cobaltstrike | 3cc9dc2ce15b7107feec341facbda26ceef03460082e292155f4b1401d2cb175

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

08886a3a084693c9115640eecdc10646
SHA1

c55d81fd2d0857ccb4d2fa7c8ce6f6f18fe03d2c
SHA256

3cc9dc2ce15b7107feec341facbda26ceef03460082e292155f4b1401d2cb175
SHA512

7f1756c1261f225aa3f9ea1d48cc42bc813c2452276c9259892a4420b3842fe9d86675aa220b3678424f1ea0f7078d551273a71cd56cb0ebac985c1a37311a21
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibj56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b9e-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba3-11.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-29.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba6-38.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-47.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb1-105.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb0-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baf-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bae-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-78.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-65.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb2-116.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022a91-125.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022aaa-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1032-16-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp	xmrig
behavioral2/memory/4796-85-0x00007FF741A30000-0x00007FF741D81000-memory.dmp	xmrig
behavioral2/memory/2180-88-0x00007FF723520000-0x00007FF723871000-memory.dmp	xmrig
behavioral2/memory/4136-107-0x00007FF602E90000-0x00007FF6031E1000-memory.dmp	xmrig
behavioral2/memory/1468-110-0x00007FF783A90000-0x00007FF783DE1000-memory.dmp	xmrig
behavioral2/memory/2588-109-0x00007FF7E0190000-0x00007FF7E04E1000-memory.dmp	xmrig
behavioral2/memory/2576-108-0x00007FF65CDA0000-0x00007FF65D0F1000-memory.dmp	xmrig
behavioral2/memory/2420-102-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp	xmrig
behavioral2/memory/4152-98-0x00007FF7A6AA0000-0x00007FF7A6DF1000-memory.dmp	xmrig
behavioral2/memory/412-93-0x00007FF611FB0000-0x00007FF612301000-memory.dmp	xmrig
behavioral2/memory/8-35-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp	xmrig
behavioral2/memory/2368-111-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp	xmrig
behavioral2/memory/1032-117-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp	xmrig
behavioral2/memory/4436-119-0x00007FF6655D0000-0x00007FF665921000-memory.dmp	xmrig
behavioral2/memory/4292-124-0x00007FF740C30000-0x00007FF740F81000-memory.dmp	xmrig
behavioral2/memory/4420-123-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp	xmrig
behavioral2/memory/8-132-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp	xmrig
behavioral2/memory/5036-133-0x00007FF605CB0000-0x00007FF606001000-memory.dmp	xmrig
behavioral2/memory/2420-134-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp	xmrig
behavioral2/memory/2096-142-0x00007FF70D050000-0x00007FF70D3A1000-memory.dmp	xmrig
behavioral2/memory/4868-151-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp	xmrig
behavioral2/memory/440-143-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	xmrig
behavioral2/memory/2412-141-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp	xmrig
behavioral2/memory/3864-153-0x00007FF639150000-0x00007FF6394A1000-memory.dmp	xmrig
behavioral2/memory/4084-154-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	xmrig
behavioral2/memory/2420-158-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp	xmrig
behavioral2/memory/2368-211-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp	xmrig
behavioral2/memory/1032-213-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp	xmrig
behavioral2/memory/4420-215-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp	xmrig
behavioral2/memory/4292-217-0x00007FF740C30000-0x00007FF740F81000-memory.dmp	xmrig
behavioral2/memory/8-230-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp	xmrig
behavioral2/memory/4868-232-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp	xmrig
behavioral2/memory/2412-234-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp	xmrig
behavioral2/memory/2096-236-0x00007FF70D050000-0x00007FF70D3A1000-memory.dmp	xmrig
behavioral2/memory/440-238-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	xmrig
behavioral2/memory/4796-246-0x00007FF741A30000-0x00007FF741D81000-memory.dmp	xmrig
behavioral2/memory/4152-249-0x00007FF7A6AA0000-0x00007FF7A6DF1000-memory.dmp	xmrig
behavioral2/memory/2576-250-0x00007FF65CDA0000-0x00007FF65D0F1000-memory.dmp	xmrig
behavioral2/memory/2588-252-0x00007FF7E0190000-0x00007FF7E04E1000-memory.dmp	xmrig
behavioral2/memory/2180-242-0x00007FF723520000-0x00007FF723871000-memory.dmp	xmrig
behavioral2/memory/412-241-0x00007FF611FB0000-0x00007FF612301000-memory.dmp	xmrig
behavioral2/memory/4136-244-0x00007FF602E90000-0x00007FF6031E1000-memory.dmp	xmrig
behavioral2/memory/3864-254-0x00007FF639150000-0x00007FF6394A1000-memory.dmp	xmrig
behavioral2/memory/1468-256-0x00007FF783A90000-0x00007FF783DE1000-memory.dmp	xmrig
behavioral2/memory/4436-260-0x00007FF6655D0000-0x00007FF665921000-memory.dmp	xmrig
behavioral2/memory/4084-263-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	xmrig
behavioral2/memory/5036-265-0x00007FF605CB0000-0x00007FF606001000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2368	uLnPTbz.exe
1032	sRlfiiP.exe
4420	VwnyQIT.exe
4292	oxBPKHR.exe
8	wRnTpMu.exe
4868	VXznlCl.exe
2412	SkoobZQ.exe
2096	atgIQnP.exe
440	pIxuUHx.exe
4796	yGmXBMA.exe
4136	rZXnAgu.exe
2180	apgtAiX.exe
412	TVVRzDc.exe
4152	rOliDYY.exe
2576	eXjAWbk.exe
2588	NLVBnCu.exe
1468	ZqLHpLL.exe
3864	QMSZrAp.exe
4436	LXVOEso.exe
