cobaltstrike | d0b1ced72dd74838406ba4724862fea8cd006b4d3a7cfb18fa97a930fd49e731

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

9a8d2d46d6a411513fc76b2522c1b1db
SHA1

ab809d70f7d98cac0fc1eb310b648ed3cc693fa5
SHA256

d0b1ced72dd74838406ba4724862fea8cd006b4d3a7cfb18fa97a930fd49e731
SHA512

bd41d6b5445fab879555efc5070cf6af5d132273260eb9c22db90d1a8044e6a63f6d8d7e64a1e73f82ba6fd004a33a53ccddab4d354d9179f35f766dddb0133e
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibj56utgpPFotBER/mQ32lUl

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023416-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-7.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-26.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-53.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023417-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-105.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-130.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-133.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-117.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3168-60-0x00007FF706A00000-0x00007FF706D51000-memory.dmp	xmrig
behavioral2/memory/2480-62-0x00007FF6E7750000-0x00007FF6E7AA1000-memory.dmp	xmrig
behavioral2/memory/1056-57-0x00007FF64AB10000-0x00007FF64AE61000-memory.dmp	xmrig
behavioral2/memory/4220-56-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp	xmrig
behavioral2/memory/1404-125-0x00007FF6AEB60000-0x00007FF6AEEB1000-memory.dmp	xmrig
behavioral2/memory/3764-103-0x00007FF71D710000-0x00007FF71DA61000-memory.dmp	xmrig
behavioral2/memory/3288-102-0x00007FF635210000-0x00007FF635561000-memory.dmp	xmrig
behavioral2/memory/2148-87-0x00007FF78D320000-0x00007FF78D671000-memory.dmp	xmrig
behavioral2/memory/1668-84-0x00007FF606460000-0x00007FF6067B1000-memory.dmp	xmrig
behavioral2/memory/3424-69-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	xmrig
behavioral2/memory/1432-72-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	xmrig
behavioral2/memory/4220-136-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp	xmrig
behavioral2/memory/3968-143-0x00007FF60AD10000-0x00007FF60B061000-memory.dmp	xmrig
behavioral2/memory/1672-146-0x00007FF711400000-0x00007FF711751000-memory.dmp	xmrig
behavioral2/memory/2052-149-0x00007FF60FDC0000-0x00007FF610111000-memory.dmp	xmrig
behavioral2/memory/1060-150-0x00007FF722090000-0x00007FF7223E1000-memory.dmp	xmrig
behavioral2/memory/1848-154-0x00007FF6C30B0000-0x00007FF6C3401000-memory.dmp	xmrig
behavioral2/memory/3696-157-0x00007FF632E50000-0x00007FF6331A1000-memory.dmp	xmrig
behavioral2/memory/1984-160-0x00007FF658A90000-0x00007FF658DE1000-memory.dmp	xmrig
behavioral2/memory/4688-159-0x00007FF69E480000-0x00007FF69E7D1000-memory.dmp	xmrig
behavioral2/memory/5052-156-0x00007FF78CC30000-0x00007FF78CF81000-memory.dmp	xmrig
behavioral2/memory/3228-155-0x00007FF76DA10000-0x00007FF76DD61000-memory.dmp	xmrig
behavioral2/memory/4796-153-0x00007FF6E63A0000-0x00007FF6E66F1000-memory.dmp	xmrig
behavioral2/memory/4220-161-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp	xmrig
behavioral2/memory/1056-215-0x00007FF64AB10000-0x00007FF64AE61000-memory.dmp	xmrig
behavioral2/memory/2480-217-0x00007FF6E7750000-0x00007FF6E7AA1000-memory.dmp	xmrig
behavioral2/memory/3424-219-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	xmrig
behavioral2/memory/1432-221-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	xmrig
behavioral2/memory/3288-225-0x00007FF635210000-0x00007FF635561000-memory.dmp	xmrig
behavioral2/memory/2148-224-0x00007FF78D320000-0x00007FF78D671000-memory.dmp	xmrig
behavioral2/memory/3764-229-0x00007FF71D710000-0x00007FF71DA61000-memory.dmp	xmrig
behavioral2/memory/1404-228-0x00007FF6AEB60000-0x00007FF6AEEB1000-memory.dmp	xmrig
behavioral2/memory/3168-234-0x00007FF706A00000-0x00007FF706D51000-memory.dmp	xmrig
behavioral2/memory/1672-236-0x00007FF711400000-0x00007FF711751000-memory.dmp	xmrig
behavioral2/memory/1668-248-0x00007FF606460000-0x00007FF6067B1000-memory.dmp	xmrig
behavioral2/memory/2052-250-0x00007FF60FDC0000-0x00007FF610111000-memory.dmp	xmrig
behavioral2/memory/1060-252-0x00007FF722090000-0x00007FF7223E1000-memory.dmp	xmrig
