cobaltstrike | 5e91faac3378d625203fcbaac1b7b2f6691e3bf6808ca72a18327f3779e6dc8f

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2c64a77623a32caf4b93f78005167501
SHA1

8f03a657847919334a0dc8ae53cb8a167c5c27dd
SHA256

5e91faac3378d625203fcbaac1b7b2f6691e3bf6808ca72a18327f3779e6dc8f
SHA512

00621f2dac61baee3515b47f7b17c1cfc4216445c097eaf626f968e2e1e10aedcba3e179e22c09501ae9be3d260dfbe7278cf4fea331b019f03c70b46c21da5e
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibj56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023ca7-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cad-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb7-111.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cab-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb6-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-24.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2124-91-0x00007FF66EE40000-0x00007FF66F191000-memory.dmp	xmrig
behavioral2/memory/3100-127-0x00007FF767EC0000-0x00007FF768211000-memory.dmp	xmrig
behavioral2/memory/2528-126-0x00007FF71E360000-0x00007FF71E6B1000-memory.dmp	xmrig
behavioral2/memory/3208-125-0x00007FF7A4650000-0x00007FF7A49A1000-memory.dmp	xmrig
behavioral2/memory/2260-115-0x00007FF68CEF0000-0x00007FF68D241000-memory.dmp	xmrig
behavioral2/memory/32-110-0x00007FF692BC0000-0x00007FF692F11000-memory.dmp	xmrig
behavioral2/memory/944-49-0x00007FF63E5F0000-0x00007FF63E941000-memory.dmp	xmrig
behavioral2/memory/2156-129-0x00007FF706010000-0x00007FF706361000-memory.dmp	xmrig
behavioral2/memory/4552-133-0x00007FF788AC0000-0x00007FF788E11000-memory.dmp	xmrig
behavioral2/memory/3972-131-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	xmrig
behavioral2/memory/3064-135-0x00007FF6C28E0000-0x00007FF6C2C31000-memory.dmp	xmrig
behavioral2/memory/4056-134-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp	xmrig
behavioral2/memory/1364-130-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp	xmrig
behavioral2/memory/220-132-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp	xmrig
behavioral2/memory/4056-128-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp	xmrig
behavioral2/memory/448-141-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp	xmrig
behavioral2/memory/2936-146-0x00007FF721760000-0x00007FF721AB1000-memory.dmp	xmrig
behavioral2/memory/1880-150-0x00007FF653FD0000-0x00007FF654321000-memory.dmp	xmrig
behavioral2/memory/4940-144-0x00007FF6FFEC0000-0x00007FF700211000-memory.dmp	xmrig
behavioral2/memory/5000-142-0x00007FF78EC00000-0x00007FF78EF51000-memory.dmp	xmrig
behavioral2/memory/1112-139-0x00007FF6148F0000-0x00007FF614C41000-memory.dmp	xmrig
behavioral2/memory/1552-138-0x00007FF74A400000-0x00007FF74A751000-memory.dmp	xmrig
behavioral2/memory/1560-137-0x00007FF73FB40000-0x00007FF73FE91000-memory.dmp	xmrig
behavioral2/memory/4056-151-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp	xmrig
behavioral2/memory/2156-212-0x00007FF706010000-0x00007FF706361000-memory.dmp	xmrig
behavioral2/memory/1364-214-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp	xmrig
behavioral2/memory/3972-216-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	xmrig
behavioral2/memory/220-219-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp	xmrig
behavioral2/memory/4552-221-0x00007FF788AC0000-0x00007FF788E11000-memory.dmp	xmrig
behavioral2/memory/944-222-0x00007FF63E5F0000-0x00007FF63E941000-memory.dmp	xmrig
behavioral2/memory/3064-224-0x00007FF6C28E0000-0x00007FF6C2C31000-memory.dmp	xmrig
behavioral2/memory/1552-234-0x00007FF74A400000-0x00007FF74A751000-memory.dmp	xmrig
behavioral2/memory/1112-236-0x00007FF6148F0000-0x00007FF614C41000-memory.dmp	xmrig
behavioral2/memory/1560-232-0x00007FF73FB40000-0x00007FF73FE91000-memory.dmp	xmrig
behavioral2/memory/2124-238-0x00007FF66EE40000-0x00007FF66F191000-memory.dmp	xmrig
behavioral2/memory/32-240-0x00007FF692BC0000-0x00007FF692F11000-memory.dmp	xmrig
behavioral2/memory/3208-244-0x00007FF7A4650000-0x00007FF7A49A1000-memory.dmp	xmrig
behavioral2/memory/5000-242-0x00007FF78EC00000-0x00007FF78EF51000-memory.dmp	xmrig
behavioral2/memory/2260-246-0x00007FF68CEF0000-0x00007FF68D241000-memory.dmp	xmrig
behavioral2/memory/448-256-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp	xmrig
behavioral2/memory/4940-258-0x00007FF6FFEC0000-0x00007FF700211000-memory.dmp	xmrig
behavioral2/memory/2528-255-0x00007FF71E360000-0x00007FF71E6B1000-memory.dmp	xmrig
behavioral2/memory/3100-253-0x00007FF767EC0000-0x00007FF768211000-memory.dmp	xmrig
behavioral2/memory/2936-251-0x00007FF721760000-0x00007FF721AB1000-memory.dmp	xmrig
behavioral2/memory/1880-249-0x00007FF653FD0000-0x00007FF654321000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2156	wAOnSdo.exe
1364	cdsyoeL.exe
3972	oTfruwR.exe
220	wOSBkQK.exe
4552	UvlUHCP.exe
3064	CpgnUyq.exe
944	jhphAFs.exe
1560	xoJcvUp.exe
1552	wItrAMZ.exe
1112	kvwPAgI.exe
2124	exiOTxn.exe
5000	jieDWSu.exe
3208	gdkBuHM.exe
448	yGgJcvm.exe
4940	ZlsKcxa.exe
32	PuxxTQH.exe
2528	QzvhGgZ.exe
2260	uwaSeiP.exe
3100	BYwFWsQ.exe
2936	nTTvezU.exe
1880	GfXvBMS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4056-0-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp	upx
behavioral2/files/0x0008000000023ca7-5.dat	upx
behavioral2/memory/2156-6-0x00007FF706010000-0x00007FF706361000-memory.dmp	upx
behavioral2/files/0x0008000000023cad-10.dat	upx
behavioral2/memory/3972-25-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-32.dat	upx
