cobaltstrike | 5046053cb4eb2abd02efa11f08e548060fa0a86c10b7ea1f55ad5e3b5b3f6316

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b54ee0638dd41e55897b53d2d9af5065
SHA1

3de9264c025730c639cc1f9a15e6ba3e458d8ccd
SHA256

5046053cb4eb2abd02efa11f08e548060fa0a86c10b7ea1f55ad5e3b5b3f6316
SHA512

90a5d39536cbfbf280464d7c070fdf3c8ed22693a475403b5470e07b2bbe5b5b4ec64131fc81cae2c72e8ddf52738bfd99830c9dccc381e351886f3f7a652ad7
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibj56utgpPFotBER/mQ32lU8

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023439-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-14.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-107.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002343a-100.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-47.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-30.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2396-53-0x00007FF676B70000-0x00007FF676EC1000-memory.dmp	xmrig
behavioral2/memory/4476-120-0x00007FF63C200000-0x00007FF63C551000-memory.dmp	xmrig
behavioral2/memory/976-121-0x00007FF60E9D0000-0x00007FF60ED21000-memory.dmp	xmrig
behavioral2/memory/5040-122-0x00007FF6DDEF0000-0x00007FF6DE241000-memory.dmp	xmrig
behavioral2/memory/808-123-0x00007FF690090000-0x00007FF6903E1000-memory.dmp	xmrig
behavioral2/memory/3976-125-0x00007FF77ED40000-0x00007FF77F091000-memory.dmp	xmrig
behavioral2/memory/4952-127-0x00007FF7897E0000-0x00007FF789B31000-memory.dmp	xmrig
behavioral2/memory/4564-126-0x00007FF692700000-0x00007FF692A51000-memory.dmp	xmrig
behavioral2/memory/2776-124-0x00007FF686730000-0x00007FF686A81000-memory.dmp	xmrig
behavioral2/memory/3872-119-0x00007FF7ACA20000-0x00007FF7ACD71000-memory.dmp	xmrig
behavioral2/memory/4708-129-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	xmrig
behavioral2/memory/2972-128-0x00007FF78B330000-0x00007FF78B681000-memory.dmp	xmrig
behavioral2/memory/2380-139-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp	xmrig
behavioral2/memory/4468-138-0x00007FF695F80000-0x00007FF6962D1000-memory.dmp	xmrig
behavioral2/memory/5004-136-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp	xmrig
behavioral2/memory/1888-140-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp	xmrig
behavioral2/memory/1452-135-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp	xmrig
behavioral2/memory/3160-133-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp	xmrig
behavioral2/memory/2972-130-0x00007FF78B330000-0x00007FF78B681000-memory.dmp	xmrig
behavioral2/memory/1720-142-0x00007FF774510000-0x00007FF774861000-memory.dmp	xmrig
behavioral2/memory/2028-145-0x00007FF6A6B70000-0x00007FF6A6EC1000-memory.dmp	xmrig
behavioral2/memory/1276-147-0x00007FF7F87F0000-0x00007FF7F8B41000-memory.dmp	xmrig
behavioral2/memory/4128-146-0x00007FF7741D0000-0x00007FF774521000-memory.dmp	xmrig
behavioral2/memory/2972-154-0x00007FF78B330000-0x00007FF78B681000-memory.dmp	xmrig
behavioral2/memory/4708-215-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	xmrig
behavioral2/memory/2380-217-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp	xmrig
behavioral2/memory/1888-220-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp	xmrig
behavioral2/memory/3160-221-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp	xmrig
behavioral2/memory/2396-223-0x00007FF676B70000-0x00007FF676EC1000-memory.dmp	xmrig
behavioral2/memory/1452-225-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp	xmrig
behavioral2/memory/5004-227-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp	xmrig
behavioral2/memory/4476-229-0x00007FF63C200000-0x00007FF63C551000-memory.dmp	xmrig
behavioral2/memory/3872-237-0x00007FF7ACA20000-0x00007FF7ACD71000-memory.dmp	xmrig
behavioral2/memory/4468-239-0x00007FF695F80000-0x00007FF6962D1000-memory.dmp	xmrig
behavioral2/memory/1720-241-0x00007FF774510000-0x00007FF774861000-memory.dmp	xmrig
behavioral2/memory/1276-247-0x00007FF7F87F0000-0x00007FF7F8B41000-memory.dmp	xmrig
behavioral2/memory/4128-244-0x00007FF7741D0000-0x00007FF774521000-memory.dmp	xmrig
behavioral2/memory/2028-245-0x00007FF6A6B70000-0x00007FF6A6EC1000-memory.dmp	xmrig
behavioral2/memory/976-251-0x00007FF60E9D0000-0x00007FF60ED21000-memory.dmp	xmrig
behavioral2/memory/3976-257-0x00007FF77ED40000-0x00007FF77F091000-memory.dmp	xmrig
behavioral2/memory/4564-259-0x00007FF692700000-0x00007FF692A51000-memory.dmp	xmrig
behavioral2/memory/808-255-0x00007FF690090000-0x00007FF6903E1000-memory.dmp	xmrig
behavioral2/memory/2776-254-0x00007FF686730000-0x00007FF686A81000-memory.dmp	xmrig
behavioral2/memory/5040-250-0x00007FF6DDEF0000-0x00007FF6DE241000-memory.dmp	xmrig
behavioral2/memory/4952-261-0x00007FF7897E0000-0x00007FF789B31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4708	wgRXajM.exe
2380	HhOpXZA.exe
3160	EOpwPqI.exe
1888	HXgNTcc.exe
1452	FTCsuQB.exe
5004	cQcTYcX.exe
2396	oSgjwWM.exe
4468	MOpgTGy.exe
3872	qKIlOms.exe
1720	EyYqzCB.exe
4476	hShceIV.exe
976	puSDCaG.exe
2028	bYPYkyT.exe
4128	oqIYJEr.exe
1276	UOnsmOS.exe
5040	WzuTmoM.exe
4952	AYPEfvX.exe
808	fyLmOyd.exe
2776	UhgkRqp.exe
3976	wZdXBQL.exe
4564	cFUNIek.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2972-0-0x00007FF78B330000-0x00007FF78B681000-memory.dmp	upx
behavioral2/files/0x0008000000023439-4.dat	upx
behavioral2/memory/4708-7-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	upx
behavioral2/files/0x000700000002343d-14.dat	upx
behavioral2/memory/2380-20-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp	upx
behavioral2/files/0x000700000002343e-24.dat	upx
