cobaltstrike | 6b43a9c364befb360b7d01c9383624412613c557f04da49a99ecc08a3c941276

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0305d5e34684137e29bebc0409fae550
SHA1

eff60feb95ec1d923eb332090bbd6d3ddb6137cc
SHA256

6b43a9c364befb360b7d01c9383624412613c557f04da49a99ecc08a3c941276
SHA512

496cc1b0d038af767fd5946e5883422f4c702c4add51e2d23080a4f68cdd86d2ce47bda3bd7ed7b08bd23b7e971ca0251e63eff1e04534c48b0502a8d1c5d84a
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lO:RWWBibd56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c9c-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-37.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-47.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/5112-48-0x00007FF7E7AE0000-0x00007FF7E7E31000-memory.dmp	xmrig
behavioral2/memory/1452-55-0x00007FF680700000-0x00007FF680A51000-memory.dmp	xmrig
behavioral2/memory/848-59-0x00007FF60F150000-0x00007FF60F4A1000-memory.dmp	xmrig
behavioral2/memory/3640-84-0x00007FF6C4680000-0x00007FF6C49D1000-memory.dmp	xmrig
behavioral2/memory/1344-134-0x00007FF7E3B80000-0x00007FF7E3ED1000-memory.dmp	xmrig
behavioral2/memory/3780-128-0x00007FF651310000-0x00007FF651661000-memory.dmp	xmrig
behavioral2/memory/3572-113-0x00007FF69CFE0000-0x00007FF69D331000-memory.dmp	xmrig
behavioral2/memory/3324-96-0x00007FF77BBD0000-0x00007FF77BF21000-memory.dmp	xmrig
behavioral2/memory/1432-89-0x00007FF690CC0000-0x00007FF691011000-memory.dmp	xmrig
behavioral2/memory/1668-75-0x00007FF7BFB50000-0x00007FF7BFEA1000-memory.dmp	xmrig
behavioral2/memory/3904-68-0x00007FF7CF770000-0x00007FF7CFAC1000-memory.dmp	xmrig
behavioral2/memory/1996-56-0x00007FF747660000-0x00007FF7479B1000-memory.dmp	xmrig
behavioral2/memory/3480-152-0x00007FF6EADE0000-0x00007FF6EB131000-memory.dmp	xmrig
behavioral2/memory/4868-156-0x00007FF6A33A0000-0x00007FF6A36F1000-memory.dmp	xmrig
behavioral2/memory/3988-158-0x00007FF71A930000-0x00007FF71AC81000-memory.dmp	xmrig
behavioral2/memory/1080-155-0x00007FF739DD0000-0x00007FF73A121000-memory.dmp	xmrig
behavioral2/memory/804-154-0x00007FF67ACC0000-0x00007FF67B011000-memory.dmp	xmrig
behavioral2/memory/2640-153-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	xmrig
behavioral2/memory/2256-151-0x00007FF6BA320000-0x00007FF6BA671000-memory.dmp	xmrig
behavioral2/memory/2784-150-0x00007FF63C650000-0x00007FF63C9A1000-memory.dmp	xmrig
behavioral2/memory/1996-138-0x00007FF747660000-0x00007FF7479B1000-memory.dmp	xmrig
behavioral2/memory/3928-157-0x00007FF7760B0000-0x00007FF776401000-memory.dmp	xmrig
behavioral2/memory/4372-159-0x00007FF7311F0000-0x00007FF731541000-memory.dmp	xmrig
behavioral2/memory/1996-160-0x00007FF747660000-0x00007FF7479B1000-memory.dmp	xmrig
behavioral2/memory/848-210-0x00007FF60F150000-0x00007FF60F4A1000-memory.dmp	xmrig
behavioral2/memory/3904-212-0x00007FF7CF770000-0x00007FF7CFAC1000-memory.dmp	xmrig
behavioral2/memory/1668-214-0x00007FF7BFB50000-0x00007FF7BFEA1000-memory.dmp	xmrig
behavioral2/memory/3640-219-0x00007FF6C4680000-0x00007FF6C49D1000-memory.dmp	xmrig
behavioral2/memory/1432-221-0x00007FF690CC0000-0x00007FF691011000-memory.dmp	xmrig
behavioral2/memory/3324-223-0x00007FF77BBD0000-0x00007FF77BF21000-memory.dmp	xmrig
behavioral2/memory/5112-229-0x00007FF7E7AE0000-0x00007FF7E7E31000-memory.dmp	xmrig
behavioral2/memory/1452-231-0x00007FF680700000-0x00007FF680A51000-memory.dmp	xmrig
behavioral2/memory/3572-240-0x00007FF69CFE0000-0x00007FF69D331000-memory.dmp	xmrig
behavioral2/memory/3780-242-0x00007FF651310000-0x00007FF651661000-memory.dmp	xmrig
behavioral2/memory/1344-244-0x00007FF7E3B80000-0x00007FF7E3ED1000-memory.dmp	xmrig
behavioral2/memory/2784-246-0x00007FF63C650000-0x00007FF63C9A1000-memory.dmp	xmrig
behavioral2/memory/2256-248-0x00007FF6BA320000-0x00007FF6BA671000-memory.dmp	xmrig
behavioral2/memory/3480-251-0x00007FF6EADE0000-0x00007FF6EB131000-memory.dmp	xmrig
behavioral2/memory/2640-252-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	xmrig
behavioral2/memory/804-254-0x00007FF67ACC0000-0x00007FF67B011000-memory.dmp	xmrig
behavioral2/memory/1080-259-0x00007FF739DD0000-0x00007FF73A121000-memory.dmp	xmrig
behavioral2/memory/4868-261-0x00007FF6A33A0000-0x00007FF6A36F1000-memory.dmp	xmrig
behavioral2/memory/3928-263-0x00007FF7760B0000-0x00007FF776401000-memory.dmp	xmrig
behavioral2/memory/3988-265-0x00007FF71A930000-0x00007FF71AC81000-memory.dmp	xmrig
behavioral2/memory/4372-267-0x00007FF7311F0000-0x00007FF731541000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
848	hmzOYDd.exe
3904	nqOlPJu.exe
1668	BKfoaDp.exe
3640	DjWjPIL.exe
1432	sNIwvpm.exe
3324	cXHAesK.exe
5112	rOVLeyD.exe
1452	Ivjrcqh.exe
3572	qxbgkml.exe
3780	otdTEBk.exe
1344	sUdQHVD.exe
2784	fymPXZo.exe
2256	tWMbLrl.exe
3480	gkLBlco.exe
2640	dXOljBe.exe
804	VvTppzN.exe
1080	wZYbift.exe
4868	vpDnsjA.exe
3928	jtGUNnO.exe
3988	JADmbpL.exe
4372	YbSKIIv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1996-0-0x00007FF747660000-0x00007FF7479B1000-memory.dmp	upx
behavioral2/files/0x0008000000023c9c-5.dat	upx
behavioral2/memory/848-7-0x00007FF60F150000-0x00007FF60F4A1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-8.dat	upx
behavioral2/files/0x0007000000023ca0-10.dat	upx
behavioral2/memory/1668-18-0x00007FF7BFB50000-0x00007FF7BFEA1000-memory.dmp	upx
behavioral2/memory/3904-12-0x00007FF7CF770000-0x00007FF7CFAC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-23.dat	upx