behavioral2/memory/220-33-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-51.dat	upx
behavioral2/memory/1560-53-0x00007FF73FB40000-0x00007FF73FE91000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-66.dat	upx
behavioral2/memory/5000-74-0x00007FF78EC00000-0x00007FF78EF51000-memory.dmp	upx
behavioral2/memory/2124-91-0x00007FF66EE40000-0x00007FF66F191000-memory.dmp	upx
behavioral2/memory/4940-109-0x00007FF6FFEC0000-0x00007FF700211000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-113.dat	upx
behavioral2/files/0x0007000000023cbf-121.dat	upx
behavioral2/memory/3100-127-0x00007FF767EC0000-0x00007FF768211000-memory.dmp	upx
behavioral2/memory/2528-126-0x00007FF71E360000-0x00007FF71E6B1000-memory.dmp	upx
behavioral2/memory/3208-125-0x00007FF7A4650000-0x00007FF7A49A1000-memory.dmp	upx
behavioral2/memory/1880-124-0x00007FF653FD0000-0x00007FF654321000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-119.dat	upx
behavioral2/files/0x0007000000023cbe-117.dat	upx
behavioral2/memory/2936-116-0x00007FF721760000-0x00007FF721AB1000-memory.dmp	upx
behavioral2/memory/2260-115-0x00007FF68CEF0000-0x00007FF68D241000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-111.dat	upx
behavioral2/memory/32-110-0x00007FF692BC0000-0x00007FF692F11000-memory.dmp	upx
behavioral2/files/0x0008000000023cab-107.dat	upx
behavioral2/files/0x0007000000023cba-103.dat	upx
behavioral2/memory/448-101-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-100.dat	upx
behavioral2/files/0x0007000000023cbb-89.dat	upx
behavioral2/files/0x0007000000023cb8-87.dat	upx
behavioral2/files/0x0007000000023cb6-70.dat	upx
behavioral2/files/0x0007000000023cb3-58.dat	upx
behavioral2/memory/1552-63-0x00007FF74A400000-0x00007FF74A751000-memory.dmp	upx
behavioral2/memory/1112-54-0x00007FF6148F0000-0x00007FF614C41000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-50.dat	upx
behavioral2/memory/944-49-0x00007FF63E5F0000-0x00007FF63E941000-memory.dmp	upx
behavioral2/memory/3064-46-0x00007FF6C28E0000-0x00007FF6C2C31000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-36.dat	upx
behavioral2/memory/4552-34-0x00007FF788AC0000-0x00007FF788E11000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-38.dat	upx
behavioral2/files/0x0007000000023cae-24.dat	upx
behavioral2/memory/1364-18-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp	upx
behavioral2/memory/2156-129-0x00007FF706010000-0x00007FF706361000-memory.dmp	upx
behavioral2/memory/4552-133-0x00007FF788AC0000-0x00007FF788E11000-memory.dmp	upx
behavioral2/memory/3972-131-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	upx
behavioral2/memory/3064-135-0x00007FF6C28E0000-0x00007FF6C2C31000-memory.dmp	upx
behavioral2/memory/4056-134-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp	upx
behavioral2/memory/1364-130-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp	upx
behavioral2/memory/220-132-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp	upx
behavioral2/memory/4056-128-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp	upx
behavioral2/memory/448-141-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp	upx
behavioral2/memory/2936-146-0x00007FF721760000-0x00007FF721AB1000-memory.dmp	upx
behavioral2/memory/1880-150-0x00007FF653FD0000-0x00007FF654321000-memory.dmp	upx
behavioral2/memory/4940-144-0x00007FF6FFEC0000-0x00007FF700211000-memory.dmp	upx
behavioral2/memory/5000-142-0x00007FF78EC00000-0x00007FF78EF51000-memory.dmp	upx
behavioral2/memory/1112-139-0x00007FF6148F0000-0x00007FF614C41000-memory.dmp	upx
behavioral2/memory/1552-138-0x00007FF74A400000-0x00007FF74A751000-memory.dmp	upx
behavioral2/memory/1560-137-0x00007FF73FB40000-0x00007FF73FE91000-memory.dmp	upx
behavioral2/memory/4056-151-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp	upx
behavioral2/memory/2156-212-0x00007FF706010000-0x00007FF706361000-memory.dmp	upx
behavioral2/memory/1364-214-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp	upx
behavioral2/memory/3972-216-0x00007FF626FD0000-0x00007FF627321000-memory.dmp	upx
behavioral2/memory/220-219-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wAOnSdo.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhphAFs.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\exiOTxn.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gdkBuHM.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwaSeiP.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wOSBkQK.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wItrAMZ.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yGgJcvm.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CpgnUyq.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xoJcvUp.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jieDWSu.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PuxxTQH.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nTTvezU.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cdsyoeL.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oTfruwR.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvlUHCP.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QzvhGgZ.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BYwFWsQ.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kvwPAgI.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZlsKcxa.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GfXvBMS.exe	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 2156	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4056 wrote to memory of 2156	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4056 wrote to memory of 1364	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4056 wrote to memory of 1364	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4056 wrote to memory of 3972	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4056 wrote to memory of 3972	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4056 wrote to memory of 220	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4056 wrote to memory of 220	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4056 wrote to memory of 4552	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4056 wrote to memory of 4552	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4056 wrote to memory of 3064	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4056 wrote to memory of 3064	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4056 wrote to memory of 944	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4056 wrote to memory of 944	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4056 wrote to memory of 1560	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4056 wrote to memory of 1560	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4056 wrote to memory of 1552	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4056 wrote to memory of 1552	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4056 wrote to memory of 1112	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4056 wrote to memory of 1112	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4056 wrote to memory of 2124	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4056 wrote to memory of 2124	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4056 wrote to memory of 448	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4056 wrote to memory of 448	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4056 wrote to memory of 5000	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4056 wrote to memory of 5000	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4056 wrote to memory of 3208	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4056 wrote to memory of 3208	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4056 wrote to memory of 4940	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4056 wrote to memory of 4940	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4056 wrote to memory of 32	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4056 wrote to memory of 32	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4056 wrote to memory of 2936	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4056 wrote to memory of 2936	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4056 wrote to memory of 2528	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4056 wrote to memory of 2528	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4056 wrote to memory of 2260	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4056 wrote to memory of 2260	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4056 wrote to memory of 3100	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4056 wrote to memory of 3100	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4056 wrote to memory of 1880	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4056 wrote to memory of 1880	4056	2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_2c64a77623a32caf4b93f78005167501_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\System\wAOnSdo.exe
  C:\Windows\System\wAOnSdo.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\cdsyoeL.exe
  C:\Windows\System\cdsyoeL.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\oTfruwR.exe
  C:\Windows\System\oTfruwR.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\wOSBkQK.exe
  C:\Windows\System\wOSBkQK.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\UvlUHCP.exe
  C:\Windows\System\UvlUHCP.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\CpgnUyq.exe
  C:\Windows\System\CpgnUyq.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\jhphAFs.exe
  C:\Windows\System\jhphAFs.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\xoJcvUp.exe
  C:\Windows\System\xoJcvUp.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\wItrAMZ.exe
  C:\Windows\System\wItrAMZ.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\kvwPAgI.exe
  C:\Windows\System\kvwPAgI.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\exiOTxn.exe
  C:\Windows\System\exiOTxn.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\yGgJcvm.exe
  C:\Windows\System\yGgJcvm.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\jieDWSu.exe
  C:\Windows\System\jieDWSu.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\gdkBuHM.exe
  C:\Windows\System\gdkBuHM.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\ZlsKcxa.exe
  C:\Windows\System\ZlsKcxa.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\PuxxTQH.exe
  C:\Windows\System\PuxxTQH.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\nTTvezU.exe
  C:\Windows\System\nTTvezU.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\QzvhGgZ.exe
  C:\Windows\System\QzvhGgZ.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\uwaSeiP.exe
  C:\Windows\System\uwaSeiP.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\BYwFWsQ.exe
  C:\Windows\System\BYwFWsQ.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\GfXvBMS.exe
  C:\Windows\System\GfXvBMS.exe
  2⤵
  - Executes dropped EXE
  PID:1880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BYwFWsQ.exe