behavioral2/memory/3160-34-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp	upx
behavioral2/files/0x0007000000023444-51.dat	upx
behavioral2/files/0x0007000000023445-52.dat	upx
behavioral2/files/0x0007000000023447-72.dat	upx
behavioral2/memory/4128-80-0x00007FF7741D0000-0x00007FF774521000-memory.dmp	upx
behavioral2/files/0x000700000002344c-101.dat	upx
behavioral2/files/0x000700000002344e-114.dat	upx
behavioral2/files/0x000700000002344f-116.dat	upx
behavioral2/files/0x000700000002344d-112.dat	upx
behavioral2/files/0x000700000002344b-107.dat	upx
behavioral2/files/0x000800000002343a-100.dat	upx
behavioral2/memory/1276-94-0x00007FF7F87F0000-0x00007FF7F8B41000-memory.dmp	upx
behavioral2/files/0x000700000002344a-86.dat	upx
behavioral2/files/0x0007000000023449-83.dat	upx
behavioral2/files/0x0007000000023448-81.dat	upx
behavioral2/memory/2028-78-0x00007FF6A6B70000-0x00007FF6A6EC1000-memory.dmp	upx
behavioral2/memory/1720-77-0x00007FF774510000-0x00007FF774861000-memory.dmp	upx
behavioral2/memory/4468-69-0x00007FF695F80000-0x00007FF6962D1000-memory.dmp	upx
behavioral2/files/0x0007000000023446-64.dat	upx
behavioral2/files/0x0007000000023443-57.dat	upx
behavioral2/memory/2396-53-0x00007FF676B70000-0x00007FF676EC1000-memory.dmp	upx
behavioral2/files/0x0007000000023440-48.dat	upx
behavioral2/files/0x0007000000023442-43.dat	upx
behavioral2/memory/5004-41-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp	upx
behavioral2/files/0x0007000000023441-47.dat	upx
behavioral2/memory/1452-35-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp	upx
behavioral2/memory/1888-26-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp	upx
behavioral2/files/0x000700000002343f-30.dat	upx
behavioral2/memory/4476-120-0x00007FF63C200000-0x00007FF63C551000-memory.dmp	upx
behavioral2/memory/976-121-0x00007FF60E9D0000-0x00007FF60ED21000-memory.dmp	upx
behavioral2/memory/5040-122-0x00007FF6DDEF0000-0x00007FF6DE241000-memory.dmp	upx
behavioral2/memory/808-123-0x00007FF690090000-0x00007FF6903E1000-memory.dmp	upx
behavioral2/memory/3976-125-0x00007FF77ED40000-0x00007FF77F091000-memory.dmp	upx
behavioral2/memory/4952-127-0x00007FF7897E0000-0x00007FF789B31000-memory.dmp	upx
behavioral2/memory/4564-126-0x00007FF692700000-0x00007FF692A51000-memory.dmp	upx
behavioral2/memory/2776-124-0x00007FF686730000-0x00007FF686A81000-memory.dmp	upx
behavioral2/memory/3872-119-0x00007FF7ACA20000-0x00007FF7ACD71000-memory.dmp	upx
behavioral2/memory/4708-129-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	upx
behavioral2/memory/2972-128-0x00007FF78B330000-0x00007FF78B681000-memory.dmp	upx
behavioral2/memory/2380-139-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp	upx
behavioral2/memory/4468-138-0x00007FF695F80000-0x00007FF6962D1000-memory.dmp	upx
behavioral2/memory/5004-136-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp	upx
behavioral2/memory/1888-140-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp	upx
behavioral2/memory/1452-135-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp	upx
behavioral2/memory/3160-133-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp	upx
behavioral2/memory/2972-130-0x00007FF78B330000-0x00007FF78B681000-memory.dmp	upx
behavioral2/memory/1720-142-0x00007FF774510000-0x00007FF774861000-memory.dmp	upx
behavioral2/memory/2028-145-0x00007FF6A6B70000-0x00007FF6A6EC1000-memory.dmp	upx
behavioral2/memory/1276-147-0x00007FF7F87F0000-0x00007FF7F8B41000-memory.dmp	upx
behavioral2/memory/4128-146-0x00007FF7741D0000-0x00007FF774521000-memory.dmp	upx
behavioral2/memory/2972-154-0x00007FF78B330000-0x00007FF78B681000-memory.dmp	upx
behavioral2/memory/4708-215-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp	upx
behavioral2/memory/2380-217-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp	upx
behavioral2/memory/1888-220-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp	upx
behavioral2/memory/3160-221-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp	upx
behavioral2/memory/2396-223-0x00007FF676B70000-0x00007FF676EC1000-memory.dmp	upx
behavioral2/memory/1452-225-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp	upx
behavioral2/memory/5004-227-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oSgjwWM.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EyYqzCB.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\puSDCaG.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzuTmoM.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UhgkRqp.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wZdXBQL.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cQcTYcX.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOpgTGy.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HXgNTcc.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FTCsuQB.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hShceIV.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bYPYkyT.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oqIYJEr.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UOnsmOS.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyLmOyd.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wgRXajM.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HhOpXZA.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EOpwPqI.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qKIlOms.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AYPEfvX.