behavioral2/memory/1848-254-0x00007FF6C30B0000-0x00007FF6C3401000-memory.dmp	xmrig
behavioral2/memory/4796-257-0x00007FF6E63A0000-0x00007FF6E66F1000-memory.dmp	xmrig
behavioral2/memory/3228-258-0x00007FF76DA10000-0x00007FF76DD61000-memory.dmp	xmrig
behavioral2/memory/5052-260-0x00007FF78CC30000-0x00007FF78CF81000-memory.dmp	xmrig
behavioral2/memory/4688-263-0x00007FF69E480000-0x00007FF69E7D1000-memory.dmp	xmrig
behavioral2/memory/3968-266-0x00007FF60AD10000-0x00007FF60B061000-memory.dmp	xmrig
behavioral2/memory/3696-265-0x00007FF632E50000-0x00007FF6331A1000-memory.dmp	xmrig
behavioral2/memory/1984-268-0x00007FF658A90000-0x00007FF658DE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1056	DGLKAyq.exe
2480	GslfWOC.exe
3424	qSNBHjM.exe
1432	qBrDwAk.exe
2148	KrgVBfr.exe
3288	muHPpUy.exe
3764	AHEOxsw.exe
1404	glhpXSD.exe
3168	VEHoUIg.exe
1672	xxIbLaz.exe
2052	dVimehr.exe
1668	YHLiGIu.exe
1060	LjKBPCi.exe
4796	fglgJwZ.exe
1848	RoHRyJI.exe
3228	FYZIRTY.exe
5052	daXlxYq.exe
3696	SKmHJNg.exe
3968	TwKewFv.exe
4688	hQUGdbm.exe
1984	AGWyIfb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4220-0-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp	upx
behavioral2/files/0x0009000000023416-5.dat	upx
behavioral2/files/0x000700000002341b-7.dat	upx
behavioral2/files/0x000700000002341d-26.dat	upx
behavioral2/memory/3288-37-0x00007FF635210000-0x00007FF635561000-memory.dmp	upx
behavioral2/files/0x000700000002341e-40.dat	upx
behavioral2/memory/3764-44-0x00007FF71D710000-0x00007FF71DA61000-memory.dmp	upx
behavioral2/files/0x0007000000023420-48.dat	upx
behavioral2/files/0x000700000002341f-46.dat	upx
behavioral2/memory/1404-45-0x00007FF6AEB60000-0x00007FF6AEEB1000-memory.dmp	upx
behavioral2/files/0x000700000002341c-29.dat	upx
behavioral2/memory/2148-28-0x00007FF78D320000-0x00007FF78D671000-memory.dmp	upx
behavioral2/memory/1432-27-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	upx
behavioral2/files/0x000700000002341a-19.dat	upx
behavioral2/memory/3424-16-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	upx
behavioral2/memory/2480-11-0x00007FF6E7750000-0x00007FF6E7AA1000-memory.dmp	upx
behavioral2/memory/1056-10-0x00007FF64AB10000-0x00007FF64AE61000-memory.dmp	upx
behavioral2/files/0x0007000000023421-53.dat	upx
behavioral2/memory/3168-60-0x00007FF706A00000-0x00007FF706D51000-memory.dmp	upx
behavioral2/memory/2480-62-0x00007FF6E7750000-0x00007FF6E7AA1000-memory.dmp	upx
behavioral2/files/0x0008000000023417-64.dat	upx
behavioral2/memory/1672-63-0x00007FF711400000-0x00007FF711751000-memory.dmp	upx
behavioral2/memory/1056-57-0x00007FF64AB10000-0x00007FF64AE61000-memory.dmp	upx
behavioral2/memory/4220-56-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp	upx
behavioral2/files/0x0007000000023422-67.dat	upx
behavioral2/files/0x0007000000023424-74.dat	upx
behavioral2/files/0x0007000000023425-79.dat	upx
behavioral2/files/0x0007000000023426-85.dat	upx
behavioral2/files/0x0007000000023429-99.dat	upx
behavioral2/files/0x0007000000023428-98.dat	upx
behavioral2/files/0x0007000000023427-105.dat	upx
behavioral2/files/0x000700000002342c-118.dat	upx
behavioral2/files/0x000700000002342a-130.dat	upx
behavioral2/memory/4688-131-0x00007FF69E480000-0x00007FF69E7D1000-memory.dmp	upx
behavioral2/files/0x000700000002342d-133.dat	upx
behavioral2/memory/3696-127-0x00007FF632E50000-0x00007FF6331A1000-memory.dmp	upx
behavioral2/memory/1404-125-0x00007FF6AEB60000-0x00007FF6AEEB1000-memory.dmp	upx
behavioral2/memory/3228-121-0x00007FF76DA10000-0x00007FF76DD61000-memory.dmp	upx
behavioral2/files/0x000700000002342b-117.dat	upx
behavioral2/memory/5052-114-0x00007FF78CC30000-0x00007FF78CF81000-memory.dmp	upx
behavioral2/memory/1848-104-0x00007FF6C30B0000-0x00007FF6C3401000-memory.dmp	upx
behavioral2/memory/3764-103-0x00007FF71D710000-0x00007FF71DA61000-memory.dmp	upx
behavioral2/memory/3288-102-0x00007FF635210000-0x00007FF635561000-memory.dmp	upx
behavioral2/memory/4796-95-0x00007FF6E63A0000-0x00007FF6E66F1000-memory.dmp	upx
behavioral2/memory/2148-87-0x00007FF78D320000-0x00007FF78D671000-memory.dmp	upx
behavioral2/memory/1060-86-0x00007FF722090000-0x00007FF7223E1000-memory.dmp	upx