behavioral2/memory/3640-26-0x00007FF6C4680000-0x00007FF6C49D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-28.dat	upx
behavioral2/memory/1432-32-0x00007FF690CC0000-0x00007FF691011000-memory.dmp	upx
behavioral2/memory/3324-36-0x00007FF77BBD0000-0x00007FF77BF21000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-37.dat	upx
behavioral2/files/0x0007000000023ca5-42.dat	upx
behavioral2/memory/5112-48-0x00007FF7E7AE0000-0x00007FF7E7E31000-memory.dmp	upx
behavioral2/memory/1452-55-0x00007FF680700000-0x00007FF680A51000-memory.dmp	upx
behavioral2/memory/848-59-0x00007FF60F150000-0x00007FF60F4A1000-memory.dmp	upx
behavioral2/memory/3780-63-0x00007FF651310000-0x00007FF651661000-memory.dmp	upx
behavioral2/memory/1344-69-0x00007FF7E3B80000-0x00007FF7E3ED1000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-74.dat	upx
behavioral2/memory/2784-78-0x00007FF63C650000-0x00007FF63C9A1000-memory.dmp	upx
behavioral2/memory/3640-84-0x00007FF6C4680000-0x00007FF6C49D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-90.dat	upx
behavioral2/files/0x0007000000023cae-99.dat	upx
behavioral2/files/0x0007000000023caf-108.dat	upx
behavioral2/files/0x0007000000023cb2-125.dat	upx
behavioral2/files/0x0007000000023cb3-133.dat	upx
behavioral2/memory/4372-135-0x00007FF7311F0000-0x00007FF731541000-memory.dmp	upx
behavioral2/memory/1344-134-0x00007FF7E3B80000-0x00007FF7E3ED1000-memory.dmp	upx
behavioral2/memory/3988-130-0x00007FF71A930000-0x00007FF71AC81000-memory.dmp	upx
behavioral2/memory/3780-128-0x00007FF651310000-0x00007FF651661000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-126.dat	upx
behavioral2/memory/3928-124-0x00007FF7760B0000-0x00007FF776401000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-119.dat	upx
behavioral2/memory/4868-118-0x00007FF6A33A0000-0x00007FF6A36F1000-memory.dmp	upx
behavioral2/memory/3572-113-0x00007FF69CFE0000-0x00007FF69D331000-memory.dmp	upx
behavioral2/memory/1080-112-0x00007FF739DD0000-0x00007FF73A121000-memory.dmp	upx
behavioral2/memory/804-105-0x00007FF67ACC0000-0x00007FF67B011000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-101.dat	upx
behavioral2/memory/2640-100-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-97.dat	upx
behavioral2/memory/3324-96-0x00007FF77BBD0000-0x00007FF77BF21000-memory.dmp	upx
behavioral2/memory/3480-95-0x00007FF6EADE0000-0x00007FF6EB131000-memory.dmp	upx
behavioral2/memory/1432-89-0x00007FF690CC0000-0x00007FF691011000-memory.dmp	upx
behavioral2/memory/2256-88-0x00007FF6BA320000-0x00007FF6BA671000-memory.dmp	upx
behavioral2/memory/1668-75-0x00007FF7BFB50000-0x00007FF7BFEA1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-70.dat	upx
behavioral2/memory/3904-68-0x00007FF7CF770000-0x00007FF7CFAC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-65.dat	upx
behavioral2/files/0x0007000000023ca7-61.dat	upx
behavioral2/memory/3572-57-0x00007FF69CFE0000-0x00007FF69D331000-memory.dmp	upx
behavioral2/memory/1996-56-0x00007FF747660000-0x00007FF7479B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-47.dat	upx
behavioral2/memory/3480-152-0x00007FF6EADE0000-0x00007FF6EB131000-memory.dmp	upx
behavioral2/memory/4868-156-0x00007FF6A33A0000-0x00007FF6A36F1000-memory.dmp	upx
behavioral2/memory/3988-158-0x00007FF71A930000-0x00007FF71AC81000-memory.dmp	upx
behavioral2/memory/1080-155-0x00007FF739DD0000-0x00007FF73A121000-memory.dmp	upx
behavioral2/memory/804-154-0x00007FF67ACC0000-0x00007FF67B011000-memory.dmp	upx
behavioral2/memory/2640-153-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp	upx
behavioral2/memory/2256-151-0x00007FF6BA320000-0x00007FF6BA671000-memory.dmp	upx
behavioral2/memory/2784-150-0x00007FF63C650000-0x00007FF63C9A1000-memory.dmp	upx
behavioral2/memory/1996-138-0x00007FF747660000-0x00007FF7479B1000-memory.dmp	upx
behavioral2/memory/3928-157-0x00007FF7760B0000-0x00007FF776401000-memory.dmp	upx
behavioral2/memory/4372-159-0x00007FF7311F0000-0x00007FF731541000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\otdTEBk.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JADmbpL.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VvTppzN.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjWjPIL.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cXHAesK.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tWMbLrl.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Ivjrcqh.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qxbgkml.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sUdQHVD.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gkLBlco.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vpDnsjA.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nqOlPJu.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNIwvpm.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOVLeyD.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YbSKIIv.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dXOljBe.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wZYbift.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jtGUNnO.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hmzOYDd.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BKfoaDp.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fymPXZo.