cobaltstrike | e65800bb18284bdb00cc599add54d0475bbc201cf326bed13384ea1003b357f5

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 13:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

10a8e01d3bee78abb96e5654a397f7f4
SHA1

e15e45c1eca19395944df45fdf352255651ed654
SHA256

e65800bb18284bdb00cc599add54d0475bbc201cf326bed13384ea1003b357f5
SHA512

8e34d9bfc7533a67888b870ffbe86fb3f70fd38053c56c3cf8a0ca8075e7443c5efa68ff7468ecdce34b56008f24d5711bf04b70aa1c2db642ac737c606c8c6d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ly:RWWBibf56utgpPFotBER/mQ32lU+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002344f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-36.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-86.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-70.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-96.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023450-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-119.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3064-90-0x00007FF6AA480000-0x00007FF6AA7D1000-memory.dmp	xmrig
behavioral2/memory/5068-80-0x00007FF65F000000-0x00007FF65F351000-memory.dmp	xmrig
behavioral2/memory/4224-93-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp	xmrig
behavioral2/memory/4356-115-0x00007FF72A210000-0x00007FF72A561000-memory.dmp	xmrig
behavioral2/memory/4952-131-0x00007FF714230000-0x00007FF714581000-memory.dmp	xmrig
behavioral2/memory/4028-130-0x00007FF7AD3C0000-0x00007FF7AD711000-memory.dmp	xmrig
behavioral2/memory/3352-125-0x00007FF7D9CD0000-0x00007FF7DA021000-memory.dmp	xmrig
behavioral2/memory/3364-124-0x00007FF7A0D00000-0x00007FF7A1051000-memory.dmp	xmrig
behavioral2/memory/1272-113-0x00007FF707FC0000-0x00007FF708311000-memory.dmp	xmrig
behavioral2/memory/2972-108-0x00007FF672010000-0x00007FF672361000-memory.dmp	xmrig
behavioral2/memory/5064-102-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp	xmrig
behavioral2/memory/2104-99-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp	xmrig
behavioral2/memory/4388-135-0x00007FF75F210000-0x00007FF75F561000-memory.dmp	xmrig
behavioral2/memory/4224-137-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp	xmrig
behavioral2/memory/940-136-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp	xmrig
behavioral2/memory/3596-138-0x00007FF613FD0000-0x00007FF614321000-memory.dmp	xmrig
behavioral2/memory/3348-152-0x00007FF7BBC80000-0x00007FF7BBFD1000-memory.dmp	xmrig
behavioral2/memory/3564-154-0x00007FF6597E0000-0x00007FF659B31000-memory.dmp	xmrig
behavioral2/memory/4968-153-0x00007FF754E60000-0x00007FF7551B1000-memory.dmp	xmrig
behavioral2/memory/1496-149-0x00007FF674B70000-0x00007FF674EC1000-memory.dmp	xmrig
behavioral2/memory/3996-156-0x00007FF66C880000-0x00007FF66CBD1000-memory.dmp	xmrig
behavioral2/memory/4340-161-0x00007FF6F64C0000-0x00007FF6F6811000-memory.dmp	xmrig
behavioral2/memory/3984-160-0x00007FF7B7180000-0x00007FF7B74D1000-memory.dmp	xmrig
behavioral2/memory/4224-162-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp	xmrig
behavioral2/memory/2104-213-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp	xmrig
behavioral2/memory/5064-215-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp	xmrig
behavioral2/memory/1272-228-0x00007FF707FC0000-0x00007FF708311000-memory.dmp	xmrig
behavioral2/memory/3364-230-0x00007FF7A0D00000-0x00007FF7A1051000-memory.dmp	xmrig
behavioral2/memory/3352-232-0x00007FF7D9CD0000-0x00007FF7DA021000-memory.dmp	xmrig
behavioral2/memory/4028-234-0x00007FF7AD3C0000-0x00007FF7AD711000-memory.dmp	xmrig
behavioral2/memory/4388-236-0x00007FF75F210000-0x00007FF75F561000-memory.dmp	xmrig
behavioral2/memory/3564-240-0x00007FF6597E0000-0x00007FF659B31000-memory.dmp	xmrig
behavioral2/memory/940-239-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp	xmrig
behavioral2/memory/3596-245-0x00007FF613FD0000-0x00007FF614321000-memory.dmp	xmrig
behavioral2/memory/5068-246-0x00007FF65F000000-0x00007FF65F351000-memory.dmp	xmrig
behavioral2/memory/1496-243-0x00007FF674B70000-0x00007FF674EC1000-memory.dmp	xmrig
behavioral2/memory/3348-248-0x00007FF7BBC80000-0x00007FF7BBFD1000-memory.dmp	xmrig
behavioral2/memory/3064-250-0x00007FF6AA480000-0x00007FF6AA7D1000-memory.dmp	xmrig
behavioral2/memory/4968-252-0x00007FF754E60000-0x00007FF7551B1000-memory.dmp	xmrig
behavioral2/memory/2972-259-0x00007FF672010000-0x00007FF672361000-memory.dmp	xmrig
behavioral2/memory/4356-261-0x00007FF72A210000-0x00007FF72A561000-memory.dmp	xmrig
behavioral2/memory/3996-263-0x00007FF66C880000-0x00007FF66CBD1000-memory.dmp	xmrig
behavioral2/memory/3984-266-0x00007FF7B7180000-0x00007FF7B74D1000-memory.dmp	xmrig
behavioral2/memory/4952-267-0x00007FF714230000-0x00007FF714581000-memory.dmp	xmrig
behavioral2/memory/4340-269-0x00007FF6F64C0000-0x00007FF6F6811000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2104	miXePfR.exe
5064	TPtABZl.exe
1272	BoTgGGi.exe
3364	qGlpSTU.exe
3352	FFvNMqD.exe
4028	VsODnNo.exe
4388	FkAzlRT.exe
940	PppeDhE.exe
3564	LythCpE.exe
3596	TRMAmAA.exe
1496	JlOdExj.exe
5068	pVgmWRS.exe
3064	ZyJtSjV.exe
3348	lsErAop.exe
4968	xDxSzeo.exe
2972	zNEZOVH.exe
4356	BbOObes.exe
3996	gcjoHIC.exe
3984	JGwcawl.exe
4952	BZPxBKx.exe
4340	jdcVGNA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4224-0-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp	upx
behavioral2/files/0x000800000002344f-5.dat	upx
behavioral2/memory/2104-8-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp	upx
behavioral2/files/0x0007000000023453-10.dat	upx
behavioral2/files/0x0007000000023455-20.dat	upx