Filesize
5.2MB

MD5
60b6433a22c56c6ac7ff07178b7763f5

SHA1
c16c3569d5afbd291da4b52b72262a47651e968d

SHA256
0da7beb6a5701d240c218c6d8010483f463e82eed0b614377f7cb4966d83da00

SHA512
04b42fdbfe49b7063e139faf1bc91b9c5732746da5e76d400c3ca989784efe3e18f325db45446d0259b1838b6d663909faadd2fda973158b4ab09ab4e1bae151

Download Submit
C:\Windows\System\CpgnUyq.exe

Filesize
5.2MB

MD5
68e74b33710036d99345f2b33f728985

SHA1
06ab7a52d8da7cc558b7b78e5b8daa7c75da8b65

SHA256
ee1ed1d05c74588afa19f3afc5d1c984525bcd4f9c182f09c8d7d731f939b858

SHA512
2385e50be9cd3afb325b748429e511a945100686dac0058cd306973ff041dc61b514b3eadddff738ab1bc8b5ab3c8f03412b548918e2329517783f8a8ae121ac

Download Submit
C:\Windows\System\GfXvBMS.exe

Filesize
5.2MB

MD5
72853a1dd7ac7fa12c042fc5798561d2

SHA1
0dcd5028e8da292a826c446580b2946adf8f01dd

SHA256
909d683500085c67feb4927681208b5913dc84283f25951cf0dd92780f3f6dfd

SHA512
667574149cad72568abb33fbb7bdcd6a8412f0d64026f213ec8e2539c807faf9ff826af3176b540a31ddbe51129a1d0e5e1fc58127e78a8fc562e969ff886b7d