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cFUNIek.exe	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 4708	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2972 wrote to memory of 4708	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2972 wrote to memory of 2380	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2972 wrote to memory of 2380	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2972 wrote to memory of 3160	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2972 wrote to memory of 3160	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2972 wrote to memory of 1888	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2972 wrote to memory of 1888	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2972 wrote to memory of 1452	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2972 wrote to memory of 1452	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2972 wrote to memory of 5004	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2972 wrote to memory of 5004	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2972 wrote to memory of 2396	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2972 wrote to memory of 2396	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2972 wrote to memory of 4468	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2972 wrote to memory of 4468	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2972 wrote to memory of 3872	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2972 wrote to memory of 3872	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2972 wrote to memory of 1720	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2972 wrote to memory of 1720	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2972 wrote to memory of 4476	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2972 wrote to memory of 4476	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2972 wrote to memory of 976	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2972 wrote to memory of 976	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2972 wrote to memory of 2028	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2972 wrote to memory of 2028	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2972 wrote to memory of 4128	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2972 wrote to memory of 4128	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2972 wrote to memory of 1276	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2972 wrote to memory of 1276	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2972 wrote to memory of 5040	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2972 wrote to memory of 5040	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2972 wrote to memory of 4952	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2972 wrote to memory of 4952	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2972 wrote to memory of 808	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2972 wrote to memory of 808	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2972 wrote to memory of 2776	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2972 wrote to memory of 2776	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2972 wrote to memory of 3976	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2972 wrote to memory of 3976	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2972 wrote to memory of 4564	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2972 wrote to memory of 4564	2972	2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_b54ee0638dd41e55897b53d2d9af5065_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\System\wgRXajM.exe
  C:\Windows\System\wgRXajM.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\HhOpXZA.exe
  C:\Windows\System\HhOpXZA.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\EOpwPqI.exe
  C:\Windows\System\EOpwPqI.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\HXgNTcc.exe
  C:\Windows\System\HXgNTcc.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\FTCsuQB.exe
  C:\Windows\System\FTCsuQB.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\cQcTYcX.exe
  C:\Windows\System\cQcTYcX.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\oSgjwWM.exe
  C:\Windows\System\oSgjwWM.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\MOpgTGy.exe
  C:\Windows\System\MOpgTGy.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\qKIlOms.exe
  C:\Windows\System\qKIlOms.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\EyYqzCB.exe
  C:\Windows\System\EyYqzCB.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\hShceIV.exe
  C:\Windows\System\hShceIV.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\puSDCaG.exe
  C:\Windows\System\puSDCaG.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\bYPYkyT.exe
  C:\Windows\System\bYPYkyT.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\oqIYJEr.exe
  C:\Windows\System\oqIYJEr.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\UOnsmOS.exe
  C:\Windows\System\UOnsmOS.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\WzuTmoM.exe
  C:\Windows\System\WzuTmoM.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\AYPEfvX.exe
  C:\Windows\System\AYPEfvX.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\fyLmOyd.exe
  C:\Windows\System\fyLmOyd.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\UhgkRqp.exe
  C:\Windows\System\UhgkRqp.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\wZdXBQL.exe
  C:\Windows\System\wZdXBQL.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\cFUNIek.exe
  C:\Windows\System\cFUNIek.exe
  2⤵
  - Executes dropped EXE
  PID:4564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AYPEfvX.exe