behavioral2/memory/1272-23-0x00007FF707FC0000-0x00007FF708311000-memory.dmp	upx
behavioral2/memory/3364-26-0x00007FF7A0D00000-0x00007FF7A1051000-memory.dmp	upx
behavioral2/files/0x0007000000023456-32.dat	upx
behavioral2/files/0x0007000000023458-34.dat	upx
behavioral2/files/0x0007000000023457-36.dat	upx
behavioral2/memory/4028-42-0x00007FF7AD3C0000-0x00007FF7AD711000-memory.dmp	upx
behavioral2/files/0x000700000002345a-46.dat	upx
behavioral2/memory/940-57-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp	upx
behavioral2/files/0x000700000002345f-77.dat	upx
behavioral2/memory/3348-84-0x00007FF7BBC80000-0x00007FF7BBFD1000-memory.dmp	upx
behavioral2/memory/3064-90-0x00007FF6AA480000-0x00007FF6AA7D1000-memory.dmp	upx
behavioral2/files/0x0007000000023460-91.dat	upx
behavioral2/files/0x000700000002345e-86.dat	upx
behavioral2/memory/4968-85-0x00007FF754E60000-0x00007FF7551B1000-memory.dmp	upx
behavioral2/memory/5068-80-0x00007FF65F000000-0x00007FF65F351000-memory.dmp	upx
behavioral2/memory/1496-79-0x00007FF674B70000-0x00007FF674EC1000-memory.dmp	upx
behavioral2/files/0x000700000002345b-74.dat	upx
behavioral2/memory/3596-72-0x00007FF613FD0000-0x00007FF614321000-memory.dmp	upx
behavioral2/files/0x000700000002345d-70.dat	upx
behavioral2/memory/3564-66-0x00007FF6597E0000-0x00007FF659B31000-memory.dmp	upx
behavioral2/files/0x000700000002345c-75.dat	upx
behavioral2/files/0x0007000000023459-54.dat	upx
behavioral2/memory/4388-49-0x00007FF75F210000-0x00007FF75F561000-memory.dmp	upx
behavioral2/memory/3352-38-0x00007FF7D9CD0000-0x00007FF7DA021000-memory.dmp	upx
behavioral2/files/0x0007000000023454-21.dat	upx
behavioral2/memory/5064-19-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp	upx
behavioral2/memory/4224-93-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp	upx
behavioral2/files/0x0007000000023461-96.dat	upx
behavioral2/files/0x0008000000023450-103.dat	upx
behavioral2/files/0x0007000000023464-116.dat	upx
behavioral2/memory/4356-115-0x00007FF72A210000-0x00007FF72A561000-memory.dmp	upx
behavioral2/files/0x0007000000023465-127.dat	upx
behavioral2/memory/4952-131-0x00007FF714230000-0x00007FF714581000-memory.dmp	upx
behavioral2/memory/4028-130-0x00007FF7AD3C0000-0x00007FF7AD711000-memory.dmp	upx
behavioral2/memory/3352-125-0x00007FF7D9CD0000-0x00007FF7DA021000-memory.dmp	upx
behavioral2/memory/3364-124-0x00007FF7A0D00000-0x00007FF7A1051000-memory.dmp	upx
behavioral2/memory/4340-134-0x00007FF6F64C0000-0x00007FF6F6811000-memory.dmp	upx
behavioral2/files/0x0007000000023463-122.dat	upx
behavioral2/files/0x0007000000023462-119.dat	upx
behavioral2/memory/3984-118-0x00007FF7B7180000-0x00007FF7B74D1000-memory.dmp	upx
behavioral2/memory/3996-117-0x00007FF66C880000-0x00007FF66CBD1000-memory.dmp	upx
behavioral2/memory/1272-113-0x00007FF707FC0000-0x00007FF708311000-memory.dmp	upx
behavioral2/memory/2972-108-0x00007FF672010000-0x00007FF672361000-memory.dmp	upx
behavioral2/memory/5064-102-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp	upx
behavioral2/memory/2104-99-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp	upx
behavioral2/memory/4388-135-0x00007FF75F210000-0x00007FF75F561000-memory.dmp	upx
behavioral2/memory/4224-137-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp	upx
behavioral2/memory/940-136-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp	upx
behavioral2/memory/3596-138-0x00007FF613FD0000-0x00007FF614321000-memory.dmp	upx
behavioral2/memory/3348-152-0x00007FF7BBC80000-0x00007FF7BBFD1000-memory.dmp	upx
behavioral2/memory/3564-154-0x00007FF6597E0000-0x00007FF659B31000-memory.dmp	upx
behavioral2/memory/4968-153-0x00007FF754E60000-0x00007FF7551B1000-memory.dmp	upx
behavioral2/memory/1496-149-0x00007FF674B70000-0x00007FF674EC1000-memory.dmp	upx
behavioral2/memory/3996-156-0x00007FF66C880000-0x00007FF66CBD1000-memory.dmp	upx
behavioral2/memory/4340-161-0x00007FF6F64C0000-0x00007FF6F6811000-memory.dmp	upx
behavioral2/memory/3984-160-0x00007FF7B7180000-0x00007FF7B74D1000-memory.dmp	upx
behavioral2/memory/4224-162-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp	upx
behavioral2/memory/2104-213-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp	upx
behavioral2/memory/5064-215-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FFvNMqD.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LythCpE.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\miXePfR.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BoTgGGi.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JlOdExj.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lsErAop.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xDxSzeo.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jdcVGNA.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FkAzlRT.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TRMAmAA.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gcjoHIC.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZyJtSjV.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BbOObes.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VsODnNo.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PppeDhE.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pVgmWRS.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zNEZOVH.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BZPxBKx.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JGwcawl.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPtABZl.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qGlpSTU.exe	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2104	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4224 wrote to memory of 2104	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4224 wrote to memory of 5064	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4224 wrote to memory of 5064	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4224 wrote to memory of 1272	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4224 wrote to memory of 1272	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4224 wrote to memory of 3364	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4224 wrote to memory of 3364	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4224 wrote to memory of 4028	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4224 wrote to memory of 4028	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4224 wrote to memory of 3352	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4224 wrote to memory of 3352	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4224 wrote to memory of 4388	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4224 wrote to memory of 4388	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4224 wrote to memory of 940	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4224 wrote to memory of 940	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4224 wrote to memory of 3564	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4224 wrote to memory of 3564	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4224 wrote to memory of 3596	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4224 wrote to memory of 3596	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4224 wrote to memory of 1496	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4224 wrote to memory of 1496	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4224 wrote to memory of 5068	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4224 wrote to memory of 5068	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4224 wrote to memory of 3064	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4224 wrote to memory of 3064	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4224 wrote to memory of 3348	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4224 wrote to memory of 3348	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4224 wrote to memory of 4968	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4224 wrote to memory of 4968	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4224 wrote to memory of 2972	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4224 wrote to memory of 2972	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4224 wrote to memory of 4356	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4224 wrote to memory of 4356	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4224 wrote to memory of 3996	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4224 wrote to memory of 3996	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4224 wrote to memory of 4952	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4224 wrote to memory of 4952	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4224 wrote to memory of 3984	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4224 wrote to memory of 3984	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4224 wrote to memory of 4340	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4224 wrote to memory of 4340	4224	2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_10a8e01d3bee78abb96e5654a397f7f4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\System\miXePfR.exe
  C:\Windows\System\miXePfR.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\TPtABZl.exe
  C:\Windows\System\TPtABZl.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\BoTgGGi.exe
  C:\Windows\System\BoTgGGi.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\qGlpSTU.exe
  C:\Windows\System\qGlpSTU.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\VsODnNo.exe
  C:\Windows\System\VsODnNo.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\FFvNMqD.exe
  C:\Windows\System\FFvNMqD.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\FkAzlRT.exe
  C:\Windows\System\FkAzlRT.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\PppeDhE.exe
  C:\Windows\System\PppeDhE.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\LythCpE.exe
  C:\Windows\System\LythCpE.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\TRMAmAA.exe
  C:\Windows\System\TRMAmAA.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\JlOdExj.exe
  C:\Windows\System\JlOdExj.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\pVgmWRS.exe
  C:\Windows\System\pVgmWRS.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\ZyJtSjV.exe
  C:\Windows\System\ZyJtSjV.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\lsErAop.exe
  C:\Windows\System\lsErAop.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\xDxSzeo.exe
  C:\Windows\System\xDxSzeo.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\zNEZOVH.exe
  C:\Windows\System\zNEZOVH.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\BbOObes.exe
  C:\Windows\System\BbOObes.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\gcjoHIC.exe
  C:\Windows\System\gcjoHIC.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\BZPxBKx.exe
  C:\Windows\System\BZPxBKx.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\JGwcawl.exe
  C:\Windows\System\JGwcawl.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\jdcVGNA.exe
  C:\Windows\System\jdcVGNA.exe
  2⤵
  - Executes dropped EXE
  PID:4340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BZPxBKx.exe