behavioral2/memory/1668-84-0x00007FF606460000-0x00007FF6067B1000-memory.dmp	upx
behavioral2/memory/2052-81-0x00007FF60FDC0000-0x00007FF610111000-memory.dmp	upx
behavioral2/memory/3424-69-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp	upx
behavioral2/memory/1432-72-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp	upx
behavioral2/memory/1984-135-0x00007FF658A90000-0x00007FF658DE1000-memory.dmp	upx
behavioral2/memory/4220-136-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp	upx
behavioral2/memory/3968-143-0x00007FF60AD10000-0x00007FF60B061000-memory.dmp	upx
behavioral2/memory/1672-146-0x00007FF711400000-0x00007FF711751000-memory.dmp	upx
behavioral2/memory/2052-149-0x00007FF60FDC0000-0x00007FF610111000-memory.dmp	upx
behavioral2/memory/1060-150-0x00007FF722090000-0x00007FF7223E1000-memory.dmp	upx
behavioral2/memory/1848-154-0x00007FF6C30B0000-0x00007FF6C3401000-memory.dmp	upx
behavioral2/memory/3696-157-0x00007FF632E50000-0x00007FF6331A1000-memory.dmp	upx
behavioral2/memory/1984-160-0x00007FF658A90000-0x00007FF658DE1000-memory.dmp	upx
behavioral2/memory/4688-159-0x00007FF69E480000-0x00007FF69E7D1000-memory.dmp	upx
behavioral2/memory/5052-156-0x00007FF78CC30000-0x00007FF78CF81000-memory.dmp	upx
behavioral2/memory/3228-155-0x00007FF76DA10000-0x00007FF76DD61000-memory.dmp	upx
behavioral2/memory/4796-153-0x00007FF6E63A0000-0x00007FF6E66F1000-memory.dmp	upx
behavioral2/memory/4220-161-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\dVimehr.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RoHRyJI.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\daXlxYq.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\muHPpUy.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AHEOxsw.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xxIbLaz.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LjKBPCi.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SKmHJNg.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TwKewFv.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AGWyIfb.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GslfWOC.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qSNBHjM.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\glhpXSD.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEHoUIg.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fglgJwZ.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQUGdbm.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGLKAyq.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBrDwAk.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KrgVBfr.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YHLiGIu.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYZIRTY.exe	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1056	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4220 wrote to memory of 1056	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4220 wrote to memory of 2480	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4220 wrote to memory of 2480	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4220 wrote to memory of 3424	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4220 wrote to memory of 3424	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4220 wrote to memory of 1432	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4220 wrote to memory of 1432	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4220 wrote to memory of 2148	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4220 wrote to memory of 2148	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4220 wrote to memory of 3288	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4220 wrote to memory of 3288	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4220 wrote to memory of 3764	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4220 wrote to memory of 3764	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4220 wrote to memory of 1404	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4220 wrote to memory of 1404	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4220 wrote to memory of 3168	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4220 wrote to memory of 3168	