Download Submit
C:\Windows\System\PuxxTQH.exe

Filesize
5.2MB

MD5
30babee47d7cf73f796449bc049543e3

SHA1
de4eb63a049d7da4a2742e61eecb77415934888d

SHA256
e2cd369339628c21bf786458eecbf8162b4c7d93e19f3f96cf93a2d3af284c8d

SHA512
05b5e57ffaaa5521a8912c32d6e3ab0dea23ff2d9a035cfd6c656d5451a5c7e6fb01588d37ebfcc61c500a6c8c5e6997344245b12a90b9940e2da3f0aaec2e4c

Download Submit
C:\Windows\System\QzvhGgZ.exe

Filesize
5.2MB

MD5
0a02d71c1e6136d2438161c4c4556d76

SHA1
9686c57b77b719ddcdffce016bd4fa695af5e2b6

SHA256
7f1106d1dbd80943d80a498b4fe7b8d04a1960909bcaf1d43413fd51b2fe321e

SHA512
c1ef1b8ce4159957e2c82fe43a2cde7d9f46d671536377254521ea3c33b177412ae071df8c7acffef149b492d48a60305178b827348d0d5df149c50265ce6722

Download Submit
C:\Windows\System\UvlUHCP.exe

Filesize
5.2MB

MD5
a831ef7f08e3641a01f489da6472c942

SHA1
2f64eca89db68dc5f8cc6bc841871df970153490

SHA256
07356b107632f085fdbc75852dd2d9f1e325d02e8ded85bc68d4cc880f3a9335

SHA512
4b7a292e4cad743da88116b026e98e61e922fb06f828fce7cb921db629945e5addbe1415520a23ada7fb0afabf668ce0424f086a3a3cd0a6f080493defbdda1e

Download Submit
C:\Windows\System\ZlsKcxa.exe

Filesize
5.2MB

MD5
293d2e15f66173fc1dc6044d16b84a55

SHA1
003779099c7dc58c40105ecf2327388f5f23e4bd

SHA256
c6c20d8396d07b12e21e3c597226d3809d544caf1277e94f0cc2717268d9d3cb

SHA512
1260befca4e2e6638ee0e88528917e8c4a6aeead1740f412a8fdb64e8e2b80ffc94d09da4de68e084abf83162a00e27c47be4f0c068ccf1fb0db96a2e1ed1a40

Download Submit
C:\Windows\System\cdsyoeL.exe

Filesize
5.2MB

MD5
9e6f18309ea750d628b9224d07634f7c

SHA1
9bac5326032010e8502a5955257b2d9dfb6250b1

SHA256
e6ad1524c31367ce27a41c5806b7b734e9c297f7db32ee92c2255d0044daa8c7

SHA512
570192cc166b1b2aeb639edf68acdf85d52d0a29aaa74072a04092859b118e521526e57a25e0a12e4ae904fd144180f2d9a0a48110cc558a487a661d4f4f7746

Download Submit
C:\Windows\System\exiOTxn.exe

Filesize
5.2MB

MD5
03a0864478e41ac0fb43007dec4eb30e

SHA1
956bbc0c06e374992e54c213792791d8f5ecca8a

SHA256
0005f667155e46fd24f93cbdd1588bba645d5f46363651bc649bfab9af9abfc1

SHA512
7aae49e9b4a710b2284816c9d6ede745fe46b9f4c0766640645bdcea6bc977b474d2678fab0d0e253e6021fc9306e7c7d1dc0df9299d47d844157371a5f853cf

Download Submit
C:\Windows\System\gdkBuHM.exe

Filesize
5.2MB

MD5
73e7875d870071be782c231d5a6c55d3

SHA1
14739a6b4f32b2163317268ec08c4a85ab353192

SHA256
c330c4d58881602528e99fba75239c9c3cba590f2b0b677dd1213ae01340eb3a

SHA512
fcfca56da6b50eace0552c95502e8646f75618d68890c15ef188476385b746c973be78ee57fdaf9a03747579a464b54150b1492ca6ff1a79a35a9ec7a70e3a85

Download Submit
C:\Windows\System\jhphAFs.exe

Filesize
5.2MB

MD5
a900d4ad61d0c07822f9eebda9dfcc51

SHA1
87c10df705331e480360e5278ddb493c673c6798

SHA256
fc64d2ce9d85738e56d6713dc2737e6c3c1983aab43643409f562e42fbe75457

SHA512
378780f66687fe3b0ea2ecf5f48762175b6fda4c31d20be99b4a754cb5b283e5e7a110ea6e688bb56fab1bbc7f6db6f6e0ba4a660b9b519beaa212af139ffb60

