cobaltstrike | 8b557eab81e908ecc90a0ff27ac6cd4b346ba72cd3591f9ffde5c19479f172d2

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f7abce7e19b841350e4fc57f8bc85e9d
SHA1

049d33aced3977775fe2ee3ce445e9d7e1056bac
SHA256

8b557eab81e908ecc90a0ff27ac6cd4b346ba72cd3591f9ffde5c19479f172d2
SHA512

bc2aded90793ab838b37191cb2d88be5c6ebcabf82533c7ceedcbd6d050500d5b0dec11cb7635d363bb8d483cb37c0807e9a2fe81df3548a2ea215448ef969e5
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibf56utgpPFotBER/mQ32lUt

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233c8-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023427-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-21.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-31.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-72.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023428-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-106.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-128.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-124.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-111.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3612-76-0x00007FF72E380000-0x00007FF72E6D1000-memory.dmp	xmrig
behavioral2/memory/1180-70-0x00007FF7C2410000-0x00007FF7C2761000-memory.dmp	xmrig
behavioral2/memory/4464-87-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp	xmrig
behavioral2/memory/1476-96-0x00007FF643EC0000-0x00007FF644211000-memory.dmp	xmrig
behavioral2/memory/2768-131-0x00007FF6F6FA0000-0x00007FF6F72F1000-memory.dmp	xmrig
behavioral2/memory/324-118-0x00007FF75AF40000-0x00007FF75B291000-memory.dmp	xmrig
behavioral2/memory/4012-107-0x00007FF779D90000-0x00007FF77A0E1000-memory.dmp	xmrig
behavioral2/memory/4040-100-0x00007FF7A23B0000-0x00007FF7A2701000-memory.dmp	xmrig
behavioral2/memory/548-93-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp	xmrig
behavioral2/memory/4464-134-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp	xmrig
behavioral2/memory/2828-133-0x00007FF647150000-0x00007FF6474A1000-memory.dmp	xmrig
behavioral2/memory/4860-143-0x00007FF7CDF50000-0x00007FF7CE2A1000-memory.dmp	xmrig
behavioral2/memory/2088-142-0x00007FF73D130000-0x00007FF73D481000-memory.dmp	xmrig
behavioral2/memory/3528-141-0x00007FF68A5F0000-0x00007FF68A941000-memory.dmp	xmrig
behavioral2/memory/2820-140-0x00007FF6828A0000-0x00007FF682BF1000-memory.dmp	xmrig
behavioral2/memory/348-149-0x00007FF6AA8C0000-0x00007FF6AAC11000-memory.dmp	xmrig
behavioral2/memory/1228-151-0x00007FF703350000-0x00007FF7036A1000-memory.dmp	xmrig
behavioral2/memory/2536-150-0x00007FF7EDE20000-0x00007FF7EE171000-memory.dmp	xmrig
behavioral2/memory/1344-154-0x00007FF6B17E0000-0x00007FF6B1B31000-memory.dmp	xmrig
behavioral2/memory/4136-158-0x00007FF755130000-0x00007FF755481000-memory.dmp	xmrig
behavioral2/memory/3892-160-0x00007FF694320000-0x00007FF694671000-memory.dmp	xmrig
behavioral2/memory/4984-159-0x00007FF662F40000-0x00007FF663291000-memory.dmp	xmrig
behavioral2/memory/632-156-0x00007FF7B9260000-0x00007FF7B95B1000-memory.dmp	xmrig
behavioral2/memory/4464-161-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp	xmrig
behavioral2/memory/548-213-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp	xmrig
behavioral2/memory/4040-215-0x00007FF7A23B0000-0x00007FF7A2701000-memory.dmp	xmrig
behavioral2/memory/4012-217-0x00007FF779D90000-0x00007FF77A0E1000-memory.dmp	xmrig
behavioral2/memory/324-221-0x00007FF75AF40000-0x00007FF75B291000-memory.dmp	xmrig
behavioral2/memory/2768-220-0x00007FF6F6FA0000-0x00007FF6F72F1000-memory.dmp	xmrig
behavioral2/memory/2820-231-0x00007FF6828A0000-0x00007FF682BF1000-memory.dmp	xmrig
behavioral2/memory/2828-233-0x00007FF647150000-0x00007FF6474A1000-memory.dmp	xmrig
behavioral2/memory/1180-235-0x00007FF7C2410000-0x00007FF7C2761000-memory.dmp	xmrig
behavioral2/memory/2088-237-0x00007FF73D130000-0x00007FF73D481000-memory.dmp	xmrig
behavioral2/memory/3528-239-0x00007FF68A5F0000-0x00007FF68A941000-memory.dmp	xmrig
behavioral2/memory/3612-241-0x00007FF72E380000-0x00007FF72E6D1000-memory.dmp	xmrig
behavioral2/memory/2536-245-0x00007FF7EDE20000-0x00007FF7EE171000-memory.dmp	xmrig