Filesize
5.2MB

MD5
5d277a20c115d33c6584c3d8c31f084e

SHA1
29099aa8495216492dbfc703cc94680946b7eebb

SHA256
c089f397764e48abdbb2b7a735864b8000d2e9a0449ad7bfbc40174ff804ec3d

SHA512
a98b69d4320786e8e6191c7a30ae952b8df0e4504fd3ff657b34afe35f2a9e50d342ba412f1d887501a350574776105471e204db68e4dbe6e166b863a6aac6c1

Download Submit
C:\Windows\System\EOpwPqI.exe

Filesize
5.2MB

MD5
e72ba58db8853fff108fe838578b6ce1

SHA1
ce97706facc6df37210c61a92c99673e084cba72

SHA256
82de6b9fda66bc9caa70c5a763b985b594090e0dc6f25f67f727c2d3c78ce4a7

SHA512
4cfb00cde9fa6c508cd6517033ef9c707a1c47a26b7d67cde796b96ac7bef9a80caa45ce7d927206c133b93c0db1a1d23cccf81aad4d633cfe0d005911003043

Download Submit
C:\Windows\System\EyYqzCB.exe

Filesize
5.2MB

MD5
d6abb264b1298403f53273c5742327b0

SHA1
49934bb6b6f7064e195fc431df4cb022fb6aa138

SHA256
040120f75ddf1024fe1162c740227606ffbb27a2a266e5df129e1a75c50f6d32

SHA512
fedb56fd90eda5016258146397a4bd64e3fb46d9dd530193f430e6f0151a2aed81651e364a609ce3664d3f18dd8ba5dd0e50883beba73ae4cf37635954f14b26