Download Submit
C:\Windows\System\jieDWSu.exe

Filesize
5.2MB

MD5
1c7ed5e5350d9f782b58b2ad8fefe174

SHA1
b95ee075aacb72431829ad669372bfaa021f94b6

SHA256
34d4412df81b19517804e6eae43224fc222398eda06394d63deaeab71b5b17de

SHA512
10fce3ced4355530b9a33c8b0cfec3718868841789e5e9c7be836f785aaaf491b89a1364e4033a004b372389ac73ae283c63097716d8ddee9b9e7dcd5ccbb19b

Download Submit
C:\Windows\System\kvwPAgI.exe

Filesize
5.2MB

MD5
c92d0e01cb86f3d4e51fce34272228a1

SHA1
4e6d38027fb43af2ec295ab1e7cefaf5285a2a77

SHA256
bd7c1c866c5357d3b959fce1ccd71dfa33a2b75f18a08bcc83186d8f58d8887a

SHA512
e196e79afc4fd7b336441601044df4125ea907b6b3496f35a84bcce4d730943e955f22dfe6d6e3ed81a1e5ed3597c413afd1fdb9cbb3449971ac73f7e48e3b49

Download Submit
C:\Windows\System\nTTvezU.exe

Filesize
5.2MB

MD5
4c856a273dc55d2c20264f24eb681c99

SHA1
69a1df4980e2c5665332bfe130456fa6e75bcc57

SHA256
fce4d6d4491216f7b1714401e861798170fd91c4023e42cb272fed33700e2899

SHA512
465d1af6e7e52f054880c6e0950797ecc1ed5e9aa819d4d2346ba582e2112841930ad85c3f4d42a4fca44b4e423e3130460521e208a5a0371ad51173955cbb9a

Download Submit
C:\Windows\System\oTfruwR.exe

Filesize
5.2MB

MD5
997cb2cfc4e16de4eddbb89160fa20ab

SHA1
308a997c687aff9232ab2a48db3cb9f25d8217d7

SHA256
db291dae7e6857059e85c777aeaeb6b9ee1d63ad85520e1ef4fc991aa069d2fb

SHA512
bced310b9a328cef873c79d1c9448c4ebd494358a97b4ef20981711bac2f038afcc7235f5ea54fcda25a3c5285a52e4234f8f0be59ecec52f309b1406e462212

Download Submit
C:\Windows\System\uwaSeiP.exe

Filesize
5.2MB

MD5
c0ed11953efdca0d6c252bf45c754661

SHA1
facaaf598222cdae8a3d872d94ad847a2ba37476

SHA256
da9d592e7f09c89641c1722fafcaf4f13e855b69da55d5e79b7f163ffb74c600

SHA512
0fd5dd95676a5b3206b4b9d6116ae51745de85e344968e6fe3c67de2127398b74f902db180026e67f72f2b32d749e6fa4d50bc4394659ee59e9849532f1f941b

Download Submit
C:\Windows\System\wAOnSdo.exe

Filesize
5.2MB

MD5
b49a8f06b45ccf3bf427452789d5fbb4

SHA1
ab1ddee1e588fdd6813093d0bb1116580ed51fbc

SHA256
d495d22a3ad300e35d913a18c05d5d7e97cea812dfe2d8f4dede140210edb01b

SHA512
5737e3aca10b9c31dae2c44a2ce1bc6b554b784a913073a24ace8d5ac6b159f5fcc2abaf519fdcec450b19472bdc9e88054f2792554654c594fa2094621e44a4

Download Submit
C:\Windows\System\wItrAMZ.exe

Filesize
5.2MB

MD5
40988b2c1c9e62630d3840618a873eda

SHA1
c47a648ccef5e0fdf1a19eac4a457fc5f9b523a8

SHA256
c9350add116523fa2e4b4a313412257d5c2ff4be1b4f609d2ac5e79444cafdf3

SHA512
047957d7992e31cd5ed5971f3bfe4fa6670dd760c6b343dde44f5819da4dc02cf3992ff64b19e049aa5c48e3226d654117e25c4c0cff44991d28a0deea12203a