behavioral2/memory/1228-244-0x00007FF703350000-0x00007FF7036A1000-memory.dmp	xmrig
behavioral2/memory/348-247-0x00007FF6AA8C0000-0x00007FF6AAC11000-memory.dmp	xmrig
behavioral2/memory/1476-256-0x00007FF643EC0000-0x00007FF644211000-memory.dmp	xmrig
behavioral2/memory/1344-258-0x00007FF6B17E0000-0x00007FF6B1B31000-memory.dmp	xmrig
behavioral2/memory/4984-260-0x00007FF662F40000-0x00007FF663291000-memory.dmp	xmrig
behavioral2/memory/632-263-0x00007FF7B9260000-0x00007FF7B95B1000-memory.dmp	xmrig
behavioral2/memory/4860-264-0x00007FF7CDF50000-0x00007FF7CE2A1000-memory.dmp	xmrig
behavioral2/memory/3892-266-0x00007FF694320000-0x00007FF694671000-memory.dmp	xmrig
behavioral2/memory/4136-268-0x00007FF755130000-0x00007FF755481000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
548	rLfPrtg.exe
4040	nsiwxmM.exe
4012	HSiPIBU.exe
324	jckOoWZ.exe
2768	YPWbNPE.exe
2820	hxDYTXd.exe
2828	mxoFJSt.exe
2088	KGwhMvs.exe
3528	EjSKsnw.exe
1180	qdHHDoT.exe
3612	cuMzHzM.exe
348	piXILOo.exe
2536	JnheYZE.exe
1228	KnmCEJm.exe
1476	RBHCYzC.exe
4984	LQQxwTK.exe
1344	NgdddWN.exe
3892	YYNEbNh.exe
632	pRHgjLJ.exe
4860	EdMLWAY.exe
4136	QCgiynU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4464-0-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp	upx
behavioral2/files/0x00090000000233c8-4.dat	upx
behavioral2/memory/548-8-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp	upx
behavioral2/files/0x0008000000023427-11.dat	upx
behavioral2/memory/4040-12-0x00007FF7A23B0000-0x00007FF7A2701000-memory.dmp	upx
behavioral2/files/0x000700000002342c-21.dat	upx
behavioral2/files/0x000700000002342b-22.dat	upx
behavioral2/files/0x000700000002342d-31.dat	upx
behavioral2/memory/2768-30-0x00007FF6F6FA0000-0x00007FF6F72F1000-memory.dmp	upx
behavioral2/memory/324-26-0x00007FF75AF40000-0x00007FF75B291000-memory.dmp	upx
behavioral2/memory/4012-20-0x00007FF779D90000-0x00007FF77A0E1000-memory.dmp	upx
behavioral2/files/0x000700000002342e-37.dat	upx
behavioral2/files/0x0007000000023430-40.dat	upx
behavioral2/memory/2820-41-0x00007FF6828A0000-0x00007FF682BF1000-memory.dmp	upx
behavioral2/files/0x0007000000023431-47.dat	upx
behavioral2/files/0x0007000000023435-75.dat	upx
behavioral2/memory/2536-80-0x00007FF7EDE20000-0x00007FF7EE171000-memory.dmp	upx
behavioral2/files/0x0007000000023436-84.dat	upx
behavioral2/memory/1228-83-0x00007FF703350000-0x00007FF7036A1000-memory.dmp	upx
behavioral2/files/0x0007000000023434-78.dat	upx
behavioral2/memory/3612-76-0x00007FF72E380000-0x00007FF72E6D1000-memory.dmp	upx
behavioral2/files/0x0007000000023433-72.dat	upx
behavioral2/memory/348-71-0x00007FF6AA8C0000-0x00007FF6AAC11000-memory.dmp	upx
behavioral2/memory/1180-70-0x00007FF7C2410000-0x00007FF7C2761000-memory.dmp	upx
behavioral2/memory/2088-67-0x00007FF73D130000-0x00007FF73D481000-memory.dmp	upx
behavioral2/files/0x0008000000023428-62.dat	upx
behavioral2/files/0x0007000000023432-59.dat	upx
behavioral2/memory/3528-58-0x00007FF68A5F0000-0x00007FF68A941000-memory.dmp	upx
behavioral2/memory/2828-50-0x00007FF647150000-0x00007FF6474A1000-memory.dmp	upx
behavioral2/memory/4464-87-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp	upx
behavioral2/memory/1476-96-0x00007FF643EC0000-0x00007FF644211000-memory.dmp	upx
behavioral2/files/0x0007000000023437-91.dat	upx
behavioral2/files/0x0007000000023439-97.dat	upx
behavioral2/memory/4984-101-0x00007FF662F40000-0x00007FF663291000-memory.dmp	upx
behavioral2/files/0x000700000002343b-106.dat	upx
behavioral2/files/0x000700000002343c-113.dat	upx
behavioral2/memory/4136-129-0x00007FF755130000-0x00007FF755481000-memory.dmp	upx
behavioral2/memory/2768-131-0x00007FF6F6FA0000-0x00007FF6F72F1000-memory.dmp	upx
behavioral2/files/0x000700000002343e-128.dat	upx
behavioral2/memory/632-126-0x00007FF7B9260000-0x00007FF7B95B1000-memory.dmp	upx
behavioral2/files/0x000700000002343d-124.dat	upx
behavioral2/memory/324-118-0x00007FF75AF40000-0x00007FF75B291000-memory.dmp	upx
behavioral2/memory/3892-117-0x00007FF694320000-0x00007FF694671000-memory.dmp	upx
behavioral2/files/0x000700000002343a-111.dat	upx
behavioral2/memory/4012-107-0x00007FF779D90000-0x00007FF77A0E1000-memory.dmp	upx
behavioral2/memory/1344-110-0x00007FF6B17E0000-0x00007FF6B1B31000-memory.dmp	upx
