cobaltstrike | 329c2c3f27a66cc387aa3ca99e25606d89c2cc992403bce691e82628592bab66

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

684e47edf22b7895a9a2ca8659902293
SHA1

ea99b73a4f2995ce7807fd2b1b44ff9898451db3
SHA256

329c2c3f27a66cc387aa3ca99e25606d89c2cc992403bce691e82628592bab66
SHA512

be5e1adf905c30bfef6a29e1cd3fa072756784fd476339db85d81a9f764f9b8ce33e2d058044f2331540a374034380ccc590441d66aa2768f420f2d43ad0a8a4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b80-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-8.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-49.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-64.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-75.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-110.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-108.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-104.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b81-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b90-95.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8f-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8e-77.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-43.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-34.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-132.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-129.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-119.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4464-103-0x00007FF7134D0000-0x00007FF713821000-memory.dmp	xmrig
behavioral2/memory/3856-102-0x00007FF674B80000-0x00007FF674ED1000-memory.dmp	xmrig
behavioral2/memory/4240-83-0x00007FF7700D0000-0x00007FF770421000-memory.dmp	xmrig
behavioral2/memory/4656-72-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp	xmrig
behavioral2/memory/3196-113-0x00007FF762820000-0x00007FF762B71000-memory.dmp	xmrig
behavioral2/memory/4768-114-0x00007FF724030000-0x00007FF724381000-memory.dmp	xmrig
behavioral2/memory/1336-136-0x00007FF6E2E80000-0x00007FF6E31D1000-memory.dmp	xmrig
behavioral2/memory/4132-137-0x00007FF7803C0000-0x00007FF780711000-memory.dmp	xmrig
behavioral2/memory/4816-135-0x00007FF709E80000-0x00007FF70A1D1000-memory.dmp	xmrig
behavioral2/memory/1052-134-0x00007FF75A030000-0x00007FF75A381000-memory.dmp	xmrig
behavioral2/memory/412-131-0x00007FF6F8FD0000-0x00007FF6F9321000-memory.dmp	xmrig
behavioral2/memory/3616-120-0x00007FF7FB920000-0x00007FF7FBC71000-memory.dmp	xmrig
behavioral2/memory/1956-149-0x00007FF6CCF30000-0x00007FF6CD281000-memory.dmp	xmrig
behavioral2/memory/3304-152-0x00007FF694F70000-0x00007FF6952C1000-memory.dmp	xmrig
behavioral2/memory/1900-154-0x00007FF74A0F0000-0x00007FF74A441000-memory.dmp	xmrig
behavioral2/memory/3052-153-0x00007FF6719D0000-0x00007FF671D21000-memory.dmp	xmrig
behavioral2/memory/1088-148-0x00007FF6656E0000-0x00007FF665A31000-memory.dmp	xmrig
behavioral2/memory/4524-151-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	xmrig
behavioral2/memory/3188-147-0x00007FF716160000-0x00007FF7164B1000-memory.dmp	xmrig
behavioral2/memory/4484-155-0x00007FF67F910000-0x00007FF67FC61000-memory.dmp	xmrig
behavioral2/memory/2276-156-0x00007FF7A1B30000-0x00007FF7A1E81000-memory.dmp	xmrig
behavioral2/memory/3560-157-0x00007FF7C2110000-0x00007FF7C2461000-memory.dmp	xmrig
behavioral2/memory/4656-158-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp	xmrig
behavioral2/memory/4656-180-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp	xmrig
behavioral2/memory/4240-214-0x00007FF7700D0000-0x00007FF770421000-memory.dmp	xmrig
behavioral2/memory/4464-216-0x00007FF7134D0000-0x00007FF713821000-memory.dmp	xmrig
behavioral2/memory/3196-218-0x00007FF762820000-0x00007FF762B71000-memory.dmp	xmrig
behavioral2/memory/3616-231-0x00007FF7FB920000-0x00007FF7FBC71000-memory.dmp	xmrig
behavioral2/memory/412-233-0x00007FF6F8FD0000-0x00007FF6F9321000-memory.dmp	xmrig
behavioral2/memory/1336-235-0x00007FF6E2E80000-0x00007FF6E31D1000-memory.dmp	xmrig
behavioral2/memory/4768-237-0x00007FF724030000-0x00007FF724381000-memory.dmp	xmrig
behavioral2/memory/1088-241-0x00007FF6656E0000-0x00007FF665A31000-memory.dmp	xmrig
behavioral2/memory/4132-240-0x00007FF7803C0000-0x00007FF780711000-memory.dmp	xmrig
behavioral2/memory/3052-243-0x00007FF6719D0000-0x00007FF671D21000-memory.dmp	xmrig