Filesize
5.2MB

MD5
f26920063a3a3da983a8686244dd0f98

SHA1
30b2ca78603f641aac65c9756ea923d499a9aa2e

SHA256
2c376a4ef69a8bea55069107e334c9920ae180b59ffd9e5948dc5e27d147c9e6

SHA512
8d12f7fbd43950a85c47b2bb247d597f03f1aecd2ca5987fe612981c2b8bfb33f1f52e8aedaab829a36131e97d15f6a6715eeef39660a6279800b1e27af23889

Download Submit
C:\Windows\System\BbOObes.exe

Filesize
5.2MB

MD5
627f13861f8786cfb2084e38da89949b

SHA1
6dc115be0409db5887c4f99d813b7cbda68bc32f

SHA256
126e855e3f6ac748ca34545f1d2a73c190ae945d91a7188db86a4c15ffdf87d2

SHA512
20c75c31cdf8b24783ecabe4a317eef4ea31a9ddf9fc8a24403826e1cd54ba4c7e8f126c76e720775be0566f9eb6a1064ef307666666e16543680a116942f029

Download Submit
C:\Windows\System\BoTgGGi.exe

Filesize
5.2MB

MD5
734845b535f1d24cab6c9e1064a167e5

SHA1
18c3f803a70002e0593fd51fc530472bfb5909e9

SHA256
6d4ff03cc857b107a9cb1ae56221df8b34244a8beaca8306d8b48f773af53598

SHA512
f46c4367a11d7856d184ed0cf4cfddf4fe4c5675884234431dbe39cb4d85e36e86e9e56692acdb6683be5e7e8d86898ddd41b506435d87c6b4830c0735ffa997