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4220 wrote to memory of 1672	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4220 wrote to memory of 1672	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4220 wrote to memory of 2052	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4220 wrote to memory of 2052	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4220 wrote to memory of 1668	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4220 wrote to memory of 1668	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4220 wrote to memory of 1060	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4220 wrote to memory of 1060	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4220 wrote to memory of 4796	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4220 wrote to memory of 4796	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4220 wrote to memory of 1848	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4220 wrote to memory of 1848	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4220 wrote to memory of 3228	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4220 wrote to memory of 3228	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4220 wrote to memory of 5052	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4220 wrote to memory of 5052	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4220 wrote to memory of 3696	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4220 wrote to memory of 3696	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4220 wrote to memory of 3968	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4220 wrote to memory of 3968	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4220 wrote to memory of 4688	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4220 wrote to memory of 4688	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4220 wrote to memory of 1984	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4220 wrote to memory of 1984	4220	2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_9a8d2d46d6a411513fc76b2522c1b1db_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\System\DGLKAyq.exe
  C:\Windows\System\DGLKAyq.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\GslfWOC.exe
  C:\Windows\System\GslfWOC.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\qSNBHjM.exe
  C:\Windows\System\qSNBHjM.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\qBrDwAk.exe
  C:\Windows\System\qBrDwAk.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\KrgVBfr.exe
  C:\Windows\System\KrgVBfr.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\muHPpUy.exe
  C:\Windows\System\muHPpUy.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\AHEOxsw.exe
  C:\Windows\System\AHEOxsw.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\glhpXSD.exe
  C:\Windows\System\glhpXSD.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\VEHoUIg.exe
  C:\Windows\System\VEHoUIg.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\xxIbLaz.exe
  C:\Windows\System\xxIbLaz.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\dVimehr.exe
  C:\Windows\System\dVimehr.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\YHLiGIu.exe
  C:\Windows\System\YHLiGIu.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\LjKBPCi.exe
  C:\Windows\System\LjKBPCi.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\fglgJwZ.exe
  C:\Windows\System\fglgJwZ.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\RoHRyJI.exe
  C:\Windows\System\RoHRyJI.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\FYZIRTY.exe
  C:\Windows\System\FYZIRTY.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\daXlxYq.exe
  C:\Windows\System\daXlxYq.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\SKmHJNg.exe
  C:\Windows\System\SKmHJNg.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\TwKewFv.exe
  C:\Windows\System\TwKewFv.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\hQUGdbm.exe
  C:\Windows\System\hQUGdbm.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\AGWyIfb.exe
  C:\Windows\System\AGWyIfb.exe
  2⤵
  - Executes dropped EXE
  PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGWyIfb.exe