Download Submit
C:\Windows\System\FTCsuQB.exe

Filesize
5.2MB

MD5
c645915135dbc68dc44409db7fdf2146

SHA1
f91fc096aefb4f530f24ae3b62f811861490edcf

SHA256
89b172363d221e8e47f5e1a5ffe2682d27ce078e4558271c2682082349cf8e4a

SHA512
4a1714c14e8051800d4c4eae330e3d38c8a8d048d09a60847ec85787a1c8b86d0697b21cf2251a4337d5193e02516b78a54e9072d7c8e7c4712b22b892c5ebe5

Download Submit
C:\Windows\System\HXgNTcc.exe

Filesize
5.2MB

MD5
f6932c02bf7e0e1b43bf64570e3a3c3a

SHA1
12ca2ca93d4995dcfb6fb930a5445f41f916e11a

SHA256
f633c2b91907306804134326fbfd05f2d42b5da4010220b061134ecd494e7bb5

SHA512
ecada1f3b3c4bf11d36aac165abdc861b2e3038f30b428d42923fe67301956ba339f6fd0f19d59d83aabf2ff02a1431ec4c8f238551d0cdcedea3bb19699deaa

Download Submit
C:\Windows\System\HhOpXZA.exe

Filesize
5.2MB

MD5
bbe3c3f92c79ba92f589a1433792edcf

SHA1
efbffd74e840c53a2216f13ebbceda905bd82d3b

SHA256
e19fca96af735bbc63599dc341f3a64ed03371aa2b24458b2a7e293c77e945c5

SHA512
7471046ba894565e6ffd1eba4535af7edd8a21c26364235272c0c4a967ca2e50b421ff953f4975feeb4ee297ba64c9407a193e022a61d38f868a9e9b08e91d52

Download Submit
C:\Windows\System\MOpgTGy.exe

Filesize
5.2MB

MD5
af3701a91d93b25c087555e8d21e9e07

SHA1
ee99bf7321fc6ced245a426d70145c961fa854f2

SHA256
a79a8e6932d0999e6db4aec22899a65ae84dffe564a33d65cf40a14a25e26c35

SHA512
73e1d8bb099376a0c2b321be242764d87623e80555ce42b011c03934243c79dc77a3ae6d42a4e123da0abd64e505d1e14d78f8a521be1192be30740eaf8124b5

Download Submit
C:\Windows\System\UOnsmOS.exe

Filesize
5.2MB

MD5
1e4a649ec28ff7107e7f8ca45f9cb727

SHA1
db4bff6a80afbf3694aa6582a1b5ffee32d7e241

SHA256
baabd2de81a953d443e0cef55ccff69b8cf765ebcedfbc1c7121d5eab1560630

SHA512
10ebb03b85ed82b1821ed2151d67f8a9f5794c3764020583c62df9de052c97de2825da9c4535bad5779b8f746e14cd7418bda726038ac070ab141200716f225f

Download Submit
C:\Windows\System\UhgkRqp.exe

Filesize
5.2MB

MD5
abd9fbd24a2fae8bd39008424fa2961a

SHA1
9ee90d726220793bc378cd38538e7f6b0ee93f10

SHA256
8f5f472a047138fb43f8361035935210204c78270fba74222939bb034163e9d0

SHA512
c4a7f06db9af6d6572e2d3840d2be0a81932210284a36bab6b8bc018945b921bc895b9d32b58ee9fc4bb11e4dfc4805312f8ebdc30a85ca75616582ab3cf598f

Download Submit
C:\Windows\System\WzuTmoM.exe

Filesize
5.2MB

MD5
172337364adf2cf91b4568b7ed009fcb

SHA1
81ba51a204a86a3e09cee82337af7a7ed7721b40

SHA256
7ce7e5ace55a6eeb33cc4eadfc6b9207a4b252825a3d4f2f4066dd17646d2577

SHA512
053a1c1dab4048ff4f619b7596c0b832e17aaee2357d1a04459db54ec09f054d3298f1fd90fd7495344ce0b57aa67b5b660604ea1f229050134d84efddc1d461