Download Submit
C:\Windows\System\FFvNMqD.exe

Filesize
5.2MB

MD5
1003f205279d184d410bcfd1ce8485a8

SHA1
526d83d0e63bcbda3fc5790ed82b5c715fc55150

SHA256
4bfd6874f92dd96297ba175aff822113051b975f1772ffcc529403d39bfe6d19

SHA512
7c7134e27867aa20257dbb2ef944030825f48b9db3c6f96525c09e1c83c10f08fb2a5719bf9722deb5fe930d99561da1d01e34a5b22fd1f6190f8699ede562a6

Download Submit
C:\Windows\System\FkAzlRT.exe

Filesize
5.2MB

MD5
bc44c9f60f28e64e8a8a10dfa28bfe70

SHA1
e77a625492e413d557416328c762d161c74dc4df

SHA256
d629f416f5106cabace9cdac58a36efd89bc82c989db5bc3e5fc9780585a713e

SHA512
85d3a61cac432de3e68ab99163c6ca1e61faa39de871820d2e54d56f90a061e0fa0d78a4fac40d624c9e1c77b95bda4daf5caea4f382e714bedb945485b5be0e

Download Submit
C:\Windows\System\JGwcawl.exe

Filesize
5.2MB

MD5
bbb0a4793b88679a1278b25db88e56cc

SHA1
dadd9369d43035718e642f051e0841f602ea3de1

SHA256
b239e14481ae49f7b0b1ed1224dcd2a81f68512c2da74c1610ea8febe52c0941

SHA512
5cb407cc505fe90892defbd5578bf47b260edebbb7f31e4e1fb5af90fef5db62d9f480852b8b9245cfc8ada531120c7d626361bcf746a6987c02ffb2efac1586

Download Submit
C:\Windows\System\JlOdExj.exe

Filesize
5.2MB

MD5
df1f11ac99789f584339aa9494e1ce57

SHA1
98bbb0340ac205fc27468a202179127203e5441c

SHA256
f392796aad9258f457f092703f719eb177b90a76de480f1b0aa3b0f64aa43ed0

SHA512
50c3058b1adfdfde1b024532e70a1967f7c68ba629033cef9ad2048bfc6d8b9fe7d33bb073620b99bc7f7b898b1e85abd0271a410f91ab36a1b42aaa29333b5a

Download Submit
C:\Windows\System\LythCpE.exe

Filesize
5.2MB

MD5
c5d6d8c06ca31c98ad6cb31beaa38fe9

SHA1
52468e7c037a1491e599f0c440aeef5e763bbc8a

SHA256
e297372472f968c508d2fce89068695cc03debcd514121849610d2c6a6899665

SHA512
ba94dde796ea8180977aeb5b2461517d641f025ae5e6d8585c64721b40c81c58644e4fe89488863346eda382042eece001daea525c956731754ea49358a1d44c

Download Submit
C:\Windows\System\PppeDhE.exe

Filesize
5.2MB

MD5
a9138009b5a60e53a518bd5d92f497b3

SHA1
70bae1f7b04b8f4f8d903c79bab49e5df18f12f4

SHA256
9a0adb64e03e6c059d75fe56b4afc7f3becea14b5d8e9370025839a0aeef03ab

SHA512
93d41e8d504fdc7774596117a89786d9e45c0e07ef5caddc83e4b807e52374022bdcca3ce2676d1632d9e40eda51c2cb3310587e8ec7d487b89a3e26a240f53f

Download Submit
C:\Windows\System\TPtABZl.exe

Filesize
5.2MB

MD5
86fca413275965c9d0365836fc29d172

SHA1
5a8bfa07ceec2bad504ee7507256d01c0ba4e228

SHA256
c646c2db122f3cc87b1ee5c9c3330dadce926cf8adbc7ea2e9414b0908522747

SHA512
d4663a4c0aef29dffb0e3afeccf4a0f3edf672d545f873630c13428f2bbe502146b25519f088f720778529de9420ab424a4c4f4cf0cefb7611f37818b21f2150