Filesize
5.2MB

MD5
2dd62c402637845da8432084dddd43b7

SHA1
5febe759b215769647f330d76c5842dac0a03a20

SHA256
ad43c9b38e27473000b37e9e7bb515d82e6291f9a10e8ee108200cc26096d9a7

SHA512
53df62217d180be3912c2ba56462fc26cf8913e2a5b1b7757459c3ba0de2daf254ea7feac68a2e875f96b34a56a773ed6c07061263e246e8cc23ba4207767ee3

Download Submit
C:\Windows\System\AHEOxsw.exe

Filesize
5.2MB

MD5
e539b3f5c2872ceaa5a5b50d556c7336

SHA1
0d51e2d5bb58b947131623187e4ca577ccabd6f3

SHA256
b92b4744eb9d3121c6340262b9a9fd1dd64ecc586becfde93c04bdbf0b6bda5d

SHA512
0cbe39cb5b5848f96d9038b66ea23167514e1db602512d4117b45e749b5534376a5a3310556518794bafe360bad9220ee58427b91a57f09f4fd305a4a1abd36c

Download Submit
C:\Windows\System\DGLKAyq.exe

Filesize
5.2MB

MD5
37fb92b7fb0300c409b3aba7b32e769c

SHA1
c2489f3e3da367c6a7a720899f9578a8360f85e1

SHA256
def3396d9e1cd73fc622e3c4e6d440d5a3c84ab10b4e74f4130578fab39422a8

SHA512
e083176613559e3becef14149e9f9f1d1ee9d70c7f67c07168f8e58985820fc52e04605e0f3d7afd98ebafbf8ce0fa6ba1e33e554ed6d465e927e80c59111a80

Download Submit
C:\Windows\System\FYZIRTY.exe

Filesize
5.2MB

MD5
ec8ffe0153e50c451be92cc6ffd2474e

SHA1
1759af7263c6981ec49ec9bbef8359ffdef231b1

SHA256
10a96baac2b2142ed09fe59f34f0daca0d51ba135294b5f20744406d6150d1ae

SHA512
bac93c71026f51729214e1cf8e97866d8c0d2c2fae2889cbc754a63da4e3c969220d1ff7f702a8121f1ef5dc1f08e924e4a6ad794a34dab8245c906c9757f00a

Download Submit
C:\Windows\System\GslfWOC.exe

Filesize
5.2MB

MD5
0103e354eafacf346dbf34f3224f2fef

SHA1
1bb21a1aecb5c5015a5c83106a90ebd3ca28da71

SHA256
f0eb61621abe618911057c05e1a4b564ebcc915c5b2a8f43357bb25f26b47904

SHA512
b7cb976a9e2f4a0727e76d1f67e7a713406506d51efddc634931b137fec22d15d2667705fd4014127f5abe53a9d82e67e412b11e8e7ac401c3ce3981f3c7ed87

Download Submit
C:\Windows\System\KrgVBfr.exe

Filesize
5.2MB

MD5
9986f83adebe4f3e6b86bc10658e3107

SHA1
49649b20e98fd0a9c2142d2b08179c5de9b375fb

SHA256
4d1ef6bec7ba46cf66eb7b600dc89c5f78a65f6d5e7c53b70026ab4e02fa9e72

SHA512
4daaadd54b80d017bd61d01efc201d8647a5db38673a3db33dddc987104f6aa9377ff51795d4ba1a9ccca59c2e631cc6ece9edc5f89d08077ceb18c4220d29bf

Download Submit
C:\Windows\System\LjKBPCi.exe

Filesize
5.2MB

MD5
b57a761960366b8a8d9d68384dfc5ba7

SHA1
665f58745eebfa292399324171fe5e0a3dae7612

SHA256
faa4771766b2d570cc0a98a0f66b7d3b2369419601c0109dab1ef31f6df6d80d

SHA512
e5c41f0d0710804459a01e2d4b395b9e27a3ab7a9827d67506030d1069f4b925f0c8cbb066d6433285982256a8659a6e19a6a3a036b3586862f94a34e9d89feb

Download Submit
C:\Windows\System\RoHRyJI.exe

Filesize
5.2MB

MD5
5a51b580403e8d3f436b036817b6b9ce

SHA1
e31bc8f6d228046703737880623b8d46b95d3b07

SHA256
6b434743f633928780d43ddb07305faecaa02ed3f661c3f12af41c4c65d47f22

SHA512
afaabfcd1e42076fc5a84972adbd5d608051a025e48c23d9dd817a7da0d03ade152c4d7271057ecb8aa0d14da0b295c7852b8301f0f8efeb00f7ad11bfdd151a

Download Submit
C:\Windows\System\SKmHJNg.exe

Filesize
5.2MB

MD5
acb5ef302e5325b28d62bd0f66826df6

SHA1
6cd6952f4b5092358a7382ad60940a03f94b36d8

SHA256
2205f1c57bcf3897462e2c9c3395b242b928a6aaae08943c7ad7f434798c95c7

SHA512
12e965d72c6b3b4338944febb827403a1f6c6f3c8ebc36565d1198da658f7ea304b85d992452666b1da829c23951a9cfd597bb62f3f01085c1045e38dd10d94e

Download Submit
C:\Windows\System\TwKewFv.exe

Filesize
5.2MB

MD5
0bc9b18dd4678fba7e53d85d7ffd5257

SHA1
7366a45282911aa8cc9cf52558d8d0b8cb85c2c1

SHA256
72f8be256ad48d6b3e9b5ee88131c4c4301c14fb312ca445c07894dd0fae6e86

SHA512
3aa84a15f953631a8f82b6524bd458a7f739255d693d9cb4cb86dc78a9c5b9e22147b032e006ea29f357cfe9443303bc5158b944b99768eee2e3213bed23882d