behavioral2/memory/4524-259-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	xmrig
behavioral2/memory/3304-258-0x00007FF694F70000-0x00007FF6952C1000-memory.dmp	xmrig
behavioral2/memory/1900-255-0x00007FF74A0F0000-0x00007FF74A441000-memory.dmp	xmrig
behavioral2/memory/2276-254-0x00007FF7A1B30000-0x00007FF7A1E81000-memory.dmp	xmrig
behavioral2/memory/4484-252-0x00007FF67F910000-0x00007FF67FC61000-memory.dmp	xmrig
behavioral2/memory/3856-250-0x00007FF674B80000-0x00007FF674ED1000-memory.dmp	xmrig
behavioral2/memory/3188-248-0x00007FF716160000-0x00007FF7164B1000-memory.dmp	xmrig
behavioral2/memory/1956-246-0x00007FF6CCF30000-0x00007FF6CD281000-memory.dmp	xmrig
behavioral2/memory/3560-265-0x00007FF7C2110000-0x00007FF7C2461000-memory.dmp	xmrig
behavioral2/memory/1052-267-0x00007FF75A030000-0x00007FF75A381000-memory.dmp	xmrig
behavioral2/memory/4816-269-0x00007FF709E80000-0x00007FF70A1D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4240	egWnIkp.exe
4464	BLIdYZE.exe
3196	IBPfYsC.exe
3616	WXDhxek.exe
4768	gmXHRVt.exe
412	dkQOgcW.exe
1336	XDfGkSP.exe
4132	HULzRQc.exe
3052	SmAiiQU.exe
1088	gItJbGv.exe
1956	RrPUaOc.exe
3188	XrgUydW.exe
3856	vkaVCOF.exe
4524	HkowhsL.exe
3304	wuapKYK.exe
1900	XQJgdTU.exe
4484	FWlvNoF.exe
2276	YTkGibX.exe
3560	xoouRdY.exe
1052	GDvGIOx.exe
4816	LYOvTgp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4656-0-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp	upx
behavioral2/files/0x000b000000023b80-4.dat	upx
behavioral2/files/0x000a000000023b85-8.dat	upx
behavioral2/memory/4464-15-0x00007FF7134D0000-0x00007FF713821000-memory.dmp	upx
behavioral2/memory/3196-19-0x00007FF762820000-0x00007FF762B71000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-25.dat	upx
behavioral2/memory/4768-32-0x00007FF724030000-0x00007FF724381000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-49.dat	upx
behavioral2/files/0x000a000000023b88-46.dat	upx
behavioral2/files/0x000a000000023b8a-64.dat	upx
behavioral2/files/0x000a000000023b8d-75.dat	upx
behavioral2/memory/3188-85-0x00007FF716160000-0x00007FF7164B1000-memory.dmp	upx
behavioral2/memory/4524-90-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	upx
behavioral2/memory/4464-103-0x00007FF7134D0000-0x00007FF713821000-memory.dmp	upx
behavioral2/memory/2276-112-0x00007FF7A1B30000-0x00007FF7A1E81000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-110.dat	upx
behavioral2/files/0x000a000000023b93-108.dat	upx
behavioral2/memory/4484-107-0x00007FF67F910000-0x00007FF67FC61000-memory.dmp	upx
behavioral2/memory/1900-106-0x00007FF74A0F0000-0x00007FF74A441000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-104.dat	upx
behavioral2/memory/3856-102-0x00007FF674B80000-0x00007FF674ED1000-memory.dmp	upx
behavioral2/memory/3304-100-0x00007FF694F70000-0x00007FF6952C1000-memory.dmp	upx
behavioral2/files/0x000b000000023b81-97.dat	upx
behavioral2/files/0x000a000000023b90-95.dat	upx
behavioral2/files/0x000a000000023b8f-87.dat	upx
behavioral2/files/0x000a000000023b8c-84.dat	upx
behavioral2/memory/4240-83-0x00007FF7700D0000-0x00007FF770421000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-77.dat	upx
behavioral2/memory/4656-72-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp	upx
behavioral2/memory/1088-70-0x00007FF6656E0000-0x00007FF665A31000-memory.dmp	upx
behavioral2/memory/1956-61-0x00007FF6CCF30000-0x00007FF6CD281000-memory.dmp	upx
behavioral2/memory/3052-60-0x00007FF6719D0000-0x00007FF671D21000-memory.dmp	upx
behavioral2/memory/4132-55-0x00007FF7803C0000-0x00007FF780711000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-43.dat	upx
behavioral2/memory/1336-39-0x00007FF6E2E80000-0x00007FF6E31D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-34.dat	upx
behavioral2/memory/412-33-0x00007FF6F8FD0000-0x00007FF6F9321000-memory.dmp	upx
behavioral2/memory/3616-28-0x00007FF7FB920000-0x00007FF7FBC71000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-18.dat	upx
behavioral2/memory/4240-12-0x00007FF7700D0000-0x00007FF770421000-memory.dmp	upx
behavioral2/memory/3196-113-0x00007FF762820000-0x00007FF762B71000-memory.dmp	upx
behavioral2/memory/4768-114-0x00007FF724030000-0x00007FF724381000-memory.dmp	upx