behavioral2/memory/4040-100-0x00007FF7A23B0000-0x00007FF7A2701000-memory.dmp	upx
behavioral2/memory/548-93-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp	upx
behavioral2/memory/4464-134-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp	upx
behavioral2/memory/2828-133-0x00007FF647150000-0x00007FF6474A1000-memory.dmp	upx
behavioral2/memory/4860-143-0x00007FF7CDF50000-0x00007FF7CE2A1000-memory.dmp	upx
behavioral2/memory/2088-142-0x00007FF73D130000-0x00007FF73D481000-memory.dmp	upx
behavioral2/memory/3528-141-0x00007FF68A5F0000-0x00007FF68A941000-memory.dmp	upx
behavioral2/memory/2820-140-0x00007FF6828A0000-0x00007FF682BF1000-memory.dmp	upx
behavioral2/memory/348-149-0x00007FF6AA8C0000-0x00007FF6AAC11000-memory.dmp	upx
behavioral2/memory/1228-151-0x00007FF703350000-0x00007FF7036A1000-memory.dmp	upx
behavioral2/memory/2536-150-0x00007FF7EDE20000-0x00007FF7EE171000-memory.dmp	upx
behavioral2/memory/1344-154-0x00007FF6B17E0000-0x00007FF6B1B31000-memory.dmp	upx
behavioral2/memory/4136-158-0x00007FF755130000-0x00007FF755481000-memory.dmp	upx
behavioral2/memory/3892-160-0x00007FF694320000-0x00007FF694671000-memory.dmp	upx
behavioral2/memory/4984-159-0x00007FF662F40000-0x00007FF663291000-memory.dmp	upx
behavioral2/memory/632-156-0x00007FF7B9260000-0x00007FF7B95B1000-memory.dmp	upx
behavioral2/memory/4464-161-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp	upx
behavioral2/memory/548-213-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YYNEbNh.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EdMLWAY.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YPWbNPE.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGwhMvs.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mxoFJSt.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EjSKsnw.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cuMzHzM.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KnmCEJm.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QCgiynU.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nsiwxmM.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSiPIBU.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JnheYZE.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LQQxwTK.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NgdddWN.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pRHgjLJ.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hxDYTXd.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qdHHDoT.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piXILOo.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RBHCYzC.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rLfPrtg.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jckOoWZ.exe	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 548	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4464 wrote to memory of 548	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4464 wrote to memory of 4040	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4464 wrote to memory of 4040	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4464 wrote to memory of 4012	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4464 wrote to memory of 4012	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4464 wrote to memory of 324	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4464 wrote to memory of 324	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4464 wrote to memory of 2768	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4464 wrote to memory of 2768	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4464 wrote to memory of 2820	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4464 wrote to memory of 2820	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4464 wrote to memory of 2828	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4464 wrote to memory of 2828	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4464 wrote to memory of 2088	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4464 wrote to memory of 2088	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4464 wrote to memory of 3528	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4464 wrote to memory of 3528	