cobaltstrike | c05c2828bf15eeaee89e7c4f6a8c2268094f8c368d9a29c4a502f9fce62fd287

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

41408c47913631d5c2cc09d5e1f404c8
SHA1

e638d2d2bc475d08877517ae483cfeac346ac7fb
SHA256

c05c2828bf15eeaee89e7c4f6a8c2268094f8c368d9a29c4a502f9fce62fd287
SHA512

a1589e35ef01b2b2fb06cf286297a1b73a0864cc4644c1723cdac21678d90d5b0359bf47a63930983aa8454d75c5f831ba93a022bd97702b450a8e0fb655b994
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibd56utgpPFotBER/mQ32lUV

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234fa-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023501-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023502-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023505-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023504-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023507-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023506-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023509-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350b-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350d-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023510-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023512-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023513-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023511-122.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350e-118.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234fe-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350c-82.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350a-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023508-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023503-39.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234fd-19.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/316-95-0x00007FF71B480000-0x00007FF71B7D1000-memory.dmp	xmrig
behavioral2/memory/5044-94-0x00007FF6F78E0000-0x00007FF6F7C31000-memory.dmp	xmrig
behavioral2/memory/4516-93-0x00007FF60E340000-0x00007FF60E691000-memory.dmp	xmrig
behavioral2/memory/4320-89-0x00007FF73F6E0000-0x00007FF73FA31000-memory.dmp	xmrig
behavioral2/memory/4952-86-0x00007FF6CBB40000-0x00007FF6CBE91000-memory.dmp	xmrig
behavioral2/memory/1384-85-0x00007FF7DA730000-0x00007FF7DAA81000-memory.dmp	xmrig
behavioral2/memory/3392-77-0x00007FF6A3C30000-0x00007FF6A3F81000-memory.dmp	xmrig
behavioral2/memory/2356-129-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp	xmrig
behavioral2/memory/1028-130-0x00007FF783600000-0x00007FF783951000-memory.dmp	xmrig
behavioral2/memory/1552-128-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp	xmrig
behavioral2/memory/3892-131-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	xmrig
behavioral2/memory/824-134-0x00007FF7A7280000-0x00007FF7A75D1000-memory.dmp	xmrig
behavioral2/memory/1268-144-0x00007FF638F00000-0x00007FF639251000-memory.dmp	xmrig
behavioral2/memory/1388-141-0x00007FF74A000000-0x00007FF74A351000-memory.dmp	xmrig
behavioral2/memory/636-139-0x00007FF703E50000-0x00007FF7041A1000-memory.dmp	xmrig
behavioral2/memory/4480-132-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp	xmrig
behavioral2/memory/4956-137-0x00007FF6C6E70000-0x00007FF6C71C1000-memory.dmp	xmrig
behavioral2/memory/544-148-0x00007FF69E800000-0x00007FF69EB51000-memory.dmp	xmrig
behavioral2/memory/2632-149-0x00007FF7A6FC0000-0x00007FF7A7311000-memory.dmp	xmrig
behavioral2/memory/4932-147-0x00007FF79DEC0000-0x00007FF79E211000-memory.dmp	xmrig
behavioral2/memory/3496-146-0x00007FF7CED60000-0x00007FF7CF0B1000-memory.dmp	xmrig
behavioral2/memory/436-145-0x00007FF71BE70000-0x00007FF71C1C1000-memory.dmp	xmrig
behavioral2/memory/1552-150-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp	xmrig
behavioral2/memory/2356-205-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp	xmrig
behavioral2/memory/1028-207-0x00007FF783600000-0x00007FF783951000-memory.dmp	xmrig
behavioral2/memory/4480-221-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp	xmrig
behavioral2/memory/3392-220-0x00007FF6A3C30000-0x00007FF6A3F81000-memory.dmp	xmrig
behavioral2/memory/3892-223-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	xmrig
behavioral2/memory/4320-227-0x00007FF73F6E0000-0x00007FF73FA31000-memory.dmp	xmrig
behavioral2/memory/1384-226-0x00007FF7DA730000-0x00007FF7DAA81000-memory.dmp	xmrig
behavioral2/memory/1388-235-0x00007FF74A000000-0x00007FF74A351000-memory.dmp	xmrig
behavioral2/memory/4952-240-0x00007FF6CBB40000-0x00007FF6CBE91000-memory.dmp	xmrig
behavioral2/memory/4516-241-0x00007FF60E340000-0x00007FF60E691000-memory.dmp	xmrig
behavioral2/memory/5044-243-0x00007FF6F78E0000-0x00007FF6F7C31000-memory.dmp	xmrig
behavioral2/memory/824-239-0x00007FF7A7280000-0x00007FF7A75D1000-memory.dmp	xmrig
behavioral2/memory/4956-236-0x00007FF6C6E70000-0x00007FF6C71C1000-memory.dmp	xmrig
behavioral2/memory/636-231-0x00007FF703E50000-0x00007FF7041A1000-memory.dmp	xmrig
behavioral2/memory/316-230-0x00007FF71B480000-0x00007FF71B7D1000-memory.dmp	xmrig
behavioral2/memory/544-247-0x00007FF69E800000-0x00007FF69EB51000-memory.dmp	xmrig
behavioral2/memory/436-253-0x00007FF71BE70000-0x00007FF71C1C1000-memory.dmp	xmrig
behavioral2/memory/1268-257-0x00007FF638F00000-0x00007FF639251000-memory.dmp	xmrig
behavioral2/memory/2632-255-0x00007FF7A6FC0000-0x00007FF7A7311000-memory.dmp	xmrig
behavioral2/memory/4932-249-0x00007FF79DEC0000-0x00007FF79E211000-memory.dmp	xmrig
behavioral2/memory/3496-252-0x00007FF7CED60000-0x00007FF7CF0B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2356	xXfXpEp.exe
1028	TPwlvUI.exe
3892	FBwpgXz.exe
4480	WkJqVIw.exe
3392	XoIeOmN.exe
1384	SZFHlIx.exe
824	bitJEKM.exe
4952	TPtbjHh.exe
4956	WzuvQQm.exe
4320	vdwewGY.exe
636	MDcYifv.exe
4516	NwbZjHd.exe
1388	jvcvxHF.exe
316	ayeYrNi.exe