behavioral2/memory/3560-125-0x00007FF7C2110000-0x00007FF7C2461000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-132.dat	upx
behavioral2/memory/1336-136-0x00007FF6E2E80000-0x00007FF6E31D1000-memory.dmp	upx
behavioral2/memory/4132-137-0x00007FF7803C0000-0x00007FF780711000-memory.dmp	upx
behavioral2/memory/4816-135-0x00007FF709E80000-0x00007FF70A1D1000-memory.dmp	upx
behavioral2/memory/1052-134-0x00007FF75A030000-0x00007FF75A381000-memory.dmp	upx
behavioral2/memory/412-131-0x00007FF6F8FD0000-0x00007FF6F9321000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-129.dat	upx
behavioral2/memory/3616-120-0x00007FF7FB920000-0x00007FF7FBC71000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-119.dat	upx
behavioral2/memory/1956-149-0x00007FF6CCF30000-0x00007FF6CD281000-memory.dmp	upx
behavioral2/memory/3304-152-0x00007FF694F70000-0x00007FF6952C1000-memory.dmp	upx
behavioral2/memory/1900-154-0x00007FF74A0F0000-0x00007FF74A441000-memory.dmp	upx
behavioral2/memory/3052-153-0x00007FF6719D0000-0x00007FF671D21000-memory.dmp	upx
behavioral2/memory/1088-148-0x00007FF6656E0000-0x00007FF665A31000-memory.dmp	upx
behavioral2/memory/4524-151-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp	upx
behavioral2/memory/3188-147-0x00007FF716160000-0x00007FF7164B1000-memory.dmp	upx
behavioral2/memory/4484-155-0x00007FF67F910000-0x00007FF67FC61000-memory.dmp	upx
behavioral2/memory/2276-156-0x00007FF7A1B30000-0x00007FF7A1E81000-memory.dmp	upx
behavioral2/memory/3560-157-0x00007FF7C2110000-0x00007FF7C2461000-memory.dmp	upx
behavioral2/memory/4656-158-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp	upx
behavioral2/memory/4656-180-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XQJgdTU.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xoouRdY.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\egWnIkp.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IBPfYsC.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XDfGkSP.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XrgUydW.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gItJbGv.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vkaVCOF.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RrPUaOc.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YTkGibX.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GDvGIOx.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYOvTgp.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BLIdYZE.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dkQOgcW.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HULzRQc.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SmAiiQU.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wuapKYK.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WXDhxek.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gmXHRVt.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkowhsL.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FWlvNoF.exe	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4240	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4656 wrote to memory of 4240	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4656 wrote to memory of 4464	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4656 wrote to memory of 4464	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4656 wrote to memory of 3196	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4656 wrote to memory of 3196	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4656 wrote to memory of 3616	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4656 wrote to memory of 3616	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4656 wrote to memory of 4768	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4656 wrote to memory of 4768	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4656 wrote to memory of 412	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4656 wrote to memory of 412	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4656 wrote to memory of 1336	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4656 wrote to memory of 1336	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4656 wrote to memory of 4132	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4656 wrote to memory of 4132	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4656 wrote to memory of 