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4464 wrote to memory of 1180	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4464 wrote to memory of 1180	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4464 wrote to memory of 3612	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4464 wrote to memory of 3612	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4464 wrote to memory of 348	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4464 wrote to memory of 348	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4464 wrote to memory of 2536	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4464 wrote to memory of 2536	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4464 wrote to memory of 1228	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4464 wrote to memory of 1228	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4464 wrote to memory of 1476	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4464 wrote to memory of 1476	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4464 wrote to memory of 4984	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4464 wrote to memory of 4984	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4464 wrote to memory of 1344	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4464 wrote to memory of 1344	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4464 wrote to memory of 3892	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4464 wrote to memory of 3892	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4464 wrote to memory of 632	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4464 wrote to memory of 632	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4464 wrote to memory of 4860	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4464 wrote to memory of 4860	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4464 wrote to memory of 4136	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4464 wrote to memory of 4136	4464	2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-04_f7abce7e19b841350e4fc57f8bc85e9d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\System\rLfPrtg.exe
  C:\Windows\System\rLfPrtg.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\nsiwxmM.exe
  C:\Windows\System\nsiwxmM.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\HSiPIBU.exe
  C:\Windows\System\HSiPIBU.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\jckOoWZ.exe
  C:\Windows\System\jckOoWZ.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\YPWbNPE.exe
  C:\Windows\System\YPWbNPE.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\hxDYTXd.exe
  C:\Windows\System\hxDYTXd.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\mxoFJSt.exe
  C:\Windows\System\mxoFJSt.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\KGwhMvs.exe
  C:\Windows\System\KGwhMvs.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\EjSKsnw.exe
  C:\Windows\System\EjSKsnw.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\qdHHDoT.exe
  C:\Windows\System\qdHHDoT.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\cuMzHzM.exe
  C:\Windows\System\cuMzHzM.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\piXILOo.exe
  C:\Windows\System\piXILOo.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System\JnheYZE.exe
  C:\Windows\System\JnheYZE.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\KnmCEJm.exe
  C:\Windows\System\KnmCEJm.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\RBHCYzC.exe
  C:\Windows\System\RBHCYzC.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\LQQxwTK.exe
  C:\Windows\System\LQQxwTK.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\NgdddWN.exe
  C:\Windows\System\NgdddWN.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\YYNEbNh.exe
  C:\Windows\System\YYNEbNh.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\pRHgjLJ.exe
  C:\Windows\System\pRHgjLJ.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\EdMLWAY.exe
  C:\Windows\System\EdMLWAY.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\QCgiynU.exe
  C:\Windows\System\QCgiynU.exe
  2⤵
  - Executes dropped EXE
  PID:4136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EdMLWAY.exe