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 848	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1996 wrote to memory of 848	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1996 wrote to memory of 3904	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1996 wrote to memory of 3904	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1996 wrote to memory of 1668	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1996 wrote to memory of 1668	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1996 wrote to memory of 3640	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1996 wrote to memory of 3640	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1996 wrote to memory of 1432	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1996 wrote to memory of 1432	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1996 wrote to memory of 3324	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1996 wrote to memory of 3324	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1996 wrote to memory of 5112	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1996 wrote to memory of 5112	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1996 wrote to memory of 1452	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1996 wrote to memory of 1452	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1996 wrote to memory of 3572	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1996 wrote to memory of 3572	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1996 wrote to memory of 3780	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1996 wrote to memory of 3780	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1996 wrote to memory of 1344	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1996 wrote to memory of 1344	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1996 wrote to memory of 2784	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1996 wrote to memory of 2784	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1996 wrote to memory of 2256	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1996 wrote to memory of 2256	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1996 wrote to memory of 3480	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1996 wrote to memory of 3480	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1996 wrote to memory of 2640	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1996 wrote to memory of 2640	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1996 wrote to memory of 804	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1996 wrote to memory of 804	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1996 wrote to memory of 1080	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1996 wrote to memory of 1080	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1996 wrote to memory of 4868	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1996 wrote to memory of 4868	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1996 wrote to memory of 3928	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1996 wrote to memory of 3928	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1996 wrote to memory of 3988	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1996 wrote to memory of 3988	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1996 wrote to memory of 4372	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1996 wrote to memory of 4372	1996	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\System\hmzOYDd.exe
  C:\Windows\System\hmzOYDd.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System\nqOlPJu.exe
  C:\Windows\System\nqOlPJu.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\BKfoaDp.exe
  C:\Windows\System\BKfoaDp.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\DjWjPIL.exe
  C:\Windows\System\DjWjPIL.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\sNIwvpm.exe
  C:\Windows\System\sNIwvpm.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\cXHAesK.exe
  C:\Windows\System\cXHAesK.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\rOVLeyD.exe
  C:\Windows\System\rOVLeyD.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\Ivjrcqh.exe
  C:\Windows\System\Ivjrcqh.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\qxbgkml.exe
  C:\Windows\System\qxbgkml.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\otdTEBk.exe
  C:\Windows\System\otdTEBk.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System\sUdQHVD.exe
  C:\Windows\System\sUdQHVD.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\fymPXZo.exe
  C:\Windows\System\fymPXZo.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\tWMbLrl.exe
  C:\Windows\System\tWMbLrl.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\gkLBlco.exe
  C:\Windows\System\gkLBlco.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\dXOljBe.exe
  C:\Windows\System\dXOljBe.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\VvTppzN.exe
  C:\Windows\System\VvTppzN.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System\wZYbift.exe
  C:\Windows\System\wZYbift.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\vpDnsjA.exe
  C:\Windows\System\vpDnsjA.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\jtGUNnO.exe
  C:\Windows\System\jtGUNnO.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\JADmbpL.exe
  C:\Windows\System\JADmbpL.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\YbSKIIv.exe
  C:\Windows\System\YbSKIIv.exe
  2⤵
  - Executes dropped EXE
  PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BKfoaDp.exe