3052	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4656 wrote to memory of 3052	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4656 wrote to memory of 3188	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4656 wrote to memory of 3188	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4656 wrote to memory of 1088	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4656 wrote to memory of 1088	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4656 wrote to memory of 1956	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4656 wrote to memory of 1956	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4656 wrote to memory of 3856	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4656 wrote to memory of 3856	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4656 wrote to memory of 4524	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4656 wrote to memory of 4524	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4656 wrote to memory of 3304	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4656 wrote to memory of 3304	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4656 wrote to memory of 1900	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4656 wrote to memory of 1900	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4656 wrote to memory of 4484	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4656 wrote to memory of 4484	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4656 wrote to memory of 2276	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4656 wrote to memory of 2276	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4656 wrote to memory of 3560	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4656 wrote to memory of 3560	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4656 wrote to memory of 1052	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4656 wrote to memory of 1052	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4656 wrote to memory of 4816	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4656 wrote to memory of 4816	4656	2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-27_684e47edf22b7895a9a2ca8659902293_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\System\egWnIkp.exe
  C:\Windows\System\egWnIkp.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\BLIdYZE.exe
  C:\Windows\System\BLIdYZE.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\IBPfYsC.exe
  C:\Windows\System\IBPfYsC.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\WXDhxek.exe
  C:\Windows\System\WXDhxek.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\gmXHRVt.exe
  C:\Windows\System\gmXHRVt.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\dkQOgcW.exe
  C:\Windows\System\dkQOgcW.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\XDfGkSP.exe
  C:\Windows\System\XDfGkSP.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\HULzRQc.exe
  C:\Windows\System\HULzRQc.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\SmAiiQU.exe
  C:\Windows\System\SmAiiQU.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\XrgUydW.exe
  C:\Windows\System\XrgUydW.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\gItJbGv.exe
  C:\Windows\System\gItJbGv.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\RrPUaOc.exe
  C:\Windows\System\RrPUaOc.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\vkaVCOF.exe
  C:\Windows\System\vkaVCOF.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\HkowhsL.exe
  C:\Windows\System\HkowhsL.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\wuapKYK.exe
  C:\Windows\System\wuapKYK.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\XQJgdTU.exe
  C:\Windows\System\XQJgdTU.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\FWlvNoF.exe
  C:\Windows\System\FWlvNoF.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\YTkGibX.exe
  C:\Windows\System\YTkGibX.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\xoouRdY.exe
  C:\Windows\System\xoouRdY.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\GDvGIOx.exe
  C:\Windows\System\GDvGIOx.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\LYOvTgp.exe
  C:\Windows\System\LYOvTgp.exe
  2⤵
  - Executes dropped EXE
  PID:4816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BLIdYZE.exe