Filesize
5.2MB

MD5
d666202250c41cc1b911875ab3272ac6

SHA1
61f821efc7e57fb95b48af554c02fad2c2949c04

SHA256
f6ba4cf1253181098bf337ee32543ee760f0b633d1d34b247f7d8b3fade8e959

SHA512
b4ad386835bc36cda45e5aeaf1512aef62ab7ffe7a2860e7c1a5b20250ba11a18f389e92a66cfcc54a41937466b8b128402d2b7e9e32cbb02f9dab531fc9fc55

Download Submit
C:\Windows\System\EjSKsnw.exe

Filesize
5.2MB

MD5
4cd6b67baf5049aafd5c8e4dfeda8b13

SHA1
bac6754bb41c979eb398d000be86241f51bb4a10

SHA256
c59ca16a9a05aab09730e83b5ecf93718dea2d052c6756f0e651aa7e485a70a1

SHA512
baca3d087da1ef4c5cce499129d50adb7359ab10669bfc6af4b23a50cb025ce6e83a21be4bc32a88dbab60f8b2b907f5cd2c18a861c240372092ef5c82f048fd

Download Submit
C:\Windows\System\HSiPIBU.exe

Filesize
5.2MB

MD5
953a913b066c45b2f300fbc6d0a30ba6

SHA1
e7cb6bec9d202c3fdcdc2775ded686e7cd55e7f3

SHA256
ae99efb591453c022fb86b88a71ece0a50ea4bbddc552b55b7f52896536ffa2a

SHA512
1f64ab5c158dcef3f91b13b989c0b4d595ce8f8780132bdbecda04dc8bfa2c70c1036b0cb932413d75bb64a9cbfa6906a77de317d6ee05d3c21bfb0a9296d47a

Download Submit
C:\Windows\System\JnheYZE.exe

Filesize
5.2MB

MD5
00ba64275b70f6fa438140997d8ada9a

SHA1
50a35918eb039eb6867f8a9edb97dc1ce9d4dc85

SHA256
a16dc170ae0a4b90f317d0e0be87c628e492b8f7dd6d4c501dddb8b422d2204d

SHA512
7a5b506ed2aa195274f9f4e917bccd3c1f3c4acaac96ac04ecf1714018c82d4a86f8c8840190c1337131d8217eb962abbba0a685a52bb66ecfbbe9e73a48f3da

Download Submit
C:\Windows\System\KGwhMvs.exe

Filesize
5.2MB

MD5
5c9f12eb260acfc6dad86fe7851127dd

SHA1
61c6c96b3f9627ed08b2ca4599f1cb74706d35b3

SHA256
68c1e0828f5fdadfe97ba94a1ccaae85685e3aebda5cac1efa813d1deb74797a

SHA512
8f29a749211200e079842a76b9ef27ce08f41a48c0a307dd1dab8dcf4ae50571d5d22e7b1fc10a8a58e4a6a9f10d5c2afa731f7b9676b6292d42ed2bb8922d95

Download Submit
C:\Windows\System\KnmCEJm.exe

Filesize
5.2MB

MD5
8c4c03fcb35da43dd0bc417e9f0096c0

SHA1
2775c310486d28ff9c468262e3207e3ab5e6cdd3

SHA256
1698d0947aa15af1d4fbf5170be787b227a1198b5bb70673a9bc22715611361c

SHA512
0acb4986ac087739647c954377021150c90bb9a19fdb2027b6933b66a4ef6d6a3ef93c4d8ac64cdf13ffcb0971a2720f265e0be37ba88f5b6841e9f499bb2078

Download Submit
C:\Windows\System\LQQxwTK.exe

Filesize
5.2MB

MD5
e178d976ad5927a92b3edcd42e49412f

SHA1
40c77b81e73f5c674a340e5fa456c5369c1f5faa

SHA256
49ee9bab68934680506df782256937f141272896927f74f2a60288da43ccd1ba

SHA512
f60de4ed95ac3db07e29c2731df3bf76860cb8567bb66fa8b5663606205be2f17bd3118b24cd23c88607e2db4afbfcb886069e8c5a256d3aa8c32ef0e3dc9181

Download Submit
C:\Windows\System\NgdddWN.exe

Filesize
5.2MB

MD5
7ba25a1397f087808617567d9d8a4641

SHA1
c23ac22f9fd388fae082a024a2aee3e5b87b950e

SHA256
6268018486f2ed2406c2638d13c8664f31678dfd43663b936f938329b6bf930d

SHA512
059538251581b14acc18739eff4b52df4762b106b4f7395dcf051a69ac78056d7a7c2cf29e37cb6ae061c9080673c9c1c1cf261dacd914f9c55f7d0dcb72586c

Download Submit
C:\Windows\System\QCgiynU.exe

Filesize
5.2MB

MD5
2df68cff7ee870ff0d0bd9188996f177

SHA1
dd89e3dde7c7f40194f92dd5f26ae9f6cfacd430

SHA256
5890230231e27b315c5928b4605c23c1e6176100989ed3fd70b093033eda95cb

SHA512
0f15e39311eb11d3a5d6c0ed3654ac6ff0f894df925e5d92bd1c393c0e3dffe66d41205ad459feb4068fcaa939da14e1bef49556dbd4b499d3381798012013fb

Download Submit
C:\Windows\System\RBHCYzC.exe

Filesize
5.2MB

MD5
34450d91e6c30605bc026298f19bb0f5

SHA1
2858aeee57d5c8cd3e88dab16ac2512930712b36

SHA256
febf4a867d34066cd3e93b61a5883a88232745ac8a4965145c5035a4e5033f2e

SHA512
3899d611c8e5c109dda1d7d8472067858bd0d07ea9c13ee4822f9efb4704adb1827714aa754d83acf510dcc3e59b0e762e7273ff1fa4a5f03242ce31c884b982