Filesize
5.2MB

MD5
5f8b75d26586623be88bcf5a2e2fbfe4

SHA1
580f3dd40cb97a23fa7b0227776a88db97cec8a4

SHA256
3285100a24d2d913359be98fe26601e96a1e03d6c98d6ac00b8e9d92d76efd72

SHA512
7ac7267c2cef333d633b694a46f5b2bfefb3995a0be03ed79d916f0ec5516f4a136b582adebc5769fec6e58c223e8da92cc667806a1158d19a545314f939ce49

Download Submit
C:\Windows\System\DjWjPIL.exe

Filesize
5.2MB

MD5
306a3c7f110478a0b8a156c3987d0478

SHA1
c4226237e3cf68a8ca857653e9d406523e13c8f6

SHA256
d8ee18efe1a34d0a3492e0d31cec53f3e8936132c849ad07f4f95e09fb69d6e9

SHA512
2c37bd62cddb216d6681a83589d6b3a7af27d765c244342b77648f4612298768453ee6b95aeba8e3b6a226d196cee583322242426482c7740348adf67cde886a

Download Submit
C:\Windows\System\Ivjrcqh.exe

Filesize
5.2MB

MD5
958f207c7efe7fc37f16456b1e289b20

SHA1
1691e367f70c1e6e12afcebf3f9327a0cc1ea770

SHA256
9fd88394d09cbe7220e3ed5e95ba0706cc84f5738744f253102c4f411b368e68

SHA512
b2e68c66f0263dd8a7ac2ea65c577940f7a5857356bede7243d7acc8ffb45c979b0b273c0b4ef0e7d6985c46879b9137a2a71a0ac479ea03f13c5f3697c61062