Filesize
5.2MB

MD5
1d1b683ebd290202791eb68d2fc96306

SHA1
12c3f7ed411b7721f28d70daa2fb6532aac99dda

SHA256
306b80c7c2a0c4bd1090db6deee7ebb93007ee1290f69f3319fbdb2b54bee72d

SHA512
d8be3ba4af166af4615b11ba4d9eab87c2cb531f55476e7fce0541485e8efe9febc2f15cae2a1a405cdf7d2084ccae5d963bc95c6b8f55fc2e3ec37cd3f778a3

Download Submit
C:\Windows\System\FWlvNoF.exe

Filesize
5.2MB

MD5
ed72e028ef83f2794d02c798310b37e1

SHA1
986f8e95708502e21371dad444ff8d6127edb08d

SHA256
3d7bf37b0f5269b88ec2f98be861af7118c6c736830fce511660a0a5c7390fc8

SHA512
2cdcfa9f9eb0fbbeef4fb2af0d2517eef5ad40dc162dfeb8f11c72b1e83987c1555dbd2c13b0968df7d975f88a3808b2ff813fb2e5faf3ec66c70399c85e8feb

Download Submit
C:\Windows\System\GDvGIOx.exe

Filesize
5.2MB

MD5
2b88023ad248e63af31e988fce9dc293

SHA1
bc8ba6c22fed71e576753f2d2d74e72c3d85375f

SHA256
96b0847454bd23d762cb90cdcaeb70a4cdbc92cbbf3a1a9f4e948c95a93cfd39

SHA512
2279f59e76f713afa5e976490380b8e9fcecb449a970faf690aa30577bd4912e3815a19c594d37a60e9379c3d0c1ad33a5f72b75a714882fbb62e341652925b6

Download Submit
C:\Windows\System\HULzRQc.exe

Filesize
5.2MB

MD5
a1721c0eb915ad13e159dce85f161d7c

SHA1
df13c644520b95fa5016141ab7dcda3f7576fb8f

SHA256
a2228ff3bab1f06e0e3472e4f5ad2c4ab7213d6c47ee5e16b12380291d21e89b

SHA512
5565e04184ce11b5233f4c41287fd96bff697d62a38842b6c44143f5e0241a49bab30a6e0fb64b023d8b1aecbbea9f0f77ddaf42f8d5f6c78ec4003755446f3c

Download Submit
C:\Windows\System\HkowhsL.exe

Filesize
5.2MB

MD5
1b4a173c9ab5b73fd0cec904d50b6cc5

SHA1
757db306a800ead88c96359147d5407d02f331b9

SHA256
12cd401c9383de18c5e21ce831c19cd1e64875fe1b2e8a6a4e1bdedc2d1455c4

SHA512
b05f8f6f707246b83c2477e385d1d2ef1ea302a4e5ab45fa4954ce31472e780c4efcd01b2c5bf3361439416d454ace0cf2f39b6fc20bc944fca2c8ebd856a807

Download Submit
C:\Windows\System\IBPfYsC.exe

Filesize
5.2MB

MD5
69840778c58c283416aa67f7c25f40ea

SHA1
3db5d61f212172b44e39ca2f8bf60e3e122c5f80

SHA256
9b7bac3eb59dc78bd11e32062fb251f0d6a64a340de9d511b6f26ddfe20a94cf

SHA512
9a61035ec4df8284819446c3e7b9328993ef78bde681c4a16221fa64a3251f007fd6f34f3454c71891798db2cfc605c452c92db8f46aa3d11d4c2d7dd89e5c7c

Download Submit
C:\Windows\System\LYOvTgp.exe

Filesize
5.2MB

MD5
4323c4788f06e21734e3904f5bc8f50b

SHA1
0b5087a760b5ff14f4c49f115b5b51bf37d7bd9e

SHA256
4d375da335da6a56ac75c04d3238f168186f848685cfb3ce2c77bbd06610f2dd

SHA512
f53957f1863441465acf5434f755af06622974dad6454a40691cdd1a9b5d5e6deda9efa9e4469b666cd9452820f56b32fd27c3fe004b7f1ead176e70549c11d9

Download Submit
C:\Windows\System\RrPUaOc.exe

Filesize
5.2MB

MD5
8630edbca755ae0ec8e917d8854e85e9

SHA1
52a3c7164fa17cb64c3ce5d846de29322317f2e7

SHA256
c689acd3c4c3032df3900ce7c08dba18dfe4409ce83d996367d6c8c0eee11f42

SHA512
9cf2f334bbd3ca9f24ba25bf50f64460768c360bbbd6b99a5120af0101730bfdca93ea927cf2d1baeb5044d5260ed4a5c3ac8b2e5a4ced767e315c592595a1bf

