows\System\ujnrUJl.exe

Filesize
5.2MB

MD5
aa06c3e3926b95ce44e656fcd4784040

SHA1
0a6aa2efcb0d7057fc7a6e9c83f7eae1f57f5bc6

SHA256
92c99e9684f0110264300dffb3f9f0b626a913b67549ca6c5d33040374ae8a2d

SHA512
9428bb52c419c8f3a8b89fe3326db6cc5a67d0d1f361397f0dda4a05ba21abdf8c0621ed5a39cd7a07dbba595245557b36c0d7d37d53ddac9e96c6074f04b12b

Download Submit
C:\Windows\System\wDJoAwP.exe

Filesize
5.2MB

MD5
1e63db439544cf60f7c8ab58e1111422

SHA1
26654a180cfd3acb103a20819bc77dcc48c67811

SHA256
fef56d7adcd95487b37a9a5227646e458dd5555e04b1bb9984790c463a55d3f4

SHA512
8798c9130494950a4e0b3cba803e0e368267b9c2402262527cd201987bfe1c9c1fadbc22d5a8ca90d3acd578119b22e3952e504c8a0a272b0575248a63ed6a46

Download Submit
C:\Windows\System\yUVkgIG.exe

Filesize
5.2MB

MD5
129047bdffe9736f6570b3cf5ac50e12

SHA1
0971092cb249081efa6c3409d48a1d22bd5c66cb

SHA256
bee5258553652ef3917ee829458fda663924332e28483c38eebba6b8c1cad4cb

SHA512
7be34bfcbd5594a2e7b78c635ebb498d319e7d29b183fca6eb6456047791c31f76e7a8348b18dffb5b2331c0ff8ffb8cfb66b050b469b0d53fdd94d65d000131

Download Submit
memory/628-233-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp

Filesize
3.3MB

Download
memory/628-135-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp

Filesize
3.3MB

Download
memory/628-52-0x00007FF74B930000-0x00007FF74BC81000-memory.dmp

Filesize
3.3MB

Download
memory/1212-211-0x00007FF7F7080000-0x00007FF7F73D1000-memory.dmp

Filesize
3.3MB

Download
memory/1212-68-0x00007FF7F7080000-0x00007FF7F73D1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-129-0x00007FF763370000-0x00007FF7636C1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-207-0x00007FF763370000-0x00007FF7636C1000-memory.dmp

Filesize
3.3MB

Download
memory/1460-6-0x00007FF763370000-0x00007FF7636C1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-230-0x00007FF787DA0000-0x00007FF7880F1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-73-0x00007FF787DA0000-0x00007FF7880F1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-137-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-61-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-234-0x00007FF61A270000-0x00007FF61A5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-213-0x00007FF7485E0000-0x00007FF748931000-memory.dmp

Filesize
3.3MB

Download
memory/1564-131-0x00007FF7485E0000-0x00007FF748931000-memory.dmp

Filesize
3.3MB

Download
memory/1564-32-0x00007FF7485E0000-0x00007FF748931000-memory.dmp

Filesize
3.3MB

Download
memory/1728-122-0x00007FF6C4610000-0x00007FF6C4961000-memory.dmp

Filesize
3.3MB

Download
memory/1728-254-0x00007FF6C4610000-0x00007FF6C4961000-memory.dmp

Filesize
3.3MB

Download
memory/1752-248-0x00007FF6E21A0000-0x00007FF6E24F1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-126-0x00007FF6E21A0000-0x00007FF6E24F1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-244-0x00007FF6C22D0000-0x00007FF6C2621000-memory.dmp

Filesize
3.3MB

Download
memory/1912-124-0x00007FF6C22D0000-0x00007FF6C2621000-memory.dmp

Filesize
3.3MB

Download
memory/1940-79-0x00007FF65AAB0000-0x00007FF65AE01000-memory.dmp

Filesize
3.3MB

Download
memory/1940-236-0x00007FF65AAB0000-0x00007FF65AE01000-memory.dmp

Filesize
3.3MB

Download
memory/2408-250-0x00007FF7852E0000-0x00007FF785631000-memory.dmp

Filesize
3.3MB

Download
memory/2408-121-0x00007FF7852E0000-0x00007FF785631000-memory.dmp

Filesize
3.3MB

Download
memory/3080-93-0x00007FF684970000-0x00007FF684CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-238-0x00007FF684970000-0x00007FF684CC1000-memory.dmp

Filesize
3.3MB

Download
memory/3112-123-0x00007FF7E0B20000-0x00007FF7E0E71000-memory.dmp

Filesize
3.3MB

Download
memory/3112-242-0x00007FF7E0B20000-0x00007FF7E0E71000-memory.dmp

Filesize
3.3MB

Download
memory/3508-78-0x00007FF6712A0000-0x00007FF6715F1000-memory.dmp

Filesize
3.3MB

Download
memory/3508-228-0x00007FF6712A0000-0x00007FF6715F1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-257-0x00007FF7686C0000-0x00007FF768A11000-memory.dmp

Filesize
3.3MB

Download
memory/3628-127-0x00007FF7686C0000-0x00007FF768A11000-memory.dmp

Filesize
3.3MB

Download
memory/4372-240-0x00007FF6EA1D0000-0x00007FF6EA521000-memory.dmp

Filesize
3.3MB

Download
memory/4372-98-0x00007FF6EA1D0000-0x00007FF6EA521000-memory.dmp

Filesize
3.3MB

Download
memory/4716-105-0x00007FF7F7320000-0x00007FF7F7671000-memory.dmp

Filesize
3.3MB

Download
memory/4716-143-0x00007FF7F7320000-0x00007FF7F7671000-memory.dmp

Filesize
3.3MB

Download
memory/4716-246-0x00007FF7F7320000-0x00007FF7F7671000-memory.dmp

Filesize
3.3MB

Download
memory/4760-130-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-209-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-25-0x00007FF62F050000-0x00007FF62F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-151-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-0-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-1-0x0000027BD3B80000-0x0000027BD3B90000-memory.dmp

Filesize
64KB

Download
memory/4792-150-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-128-0x00007FF6AB1A0000-0x00007FF6AB4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-106-0x00007FF74ADA0000-0x00007FF74B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-145-0x00007FF74ADA0000-0x00007FF74B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4844-258-0x00007FF74ADA0000-0x00007FF74B0F1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-252-0x00007FF7AC490000-0x00007FF7AC7E1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-125-0x00007FF7AC490000-0x00007FF7AC7E1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-218-0x00007FF701430000-0x00007FF701781000-memory.dmp

Filesize
3.3MB

Download
memory/5100-133-0x00007FF701430000-0x00007FF701781000-memory.dmp

Filesize
3.3MB

Download
memory/5100-42-0x00007FF701430000-0x00007FF701781000-memory.dmp

Filesize
3.3MB

Download