Download Submit
C:\Windows\System\YPWbNPE.exe

Filesize
5.2MB

MD5
9438a66812703fda383b4188a4cb6a21

SHA1
3a5958a5d8e7dc3aeb6a2174dc218d3b9f5cb765

SHA256
34e6f04b816fa03806246c83984bfca3a1251b0623df9a1da2640186b5c0d333

SHA512
77111129064d006a5bb525fa123407203cbcc6edaec105d708fbc90ed5f9c6cc866bc939fa8a0b36c588f3f0df15ed8bd5d6be402d09ea8625b58a61ef6d09fd

Download Submit
C:\Windows\System\YYNEbNh.exe

Filesize
5.2MB

MD5
55df110cc6bd12b473f26f119227d214

SHA1
3db65d0670a401005ab8675ecff461f6655da7ab

SHA256
767b01efdcc9768c9c9bb3c131c6ed88d20d957fbfeef69988eea87478b30216

SHA512
4c3b23cbcc0aa5eab5f2ef16de92928697ddc089b58a1cfb9679d17f2b654d18422f13bae7ccbeaa930fb5b44887f9cc378261be45e59c4b6219542702fe0f52

Download Submit
C:\Windows\System\cuMzHzM.exe

Filesize
5.2MB

MD5
0ab4c981b74c4a3cc876257b6c3d1869

SHA1
925d3716a6d95966d26cbe42350747a17d2bc0be

SHA256
51a976b51c98fbac01a6719f2ffc9c9c14a95fd9b011c765dd1da8b55a92280f

SHA512
a96b166c27a14239544afb58a2c677f058b736dfe70dd62e0a32d490b299eba5148d90061e79328e9a5fec342fa610ac31e523d69de13be788e3d64414fdc2bf

Download Submit
C:\Windows\System\hxDYTXd.exe

Filesize
5.2MB

MD5
a109fb1266c3d10c3e398dec9d94f0a9

SHA1
df7f3e5ac92560f26ee34ba84e367ef4d85bcc0c

SHA256
bf925af824437f31cb19f22756dc6191235c1d2a5cc1538d6d3246d2890bce59

SHA512
aadd2400944aaa6c8b991ad4410524b55c8f06dd19e4cc581aece2d53494e083d39d6f7c9e5899efaae5c78ebf7e00e01c923a68c4cc1665485089ce0709ebc7

Download Submit
C:\Windows\System\jckOoWZ.exe

Filesize
5.2MB

MD5
dd34db1abfe6a3a8dc5d43006c0cc612

SHA1
3a8a384e1be31902bbf5c30239584850b7a3975d

SHA256
735d5aa289bfe85377def1e24dce0045b898134f7cff0c0dc7592c2444a7cbb2

SHA512
56ff7a7f275e9ff24d099f5937b3f59efa758fa8bcccfb21667a2a0d06cab5343ba62a67c20450c079d37944dc4c7069669bc3495c4fbbdd71a642ffae79a08f

Download Submit
C:\Windows\System\mxoFJSt.exe

Filesize
5.2MB

MD5
c4add4005a12ebe53a81b47287d97b19

SHA1
845388e58ce3985797d65a8abecda338244cff77

SHA256
a35375941f718091646bd8bd1f5e2fa8898080048d0f95b84148e8020cf63edb

SHA512
75b3351d5cb4f778c88e2adb21e4e2390bf5dd336352cb7cd9e8116b4b3e620e148b6700a3bafe511731f77a10db4f5c9bba38539f899d407c02585667833796

Download Submit
C:\Windows\System\nsiwxmM.exe

Filesize
5.2MB

MD5
8682e06286775107da63bc509a49cb34

SHA1
457fa41c9a7043237750de43ce53464324d03e72

SHA256
a7209845b26d96120e6eef8cf2ab1d35ac84315b8675dce67dea183afa3adf7d

SHA512
463bbba7ced95b16ce927d33a2cccf10923aa3946598bfab3d790c666b8b6fd7d9c0c0b229bb3a5b7f9965379ad356f3e4e66ea5ea99b758f96c3f40c88859a8

Download Submit
C:\Windows\System\pRHgjLJ.exe

Filesize
5.2MB

MD5
af1eeb619d23b7419bcd564d7a171281

SHA1
e7963b5709dfd835f4859a446058deb0baebc230

SHA256
6ed9c3609d47ceac925c6cdd49be0c3aee4c095581254bdd9d673fdc46f78c6f

SHA512
d5fb15ccc04523be82c485d221b177f470e41d7e5cc6abd107d9dc37c41aee2b2f501bd0b0afb29f3a19e3dee1489a0f9455dbccfb03a4fdc4d1aee70c21aac3