Download Submit
C:\Windows\System\SmAiiQU.exe

Filesize
5.2MB

MD5
40e35db41124f8fffa7ceab4c8e9b75f

SHA1
e50f6d90f0582a09f7b8a9e9f994e1c913689124

SHA256
3492e06a1aec4cbf383702ebe316a694710fe32b3f9cf9065bf81bac9d24a40c

SHA512
708ce04f6cb90e88d73e265dc53f917c3a2cfaa84db7fa937a0891950d2136251715be5470311fd0c2c0eb0ddeab8ab4b3b572197e0d32820f372bfb127b5427

Download Submit
C:\Windows\System\WXDhxek.exe

Filesize
5.2MB

MD5
91595cde3416599c3cce77ec4ef7118a

SHA1
2b3a79b143a7b7b01270c3a0df2d68dd3a262a40

SHA256
54e447ac7742d8bb5af766f6c3169a06640b65f7a761789f9bd1e6a57a9db353

SHA512
7288b02ae94782d97287f7e85b272bf85d905c62029b3808733c1577d01aa5fd4527eb3db1d0039b6e2a7eb0a787ba9fd30e45c1fb93feef30b53e3c83179110

Download Submit
C:\Windows\System\XDfGkSP.exe

Filesize
5.2MB

MD5
4ea94a1abca6c5b6f197db1e0f3b8588

SHA1
97ca430f8d5a0f1e7deda7a530c43f796447601d

SHA256
6f6a2723e8b0c3cd1ef660b6290a97ee6e0778e613dceeeed6285e2dd5386976

SHA512
8993a69f049c5a29e8a582627405b1453099103370cb83cab575f40d6893bd5e1dc18509e49c19f4f4069d4770a6d862632705ed0fcf368495fc521135d474f8

Download Submit
C:\Windows\System\XQJgdTU.exe

Filesize
5.2MB

MD5
e710bae18d90d965032bdbc143285aa9

SHA1
42395bb81856ce0bd3006df0ae071781145c621c

SHA256
711efdc4f15231419c54a2a5035ef8160b79227b63f369ca1be28c9a7139911f

SHA512
9c2d5cc936a891bcc432e631ab74807115cdb059ec23ee3962d04712a9d93a51569b22408b44da8089097380bbc38cb6948a284abcd122b79ee6f3f41ac17fe7

Download Submit
C:\Windows\System\XrgUydW.exe

Filesize
5.2MB

MD5
bd7c6a369b29b009929e0288b8bd6f0c

SHA1
ec31485bfebe0fcc5dc90a33df1c84e8d1c56fdd

SHA256
2217289abe2221bce3525c0740ee77e042d923aa173a480fe3f13a25436dc90a

SHA512
bfcd1f8bffe8bcea4273ee3f3f02f03a4909c79ae583fb8a6b493fb070310cd4bb729e0a71ca54cbdd4e127e7fbd10823ba5e4e0a04d82b53258d369876268bd

Download Submit
C:\Windows\System\YTkGibX.exe

Filesize
5.2MB

MD5
a38ba89329b43f215a8fea3407b9ed82

SHA1
1ff62e6137557ac1f3368cd7c056e040d35cdeaa

SHA256
e7584218c8ef28101dc935ccc74bba785ee7b3f5a33b30ba92711e48ed5360d2

SHA512
82bbf4b532970872a22f11984cc54a2a5abcbe10d7fbdf3375ea9a1a45857956e267e6c2660ff679ac468e2d3f4cdbbb25930d710e0ec1669019fadda999346b

Download Submit
C:\Windows\System\dkQOgcW.exe

Filesize
5.2MB

MD5
40e0e8f9a01f89808f25e969c3b346de

SHA1
88cd6606555f0acdeb78a4e22390e5f312f476b0

SHA256
df7196cc71f74a34787a174578d9f5cdd2506324e8a4f269f44622ca5163db94

SHA512
ce362410f2abb9dfad7d41e00e90c48e1d8e344d2d69a8d1bd833e596e9907bfc3ae37af9f1b0eb2256707cbfaec8feae92631a4c3376694970d381299e77dfe