Download Submit
C:\Windows\System\VEHoUIg.exe

Filesize
5.2MB

MD5
231e9540d50b4aed8b7b044218f83f69

SHA1
0b95d6f05bc90f80d7fe496a67660e60d457bce5

SHA256
c02d372875a2e2d38d097e0d69111dc4cd1565f42aa356c05a9bb5c739c48ff4

SHA512
9d5cf9821eb5a78af13886361cfd5452e1c78fc46920052c2cfb7fd9b559b7062b71be9dea264399708665207979b16d3f1c59ca68a05c5cbb46aeda3586c817

Download Submit
C:\Windows\System\YHLiGIu.exe

Filesize
5.2MB

MD5
7ddd6c616ad21aacb5a0cdd4e8b6a2ff

SHA1
d3b1da9c1e71fbfa2d35ac30ee64f0051f773faf

SHA256
9347eb9d8a8e04fbc29dd0fb9fbaff7ee9b6b97364487932f8708e97b561bf54

SHA512
57dd057b1812b377b43bff0336fd0e62fb7a9f844f871550d00943c19772f11ca26954225120b6e3af7d49022c36cb1a8da1d654851f62d96fe40c8bfa0022b8

Download Submit
C:\Windows\System\dVimehr.exe

Filesize
5.2MB

MD5
2c84fce85cc563747610ac0927bc83c7

SHA1
8877510b4baf387870df90363fafb0c179eed813

SHA256
5659a1bc5ddbe9cf984cf1106c2bf28141ae8145b61d462d000f038141deb0b4

SHA512
963e2bce9428b4b273701089f5a82b5dfd42d157bd3642bff15fe7b676f9dd4b07dc0fdd1ba5ba85eb7a40f518ca8cbf8d743bdb29a7d9fa50c775393c69f182

Download Submit
C:\Windows\System\daXlxYq.exe

Filesize
5.2MB

MD5
091d9f821307ad8e94a85c3ebc3ca2af

SHA1
53f1450eca0836ea973d1f467bdc9367b568027a

SHA256
5ad1757fa42ec5d1f3038cc29308ced0e42780d77776c4b89fd71e9e86e90fbe

SHA512
c198dbc56f63d080b49d17360636009003f168b98b367c84c1df97a1b84c139dd270fba82a8dfe8e9283d76b1af739a23e4aecb953594e5cb87c539761d72093

Download Submit
C:\Windows\System\fglgJwZ.exe

Filesize
5.2MB

MD5
feb7e0f0642a31db036cccbd06644d8c

SHA1
0388aac64ce76c785d0ae98f7b61dd7df0bf9e59

SHA256
adc0e0fa57e6f4a9e7e68bcc02d59361e85bd69ea2544c6fae404c91ae44a0df

SHA512
a6c1c1041e0d704f96271458c12bf51cf71a574115fb5139d801c835808ccaa51830d6b3c9068469889f2b8e05c4f378f6bce4893099ae04c0d41bc69214813b

Download Submit
C:\Windows\System\glhpXSD.exe

Filesize
5.2MB

MD5
d7ea5f4f16af3dd93b4d9262da325f6d

SHA1
23ad9619cba3aacd16d33cea3a11092c4a1702d9

SHA256
5370c892f95952e09d07686dba17c3ae6b2f44ce762a833b6552c2d6159c8cc7

SHA512
695466d10d443ab5c1a06d3c6a4cbcd4245436a6f0637b97f27c61455eac7cebf60c418de850a923e23209aced2785a6e0d883da9d2ed272d17731cfb9a6c8fc

Download Submit
C:\Windows\System\hQUGdbm.exe

Filesize
5.2MB

MD5
77bcc13c5f3785559c32b44110294aa4

SHA1
3043673522531b089a1cc65742e74067436de37a

SHA256
e8d23c5f32e5dc7a61b10cf21258d006955a935e2bf7fc47f07f5bfaac574fe9

SHA512
685906c8565cf22fdce43bb7cc7cdc31e62e281b8abb71f58d76419075b5271a521cf57cc1d2d7d30490020a185223dff411a4ce4f199a928b5fc02714445e76