Download Submit
C:\Windows\System\piXILOo.exe

Filesize
5.2MB

MD5
5b15e0a7ec9a03c13ee44600116f0ea2

SHA1
c94d637143dc696bc560005386344eeacc04f6ce

SHA256
bf3565545dd549fb1865801c95b69b72874520c10dc306991201e34ffac487b6

SHA512
83d59647460d3aec2e536e45b54121b63dec69a30d41268d88134c03499832071af813dfe3e718e11d48c0af4b30ca8759089b0820074d9c512e31e34e0e03ac

Download Submit
C:\Windows\System\qdHHDoT.exe

Filesize
5.2MB

MD5
8907615c8617a4140086c138d62088e5

SHA1
91cf00a29037722ee3fe61fe15610cec667ddd6c

SHA256
5e696766f65a09d16f19224cb05972114bcf51cc8ff46caa27498549af2bf02c

SHA512
3bfd726715c96e54b0a644f69098c37abc898ce301013dd51e653d88f0b4237cce3ba01203deef3aca9a205edfe5f39b64a586895072a1ab99ecdbee16efcab1

Download Submit
C:\Windows\System\rLfPrtg.exe

Filesize
5.2MB

MD5
cef4314a3b1cb3332246a4bb5edaf43c

SHA1
78d9369b7f0c59f9789f87b7e072cf886071def4

SHA256
60d9c14a2a7bc637b9aae3242da98a6500349cb63ab4583100620fe3e3a3620e

SHA512
3f684a2e6d25f7c65b4af0e6d05954253a3abdfc82a97acd0f8feaf7fa442eaa29385dcea11c4f04fd321d5eb0945e03147a2414e79bf874601f0d08b3a0b610

Download Submit
memory/324-118-0x00007FF75AF40000-0x00007FF75B291000-memory.dmp

Filesize
3.3MB

Download
memory/324-221-0x00007FF75AF40000-0x00007FF75B291000-memory.dmp

Filesize
3.3MB

Download
memory/324-26-0x00007FF75AF40000-0x00007FF75B291000-memory.dmp

Filesize
3.3MB

Download
memory/348-247-0x00007FF6AA8C0000-0x00007FF6AAC11000-memory.dmp

Filesize
3.3MB

Download
memory/348-71-0x00007FF6AA8C0000-0x00007FF6AAC11000-memory.dmp

Filesize
3.3MB

Download
memory/348-149-0x00007FF6AA8C0000-0x00007FF6AAC11000-memory.dmp

Filesize
3.3MB

Download
memory/548-93-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp

Filesize
3.3MB

Download
memory/548-8-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp

Filesize
3.3MB

Download
memory/548-213-0x00007FF73EBB0000-0x00007FF73EF01000-memory.dmp

Filesize
3.3MB

Download
memory/632-126-0x00007FF7B9260000-0x00007FF7B95B1000-memory.dmp

Filesize
3.3MB

Download
memory/632-263-0x00007FF7B9260000-0x00007FF7B95B1000-memory.dmp

Filesize
3.3MB

Download
memory/632-156-0x00007FF7B9260000-0x00007FF7B95B1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-70-0x00007FF7C2410000-0x00007FF7C2761000-memory.dmp

Filesize
3.3MB

Download
memory/1180-235-0x00007FF7C2410000-0x00007FF7C2761000-memory.dmp

Filesize
3.3MB

Download
memory/1228-244-0x00007FF703350000-0x00007FF7036A1000-memory.dmp

Filesize
3.3MB

Download
memory/1228-151-0x00007FF703350000-0x00007FF7036A1000-memory.dmp

Filesize
3.3MB

Download
memory/1228-83-0x00007FF703350000-0x00007FF7036A1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-154-0x00007FF6B17E0000-0x00007FF6B1B31000-memory.dmp