Download Submit
C:\Windows\System\egWnIkp.exe

Filesize
5.2MB

MD5
dc7ae7fc79195f72745f9a81e561b03e

SHA1
bde3c271534f8aeb3d422bd1b527b97de59d1a35

SHA256
ed8d6ba3a73c9174f2e7055f6689dee5c7bb0103b4d379782e12df743f4b24a0

SHA512
564a24d079a135b10ae442919fcbf3ba8d0daa60589a90f2d3918872736b86d657313dfddcfda2a9a4a72562baab7c214610053c413df2d6bfc1abb9836ec6cc

Download Submit
C:\Windows\System\gItJbGv.exe

Filesize
5.2MB

MD5
fa60ed2e42395fc1a54b49e61b8cd806

SHA1
1bcc10264a1be6e35e6896800c7cd3104528f63b

SHA256
5789b898451f1abb50aaabba38c7c0c0a3f2914cd056817276d0e9623fa16289

SHA512
af742b4c233900940355d8b05d683967cbf32fd9eee988fbd0d325c0ee1581365c42d44b542e2dd7dbfaf0e9d816be34a52c9d2cbf7674f89fab7feb99d016f1

Download Submit
C:\Windows\System\gmXHRVt.exe

Filesize
5.2MB

MD5
54cb0271334f83a63829cc1a126d00da

SHA1
521430d80226784d018cce4293dda2e6e6fefa37

SHA256
8feedadd9f0a5a61d28a940b1699d1417f5e5fab51c755d7fae4d52be8e08fc2

SHA512
69cca155fb9cd8c30dd1c990ada2b1f99ab5705e9109748be04169c88ffab2620a523d36db803f70e01c2b20d0592b6f0da559207e0778c2d98e88ac3fdda39b

Download Submit
C:\Windows\System\vkaVCOF.exe

Filesize
5.2MB

MD5
df032161262662836d20717f7d27a25e

SHA1
6aa3d2a9a5c73fc4fc0ba31bf808f1e7e8699245

SHA256
00118b6164bcc69cdd5842ede6c5fc1a383d892109e4b1e0ab37c61096d0029f

SHA512
0197d7bd935b00beccfa369e8450939a09c8bc5b00dab5f2107ea368f8561cf60cf80e8881476fb2256382e87f7d8a8dd00b25931be340f13fb7d0c6cc16297f

Download Submit
C:\Windows\System\wuapKYK.exe

Filesize
5.2MB

MD5
0e18cfa920d10f91c1b92b5e04c3b9b1

SHA1
dd2a59e645bb027dd24f439f47f1e5f930918359

SHA256
d5b63a496d3d9d1154def43a9e27acaa1f5a5e8f4bd2b9c2898ab53b9853ef0b

SHA512
ef48860d40513c430eb72203be9919a71d41782a125d365e9972e7f9e7474e68090515fe582bf2863de654045843db5a9a48f69bc9a6edf926ab53ba4fa0e70d

Download Submit
C:\Windows\System\xoouRdY.exe

Filesize
5.2MB

MD5
d29a3a73781a457cf5b0025c0bd46a8c

SHA1
91caffba8b139af6a9e16f831f94ba4f06464768

SHA256
d0bde5f1051d3309b722f44483dcf7d933d5fab1d95d3f5db2eb1e7b41f0ab5d

SHA512
9452a41850cff26f34abde13dbeba4fe0ef4cf5fe14322d3daa1fdac8df58d18f1adceebc28bf2539c8eabaf65a518f7df45bff5334c213e8267a138036de411