5044	sVmPdIJ.exe
1268	qvIkekP.exe
436	dhhkGJB.exe
3496	LjfXJdw.exe
4932	pAUdicc.exe
544	ELXtYub.exe
2632	iHqIlgD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1552-0-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp	upx
behavioral2/files/0x00080000000234fa-5.dat	upx
behavioral2/memory/2356-8-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp	upx
behavioral2/files/0x0007000000023501-17.dat	upx
behavioral2/files/0x0007000000023502-18.dat	upx
behavioral2/files/0x0007000000023505-33.dat	upx
behavioral2/files/0x0007000000023504-34.dat	upx
behavioral2/files/0x0007000000023507-45.dat	upx
behavioral2/files/0x0007000000023506-57.dat	upx
behavioral2/memory/636-68-0x00007FF703E50000-0x00007FF7041A1000-memory.dmp	upx
behavioral2/files/0x0007000000023509-73.dat	upx
behavioral2/files/0x000700000002350b-79.dat	upx
behavioral2/files/0x000700000002350d-91.dat	upx
behavioral2/memory/316-95-0x00007FF71B480000-0x00007FF71B7D1000-memory.dmp	upx
behavioral2/files/0x0007000000023510-108.dat	upx
behavioral2/memory/4932-116-0x00007FF79DEC0000-0x00007FF79E211000-memory.dmp	upx
behavioral2/files/0x0007000000023512-124.dat	upx
behavioral2/files/0x0007000000023513-126.dat	upx
behavioral2/files/0x0007000000023511-122.dat	upx
behavioral2/files/0x000700000002350e-118.dat	upx
behavioral2/memory/2632-117-0x00007FF7A6FC0000-0x00007FF7A7311000-memory.dmp	upx
behavioral2/memory/544-115-0x00007FF69E800000-0x00007FF69EB51000-memory.dmp	upx
behavioral2/memory/3496-113-0x00007FF7CED60000-0x00007FF7CF0B1000-memory.dmp	upx
behavioral2/memory/436-109-0x00007FF71BE70000-0x00007FF71C1C1000-memory.dmp	upx
behavioral2/memory/1268-98-0x00007FF638F00000-0x00007FF639251000-memory.dmp	upx
behavioral2/files/0x00080000000234fe-96.dat	upx
behavioral2/memory/5044-94-0x00007FF6F78E0000-0x00007FF6F7C31000-memory.dmp	upx
behavioral2/memory/4516-93-0x00007FF60E340000-0x00007FF60E691000-memory.dmp	upx
behavioral2/memory/4320-89-0x00007FF73F6E0000-0x00007FF73FA31000-memory.dmp	upx
behavioral2/memory/4952-86-0x00007FF6CBB40000-0x00007FF6CBE91000-memory.dmp	upx
behavioral2/memory/1384-85-0x00007FF7DA730000-0x00007FF7DAA81000-memory.dmp	upx
behavioral2/files/0x000700000002350c-82.dat	upx
behavioral2/memory/3392-77-0x00007FF6A3C30000-0x00007FF6A3F81000-memory.dmp	upx
behavioral2/memory/1388-69-0x00007FF74A000000-0x00007FF74A351000-memory.dmp	upx
behavioral2/files/0x000700000002350a-64.dat	upx
behavioral2/memory/4956-61-0x00007FF6C6E70000-0x00007FF6C71C1000-memory.dmp	upx
behavioral2/files/0x0007000000023508-51.dat	upx
behavioral2/memory/824-46-0x00007FF7A7280000-0x00007FF7A75D1000-memory.dmp	upx
behavioral2/memory/4480-35-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp	upx
behavioral2/files/0x0007000000023503-39.dat	upx
behavioral2/memory/3892-30-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	upx
behavioral2/files/0x00080000000234fd-19.dat	upx
behavioral2/memory/1028-16-0x00007FF783600000-0x00007FF783951000-memory.dmp	upx
behavioral2/memory/2356-129-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp	upx
behavioral2/memory/1028-130-0x00007FF783600000-0x00007FF783951000-memory.dmp	upx
behavioral2/memory/1552-128-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp	upx
behavioral2/memory/3892-131-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	upx
behavioral2/memory/824-134-0x00007FF7A7280000-0x00007FF7A75D1000-memory.dmp	upx
behavioral2/memory/1268-144-0x00007FF638F00000-0x00007FF639251000-memory.dmp	upx
behavioral2/memory/1388-141-0x00007FF74A000000-0x00007FF74A351000-memory.dmp	upx
behavioral2/memory/636-139-0x00007FF703E50000-0x00007FF7041A1000-memory.dmp	upx
behavioral2/memory/4480-132-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp	upx
behavioral2/memory/4956-137-0x00007FF6C6E70000-0x00007FF6C71C1000-memory.dmp	upx
behavioral2/memory/544-148-0x00007FF69E800000-0x00007FF69EB51000-memory.dmp	upx
behavioral2/memory/2632-149-0x00007FF7A6FC0000-0x00007FF7A7311000-memory.dmp	upx
behavioral2/memory/4932-147-0x00007FF79DEC0000-0x00007FF79E211000-memory.dmp	upx
behavioral2/memory/3496-146-0x00007FF7CED60000-0x00007FF7CF0B1000-memory.dmp	upx
behavioral2/memory/436-145-0x00007FF71BE70000-0x00007FF71C1C1000-memory.dmp	upx
behavioral2/memory/1552-150-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp	upx
behavioral2/memory/2356-205-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp	upx
behavioral2/memory/1028-207-0x00007FF783600000-0x00007FF783951000-memory.dmp	upx
behavioral2/memory/4480-221-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp	upx
behavioral2/memory/3392-220-0x00007FF6A3C30000-0x00007FF6A3F81000-memory.dmp	upx
behavioral2/memory/3892-223-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sVmPdIJ.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dhhkGJB.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iHqIlgD.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SZFHlIx.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MDcYifv.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NwbZjHd.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jvcvxHF.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FBwpgXz.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WkJqVIw.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ayeYrNi.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LjfXJdw.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pAUdicc.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ELXtYub.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xXfXpEp.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPtbjHh.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bitJEKM.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzuvQQm.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vdwewGY.