Download Submit
C:\Windows\System\JADmbpL.exe

Filesize
5.2MB

MD5
d0e05f6c70a573745b1383d6b8dbf9e0

SHA1
4c2d7452f146f04ca24ee067b1404ff1c2b32684

SHA256
79b118dd56518d6ef719a043051342cea91dfb49783c3623014ffbf7d2cec8d0

SHA512
44e978aa105a85e2cec88a51e8ed0e7034e3ca95c4f3f7b70ff7a114acd1010285bde00d04411e03965089b4863f8d56bd4b105a1a23652199fd8a778edc781f

Download Submit
C:\Windows\System\VvTppzN.exe

Filesize
5.2MB

MD5
1dc7b3e90ef76b94465f02d15dda0c5f

SHA1
d2dd0c77273fcc51bbd3fe8ae4d4823553aa9ed3

SHA256
087bb89e4d89eb7229cc195ecf113dfff969bd487e81e042f2e55d45cb9f926c

SHA512
5e9a7a9722e432cd689c6a8edfbacffc11b3c674646f247e0078e5a08abff456e463b42d04593378d1801574919688f5146c543b5a799cdc6dde90ac6b4f6b29

Download Submit
C:\Windows\System\YbSKIIv.exe

Filesize
5.2MB

MD5
3dd7618848603e37dc422b8f1e3d6579

SHA1
4029f8cf9ea69c7d68df0a5894bdd8f6396d31d7

SHA256
c0b92059e03643f99924715f2734eb423bd50b1880be8bc245237ba985a5caa9

SHA512
7d38a71e33c499c0210ac248ea705b05193a38659f1dcba2bfc58c49e5c1383f5f021de88c5ca0a9ebe618fc59c8131d5716e23d6cd1a83c473ff942e5125f7f

Download Submit
C:\Windows\System\cXHAesK.exe

Filesize
5.2MB

MD5
10ee5f1b9ab397d4c142b439d6089a73

SHA1
2bb1501e7f8aae5b9b1f6afa874b861be28c4dc8

SHA256
c6241ea77c3b41ffecb40f3b744776a8db66c810b13055c891b0ba4f98674b4e

SHA512
e570534e14dcbcc9d9e46a727ac16e4f8a34c58753f7f7478bf657d6591a77b5f7bd502d00cfda1355ab31accda0b7ede14b35343508db3d3045449237848926

Download Submit
C:\Windows\System\dXOljBe.exe

Filesize
5.2MB

MD5
b2bcc8c15ec82f339098224cf125fb7f

SHA1
fdae4acc5ff38e6c3b37fb1ea714f42a1f16da84

SHA256
8cebbd519ae2238778f892a73577b0e1e457b017544ce8c9a1274a581abc519a

SHA512
8b3a5ba4c22b42b18f5178128b87f28a5402db02ab0e39a826dbeda223f529f296a4da40613b0b00e9b13c466fb7799dae1c43f5761742dfe995e337eadf0ea9

Download Submit
C:\Windows\System\fymPXZo.exe

Filesize
5.2MB

MD5
a71976fab743de7c12577535dd9167b5

SHA1
407207101c25f08f83ea6e5f02b55543522d116f

SHA256
7fc31be5e4a8fdb65ed6cc75a8f678fcf9e1e03cd6d8be639b35060942079ddb

SHA512
27157c257bc9feb6f714cc5353f4fbec8bf5cda625a7dcd9ae4d41688fcff0c9c31261f553d6f42519d417e98a6b1f96f8497b69025b194452d1d5fe1415e4b9

Download Submit
C:\Windows\System\gkLBlco.exe

Filesize
5.2MB

MD5
52b43776a7dd8fae28869b21335eb86c

SHA1
3c78534445366ad85e386c78129dab228e2d7f19

SHA256
34c5c0568f7966e3f9a3da595c39db36cb4cd4e13ad9a55ece55f1c46290b23e

SHA512
11213ffad9670f1dcfef3ce2157ea698b25578fb97ed5deb4ecd43265cb27a0d071fd70a3ebf4a4dc8b16979a204976ccd7681442bee78e5afba5a97cca56c3d