Download Submit
C:\Windows\System\muHPpUy.exe

Filesize
5.2MB

MD5
b79bc3138a99beef36e33a6a6148e178

SHA1
3af9b16a780fe421b0df440206580dc33e802264

SHA256
71e3f7d6c649a6925a4b3875dc1e036bc82160cbe4aed910e6dbe3b5b2c4cc18

SHA512
02fab4560ec5e40bb9b6f61d2dcaa4622e30eca3b870bf70160cce294e59546f22a08593d973bd5c14a0833b210a678dc41b599bb2d7bffc19d7a4bce857f9e9

Download Submit
C:\Windows\System\qBrDwAk.exe

Filesize
5.2MB

MD5
83a8fca6f0e044f134ed1f26be46c6b8

SHA1
baf72824a3c402841204eeb386f06eed7f6cea43

SHA256
814e6e470a28a0791dcec050fe14364b63cf37dd860968cef26b05b122a2d2b7

SHA512
91da95a06437d8e52e2604f1c90e3f6c5dd8d1ac25268d29e6df446ee58d0aa4cb92a48f59768cd9f1aca8ff31b8f6a28fb3ca593e5a294b4ace24b6fb9801d0

Download Submit
C:\Windows\System\qSNBHjM.exe

Filesize
5.2MB

MD5
21f137f338f661eb30de169d6827245c

SHA1
cb0d0fc070c41ff5812fec8d76873a8cd04a5741

SHA256
bfa69c0d2b1f848a1f1ec7f26f51c703511d0fa90078dbd9fa844d49a9edaac5

SHA512
6878d596a1c852d5ee3af62d77dc1bdcf09e450bd1e4441567b083efd503a894f03aba12a4bd5910f2ed6738d0ad8c048e21016605270269762ef7d1858350fc

Download Submit
C:\Windows\System\xxIbLaz.exe

Filesize
5.2MB

MD5
a95502e08b61ec09dd9ae6e14e3e8556

SHA1
e1c1daf051e984afc1358ac117c852b4da2ea55f

SHA256
4ba2dedc21e0f802bec0292e37f00baa1d9309d4384be3fa8e3a853d7aa9214f

SHA512
4fa8c74816051b3238fcd46871e41182d004f62c6a4a57b4d09a9e3286b3b1f8bacf81120aec9b1864a47fa1d88cd50fe9821fbb00169f9ef98b680ba6c05038

Download Submit
memory/1056-10-0x00007FF64AB10000-0x00007FF64AE61000-memory.dmp

Filesize
3.3MB

Download
memory/1056-215-0x00007FF64AB10000-0x00007FF64AE61000-memory.dmp

Filesize
3.3MB

Download
memory/1056-57-0x00007FF64AB10000-0x00007FF64AE61000-memory.dmp

Filesize
3.3MB

Download
memory/1060-252-0x00007FF722090000-0x00007FF7223E1000-memory.dmp

Filesize
3.3MB

Download
memory/1060-150-0x00007FF722090000-0x00007FF7223E1000-memory.dmp

Filesize
3.3MB

Download
memory/1060-86-0x00007FF722090000-0x00007FF7223E1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-45-0x00007FF6AEB60000-0x00007FF6AEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-125-0x00007FF6AEB60000-0x00007FF6AEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-228-0x00007FF6AEB60000-0x00007FF6AEEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-221-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp

Filesize
3.3MB

Download
memory/1432-72-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp

Filesize
3.3MB

Download
memory/1432-27-0x00007FF74D9F0000-0x00007FF74DD41000-memory.dmp

Filesize
3.3MB

Download
memory/1668-248-0x00007FF606460000-0x00007FF6067B1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-84-0x00007FF606460000-0x00007FF6067B1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-146-0x00007FF711400000-0x00007FF711751000-memory.dmp

Filesize
3.3MB

Download
memory/1672-236-0x00007FF711400000-0x00007FF711751000-memory.dmp

Filesize
3.3MB

Download
memory/1672-63-0x00007FF711400000-0x00007FF711751000-memory.dmp

Filesize
3.3MB

Download
memory/1848-104-0x00007FF6C30B0000-0x00007FF6C3401000-memory.dmp

Filesize
3.3MB

Download
memory/1848-254-0x00007FF6C30B0000-0x00007FF6C3401000-memory.dmp

Filesize
3.3MB

Download
memory/1848-154-0x00007FF6C30B0000-0x00007FF6C3401000-memory.dmp

Filesize
3.3MB

Download
memory/1984-135-0x00007FF658A90000-0x00007FF658DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-268-0x00007FF658A90000-0x00007FF658DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1984-160-0x00007FF658A90000-0x00007FF658DE1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-250-0x00007FF60FDC0000-0x00007FF610111000-memory.dmp