4084	CpbSiNl.exe
5036	wgtqNak.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2420-0-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp	upx
behavioral2/files/0x000b000000023b9e-4.dat	upx
behavioral2/memory/2368-8-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-12.dat	upx
behavioral2/files/0x000a000000023ba3-11.dat	upx
behavioral2/memory/1032-16-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba4-23.dat	upx
behavioral2/files/0x000a000000023ba5-29.dat	upx
behavioral2/memory/4292-32-0x00007FF740C30000-0x00007FF740F81000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-38.dat	upx
behavioral2/files/0x000a000000023ba7-43.dat	upx
behavioral2/files/0x000a000000023ba8-47.dat	upx
behavioral2/files/0x000a000000023baa-61.dat	upx
behavioral2/files/0x000a000000023bac-80.dat	upx
behavioral2/memory/4796-85-0x00007FF741A30000-0x00007FF741D81000-memory.dmp	upx
behavioral2/memory/2180-88-0x00007FF723520000-0x00007FF723871000-memory.dmp	upx
behavioral2/memory/3864-101-0x00007FF639150000-0x00007FF6394A1000-memory.dmp	upx
behavioral2/memory/4136-107-0x00007FF602E90000-0x00007FF6031E1000-memory.dmp	upx
behavioral2/memory/1468-110-0x00007FF783A90000-0x00007FF783DE1000-memory.dmp	upx
behavioral2/memory/2588-109-0x00007FF7E0190000-0x00007FF7E04E1000-memory.dmp	upx
behavioral2/memory/2576-108-0x00007FF65CDA0000-0x00007FF65D0F1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-105.dat	upx
behavioral2/files/0x000a000000023bb0-103.dat	upx
behavioral2/memory/2420-102-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-99.dat	upx
behavioral2/memory/4152-98-0x00007FF7A6AA0000-0x00007FF7A6DF1000-memory.dmp	upx
behavioral2/files/0x000a000000023bae-95.dat	upx
behavioral2/memory/412-93-0x00007FF611FB0000-0x00007FF612301000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-87.dat	upx
behavioral2/files/0x000a000000023bab-78.dat	upx
behavioral2/files/0x000a000000023ba9-65.dat	upx
behavioral2/memory/440-64-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	upx
behavioral2/files/0x000b000000023b9f-59.dat	upx
behavioral2/memory/2096-50-0x00007FF70D050000-0x00007FF70D3A1000-memory.dmp	upx
behavioral2/memory/2412-41-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp	upx
behavioral2/memory/4868-36-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp	upx
behavioral2/memory/8-35-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp	upx
behavioral2/memory/4420-20-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp	upx
behavioral2/memory/2368-111-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp	upx
behavioral2/memory/1032-117-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp	upx
behavioral2/memory/4436-119-0x00007FF6655D0000-0x00007FF665921000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-116.dat	upx
behavioral2/memory/4292-124-0x00007FF740C30000-0x00007FF740F81000-memory.dmp	upx
behavioral2/files/0x0003000000022a91-125.dat	upx
behavioral2/memory/4420-123-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp	upx
behavioral2/memory/8-132-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp	upx
behavioral2/memory/4084-130-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	upx
behavioral2/files/0x0003000000022aaa-128.dat	upx
behavioral2/memory/5036-133-0x00007FF605CB0000-0x00007FF606001000-memory.dmp	upx
behavioral2/memory/2420-134-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp	upx
behavioral2/memory/2096-142-0x00007FF70D050000-0x00007FF70D3A1000-memory.dmp	upx
behavioral2/memory/4868-151-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp	upx
behavioral2/memory/440-143-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp	upx
behavioral2/memory/2412-141-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp	upx
behavioral2/memory/3864-153-0x00007FF639150000-0x00007FF6394A1000-memory.dmp	upx
behavioral2/memory/4084-154-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp	upx
behavioral2/memory/2420-158-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp	upx
behavioral2/memory/2368-211-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp	upx
behavioral2/memory/1032-213-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp	upx
behavioral2/memory/4420-215-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp	upx
behavioral2/memory/4292-217-0x00007FF740C30000-0x00007FF740F81000-memory.dmp	upx
behavioral2/memory/8-230-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp	upx
behavioral2/memory/4868-232-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp	upx
behavioral2/memory/2412-234-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uLnPTbz.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SkoobZQ.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOliDYY.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CpbSiNl.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sRlfiiP.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxBPKHR.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wRnTpMu.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\atgIQnP.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\apgtAiX.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eXjAWbk.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QMSZrAp.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VXznlCl.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yGmXBMA.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TVVRzDc.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NLVBnCu.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZqLHpLL.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wgtqNak.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VwnyQIT.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pIxuUHx.