Download Submit
C:\Windows\System\hmzOYDd.exe

Filesize
5.2MB

MD5
4cc01f2e31899f53acb706d53af2a716

SHA1
f6a287131e3dce74c1dd26fc1f15bc8fb1cb27e8

SHA256
56571d4cc1224afb52dc34b9d2fb2643e39efdbbfa04ce326645518d53fdb3e9

SHA512
730b73e18ce1d9f4f20a07a1f2cf1423ea30d4fb753921917bcc4b226dd6777e7f433d8e981e99f6c5fb90ebef7684d6ac74fcac74b83e174c71926af9f827ad

Download Submit
C:\Windows\System\jtGUNnO.exe

Filesize
5.2MB

MD5
e7cbbbebb46a3cf2c191891ec4fb6b43

SHA1
ac58b635a6c50e80cddb6132ac637be8f381e3fa

SHA256
f9db727719c960663a1e73b3732647927c6a31f99f4459b0b39b8f8ce42354b8

SHA512
632cad4446d712a5dc52dc018ad9604e5f710f951aa7583840d994e716c7db64b90a021c00b16a138efd753a2dd8323d04e9ce19302bec44aa3ac271eba8888d

Download Submit
C:\Windows\System\nqOlPJu.exe

Filesize
5.2MB

MD5
5f4b0def33d585ee1b77840589ba98f1

SHA1
aa68e99da58ad6f80f06b887a524e75a3a90e927

SHA256
527dbc8122ffe901e5cad32c8de8cc0ade70534b7de050aa8baac7908f2fa277

SHA512
3aeaefdde646ef9dae8fdfd180e219aa3bcd95cf0c535812af587742df31d4ad12e0251c2ace5ad6de48d7811b11a2463c42ed20da0c956e56bac948cf2fbba9

Download Submit
C:\Windows\System\otdTEBk.exe

Filesize
5.2MB

MD5
e3da89dacbcef93212727901c7c9282d

SHA1
cf6b5f77eecf8d3d4a1e0306b985212c727df8eb

SHA256
b85f49a15ff6eb1ad9762fb97a5ae5b24a8bcf48e4a0011a0bfa8b2492fe7ba2

SHA512
4dbc9cc4e5067ba1d07629b797fefd6060eb7a393191eee6fc19cc93a20b6642be76b472f68509fd5f31a775543d64dc79ed3748839fab28260d52156bb37867

Download Submit
C:\Windows\System\qxbgkml.exe

Filesize
5.2MB

MD5
9f39423fdf44dfa091801df502156b1d

SHA1
a2ce3b4917817b8c85f68d435544359c017e41af

SHA256
240805ba1e13d27c6ab5b11f39eb0e4787a83fc25a110399bd056222b9626419

SHA512
0bd4250dc5ac7c6fa6a91a1f86fcf02f9ec86522e817a71504bb99b74d5e3db06ff6f7c0197197ef12fc792bc0147f80e96a6c6d32ec2dcb393cc7e90367316d

Download Submit
C:\Windows\System\rOVLeyD.exe

Filesize
5.2MB

MD5
5b18e35dc9f04b38275f2b4efc136c62

SHA1
cf43098646b21847585f86d871f16b648c5f33a6

SHA256
dd8d85e74bc39ad8f66ec136ef8b346609327ca7beb771bed6fc76413a2f40c1

SHA512
91e90e264a2b2768c3a1ba001bd1fefb3ce0e25e93ce660a743a0540c814cee6e81b0dd6981e1d7c96a37588d0befdb880ebada5a8ba67842be0a615aa5f23d7

Download Submit
C:\Windows\System\sNIwvpm.exe

Filesize
5.2MB

MD5
ddd434d3db411ab48a100c4d1af734eb

SHA1
132dd22d61790ea1370eb8ca911b2e559824f7b3

SHA256
b2cd3048991028c5e4eb0ad8af33f9b0313abfeecf698c870a61fee399a89a36

SHA512
082e136848f14576c56993223879c3ecd9be8e3dc632aa4a962f337f38679620f8922647de2c6da6163644816c438028d10d8aedc64ae6db8d52af0c5ad2f871