Download Submit
C:\Windows\System\wOSBkQK.exe

Filesize
5.2MB

MD5
6c66f78dc23a416ea1e28936db4deede

SHA1
de25835c239763170b20dd7540ce71f8e3acd116

SHA256
ce6e4e8eb76a20caccc43bfbd04ec5f8d4a9c50b8816c21500cd74c99dcefbaf

SHA512
e9654538bb384f48b3ee7f816985db72366a24e8b70c79761ffac861615632be6f0d33c9b5b9c227894ca0bd55ad7e04e4f1cf8c8f379b2a8c7e54d7d945bcac

Download Submit
C:\Windows\System\xoJcvUp.exe

Filesize
5.2MB

MD5
2cd1af6ab7bc372987b6180ff761defa

SHA1
1dcc364763d66aae8efd45f847cf7f69059c1f6a

SHA256
bd1e01b75e2cf84a96216d3afcc95b4e5904c5791ff823a8116a75eca0040503

SHA512
69ebabb013c856ea64a28b11ec22b8d6043db7ce143ccf90f999fab6dc4496ff9adc10608b664b48817e3b37e70084992ddef420ee1c6e29e5ce67b56e3d3a42

Download Submit
C:\Windows\System\yGgJcvm.exe

Filesize
5.2MB

MD5
cd50aaf22eb5f40fd4ee8d7d67166d74

SHA1
e82ddaf63da168eecbdc4a2f6cb39b725e03a53f

SHA256
c0d8bbb998affbd874180f42916d89a1cef7d5d6295f94ab718234c53f210396

SHA512
333679e8a0d528ec48f85c8503f2cc801fb5a20d06055584b6ded2f992512e5165fbb5b589e8ac573cafac14cc7527f23c7eb64d49bb8151326a0a83fa67cfb2

Download Submit
memory/32-240-0x00007FF692BC0000-0x00007FF692F11000-memory.dmp

Filesize
3.3MB

Download
memory/32-110-0x00007FF692BC0000-0x00007FF692F11000-memory.dmp

Filesize
3.3MB

Download
memory/220-219-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp

Filesize
3.3MB

Download
memory/220-33-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp

Filesize
3.3MB

Download
memory/220-132-0x00007FF771D50000-0x00007FF7720A1000-memory.dmp

Filesize
3.3MB

Download
memory/448-101-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/448-141-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/448-256-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/944-222-0x00007FF63E5F0000-0x00007FF63E941000-memory.dmp