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rZXnAgu.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LXVOEso.exe	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2368	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2420 wrote to memory of 2368	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2420 wrote to memory of 1032	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2420 wrote to memory of 1032	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2420 wrote to memory of 4420	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2420 wrote to memory of 4420	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2420 wrote to memory of 4292	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2420 wrote to memory of 4292	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2420 wrote to memory of 8	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2420 wrote to memory of 8	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2420 wrote to memory of 4868	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2420 wrote to memory of 4868	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2420 wrote to memory of 2412	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2420 wrote to memory of 2412	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2420 wrote to memory of 2096	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2420 wrote to memory of 2096	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2420 wrote to memory of 440	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2420 wrote to memory of 440	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2420 wrote to memory of 4796	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2420 wrote to memory of 4796	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2420 wrote to memory of 4136	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2420 wrote to memory of 4136	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2420 wrote to memory of 2180	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2420 wrote to memory of 2180	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2420 wrote to memory of 412	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2420 wrote to memory of 412	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2420 wrote to memory of 4152	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2420 wrote to memory of 4152	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2420 wrote to memory of 2576	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2420 wrote to memory of 2576	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2420 wrote to memory of 2588	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2420 wrote to memory of 2588	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2420 wrote to memory of 1468	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2420 wrote to memory of 1468	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2420 wrote to memory of 3864	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2420 wrote to memory of 3864	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2420 wrote to memory of 4436	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2420 wrote to memory of 4436	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2420 wrote to memory of 4084	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2420 wrote to memory of 4084	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2420 wrote to memory of 5036	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2420 wrote to memory of 5036	2420	2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_08886a3a084693c9115640eecdc10646_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System\uLnPTbz.exe
  C:\Windows\System\uLnPTbz.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\sRlfiiP.exe
  C:\Windows\System\sRlfiiP.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\VwnyQIT.exe
  C:\Windows\System\VwnyQIT.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\oxBPKHR.exe
  C:\Windows\System\oxBPKHR.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\wRnTpMu.exe
  C:\Windows\System\wRnTpMu.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\VXznlCl.exe
  C:\Windows\System\VXznlCl.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\SkoobZQ.exe
  C:\Windows\System\SkoobZQ.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\atgIQnP.exe
  C:\Windows\System\atgIQnP.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\pIxuUHx.exe
  C:\Windows\System\pIxuUHx.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\yGmXBMA.exe
  C:\Windows\System\yGmXBMA.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\rZXnAgu.exe
  C:\Windows\System\rZXnAgu.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\apgtAiX.exe
  C:\Windows\System\apgtAiX.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\TVVRzDc.exe
  C:\Windows\System\TVVRzDc.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\rOliDYY.exe
  C:\Windows\System\rOliDYY.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\eXjAWbk.exe
  C:\Windows\System\eXjAWbk.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\NLVBnCu.exe
  C:\Windows\System\NLVBnCu.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\ZqLHpLL.exe
  C:\Windows\System\ZqLHpLL.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\QMSZrAp.exe
  C:\Windows\System\QMSZrAp.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\LXVOEso.exe
  C:\Windows\System\LXVOEso.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\CpbSiNl.exe
  C:\Windows\System\CpbSiNl.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\wgtqNak.exe
  C:\Windows\System\wgtqNak.exe
  2⤵
  - Executes dropped EXE
  PID:5036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CpbSiNl.exe