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvIkekP.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPwlvUI.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XoIeOmN.exe	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2356	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1552 wrote to memory of 2356	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1552 wrote to memory of 1028	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1552 wrote to memory of 1028	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1552 wrote to memory of 3892	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1552 wrote to memory of 3892	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1552 wrote to memory of 4480	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1552 wrote to memory of 4480	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1552 wrote to memory of 3392	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1552 wrote to memory of 3392	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1552 wrote to memory of 824	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1552 wrote to memory of 824	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1552 wrote to memory of 1384	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1552 wrote to memory of 1384	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1552 wrote to memory of 4952	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1552 wrote to memory of 4952	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1552 wrote to memory of 4956	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1552 wrote to memory of 4956	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1552 wrote to memory of 4320	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1552 wrote to memory of 4320	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1552 wrote to memory of 636	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1552 wrote to memory of 636	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1552 wrote to memory of 4516	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1552 wrote to memory of 4516	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1552 wrote to memory of 1388	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1552 wrote to memory of 1388	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1552 wrote to memory of 316	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1552 wrote to memory of 316	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1552 wrote to memory of 5044	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1552 wrote to memory of 5044	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1552 wrote to memory of 1268	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1552 wrote to memory of 1268	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1552 wrote to memory of 436	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1552 wrote to memory of 436	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1552 wrote to memory of 3496	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1552 wrote to memory of 3496	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1552 wrote to memory of 4932	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1552 wrote to memory of 4932	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1552 wrote to memory of 544	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1552 wrote to memory of 544	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1552 wrote to memory of 2632	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1552 wrote to memory of 2632	1552	2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-24_41408c47913631d5c2cc09d5e1f404c8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\System\xXfXpEp.exe
  C:\Windows\System\xXfXpEp.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\TPwlvUI.exe
  C:\Windows\System\TPwlvUI.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\FBwpgXz.exe
  C:\Windows\System\FBwpgXz.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\WkJqVIw.exe
  C:\Windows\System\WkJqVIw.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\XoIeOmN.exe
  C:\Windows\System\XoIeOmN.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\bitJEKM.exe
  C:\Windows\System\bitJEKM.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\SZFHlIx.exe
  C:\Windows\System\SZFHlIx.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\TPtbjHh.exe
  C:\Windows\System\TPtbjHh.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\WzuvQQm.exe
  C:\Windows\System\WzuvQQm.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\vdwewGY.exe
  C:\Windows\System\vdwewGY.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\MDcYifv.exe
  C:\Windows\System\MDcYifv.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\NwbZjHd.exe
  C:\Windows\System\NwbZjHd.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\jvcvxHF.exe
  C:\Windows\System\jvcvxHF.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\ayeYrNi.exe
  C:\Windows\System\ayeYrNi.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\sVmPdIJ.exe
  C:\Windows\System\sVmPdIJ.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\qvIkekP.exe
  C:\Windows\System\qvIkekP.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\dhhkGJB.exe
  C:\Windows\System\dhhkGJB.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\LjfXJdw.exe
  C:\Windows\System\LjfXJdw.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\pAUdicc.exe
  C:\Windows\System\pAUdicc.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\ELXtYub.exe
  C:\Windows\System\ELXtYub.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\iHqIlgD.exe
  C:\Windows\System\iHqIlgD.exe
  2⤵
  - Executes dropped EXE
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ELXtYub.exe