Filesize
3.3MB

Download
memory/1344-258-0x00007FF6B17E0000-0x00007FF6B1B31000-memory.dmp

Filesize
3.3MB

Download
memory/1344-110-0x00007FF6B17E0000-0x00007FF6B1B31000-memory.dmp

Filesize
3.3MB

Download
memory/1476-96-0x00007FF643EC0000-0x00007FF644211000-memory.dmp

Filesize
3.3MB

Download
memory/1476-256-0x00007FF643EC0000-0x00007FF644211000-memory.dmp

Filesize
3.3MB

Download
memory/2088-142-0x00007FF73D130000-0x00007FF73D481000-memory.dmp

Filesize
3.3MB

Download
memory/2088-237-0x00007FF73D130000-0x00007FF73D481000-memory.dmp

Filesize
3.3MB

Download
memory/2088-67-0x00007FF73D130000-0x00007FF73D481000-memory.dmp

Filesize
3.3MB

Download
memory/2536-80-0x00007FF7EDE20000-0x00007FF7EE171000-memory.dmp

Filesize
3.3MB

Download
memory/2536-150-0x00007FF7EDE20000-0x00007FF7EE171000-memory.dmp

Filesize
3.3MB

Download
memory/2536-245-0x00007FF7EDE20000-0x00007FF7EE171000-memory.dmp

Filesize
3.3MB

Download
memory/2768-220-0x00007FF6F6FA0000-0x00007FF6F72F1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-131-0x00007FF6F6FA0000-0x00007FF6F72F1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-30-0x00007FF6F6FA0000-0x00007FF6F72F1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-231-0x00007FF6828A0000-0x00007FF682BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-140-0x00007FF6828A0000-0x00007FF682BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-41-0x00007FF6828A0000-0x00007FF682BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-133-0x00007FF647150000-0x00007FF6474A1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-50-0x00007FF647150000-0x00007FF6474A1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-233-0x00007FF647150000-0x00007FF6474A1000-memory.dmp

Filesize
3.3MB

Download
memory/3528-141-0x00007FF68A5F0000-0x00007FF68A941000-memory.dmp

Filesize
3.3MB

Download
memory/3528-239-0x00007FF68A5F0000-0x00007FF68A941000-memory.dmp

Filesize
3.3MB

Download
memory/3528-58-0x00007FF68A5F0000-0x00007FF68A941000-memory.dmp

Filesize
3.3MB

Download
memory/3612-241-0x00007FF72E380000-0x00007FF72E6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3612-76-0x00007FF72E380000-0x00007FF72E6D1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-117-0x00007FF694320000-0x00007FF694671000-memory.dmp

Filesize
3.3MB

Download
memory/3892-266-0x00007FF694320000-0x00007FF694671000-memory.dmp

Filesize
3.3MB

Download
memory/3892-160-0x00007FF694320000-0x00007FF694671000-memory.dmp

Filesize
3.3MB

Download
memory/4012-20-0x00007FF779D90000-0x00007FF77A0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-217-0x00007FF779D90000-0x00007FF77A0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-107-0x00007FF779D90000-0x00007FF77A0E1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-215-0x00007FF7A23B0000-0x00007FF7A2701000-memory.dmp

Filesize
3.3MB

Download
memory/4040-12-0x00007FF7A23B0000-0x00007FF7A2701000-memory.dmp

Filesize
3.3MB

Download
memory/4040-100-0x00007FF7A23B0000-0x00007FF7A2701000-memory.dmp

Filesize
3.3MB

Download
memory/4136-268-0x00007FF755130000-0x00007FF755481000-memory.dmp

Filesize
3.3MB

Download
memory/4136-129-0x00007FF755130000-0x00007FF755481000-memory.dmp

Filesize
3.3MB

Download
memory/4136-158-0x00007FF755130000-0x00007FF755481000-memory.dmp

Filesize
3.3MB

Download
memory/4464-134-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp

Filesize
3.3MB

Download
memory/4464-1-0x00000221C7A90000-0x00000221C7AA0000-memory.dmp

Filesize
64KB

Download
memory/4464-87-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp

Filesize
3.3MB

Download
memory/4464-0-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp

Filesize
3.3MB

Download
memory/4464-161-0x00007FF7917C0000-0x00007FF791B11000-memory.dmp

Filesize
3.3MB

Download
memory/4860-143-0x00007FF7CDF50000-0x00007FF7CE2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-264-0x00007FF7CDF50000-0x00007FF7CE2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-101-0x00007FF662F40000-0x00007FF663291000-memory.dmp

Filesize
3.3MB

Download
memory/4984-159-0x00007FF662F40000-0x00007FF663291000-memory.dmp

Filesize
3.3MB

Download
memory/4984-260-0x00007FF662F40000-0x00007FF663291000-memory.dmp

Filesize
3.3MB

Download