Filesize
5.2MB

MD5
9d10959a3bf9cea4d748a3d61646e83b

SHA1
714578a44932aafe3e74017b1e1d48c9cbf93f2d

SHA256
dc2754488e3c20d29b3cf3bd7175e51a11ff58aee37a18bef0cea168852f7bfd

SHA512
b9bcf43dd1262644f6a5e69558cd2124e7bba921d3baefa6ed062ea130aa78faf19fc3e488ff7ab03de1f3edaf2d4bcb18f8b9acf3ddeeab6879d80a46bf298d

Download Submit
C:\Windows\System\LXVOEso.exe

Filesize
5.2MB

MD5
1011327322a49e7a297f8f1d2d976aa4

SHA1
3549d24dc69dd9fa277bf4e3e86ba4a2087696a9

SHA256
d8c66dbba3d64781e913e5877de1460967c7865e3add7f6e4f7d537a58de6f66

SHA512
28be02a9dd245e38da211839b3a97760152fb0fca09cb6d5323facbc93c21a77ccffeab6825d23fc6c26dc1d42f1a9fd9af0b6037d037998829865aac22429df

Download Submit
C:\Windows\System\NLVBnCu.exe

Filesize
5.2MB

MD5
97409e28027da93f39b132956876f9a2

SHA1
9b1b86106032237d4ac36d3465628c4d32bb8fb8

SHA256
809a43f9a3f3d73b0fef5e2547684c476e49783353b14d33184cb151bcaadd94

SHA512
7989fc05fd5ea05d317e0d7c40692852548c16e9bf29e9e468bb7ddcb63368ee3674167c44ced4fbd308e389c444e724eb0707c459a8dfc4eec7b93a6752b64e

Download Submit
C:\Windows\System\QMSZrAp.exe

Filesize
5.2MB

MD5
7a573e018831390d21f657ee868b2404

SHA1
27cff5b3cd7dddd1c65792672ab85b6baba7dc02

SHA256
42118ba45c121016d87caa22ab6750290d5e5e94cff2dd2a62403d049901661c

SHA512
261447c979d3444f521b9351d03eea55b6f90874c774ff2df2fe3c6638f32cbed7b52e01ea8782cf896a5ecbf0caf9409818d7c68f2e51c374305ada873808b0

Download Submit
C:\Windows\System\SkoobZQ.exe

Filesize
5.2MB

MD5
8b33dda6a1a9ca454c97d33888e7e994

SHA1
3d1e13ce38aa56e0dd390a6b3f856b665555d03d

SHA256
050f6e24a803cc451802df7a4161747d3c5507619eb481a6cdf76d7e3a8a892e

SHA512
c4f0be52d267c44db5eb61046722b6dd5321fb4daa5fb6982cc1bbd1c6467d282b3a12988cca56a27175342584ae556026dfc8518e34ded0255968694a674811

Download Submit
C:\Windows\System\TVVRzDc.exe

Filesize
5.2MB

MD5
2e843ee8d9e9bb37f2ade714529b8720

SHA1
10844e08798c46eba4a4e93c4b4af5d42fbd0824

SHA256
a406a31f2ad13f673d1cd828ca0f923b6376968ac7097f76cdddf33293aca3bc

SHA512
ad38856b6f4d16c63452d7e6130ac1475d2674ccb02797b99ac04d17d43c8780677440fc17e4cb7df0876f45d3d36334f9764a10e585036272fc8e343d2a21b3

Download Submit
C:\Windows\System\VXznlCl.exe

Filesize
5.2MB

MD5
ffb9fb82bd791669d4e95db21ec8f3e8

SHA1
6ae928b0fc73fedf6c3e64104116ff6a2f7dcece

SHA256
9527367db1c09e46033f0bdbedc2ffe2545226dbb94bf06098bd3a27cb702fdc

SHA512
10c9abe22727af21904084b514ca8cfffca089bb0a45352b8609a74430b74757abf4a7455d87ecf7f066c379c9cf970aade6174d5106f80394840dbf5627420e