Filesize
5.2MB

MD5
3e04113a4458475c6beddba38048151d

SHA1
63ab0348ba1b3e4ca8d4a3dd118ae28044a1ba82

SHA256
40f8ddd5d89ecad02bbc1658d6dd5af24a92ae600861298574f65e353b251d69

SHA512
74701eae5963ede71ce9ce79f4620dbb63d28fbc953b18e92f0e19a55ecad44dfe2bbe8dacd347e55dc1d239fb284d82cc388e22adae4f3cd2d19d49a75e7069

Download Submit
C:\Windows\System\FBwpgXz.exe

Filesize
5.2MB

MD5
e1c3839644d10d634d009a32122af8d9

SHA1
6f8f28a95b125a62753eda0dfa7af72285738e79

SHA256
316f634bfd19a32833bfee38d2e7da06b52e8c519d09c405bf993abaf7282f0f

SHA512
1ad29d578a501095688914aae8a7beac8ffac598f3b1e9d9412a5924dcfc5f942cf28593e8e76b838aabf34fada85b6f984828800fb09c7bd0c0c7be37799dd4

Download Submit
C:\Windows\System\LjfXJdw.exe

Filesize
5.2MB

MD5
8d59e7539f672a50c1aa93e6e71dd922

SHA1
02e90e44d62d0565c307defafa669f2f706e2e4a

SHA256
8bc7105139c69ea10772037ee3e33e8bd9a4013da8033486f52b486848f7e8c2

SHA512
ca58de4ac59caf0bb1a4d1a381970898c0859a93b56693fe5219e79d510c3aa055d79386393b1d164396df8099fd8806a56d7b9c03ba8343d22240a8df75ba04