Download Submit
C:\Windows\System\TRMAmAA.exe

Filesize
5.2MB

MD5
14209819d2811c0c1f86bdcf06e0e410

SHA1
cd48ee7fbe551c8e8ef68d8b68833d20480fdcc6

SHA256
d1ae931afea1d388f9e7a8f945c5901f42ac74a6b2457470e01bcae4d09d81b8

SHA512
1f08e94372956e3adf1732b5e4c62e725af4c2a7b70a4b65eaf132485e9ad0cf33d9e2c91aef37f39e82d91ac55fe9b68544add659fc3fdb3b7b230241e58959

Download Submit
C:\Windows\System\VsODnNo.exe

Filesize
5.2MB

MD5
8a11b0ebab544e87f5f83c2d71de63fb

SHA1
35c3b7deb4e0b9899946748140f426861dbee346

SHA256
f32449c16ff4416a1f8df2f543a707beed479fc5f2aa82af0110fca0f86ffe63

SHA512
c91dc209da16b6ea0c533653e5c4accfb6dc959b67f39ddd7bd875bde78540331fb46ad7ba21798bff3360784cabb374611ad8b87f1c1bd168decb3efbfecc8c

Download Submit
C:\Windows\System\ZyJtSjV.exe

Filesize
5.2MB

MD5
cf3539ed50e1844c1b209d2e2d3b98ac

SHA1
cc0ee9255827be696c8e361ac395e3f5e6c11671

SHA256
2d362c8c8e2376bd7197db4830cfdbe80f5dd21af56becf98f2e62dd933f1789

SHA512
fab283c8527cbb3cd343bbc8ef15ce8ef136288eacab32b633cd2bf03af9f85f0c601fe93b228d1e60c9e1dbfda5747785d0cfb17dbdd8ddaf5caafb091af337

Download Submit
C:\Windows\System\gcjoHIC.exe

Filesize
5.2MB

MD5
11f2558dc8ce87dbd9fe5cadfbbfde9d

SHA1
98af8dc102a47d5275146d3a702fb59d525485d1

SHA256
e8e5df84d121e5ab05516ec4361d482adf47de211ce331fe668fb8b3e091a5de

SHA512
26222f0483fce7cdd7ceb3637af0ba975c03d8a918a941e6dfa62e36e4317cb0d89bd4d93e5d6b34ebec35fe7b5dfdf8fc5e6a114992101818ba489a19307d97

Download Submit
C:\Windows\System\jdcVGNA.exe

Filesize
5.2MB

MD5
792e91b0bb51b61e4499059a655fb466

SHA1
94577dca1e100571d710f78250fa6da02d712769

SHA256
e7b9edf784a32a3e5881bb45161c2f7eb8cf7b5a85c1262fa7b20d4af3b4fe87

SHA512
b635e07cfc4a8341750a2d64bc23228226b3dc3676aa6433bc2c70ef6c8a66bbedf81c01945d7eb65f4dd0e3d238a07c0a18a245858af7adc1b8f7320a05954c

Download Submit
C:\Windows\System\lsErAop.exe

Filesize
5.2MB

MD5
c88a2136782e6d7d327be788bdeb9f4b

SHA1
ca81bb4934c9800f15ce8aa947ecd7abfe039d4c

SHA256
37ade9bc5b22930e4f4ea7f3ab64e61db363393316cabd31a2ca5ca530779309

SHA512
acef0de2c81cb5cd4c1885f9d29e54dcb75985bee1bcf282eece2c283367b23ffa5a5bcd2c90d1a6321ba691edee4cb8848c4c9a3f7ea0e0f63a67a8604f805b

Download Submit
C:\Windows\System\miXePfR.exe

Filesize
5.2MB

MD5
e26948d1119785fb65448bbaedef187d

SHA1
9ba2c6a4ff385349934cbd6bd3672511fbb69572

SHA256
50ff7b6d8e07e3d6967bb1dd3f8f2c86405a7e2c35eabcb68c26e0adb34aa906

SHA512
ba63b9286c7862f7714afa724026e9278b2ad08d8b8dc8d800603dccbe546c356b1fad8e3dfb4607ec995da6f16c378dd9e80396626540d2f6db368b9f62a43f