Download Submit
C:\Windows\System\VwnyQIT.exe

Filesize
5.2MB

MD5
fa2bcb43092d670499962aa35bcee1f9

SHA1
2dcda1e5de6f8af93b7b1879197d8fb1b4ea6400

SHA256
a5401e3bfa6359f255f88d9ba6d1325759fcd9dab4a425772bbbd2b432cee2a5

SHA512
5091653a8ddfc4f2ea78805d79563d42d58b937876498fbcaa3169063d3c4617b27e2206718a84bc9e7e1983861d87918706a7f78692ded8ca59f66d0325f66b

Download Submit
C:\Windows\System\ZqLHpLL.exe

Filesize
5.2MB

MD5
f27a4b86ac7c11af72bbdc8970c63981

SHA1
cd3b14bbfb89660587e10aef1790cdf91a8b1367

SHA256
694346223bfbba486302e9a72cf3a5106074d090a2f3e419db7c73245689e581

SHA512
f676a99899aaadb78f4de01f8f3e9f7aa92e67237bcdc88cba6c6b11c81889d6aa29fb0cb1f5025e4c0107f070bbe61b116f44cd2741201d63986b212a07c26d

Download Submit
C:\Windows\System\apgtAiX.exe

Filesize
5.2MB

MD5
3427b815d854f9e99b55aa628720ad86

SHA1
579f9d891d8d0ee517dfcfb2568f478b77b44818

SHA256
aa2ea330188fbe639553e5130f92c379128af185006b9bf434fbe27865efe063

SHA512
268f0ee3f1f78ac06c583f447c4d7a415bc7790b8a06ef41701e5ba0a4abee626c59a488fb3b2679ff617a102140e317d91caa2da107779e2280f26bd7250bdf

Download Submit
C:\Windows\System\atgIQnP.exe

Filesize
5.2MB

MD5
41fc3d3efd2b5d8606d9dd9d7d10445d

SHA1
97d13005f90bad049aac14117eba08f263d3a443

SHA256
277d3c9c5541a3450fcb4ddde310620bfbf24d5b62198520b727e747bb48eecd

SHA512
a68b52452c4d7ce7a40a9e91047ba4a22275bf34e58fe56738cce4aa797f048c73e2772c0345cc306f5ba316ac119707f9f9d237c30520159010f4112baeb052

Download Submit
C:\Windows\System\eXjAWbk.exe

Filesize
5.2MB

MD5
34dc0ef21765eff481c246d6ce86be44

SHA1
a8389cb29c8b29c7b137e0f8c66ce654b1316670

SHA256
75c5c95c3209150a7dd5b116578d822bce504a21623c47ff26558a1717f745fa

SHA512
9e9a0df8eb3c632f4025c7a4b0edf3167c3eaaa5f59425e862ff7e973359ab26f15afbb5a90830c290fec88fc13cba13f36d41619122ba5337ab32ea3286ffd8

Download Submit
C:\Windows\System\oxBPKHR.exe

Filesize
5.2MB

MD5
13b5c1e98f300f29434974d00f3f887c

SHA1
5805610fbdf6a406648681555df9f3e72d2f85c6

SHA256
6174ecb12280298b3e18636e1e76488cbfe7c903e89c8bbb4815f7ec45f98146

SHA512
21c69e2428a172a96a3660960829040ccd6e96fa48e9ea35e690858978cd7c2d623b34fe8c22d3671c35329ab3dbb7b451ac2bba767d9c40af8a047a585ce2ff

Download Submit
C:\Windows\System\pIxuUHx.exe

Filesize
5.2MB

MD5
0bac0966c9534ec791cd8f8add53e603

SHA1
78ef63b22312de60f35fd3bf3cc1768320c93699

SHA256
530933603a2af509d35d1b264798daef7f1be3e18fcf1ac6436e13971adce887

SHA512
b8f1d4218769ac645934c5faddaf198f328e83c2a97c321fc7b759dc146c2ce4dacc7a4db82647139edd2018ea6ab95203162355b79dff0b084d489678494b91