Download Submit
C:\Windows\System\MDcYifv.exe

Filesize
5.2MB

MD5
adef04b9bef48292eb13fe6dfe458f35

SHA1
da4b936fe5f9285a06f647a336cfa57e66244b2a

SHA256
9b571d3d3ba2b90c17ae599de4a38f8ad722b3b409b49cb62c0e5cc4c21f0d71

SHA512
5203018837c42e92cba0d16511e4076478f740f62c71437c0eaf28918c5b53817c7a221bcd3de52dd7a3d15d26c101cc847e098280f53b8647950edee8fabb2d

Download Submit
C:\Windows\System\NwbZjHd.exe

Filesize
5.2MB

MD5
6ed1975e3881cd0723ed7ace0012af35

SHA1
00a8b85b7e60ebd72ad2fa6d119274f74ecc53f5

SHA256
2b5395d2a520682cc6a0de3528c4e1b49850f60a55c65e7c5f014c7bbae997be

SHA512
39ae26c48b3e6cb360dceb34633acfed5f7d0addd477faef5e6446c2b73cd0a4b03ee22adbabb0d4c06a781827daab20d7f85418957f306637d2bf4f6742f4f0

Download Submit
C:\Windows\System\SZFHlIx.exe

Filesize
5.2MB

MD5
e2cebd32362310e5edd3b18d5880c7d8

SHA1
d7a15edf764d8a190c15be8aa3e2236e3e5fab90

SHA256
0d73f8c9a7325b580cacdfede3c22381fed06d2770488102eaca96519d456474

SHA512
6a82172214007327ebe5f983421556438aa7ebaa34fc1ca444d247c49e5c74fc6db82284f73f312641ad8b59691f4a31add4ee24e209b83ef479efdc866ef5cf

Download Submit
C:\Windows\System\TPtbjHh.exe

Filesize
5.2MB

MD5
5af7b172ef6df729a75900d4e7766df6

SHA1
64ce0b71a147777caf9c3bb137a9c30ad430a5d1

SHA256
71310f16b9b06cd5b924d2b6cf12881bea7d46d6d5a0281d88b9699479e162d4

SHA512
e10631dab40ea9fe413721626b2f68605f627c6dbc696f1aab714b2a50cf5d65215e020ec982fb2abe4e59c72ea74b06539b0570affa874c95557bd941285164

Download Submit
C:\Windows\System\TPwlvUI.exe

Filesize
5.2MB

MD5
0a7d4984aae44a788051bc5ef833b5f6

SHA1
b49ddfdd4a2430610dab01734591bd531baf936f

SHA256
9ba8aa5b404a35524ad55864c5b262413efbf16e7f5087f99d27cf0882b04137

SHA512
8b1e1f5e52dce33b1a79a337b72cf4f8c71727d787d934c6f782219ec3c4ad32a908e58415c5812f6e234e442c075101cf27bf2d514f40d8c1721b62b52cbc86

Download Submit
C:\Windows\System\WkJqVIw.exe

Filesize
5.2MB

MD5
a8c809f309a28681353db1f635163ffd

SHA1
161ef6342b0014bd9967b11a9926f9ae9fceac54

SHA256
044acbbf332e9ba06f17578ec9611972c95991b14f804674df31c34f6e5b4f7e

SHA512
acc3fe7b9a547f0d36d6d1a783b98c9793e0fd53fd86b6d2bcc45557ef25994ab55aea0b5b9b3f32ffd635d8b13b03ce3975ce59762a4a3b7f8e09fc690f2997

Download Submit
C:\Windows\System\WzuvQQm.exe

Filesize
5.2MB

MD5
7df9bca7bd54b218c6ceec32feae491b

SHA1
fd1aff18e8bc1c83ccd004fe33603b82f0831bdb

SHA256
19f60940cbe7ec87084dfd25de70549d323f3475ccb786f6033674273a32afa4

SHA512
ab6128332646ca195a8b3d9957a87d910d1b00ebf2efca4a2433529dd97b7149411b59994d26e797893626d254519cf2fb07595726f0c02ef6313ee0bea91afa