Filesize
3.3MB

Download
memory/2052-81-0x00007FF60FDC0000-0x00007FF610111000-memory.dmp

Filesize
3.3MB

Download
memory/2052-149-0x00007FF60FDC0000-0x00007FF610111000-memory.dmp

Filesize
3.3MB

Download
memory/2148-224-0x00007FF78D320000-0x00007FF78D671000-memory.dmp

Filesize
3.3MB

Download
memory/2148-87-0x00007FF78D320000-0x00007FF78D671000-memory.dmp

Filesize
3.3MB

Download
memory/2148-28-0x00007FF78D320000-0x00007FF78D671000-memory.dmp

Filesize
3.3MB

Download
memory/2480-11-0x00007FF6E7750000-0x00007FF6E7AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-217-0x00007FF6E7750000-0x00007FF6E7AA1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-62-0x00007FF6E7750000-0x00007FF6E7AA1000-memory.dmp

Filesize
3.3MB

Download
memory/3168-60-0x00007FF706A00000-0x00007FF706D51000-memory.dmp

Filesize
3.3MB

Download
memory/3168-234-0x00007FF706A00000-0x00007FF706D51000-memory.dmp

Filesize
3.3MB

Download
memory/3228-258-0x00007FF76DA10000-0x00007FF76DD61000-memory.dmp

Filesize
3.3MB

Download
memory/3228-121-0x00007FF76DA10000-0x00007FF76DD61000-memory.dmp

Filesize
3.3MB

Download
memory/3228-155-0x00007FF76DA10000-0x00007FF76DD61000-memory.dmp

Filesize
3.3MB

Download
memory/3288-102-0x00007FF635210000-0x00007FF635561000-memory.dmp

Filesize
3.3MB

Download
memory/3288-37-0x00007FF635210000-0x00007FF635561000-memory.dmp

Filesize
3.3MB

Download
memory/3288-225-0x00007FF635210000-0x00007FF635561000-memory.dmp

Filesize
3.3MB

Download
memory/3424-219-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-16-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-69-0x00007FF75BF80000-0x00007FF75C2D1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-265-0x00007FF632E50000-0x00007FF6331A1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-127-0x00007FF632E50000-0x00007FF6331A1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-157-0x00007FF632E50000-0x00007FF6331A1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-229-0x00007FF71D710000-0x00007FF71DA61000-memory.dmp

Filesize
3.3MB

Download
memory/3764-103-0x00007FF71D710000-0x00007FF71DA61000-memory.dmp

Filesize
3.3MB

Download
memory/3764-44-0x00007FF71D710000-0x00007FF71DA61000-memory.dmp

Filesize
3.3MB

Download
memory/3968-266-0x00007FF60AD10000-0x00007FF60B061000-memory.dmp

Filesize
3.3MB

Download
memory/3968-143-0x00007FF60AD10000-0x00007FF60B061000-memory.dmp

Filesize
3.3MB

Download
memory/4220-56-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp

Filesize
3.3MB

Download
memory/4220-1-0x0000014553390000-0x00000145533A0000-memory.dmp

Filesize
64KB

Download
memory/4220-161-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp

Filesize
3.3MB

Download
memory/4220-0-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp

Filesize
3.3MB

Download
memory/4220-136-0x00007FF6F7610000-0x00007FF6F7961000-memory.dmp

Filesize
3.3MB

Download
memory/4688-263-0x00007FF69E480000-0x00007FF69E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-131-0x00007FF69E480000-0x00007FF69E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4688-159-0x00007FF69E480000-0x00007FF69E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-95-0x00007FF6E63A0000-0x00007FF6E66F1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-257-0x00007FF6E63A0000-0x00007FF6E66F1000-memory.dmp

Filesize
3.3MB

Download
memory/4796-153-0x00007FF6E63A0000-0x00007FF6E66F1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-260-0x00007FF78CC30000-0x00007FF78CF81000-memory.dmp

Filesize
3.3MB

Download
memory/5052-156-0x00007FF78CC30000-0x00007FF78CF81000-memory.dmp

Filesize
3.3MB

Download
memory/5052-114-0x00007FF78CC30000-0x00007FF78CF81000-memory.dmp

Filesize
3.3MB

Download