Download Submit
C:\Windows\System\rOliDYY.exe

Filesize
5.2MB

MD5
4d59479ffff14a8c9b2dfb43dcd5775d

SHA1
5086596e5d78141d51fe9e340b2c260be8b9bd41

SHA256
212f2d3938b77cae044c368a7568a290b55c5be0edd8960ace11efa608211f9f

SHA512
d9908b7761088684e3799fb83edcd80142a3cd96ee3721190035ead2ac0eb0f4116d22ccfa4266269998dde4430162c55072d1a5a6a801e5b997dbeb8f78a57f

Download Submit
C:\Windows\System\rZXnAgu.exe

Filesize
5.2MB

MD5
56d052bb50e55ef054988472cc6bcf31

SHA1
3cdde8133c34b4467c62af90399a7f484f283ab2

SHA256
f394a22923651b20ee8438b8bffc480d7f08853615f869d43c4b1d2d0bf63ed0

SHA512
01889de9cd33acaf628120064dc01c12868765a0f6a5146a09d80d1ea2a89be929b5038d3ac355f41731bfb0c93e2daf921c65f3246821c0fda5b39b95613454

Download Submit
C:\Windows\System\sRlfiiP.exe

Filesize
5.2MB

MD5
52b28165d161e19eb8c7eb353c64780c

SHA1
c8b78cb7add90eb03cc7ed7ef8a4e3732f52ebe5

SHA256
0dde677483d3079d0e193f683dbd2d77bef4d6206dcc83a62feca5d7cc84baf8

SHA512
9d8fe93bb2cd87cabe55fb36a114bbc7c6175d71c3fef48ddb8c34c3d4e3bc459b9fa5c963b51a19b3a75f59f04ce93bf2b991d4b1002db664ce48f5e7008772

Download Submit
C:\Windows\System\uLnPTbz.exe

Filesize
5.2MB

MD5
1a2ab4b0a8f6522665d7930f5e8e06e5

SHA1
df64bb4f9832a8a5d8deffe164fe7540c4c776c8

SHA256
a3d8f27670df513255bee8b6e84d97c9e9b2232e77d36188ab05d8dc8dc0a53f

SHA512
1e1883357173faddbff89e8b51093c552006bc69ba3b1ab9730a377d9551ae514311c1f3e77028dc9da8d1e5751d47fb3e0401b3fcf97b16a925340fa2edb883

Download Submit
C:\Windows\System\wRnTpMu.exe

Filesize
5.2MB

MD5
ee455b771937d89807ef20c1d23f48c8

SHA1
321a7c721c52465ce8e092a8bda1aa0b362ae43c

SHA256
a3fecbe9ef9e5ae8a17d5f9c57ce7280e01702cf402ef7ec906a8f4b11f5d9db

SHA512
673acf44e3a80240865ab9a5a805317229902bc2eb67be97bab94e4a50f5f7456004cc236ec46fdbafd721bfe6643d46bf7abeb69a4c8b7cf36905446f958a71

Download Submit
C:\Windows\System\wgtqNak.exe

Filesize
5.2MB

MD5
51c9cc96ced9e193c02d2a70b6401366

SHA1
ac4e793cea1ad26d22ed8b0c8c6ae64a09b551ba

SHA256
1c202e590dc5fd71f3a362cf9ffcc1d2227da2365237f76affba52891e1b8904

SHA512
329a7fcb822ac87fc17a2deb3d83625f07e2ff0fa41049865d1ff094808e77888ac7d775552b7f89686d2d93a1a5d91b29292dcc6b3ed80ef076c73f2760c4b1

Download Submit
C:\Windows\System\yGmXBMA.exe

Filesize
5.2MB

MD5
e187e3e4e30649c5300c2541ecbb2465

SHA1
e551c332d3f5d46ff99e95df3954695ea84d7b2c

SHA256
9b9ad5a0864abe698ec002ceaa94d59bb5d425a181ff0c3a377624d77c83f68c

SHA512
41ccea38b20ed91cb320dd0dcd794e30baff4ed261fab0d132b64c94f438cf11e70074b67a65fcd51ff345eea2bb345428c0c60853a75f02f947a6bbd4f1435b

Download Submit
memory/8-230-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp

Filesize
3.3MB

Download
memory/8-132-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp

Filesize
3.3MB

Download
memory/8-35-0x00007FF7FA470000-0x00007FF7FA7C1000-memory.dmp

Filesize
3.3MB

Download
memory/412-93-0x00007FF611FB0000-0x00007FF612301000-memory.dmp

Filesize
3.3MB

Download
memory/412-241-0x00007FF611FB0000-0x00007FF612301000-memory.dmp

Filesize
3.3MB

Download
memory/440-238-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp

Filesize
3.3MB

Download
memory/440-64-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp

Filesize
3.3MB

Download
memory/440-143-0x00007FF693D60000-0x00007FF6940B1000-memory.dmp

Filesize
3.3MB

Download
memory/1032-213-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1032-16-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1032-117-0x00007FF7E7B80000-0x00007FF7E7ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-110-0x00007FF783A90000-0x00007FF783DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-256-0x00007FF783A90000-0x00007FF783DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-142-0x00007FF70D050000-0x00007FF70D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-236-0x00007FF70D050000-0x00007FF70D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-50-0x00007FF70D050000-0x00007FF70D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-242-0x00007FF723520000-0x00007FF723871000-memory.dmp

Filesize
3.3MB

Download
memory/2180-88-0x00007FF723520000-0x00007FF723871000-memory.dmp

Filesize
3.3MB

Download
memory/2368-111-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-8-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-211-0x00007FF61BE50000-0x00007FF61C1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-141-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-41-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-234-0x00007FF799D80000-0x00007FF79A0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-158-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp

Filesize
3.3MB

Download
memory/2420-0-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp

Filesize
3.3MB

Download
memory/2420-1-0x00000155F7B30000-0x00000155F7B40000-memory.dmp

Filesize
64KB

Download
memory/2420-134-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp

Filesize
3.3MB

Download
memory/2420-102-0x00007FF64C940000-0x00007FF64CC91000-memory.dmp

Filesize
3.3MB

Download
memory/2576-250-0x00007FF65CDA0000-0x00007FF65D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-108-0x00007FF65CDA0000-0x00007FF65D0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2588-252-0x00007FF7E0190000-0x00007FF7E04E1000-memory.dmp

Filesize
3.3MB

Download
memory/2588-109-0x00007FF7E0190000-0x00007FF7E04E1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-254-0x00007FF639150000-0x00007FF6394A1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-153-0x00007FF639150000-0x00007FF6394A1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-101-0x00007FF639150000-0x00007FF6394A1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-263-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-154-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-130-0x00007FF7EA190000-0x00007FF7EA4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-107-0x00007FF602E90000-0x00007FF6031E1000-memory.dmp

Filesize
3.3MB

Download
memory/4136-244-0x00007FF602E90000-0x00007FF6031E1000-memory.dmp

Filesize
3.3MB

Download
memory/4152-98-0x00007FF7A6AA0000-0x00007FF7A6DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4152-249-0x00007FF7A6AA0000-0x00007FF7A6DF1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-217-0x00007FF740C30000-0x00007FF740F81000-memory.dmp

Filesize
3.3MB

Download
memory/4292-32-0x00007FF740C30000-0x00007FF740F81000-memory.dmp

Filesize
3.3MB

Download
memory/4292-124-0x00007FF740C30000-0x00007FF740F81000-memory.dmp

Filesize
3.3MB

Download
memory/4420-215-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp

Filesize
3.3MB

Download
memory/4420-20-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp

Filesize
3.3MB

Download
memory/4420-123-0x00007FF65DD60000-0x00007FF65E0B1000-memory.dmp

Filesize
3.3MB

Download
memory/4436-119-0x00007FF6655D0000-0x00007FF665921000-memory.dmp

Filesize
3.3MB

Download
memory/4436-260-0x00007FF6655D0000-0x00007FF665921000-memory.dmp

Filesize
3.3MB

Download
memory/4796-85-0x00007FF741A30000-0x00007FF741D81000-memory.dmp

Filesize
3.3MB

Download
memory/4796-246-0x00007FF741A30000-0x00007FF741D81000-memory.dmp

Filesize
3.3MB

Download
memory/4868-232-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp

Filesize
3.3MB

Download
memory/4868-151-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp

Filesize
3.3MB

Download
memory/4868-36-0x00007FF7E9DB0000-0x00007FF7EA101000-memory.dmp

Filesize
3.3MB

Download
memory/5036-133-0x00007FF605CB0000-0x00007FF606001000-memory.dmp

Filesize
3.3MB

Download
memory/5036-265-0x00007FF605CB0000-0x00007FF606001000-memory.dmp

Filesize
3.3MB

Download