Download Submit
C:\Windows\System\XoIeOmN.exe

Filesize
5.2MB

MD5
fa4061d0deefa2d059fc6b66fcd6fa5c

SHA1
a82b093667b1d6cd9340821dd9cbf883c61a5926

SHA256
f4fc258daa59415ea0ac865cb11e92db27bb654d89cbfe60b4749fae51a2c286

SHA512
22410b201d54a2860a402633e5eb8912d99d8f985034605aa391d58c9b4b086ef8d628083bb6450931e109187f8dee4e23f61c65f8ecaa8f1a2dd264929a4873

Download Submit
C:\Windows\System\ayeYrNi.exe

Filesize
5.2MB

MD5
092862a871cff01ab7f8e0bae26d3375

SHA1
0ab4d2c8a39bd8b5d045f6f82ba8c50bc153824b

SHA256
276c1dfabdf684b43a0ebe3d7eec6115c6e1b08d127a09de51b6a0038dc7020a

SHA512
7a5abae893a30db01667f36e1dc37a6533a768d31b6596af8ad5ac13b41b1ec5ac7a40e4eaaddb9ce7fc7d10dd52119246683f55bcd599399b695c0dfe14a6c8

Download Submit
C:\Windows\System\bitJEKM.exe

Filesize
5.2MB

MD5
d5c1edf82d44a3a9533c57e3926faee0

SHA1
fd842d72e7b42684a24bc9ef52dfbec0e0ee86f4

SHA256
2cbe1274a90983c9d9e1211d770e63f87474ea293f98a9bd49d8734ae5d1f6c7

SHA512
9e179b190950cea4db5cfbbba11bb23edae2607c43181126e8df1cc76401a49c20c119af5240617111853d235e2a70d8b61ab79d9b4fa30408eb97e4e00945d8

Download Submit
C:\Windows\System\dhhkGJB.exe

Filesize
5.2MB

MD5
d142c71524986c5247cb6474c7da45ab

SHA1
7e1ac6e20faef7d785d7cc9a44776e8045b82288

SHA256
6725a96520e9510f3d815d047e08376616b8a9bf4a938b9117bc2bc888ec230a

SHA512
f3c8135cc0f4c4a3c9e3345859390f27f7f2773207c9d449b667279e47929f3731a2d2d4cc772ef1b387e65aa73caf58dd54b6a1f4509993acc670bf252daa81

Download Submit
C:\Windows\System\iHqIlgD.exe

Filesize
5.2MB

MD5
9f42f880854e5e7802be926163d10e54

SHA1
ff3d4b8e467a5524d36ba01036a5993085106720

SHA256
c5a92c1ecd3e394dbe344dc48992a8d6352683b36567d807df55d0dcc0555641

SHA512
8d0375a9389d18ccbf09d47035cd869170e352d74d29fc64839f2e552177bd1656f27dae7cdca35a62fce5c50c6dc36327b02abdccf9c70a217747c30ca557dc

Download Submit
C:\Windows\System\jvcvxHF.exe

Filesize
5.2MB

MD5
0a60616641d11b698d391fd1189fa237

SHA1
c57734a4d142ae6e35f851181e9642ab7cc07528

SHA256
c80bc3c17da9d90b7320291a01ecf9c901ee01ae3294ed34067e443d53b0390e

SHA512
3c977d04e6367fb8cc94235584baf4f28c8ba91312c672c03cd057968b7e85bbad06cb8371bdaa4baf12804d578365002f9e1d3be68e1615b96de35917939f01

Download Submit
C:\Windows\System\pAUdicc.exe

Filesize
5.2MB

MD5
4a551992821e05fa083f38370de6adf5

SHA1
3e337141e3e2a2ad0bf4251b2be6b78e0a34b524

SHA256
9c59ecc9a07045edf7245cb5d3477bb348188202cf2d15070d4a58e0ba979fc3

SHA512
cab6ebe23e4db858d0a951525b61ff54f1ca756ff65fa28a898f9f5f45151693323b3858909a4ee8baa4be1c4f1718796385e5ab61393ca78766281d1ebdb4fd

Download Submit
C:\Windows\System\qvIkekP.exe

Filesize
5.2MB

MD5
c6c05eb280ce3515dc1bad7dfdd897c8

SHA1
7c3b700dad4af2fdfdaafc3763f4f28266c7053f

SHA256
01b098a9637dae605fe891b8031e8ef7b229e71b6efbe30b432ec8c81674f205

SHA512
85ac0bf6ae4a9d673d0d45a9b1d25ff530c4bbb5dc71b4614519d895bdc0dd0c152217acc77da45bd4c2ed297293abc66266e4e3cf619ee0d7787fe55857ea66