Download Submit
C:\Windows\System\pVgmWRS.exe

Filesize
5.2MB

MD5
22e41fc250ebb20d73620d56e92006b1

SHA1
79d14e089347b1288ee32f8dd8659ddd193a1ae7

SHA256
d3670dde6daf3f350f3d5543670ea46a03389339985302ab5abf87cd4d87954c

SHA512
55984b574bfc2d1a8daf33964cab89e4dabd135f8556dab57a66a929996c4de5682227259e2bcb31283dc1faad229f390f7cc27a0e4ede5405f1327fb4576f09

Download Submit
C:\Windows\System\qGlpSTU.exe

Filesize
5.2MB

MD5
972f66052c5b95e526b13df9150c8d3c

SHA1
3af9bfbfa51a9836a420a417461201aaf4c44322

SHA256
b5b489d873d179af6f9bc102187cba5b829eaa4b0c470f378fa397253db95bde

SHA512
cf3d74057fb0c4d2f51083c211b392980dea698bf66aa8632e493ea85d5cb6b450b2dd04b9e76f58244a0ff2d86ee92986bba4032ccd8bdd961e804cb7907720

Download Submit
C:\Windows\System\xDxSzeo.exe

Filesize
5.2MB

MD5
ffdb59ddb21432df4ff61b24d9a7c781

SHA1
e712d7df91e180ae00d4122885fb3fb17d6f343c

SHA256
0fffc3fde72e496d059414bcd5c5cc5e28a90930e64ebed8188fd6a84c9af0fd

SHA512
6cac468db23d62e6e54d552ebae281fc92bc1c4f8e0605c7d77a66ff042b6ee289c40dc162dda3d746a1f24d4712858b925f167eefdc48ae5a2ce72b9212a2d4

Download Submit
C:\Windows\System\zNEZOVH.exe

Filesize
5.2MB

MD5
6c4542dc327c75944e3ec2724ec6f4c4

SHA1
7c79fa283542b11d1925d702328eb77b6a4504c0

SHA256
e25bb041250a1dbb67e4092f25fec4a8ef9f3faac09ca89ab80da61bf898603b

SHA512
441e960be05f3cd7d7ee71a80d3b589f00c81865b28f8016106d868639b86713c498974452c113aa13f0c200847a1f2c83418f97ff5ce06735c0dce292f46add

Download Submit
memory/940-57-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp

Filesize
3.3MB

Download
memory/940-239-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp

Filesize
3.3MB

Download
memory/940-136-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp

Filesize
3.3MB

Download
memory/1272-23-0x00007FF707FC0000-0x00007FF708311000-memory.dmp

Filesize
3.3MB

Download
memory/1272-228-0x00007FF707FC0000-0x00007FF708311000-memory.dmp

Filesize
3.3MB

Download
memory/1272-113-0x00007FF707FC0000-0x00007FF708311000-memory.dmp

Filesize
3.3MB

Download
memory/1496-243-0x00007FF674B70000-0x00007FF674EC1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-79-0x00007FF674B70000-0x00007FF674EC1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-149-0x00007FF674B70000-0x00007FF674EC1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-99-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp

Filesize
3.3MB

Download
memory/2104-8-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp

Filesize
3.3MB

Download
memory/2104-213-0x00007FF6BA510000-0x00007FF6BA861000-memory.dmp

Filesize
3.3MB

Download
memory/2972-108-0x00007FF672010000-0x00007FF672361000-memory.dmp

Filesize
3.3MB

Download
memory/2972-259-0x00007FF672010000-0x00007FF672361000-memory.dmp

Filesize
3.3MB

Download
memory/3064-90-0x00007FF6AA480000-0x00007FF6AA7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-250-0x00007FF6AA480000-0x00007FF6AA7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-84-0x00007FF7BBC80000-0x00007FF7BBFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-248-0x00007FF7BBC80000-0x00007FF7BBFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3348-152-0x00007FF7BBC80000-0x00007FF7BBFD1000-memory.dmp