Download Submit
C:\Windows\System\sUdQHVD.exe

Filesize
5.2MB

MD5
03c7dcf36465d7f00f5cf61e5c15ec22

SHA1
a1dad3f9ca2a826e2dd3b8e371860c3dbf63a7b5

SHA256
060bce4aa7aae8e0b2414bdf0b87b5ede8adb0960d32c42f96d82fa2e8f71170

SHA512
c0236eb789650c1d0455047885018b5b0c95b341fca69a39217f1e87d128943971f8aedbf17499ce272e249da176c8e483f7d32c9e9700f37fa3ef65a70b8dfa

Download Submit
C:\Windows\System\tWMbLrl.exe

Filesize
5.2MB

MD5
410a019cc777c36018a9dfc40d7bba51

SHA1
fa40a83cf42c11ba1ff06fc66d707a5a74956fad

SHA256
26cb83929b99c623ac47611b44379ccb10cfa3de76f3e03f812173986a889e06

SHA512
f863b852fa6a14cc5356a5052262848e914d810cf4fbde97dd8b5924dd7d4b3264a3a570166e219a821a9abb1c187acc5989dfc160a27301a57e61ef1ab692c7

Download Submit
C:\Windows\System\vpDnsjA.exe

Filesize
5.2MB

MD5
2ce6e96020a2491067f934da9d8da6ed

SHA1
fc97c4001db7b61236d6e3ff681789bd0b2719da

SHA256
1ac0090c71afd6769880180e68864767cdf2ae32c2b4e9f07e153b2ec3374017

SHA512
f4e6d3e5cc427139f489f019517e59c87c745d60ca00b285f06a2cf02a2102b4f5d2fe8ff06656f82d3e5e213a93a8e48a45d4a96196ade47de5546c4204f297

Download Submit
C:\Windows\System\wZYbift.exe

Filesize
5.2MB

MD5
8931d4846fd0024dafd08956979109f0

SHA1
39d607f9f1849a1e2f524ac0befff942c651b0c5

SHA256
b75128cc00744577f69b4f6d605c353e2850ababbeec1de61b7aa4525a2c636f

SHA512
04a8990750c235b9d9ae70d1c4fcd1106c2834e6a3bf471a675b202158f459133a9b67d50afc8ac0eb138fed2b81e7d9e37d13d90d889adc01870a4755164a27

Download Submit
memory/804-254-0x00007FF67ACC0000-0x00007FF67B011000-memory.dmp

Filesize
3.3MB

Download
memory/804-154-0x00007FF67ACC0000-0x00007FF67B011000-memory.dmp

Filesize
3.3MB

Download
memory/804-105-0x00007FF67ACC0000-0x00007FF67B011000-memory.dmp

Filesize
3.3MB

Download
memory/848-210-0x00007FF60F150000-0x00007FF60F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/848-7-0x00007FF60F150000-0x00007FF60F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/848-59-0x00007FF60F150000-0x00007FF60F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1080-259-0x00007FF739DD0000-0x00007FF73A121000-memory.dmp

Filesize
3.3MB

Download
memory/1080-155-0x00007FF739DD0000-0x00007FF73A121000-memory.dmp

Filesize
3.3MB

Download
memory/1080-112-0x00007FF739DD0000-0x00007FF73A121000-memory.dmp

Filesize
3.3MB

Download
memory/1344-69-0x00007FF7E3B80000-0x00007FF7E3ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-134-0x00007FF7E3B80000-0x00007FF7E3ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-244-0x00007FF7E3B80000-0x00007FF7E3ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1432-221-0x00007FF690CC0000-0x00007FF691011000-memory.dmp

Filesize
3.3MB

Download
memory/1432-32-0x00007FF690CC0000-0x00007FF691011000-memory.dmp

Filesize
3.3MB

Download
memory/1432-89-0x00007FF690CC0000-0x00007FF691011000-memory.dmp

Filesize
3.3MB

Download
memory/1452-231-0x00007FF680700000-0x00007FF680A51000-memory.dmp

Filesize
3.3MB

Download
memory/1452-55-0x00007FF680700000-0x00007FF680A51000-memory.dmp

Filesize
3.3MB

Download
memory/1668-214-0x00007FF7BFB50000-0x00007FF7BFEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-18-0x00007FF7BFB50000-0x00007FF7BFEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-75-0x00007FF7BFB50000-0x00007FF7BFEA1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-0-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-1-0x000001EB8CC30000-0x000001EB8CC40000-memory.dmp

Filesize
64KB

Download
memory/1996-56-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-160-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-138-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-151-0x00007FF6BA320000-0x00007FF6BA671000-memory.dmp