Filesize
3.3MB

Download
memory/944-49-0x00007FF63E5F0000-0x00007FF63E941000-memory.dmp

Filesize
3.3MB

Download
memory/1112-139-0x00007FF6148F0000-0x00007FF614C41000-memory.dmp

Filesize
3.3MB

Download
memory/1112-54-0x00007FF6148F0000-0x00007FF614C41000-memory.dmp

Filesize
3.3MB

Download
memory/1112-236-0x00007FF6148F0000-0x00007FF614C41000-memory.dmp

Filesize
3.3MB

Download
memory/1364-130-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp

Filesize
3.3MB

Download
memory/1364-18-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp

Filesize
3.3MB

Download
memory/1364-214-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp

Filesize
3.3MB

Download
memory/1552-234-0x00007FF74A400000-0x00007FF74A751000-memory.dmp

Filesize
3.3MB

Download
memory/1552-138-0x00007FF74A400000-0x00007FF74A751000-memory.dmp

Filesize
3.3MB

Download
memory/1552-63-0x00007FF74A400000-0x00007FF74A751000-memory.dmp

Filesize
3.3MB

Download
memory/1560-53-0x00007FF73FB40000-0x00007FF73FE91000-memory.dmp

Filesize
3.3MB

Download
memory/1560-137-0x00007FF73FB40000-0x00007FF73FE91000-memory.dmp

Filesize
3.3MB

Download
memory/1560-232-0x00007FF73FB40000-0x00007FF73FE91000-memory.dmp

Filesize
3.3MB

Download
memory/1880-124-0x00007FF653FD0000-0x00007FF654321000-memory.dmp

Filesize
3.3MB

Download
memory/1880-249-0x00007FF653FD0000-0x00007FF654321000-memory.dmp

Filesize
3.3MB

Download
memory/1880-150-0x00007FF653FD0000-0x00007FF654321000-memory.dmp

Filesize
3.3MB

Download
memory/2124-91-0x00007FF66EE40000-0x00007FF66F191000-memory.dmp

Filesize
3.3MB

Download
memory/2124-238-0x00007FF66EE40000-0x00007FF66F191000-memory.dmp

Filesize
3.3MB

Download
memory/2156-212-0x00007FF706010000-0x00007FF706361000-memory.dmp

Filesize
3.3MB

Download
memory/2156-6-0x00007FF706010000-0x00007FF706361000-memory.dmp

Filesize
3.3MB

Download
memory/2156-129-0x00007FF706010000-0x00007FF706361000-memory.dmp

Filesize
3.3MB

Download
memory/2260-115-0x00007FF68CEF0000-0x00007FF68D241000-memory.dmp

Filesize
3.3MB

Download
memory/2260-246-0x00007FF68CEF0000-0x00007FF68D241000-memory.dmp

Filesize
3.3MB

Download
memory/2528-255-0x00007FF71E360000-0x00007FF71E6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-126-0x00007FF71E360000-0x00007FF71E6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-146-0x00007FF721760000-0x00007FF721AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-116-0x00007FF721760000-0x00007FF721AB1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-251-0x00007FF721760000-0x00007FF721AB1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-135-0x00007FF6C28E0000-0x00007FF6C2C31000-memory.dmp

Filesize
3.3MB

Download
memory/3064-46-0x00007FF6C28E0000-0x00007FF6C2C31000-memory.dmp

Filesize
3.3MB

Download
memory/3064-224-0x00007FF6C28E0000-0x00007FF6C2C31000-memory.dmp

Filesize
3.3MB

Download
memory/3100-253-0x00007FF767EC0000-0x00007FF768211000-memory.dmp

Filesize
3.3MB

Download
memory/3100-127-0x00007FF767EC0000-0x00007FF768211000-memory.dmp

Filesize
3.3MB

Download
memory/3208-244-0x00007FF7A4650000-0x00007FF7A49A1000-memory.dmp

Filesize
3.3MB

Download
memory/3208-125-0x00007FF7A4650000-0x00007FF7A49A1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-131-0x00007FF626FD0000-0x00007FF627321000-memory.dmp

Filesize
3.3MB

Download
memory/3972-25-0x00007FF626FD0000-0x00007FF627321000-memory.dmp

Filesize
3.3MB

Download
memory/3972-216-0x00007FF626FD0000-0x00007FF627321000-memory.dmp

Filesize
3.3MB

Download
memory/4056-134-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-128-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-151-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-0-0x00007FF7C9570000-0x00007FF7C98C1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-1-0x000001D3C9090000-0x000001D3C90A0000-memory.dmp

Filesize
64KB

Download
memory/4552-221-0x00007FF788AC0000-0x00007FF788E11000-memory.dmp

Filesize
3.3MB

Download
memory/4552-34-0x00007FF788AC0000-0x00007FF788E11000-memory.dmp

Filesize
3.3MB

Download
memory/4552-133-0x00007FF788AC0000-0x00007FF788E11000-memory.dmp

Filesize
3.3MB

Download
memory/4940-109-0x00007FF6FFEC0000-0x00007FF700211000-memory.dmp

Filesize
3.3MB

Download
memory/4940-144-0x00007FF6FFEC0000-0x00007FF700211000-memory.dmp

Filesize
3.3MB

Download
memory/4940-258-0x00007FF6FFEC0000-0x00007FF700211000-memory.dmp

Filesize
3.3MB

Download
memory/5000-142-0x00007FF78EC00000-0x00007FF78EF51000-memory.dmp

Filesize
3.3MB

Download
memory/5000-242-0x00007FF78EC00000-0x00007FF78EF51000-memory.dmp

Filesize
3.3MB

Download
memory/5000-74-0x00007FF78EC00000-0x00007FF78EF51000-memory.dmp

Filesize
3.3MB

Download