Download Submit
C:\Windows\System\bYPYkyT.exe

Filesize
5.2MB

MD5
15d471a3a10c0b93b78ea011215a69c7

SHA1
0e68c220fc38424f5f176edc9058f9a9a1352e05

SHA256
f20eb12a684639794a768216e253f631c98fee0d8293cf4f1b8cab7d15945477

SHA512
67800807e96eefd4f0b3e69875117f7fe8dd3b745a369eda97e870d57b3eb06165c2faefbc878048e30e5359faf90eb8f3cb52f2b8ed0c312df1f87ca51cefce

Download Submit
C:\Windows\System\cFUNIek.exe

Filesize
5.2MB

MD5
e6720d5f075c25cce608dfe099f3a947

SHA1
2e7c821b37610690b7adcef23009e58fca782533

SHA256
617a4567f66deee415ffe5c6b3c0d5a5c1fed3d776d04247d93d7bc106dd3ed0

SHA512
1d226e4cb546243b4052c24ac9275cc5f948c0a8c1bdf9d61f456f9c5a19a9fb91daec72c0a87be7e0069c44e580f832477306d208deed0ec7b60baa3061ee96

Download Submit
C:\Windows\System\cQcTYcX.exe

Filesize
5.2MB

MD5
9c7ebdbcf49b21e3d5dbb75f00d3c572

SHA1
7b7524d647c1385ad4128751d82860b192ca45f1

SHA256
0900f49e40d50570d5460858e34f5ad1f7184d891497e25519e859095711106f

SHA512
15886431edcb05bf4427a05b2887e9a66f88b678512ff50d9a0d0acb25f21d73ce0b0c89d2a2187fcf422e17128b3efbe87df79758f7ecbf2746aea16dbda58d

Download Submit
C:\Windows\System\fyLmOyd.exe

Filesize
5.2MB

MD5
b35850147ddfe221e591ce14cb1a072e

SHA1
beb875c4d26340ec67a825496d47f7e18d4db6c8

SHA256
39a3f9b04661a59e90463c516f2047b514fbcb4532f251bd875645660a87bf20

SHA512
079704159c5f9b58bc45d9057e956c508c5927d029802a874d5b64ac2d3af170bf223cd7630e562b494cec4f2c27d644e8705198401d5455577c012cc0c3e2e1

Download Submit
C:\Windows\System\hShceIV.exe

Filesize
5.2MB

MD5
5d60e7fbf608578aa760ab1ba8a060df

SHA1
3af88bb18f289683984b84514a27d122df36be6e

SHA256
0d4abad3079356b826302297c5d9ffa6ac0efe5c0be841fdccf4ef2a1a0fe4dc

SHA512
5d09ec452c0e5118eec4c80d58b1e9bba1153dbac54329de1d6348cc484171a2a8ab228e449de4b48567ed39c41f5462edc8e3aa2f5c9eca51a90d97cf74379a

Download Submit
C:\Windows\System\oSgjwWM.exe

Filesize
5.2MB

MD5
085eae30678d69153f04ed5a882b8f0b

SHA1
1c52b59f874fde14702f60bcb703a93f930759ad

SHA256
21b2afa4b2bd3f12516c92481ce12afbe01ccfcee230ca79bf013300c1f269e5

SHA512
3aeee3596fa3a58390ebd1380f587b83af299031565d05275a66292c35d299492f2d8fbbb5a305a98d94a77c3904c9b80399cf2a52f34ae1b1d171539b3bb9a1

Download Submit
C:\Windows\System\oqIYJEr.exe

Filesize
5.2MB

MD5
223f80305aedc8153b34270245f2091e

SHA1
66698248cbc0f06ede6de1a77375c16a69eee9e4

SHA256
49cafadf76d157eaaac003cb39d87dd3fca726a9285ca95c5bc325a539e91c15

SHA512
e78d0b7af6d19b233283a430101abeb0c8e84c279b441f984f6fb6ab214de80e976c1c42ef6ac9c3278eea8e739d1b1088eb20dc3e06cc84f1cf7e099a264db1