Download Submit
C:\Windows\System\sVmPdIJ.exe

Filesize
5.2MB

MD5
b21532fe3f103d611feaa2aa64d5d902

SHA1
38f02ed752b3b91d2418529ab16dd0e57ec6d7aa

SHA256
1508a66bb3c33f48c9e4556c266117ee50e82c576415129db2d1fcfc075bdf34

SHA512
ad9b3e0c4a2cf551c7b4cb3e161d05ea55970e415d2d92f0030a45c3d8b505920aeac42c8219ea590a4761cc7b274d451bd87b89f7be6895fe31d3405370633b

Download Submit
C:\Windows\System\vdwewGY.exe

Filesize
5.2MB

MD5
33f13d21ef523f726b2536be591b1cda

SHA1
4861c2d8b02b6f600a5809787ef43cd0c6a4b045

SHA256
a919e42a3d5f4986ab0f90f5d6a60fc4c9182de183411ccfce4c45c659f9979a

SHA512
36ed8405e71b271f5a4a81a69e4f3d9f5a7b74892852133dad8530a18340c138966ec216cac61336607ef60a4efbee2c9ce75c2b5e5ec590d2db6ed32e91c6ac

Download Submit
C:\Windows\System\xXfXpEp.exe

Filesize
5.2MB

MD5
4ecf89eb77f21b157fcf0f130839d558

SHA1
9e202f1ff7c156c01c39b7405eb77b0235970eec

SHA256
43b95156516a3b7a98d75f709b5de7be7cac4cf7f0be15c678736af69b247a84

SHA512
ec07bbb9477f7bf8885c0bb818e899d723bdeae187335bf84347a3192054a70848e345afd548fac37ca29aa139b7c650096885c41f113e7c1fdccaeb8d5fdb78

Download Submit
memory/316-95-0x00007FF71B480000-0x00007FF71B7D1000-memory.dmp

Filesize
3.3MB

Download
memory/316-230-0x00007FF71B480000-0x00007FF71B7D1000-memory.dmp

Filesize
3.3MB

Download
memory/436-145-0x00007FF71BE70000-0x00007FF71C1C1000-memory.dmp

Filesize
3.3MB

Download
memory/436-109-0x00007FF71BE70000-0x00007FF71C1C1000-memory.dmp

Filesize
3.3MB

Download
memory/436-253-0x00007FF71BE70000-0x00007FF71C1C1000-memory.dmp

Filesize
3.3MB

Download
memory/544-148-0x00007FF69E800000-0x00007FF69EB51000-memory.dmp

Filesize
3.3MB

Download
memory/544-247-0x00007FF69E800000-0x00007FF69EB51000-memory.dmp

Filesize
3.3MB

Download
memory/544-115-0x00007FF69E800000-0x00007FF69EB51000-memory.dmp

Filesize
3.3MB

Download
memory/636-139-0x00007FF703E50000-0x00007FF7041A1000-memory.dmp

Filesize
3.3MB

Download
memory/636-231-0x00007FF703E50000-0x00007FF7041A1000-memory.dmp

Filesize
3.3MB

Download
memory/636-68-0x00007FF703E50000-0x00007FF7041A1000-memory.dmp

Filesize
3.3MB

Download
memory/824-239-0x00007FF7A7280000-0x00007FF7A75D1000-memory.dmp

Filesize
3.3MB

Download
memory/824-46-0x00007FF7A7280000-0x00007FF7A75D1000-memory.dmp

Filesize
3.3MB

Download
memory/824-134-0x00007FF7A7280000-0x00007FF7A75D1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-207-0x00007FF783600000-0x00007FF783951000-memory.dmp