Filesize
3.3MB

Download
memory/2256-88-0x00007FF6BA320000-0x00007FF6BA671000-memory.dmp

Filesize
3.3MB

Download
memory/2256-248-0x00007FF6BA320000-0x00007FF6BA671000-memory.dmp

Filesize
3.3MB

Download
memory/2640-100-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-252-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-153-0x00007FF749E90000-0x00007FF74A1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-150-0x00007FF63C650000-0x00007FF63C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-246-0x00007FF63C650000-0x00007FF63C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-78-0x00007FF63C650000-0x00007FF63C9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3324-96-0x00007FF77BBD0000-0x00007FF77BF21000-memory.dmp

Filesize
3.3MB

Download
memory/3324-36-0x00007FF77BBD0000-0x00007FF77BF21000-memory.dmp

Filesize
3.3MB

Download
memory/3324-223-0x00007FF77BBD0000-0x00007FF77BF21000-memory.dmp

Filesize
3.3MB

Download
memory/3480-95-0x00007FF6EADE0000-0x00007FF6EB131000-memory.dmp

Filesize
3.3MB

Download
memory/3480-152-0x00007FF6EADE0000-0x00007FF6EB131000-memory.dmp

Filesize
3.3MB

Download
memory/3480-251-0x00007FF6EADE0000-0x00007FF6EB131000-memory.dmp

Filesize
3.3MB

Download
memory/3572-57-0x00007FF69CFE0000-0x00007FF69D331000-memory.dmp

Filesize
3.3MB

Download
memory/3572-113-0x00007FF69CFE0000-0x00007FF69D331000-memory.dmp

Filesize
3.3MB

Download
memory/3572-240-0x00007FF69CFE0000-0x00007FF69D331000-memory.dmp

Filesize
3.3MB

Download
memory/3640-26-0x00007FF6C4680000-0x00007FF6C49D1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-84-0x00007FF6C4680000-0x00007FF6C49D1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-219-0x00007FF6C4680000-0x00007FF6C49D1000-memory.dmp

Filesize
3.3MB

Download
memory/3780-242-0x00007FF651310000-0x00007FF651661000-memory.dmp

Filesize
3.3MB

Download
memory/3780-63-0x00007FF651310000-0x00007FF651661000-memory.dmp

Filesize
3.3MB

Download
memory/3780-128-0x00007FF651310000-0x00007FF651661000-memory.dmp

Filesize
3.3MB

Download
memory/3904-68-0x00007FF7CF770000-0x00007FF7CFAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-212-0x00007FF7CF770000-0x00007FF7CFAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-12-0x00007FF7CF770000-0x00007FF7CFAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3928-157-0x00007FF7760B0000-0x00007FF776401000-memory.dmp

Filesize
3.3MB

Download
memory/3928-124-0x00007FF7760B0000-0x00007FF776401000-memory.dmp

Filesize
3.3MB

Download
memory/3928-263-0x00007FF7760B0000-0x00007FF776401000-memory.dmp

Filesize
3.3MB

Download
memory/3988-158-0x00007FF71A930000-0x00007FF71AC81000-memory.dmp

Filesize
3.3MB

Download
memory/3988-265-0x00007FF71A930000-0x00007FF71AC81000-memory.dmp

Filesize
3.3MB

Download
memory/3988-130-0x00007FF71A930000-0x00007FF71AC81000-memory.dmp

Filesize
3.3MB

Download
memory/4372-159-0x00007FF7311F0000-0x00007FF731541000-memory.dmp

Filesize
3.3MB

Download
memory/4372-135-0x00007FF7311F0000-0x00007FF731541000-memory.dmp

Filesize
3.3MB

Download
memory/4372-267-0x00007FF7311F0000-0x00007FF731541000-memory.dmp

Filesize
3.3MB

Download
memory/4868-118-0x00007FF6A33A0000-0x00007FF6A36F1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-156-0x00007FF6A33A0000-0x00007FF6A36F1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-261-0x00007FF6A33A0000-0x00007FF6A36F1000-memory.dmp

Filesize
3.3MB

Download
memory/5112-48-0x00007FF7E7AE0000-0x00007FF7E7E31000-memory.dmp

Filesize
3.3MB

Download
memory/5112-229-0x00007FF7E7AE0000-0x00007FF7E7E31000-memory.dmp

Filesize
3.3MB

Download