Download Submit
C:\Windows\System\puSDCaG.exe

Filesize
5.2MB

MD5
06a5b094023e73e2f2a9548f0befd8a7

SHA1
186f83f7ebf38ca146567aeea8250df12dc05556

SHA256
9636041be7120cc57e79be98cc3572be8116361f2d64b89fbf9da8cddda16f1d

SHA512
d7be5f7bd981a13a8ef5666f68009ede029b5c90eaac3d9c5100bf3e12fc81d9584b9312a8e16ebfbd79a5cc983caadc31bdf11f658d18076f25c9a8516e8107

Download Submit
C:\Windows\System\qKIlOms.exe

Filesize
5.2MB

MD5
2aa4bb5f154fdd3692122cb62536093d

SHA1
db5e14d7b9418419d22715b08b5829b60448c929

SHA256
5eda30204481754fb8109dc4c634ad9cb5b92a55a056a4e8fb76c452d8b70591

SHA512
31244990b909a5275f8bdd9190f9e1484ad487aef4c7f82a2332fd20eb9430f9efc65e65ad795ac29e716117503060a921e63da1b1b5b43db0fe67f4f1c01246

Download Submit
C:\Windows\System\wZdXBQL.exe

Filesize
5.2MB

MD5
fc2f8e9527a8df14eb418a1e7148c021

SHA1
ae6437779bbf3f8133ad9a654d06191141600ade

SHA256
f0821f01abead069e54e0e3c0ba63486c18c2aad604944654aaac0abd72cc45b

SHA512
d01183cb984a68f422b5f734781ff513264f4de4581f75b592dcb25804c2d3d9e6cb81349f645b71cc91313d9af8ab3813758e0e80c4c7d9093b2c4f5a7e5ae2

Download Submit
C:\Windows\System\wgRXajM.exe

Filesize
5.2MB

MD5
c5e43a13d9fe96aeb093ce69eaa2e85a

SHA1
9d91f00f4b571f4bfc03ae8a773e878928f84e16

SHA256
2948057e4355a12a3ca7112a9067bfb5418c7e3e4c32d37f309af31e96387cb0

SHA512
94e7c652c7f3ccb92e933c48424e5a7219a10ef1a2a3856001f49e76fecfb01fec1f245e22752f7c4a5fa9adb467affe708249365147cd6466a15f2a13e3b983

Download Submit
memory/808-255-0x00007FF690090000-0x00007FF6903E1000-memory.dmp

Filesize
3.3MB

Download
memory/808-123-0x00007FF690090000-0x00007FF6903E1000-memory.dmp

Filesize
3.3MB

Download
memory/976-251-0x00007FF60E9D0000-0x00007FF60ED21000-memory.dmp

Filesize
3.3MB

Download
memory/976-121-0x00007FF60E9D0000-0x00007FF60ED21000-memory.dmp

Filesize
3.3MB

Download
memory/1276-147-0x00007FF7F87F0000-0x00007FF7F8B41000-memory.dmp

Filesize
3.3MB

Download
memory/1276-94-0x00007FF7F87F0000-0x00007FF7F8B41000-memory.dmp

Filesize
3.3MB

Download
memory/1276-247-0x00007FF7F87F0000-0x00007FF7F8B41000-memory.dmp

Filesize
3.3MB

Download
memory/1452-225-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-135-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-35-0x00007FF6A7180000-0x00007FF6A74D1000-memory.dmp

Filesize
3.3MB

Download
memory/1720-77-0x00007FF774510000-0x00007FF774861000-memory.dmp

Filesize
3.3MB

Download
memory/1720-241-0x00007FF774510000-0x00007FF774861000-memory.dmp

Filesize
3.3MB

Download
memory/1720-142-0x00007FF774510000-0x00007FF774861000-memory.dmp

Filesize
3.3MB

Download
memory/1888-140-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-26-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-220-0x00007FF65EA50000-0x00007FF65EDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-245-0x00007FF6A6B70000-0x00007FF6A6EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-145-0x00007FF6A6B70000-0x00007FF6A6EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-78-0x00007FF6A6B70000-0x00007FF6A6EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-20-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp

Filesize
3.3MB

Download
memory/2380-217-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp

Filesize
3.3MB

Download
memory/2380-139-0x00007FF6B4010000-0x00007FF6B4361000-memory.dmp

Filesize
3.3MB

Download
memory/2396-223-0x00007FF676B70000-0x00007FF676EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-53-0x00007FF676B70000-0x00007FF676EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-254-0x00007FF686730000-0x00007FF686A81000-memory.dmp

Filesize
3.3MB

Download
memory/2776-124-0x00007FF686730000-0x00007FF686A81000-memory.dmp

Filesize
3.3MB

Download
memory/2972-128-0x00007FF78B330000-0x00007FF78B681000-memory.dmp

Filesize
3.3MB

Download
memory/2972-0-0x00007FF78B330000-0x00007FF78B681000-memory.dmp

Filesize
3.3MB

Download
memory/2972-1-0x00000293327E0000-0x00000293327F0000-memory.dmp

Filesize
64KB

Download
memory/2972-154-0x00007FF78B330000-0x00007FF78B681000-memory.dmp

Filesize
3.3MB

Download
memory/2972-130-0x00007FF78B330000-0x00007FF78B681000-memory.dmp

Filesize
3.3MB

Download
memory/3160-133-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp

Filesize
3.3MB

Download
memory/3160-221-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp

Filesize
3.3MB

Download
memory/3160-34-0x00007FF6EA6D0000-0x00007FF6EAA21000-memory.dmp

Filesize
3.3MB

Download
memory/3872-237-0x00007FF7ACA20000-0x00007FF7ACD71000-memory.dmp

Filesize
3.3MB

Download
memory/3872-119-0x00007FF7ACA20000-0x00007FF7ACD71000-memory.dmp

Filesize
3.3MB

Download
memory/3976-125-0x00007FF77ED40000-0x00007FF77F091000-memory.dmp

Filesize
3.3MB

Download
memory/3976-257-0x00007FF77ED40000-0x00007FF77F091000-memory.dmp

Filesize
3.3MB

Download
memory/4128-146-0x00007FF7741D0000-0x00007FF774521000-memory.dmp

Filesize
3.3MB

Download
memory/4128-80-0x00007FF7741D0000-0x00007FF774521000-memory.dmp

Filesize
3.3MB

Download
memory/4128-244-0x00007FF7741D0000-0x00007FF774521000-memory.dmp

Filesize
3.3MB

Download
memory/4468-239-0x00007FF695F80000-0x00007FF6962D1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-138-0x00007FF695F80000-0x00007FF6962D1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-69-0x00007FF695F80000-0x00007FF6962D1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-229-0x00007FF63C200000-0x00007FF63C551000-memory.dmp

Filesize
3.3MB

Download
memory/4476-120-0x00007FF63C200000-0x00007FF63C551000-memory.dmp

Filesize
3.3MB

Download
memory/4564-126-0x00007FF692700000-0x00007FF692A51000-memory.dmp

Filesize
3.3MB

Download
memory/4564-259-0x00007FF692700000-0x00007FF692A51000-memory.dmp

Filesize
3.3MB

Download
memory/4708-215-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-129-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-7-0x00007FF66A970000-0x00007FF66ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-127-0x00007FF7897E0000-0x00007FF789B31000-memory.dmp

Filesize
3.3MB

Download
memory/4952-261-0x00007FF7897E0000-0x00007FF789B31000-memory.dmp

Filesize
3.3MB

Download
memory/5004-227-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp

Filesize
3.3MB

Download
memory/5004-41-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp

Filesize
3.3MB

Download
memory/5004-136-0x00007FF62E3F0000-0x00007FF62E741000-memory.dmp

Filesize
3.3MB

Download
memory/5040-122-0x00007FF6DDEF0000-0x00007FF6DE241000-memory.dmp

Filesize
3.3MB

Download
memory/5040-250-0x00007FF6DDEF0000-0x00007FF6DE241000-memory.dmp

Filesize
3.3MB

Download