Filesize
3.3MB

Download
memory/1028-16-0x00007FF783600000-0x00007FF783951000-memory.dmp

Filesize
3.3MB

Download
memory/1028-130-0x00007FF783600000-0x00007FF783951000-memory.dmp

Filesize
3.3MB

Download
memory/1268-257-0x00007FF638F00000-0x00007FF639251000-memory.dmp

Filesize
3.3MB

Download
memory/1268-144-0x00007FF638F00000-0x00007FF639251000-memory.dmp

Filesize
3.3MB

Download
memory/1268-98-0x00007FF638F00000-0x00007FF639251000-memory.dmp

Filesize
3.3MB

Download
memory/1384-226-0x00007FF7DA730000-0x00007FF7DAA81000-memory.dmp

Filesize
3.3MB

Download
memory/1384-85-0x00007FF7DA730000-0x00007FF7DAA81000-memory.dmp

Filesize
3.3MB

Download
memory/1388-141-0x00007FF74A000000-0x00007FF74A351000-memory.dmp

Filesize
3.3MB

Download
memory/1388-69-0x00007FF74A000000-0x00007FF74A351000-memory.dmp

Filesize
3.3MB

Download
memory/1388-235-0x00007FF74A000000-0x00007FF74A351000-memory.dmp

Filesize
3.3MB

Download
memory/1552-150-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-0-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-128-0x00007FF691EA0000-0x00007FF6921F1000-memory.dmp

Filesize
3.3MB

Download
memory/1552-1-0x000001D61CC40000-0x000001D61CC50000-memory.dmp

Filesize
64KB

Download
memory/2356-129-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp

Filesize
3.3MB

Download
memory/2356-8-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp

Filesize
3.3MB

Download
memory/2356-205-0x00007FF7279F0000-0x00007FF727D41000-memory.dmp

Filesize
3.3MB

Download
memory/2632-255-0x00007FF7A6FC0000-0x00007FF7A7311000-memory.dmp

Filesize
3.3MB

Download
memory/2632-117-0x00007FF7A6FC0000-0x00007FF7A7311000-memory.dmp

Filesize
3.3MB

Download
memory/2632-149-0x00007FF7A6FC0000-0x00007FF7A7311000-memory.dmp

Filesize
3.3MB

Download
memory/3392-220-0x00007FF6A3C30000-0x00007FF6A3F81000-memory.dmp

Filesize
3.3MB

Download
memory/3392-77-0x00007FF6A3C30000-0x00007FF6A3F81000-memory.dmp

Filesize
3.3MB

Download
memory/3496-146-0x00007FF7CED60000-0x00007FF7CF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-252-0x00007FF7CED60000-0x00007FF7CF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-113-0x00007FF7CED60000-0x00007FF7CF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-30-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp

Filesize
3.3MB

Download
memory/3892-131-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp

Filesize
3.3MB

Download
memory/3892-223-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp

Filesize
3.3MB

Download
memory/4320-227-0x00007FF73F6E0000-0x00007FF73FA31000-memory.dmp

Filesize
3.3MB

Download
memory/4320-89-0x00007FF73F6E0000-0x00007FF73FA31000-memory.dmp

Filesize
3.3MB

Download
memory/4480-35-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-221-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-132-0x00007FF6CE780000-0x00007FF6CEAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4516-241-0x00007FF60E340000-0x00007FF60E691000-memory.dmp

Filesize
3.3MB

Download
memory/4516-93-0x00007FF60E340000-0x00007FF60E691000-memory.dmp

Filesize
3.3MB

Download
memory/4932-116-0x00007FF79DEC0000-0x00007FF79E211000-memory.dmp

Filesize
3.3MB

Download
memory/4932-249-0x00007FF79DEC0000-0x00007FF79E211000-memory.dmp

Filesize
3.3MB

Download
memory/4932-147-0x00007FF79DEC0000-0x00007FF79E211000-memory.dmp

Filesize
3.3MB

Download
memory/4952-240-0x00007FF6CBB40000-0x00007FF6CBE91000-memory.dmp

Filesize
3.3MB

Download
memory/4952-86-0x00007FF6CBB40000-0x00007FF6CBE91000-memory.dmp

Filesize
3.3MB

Download
memory/4956-236-0x00007FF6C6E70000-0x00007FF6C71C1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-137-0x00007FF6C6E70000-0x00007FF6C71C1000-memory.dmp

Filesize
3.3MB

Download
memory/4956-61-0x00007FF6C6E70000-0x00007FF6C71C1000-memory.dmp

Filesize
3.3MB

Download
memory/5044-243-0x00007FF6F78E0000-0x00007FF6F7C31000-memory.dmp

Filesize
3.3MB

Download
memory/5044-94-0x00007FF6F78E0000-0x00007FF6F7C31000-memory.dmp

Filesize
3.3MB

Download