Filesize
3.3MB

Download
memory/3352-125-0x00007FF7D9CD0000-0x00007FF7DA021000-memory.dmp

Filesize
3.3MB

Download
memory/3352-38-0x00007FF7D9CD0000-0x00007FF7DA021000-memory.dmp

Filesize
3.3MB

Download
memory/3352-232-0x00007FF7D9CD0000-0x00007FF7DA021000-memory.dmp

Filesize
3.3MB

Download
memory/3364-124-0x00007FF7A0D00000-0x00007FF7A1051000-memory.dmp

Filesize
3.3MB

Download
memory/3364-26-0x00007FF7A0D00000-0x00007FF7A1051000-memory.dmp

Filesize
3.3MB

Download
memory/3364-230-0x00007FF7A0D00000-0x00007FF7A1051000-memory.dmp

Filesize
3.3MB

Download
memory/3564-154-0x00007FF6597E0000-0x00007FF659B31000-memory.dmp

Filesize
3.3MB

Download
memory/3564-240-0x00007FF6597E0000-0x00007FF659B31000-memory.dmp

Filesize
3.3MB

Download
memory/3564-66-0x00007FF6597E0000-0x00007FF659B31000-memory.dmp

Filesize
3.3MB

Download
memory/3596-72-0x00007FF613FD0000-0x00007FF614321000-memory.dmp

Filesize
3.3MB

Download
memory/3596-245-0x00007FF613FD0000-0x00007FF614321000-memory.dmp

Filesize
3.3MB

Download
memory/3596-138-0x00007FF613FD0000-0x00007FF614321000-memory.dmp

Filesize
3.3MB

Download
memory/3984-118-0x00007FF7B7180000-0x00007FF7B74D1000-memory.dmp

Filesize
3.3MB

Download
memory/3984-160-0x00007FF7B7180000-0x00007FF7B74D1000-memory.dmp

Filesize
3.3MB

Download
memory/3984-266-0x00007FF7B7180000-0x00007FF7B74D1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-117-0x00007FF66C880000-0x00007FF66CBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-156-0x00007FF66C880000-0x00007FF66CBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-263-0x00007FF66C880000-0x00007FF66CBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4028-234-0x00007FF7AD3C0000-0x00007FF7AD711000-memory.dmp

Filesize
3.3MB

Download
memory/4028-42-0x00007FF7AD3C0000-0x00007FF7AD711000-memory.dmp

Filesize
3.3MB

Download
memory/4028-130-0x00007FF7AD3C0000-0x00007FF7AD711000-memory.dmp

Filesize
3.3MB

Download
memory/4224-137-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-0-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-93-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-162-0x00007FF67EC80000-0x00007FF67EFD1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-1-0x000001C7CBAE0000-0x000001C7CBAF0000-memory.dmp

Filesize
64KB

Download
memory/4340-161-0x00007FF6F64C0000-0x00007FF6F6811000-memory.dmp

Filesize
3.3MB

Download
memory/4340-134-0x00007FF6F64C0000-0x00007FF6F6811000-memory.dmp

Filesize
3.3MB

Download
memory/4340-269-0x00007FF6F64C0000-0x00007FF6F6811000-memory.dmp

Filesize
3.3MB

Download
memory/4356-261-0x00007FF72A210000-0x00007FF72A561000-memory.dmp

Filesize
3.3MB

Download
memory/4356-115-0x00007FF72A210000-0x00007FF72A561000-memory.dmp

Filesize
3.3MB

Download
memory/4388-135-0x00007FF75F210000-0x00007FF75F561000-memory.dmp

Filesize
3.3MB

Download
memory/4388-236-0x00007FF75F210000-0x00007FF75F561000-memory.dmp

Filesize
3.3MB

Download
memory/4388-49-0x00007FF75F210000-0x00007FF75F561000-memory.dmp

Filesize
3.3MB

Download
memory/4952-131-0x00007FF714230000-0x00007FF714581000-memory.dmp

Filesize
3.3MB

Download
memory/4952-267-0x00007FF714230000-0x00007FF714581000-memory.dmp

Filesize
3.3MB

Download
memory/4968-85-0x00007FF754E60000-0x00007FF7551B1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-252-0x00007FF754E60000-0x00007FF7551B1000-memory.dmp

Filesize
3.3MB

Download
memory/4968-153-0x00007FF754E60000-0x00007FF7551B1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-215-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp

Filesize
3.3MB

Download
memory/5064-19-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp

Filesize
3.3MB

Download
memory/5064-102-0x00007FF6C65E0000-0x00007FF6C6931000-memory.dmp

Filesize
3.3MB

Download
memory/5068-246-0x00007FF65F000000-0x00007FF65F351000-memory.dmp

Filesize
3.3MB

Download
memory/5068-80-0x00007FF65F000000-0x00007FF65F351000-memory.dmp

Filesize
3.3MB

Download