Download Submit
memory/412-131-0x00007FF6F8FD0000-0x00007FF6F9321000-memory.dmp

Filesize
3.3MB

Download
memory/412-233-0x00007FF6F8FD0000-0x00007FF6F9321000-memory.dmp

Filesize
3.3MB

Download
memory/412-33-0x00007FF6F8FD0000-0x00007FF6F9321000-memory.dmp

Filesize
3.3MB

Download
memory/1052-134-0x00007FF75A030000-0x00007FF75A381000-memory.dmp

Filesize
3.3MB

Download
memory/1052-267-0x00007FF75A030000-0x00007FF75A381000-memory.dmp

Filesize
3.3MB

Download
memory/1088-241-0x00007FF6656E0000-0x00007FF665A31000-memory.dmp

Filesize
3.3MB

Download
memory/1088-70-0x00007FF6656E0000-0x00007FF665A31000-memory.dmp

Filesize
3.3MB

Download
memory/1088-148-0x00007FF6656E0000-0x00007FF665A31000-memory.dmp

Filesize
3.3MB

Download
memory/1336-136-0x00007FF6E2E80000-0x00007FF6E31D1000-memory.dmp

Filesize
3.3MB

Download
memory/1336-235-0x00007FF6E2E80000-0x00007FF6E31D1000-memory.dmp

Filesize
3.3MB

Download
memory/1336-39-0x00007FF6E2E80000-0x00007FF6E31D1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-106-0x00007FF74A0F0000-0x00007FF74A441000-memory.dmp

Filesize
3.3MB

Download
memory/1900-154-0x00007FF74A0F0000-0x00007FF74A441000-memory.dmp

Filesize
3.3MB

Download
memory/1900-255-0x00007FF74A0F0000-0x00007FF74A441000-memory.dmp

Filesize
3.3MB

Download
memory/1956-61-0x00007FF6CCF30000-0x00007FF6CD281000-memory.dmp

Filesize
3.3MB

Download
memory/1956-149-0x00007FF6CCF30000-0x00007FF6CD281000-memory.dmp

Filesize
3.3MB

Download
memory/1956-246-0x00007FF6CCF30000-0x00007FF6CD281000-memory.dmp

Filesize
3.3MB

Download
memory/2276-254-0x00007FF7A1B30000-0x00007FF7A1E81000-memory.dmp

Filesize
3.3MB

Download
memory/2276-112-0x00007FF7A1B30000-0x00007FF7A1E81000-memory.dmp

Filesize
3.3MB

Download
memory/2276-156-0x00007FF7A1B30000-0x00007FF7A1E81000-memory.dmp

Filesize
3.3MB

Download
memory/3052-243-0x00007FF6719D0000-0x00007FF671D21000-memory.dmp

Filesize
3.3MB

Download
memory/3052-60-0x00007FF6719D0000-0x00007FF671D21000-memory.dmp

Filesize
3.3MB

Download
memory/3052-153-0x00007FF6719D0000-0x00007FF671D21000-memory.dmp

Filesize
3.3MB

Download
memory/3188-147-0x00007FF716160000-0x00007FF7164B1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-85-0x00007FF716160000-0x00007FF7164B1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-248-0x00007FF716160000-0x00007FF7164B1000-memory.dmp

Filesize
3.3MB

Download
memory/3196-218-0x00007FF762820000-0x00007FF762B71000-memory.dmp

Filesize
3.3MB

Download
memory/3196-113-0x00007FF762820000-0x00007FF762B71000-memory.dmp

Filesize
3.3MB

Download
memory/3196-19-0x00007FF762820000-0x00007FF762B71000-memory.dmp

Filesize
3.3MB

Download
memory/3304-100-0x00007FF694F70000-0x00007FF6952C1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-258-0x00007FF694F70000-0x00007FF6952C1000-memory.dmp

Filesize
3.3MB

Download
memory/3304-152-0x00007FF694F70000-0x00007FF6952C1000-memory.dmp

Filesize
3.3MB

Download
memory/3560-125-0x00007FF7C2110000-0x00007FF7C2461000-memory.dmp

Filesize
3.3MB

Download
memory/3560-157-0x00007FF7C2110000-0x00007FF7C2461000-memory.dmp

Filesize
3.3MB

Download
memory/3560-265-0x00007FF7C2110000-0x00007FF7C2461000-memory.dmp

Filesize
3.3MB

Download
memory/3616-231-0x00007FF7FB920000-0x00007FF7FBC71000-memory.dmp

Filesize
3.3MB

Download
memory/3616-28-0x00007FF7FB920000-0x00007FF7FBC71000-memory.dmp

Filesize
3.3MB

Download
memory/3616-120-0x00007FF7FB920000-0x00007FF7FBC71000-memory.dmp

Filesize
3.3MB

Download
memory/3856-250-0x00007FF674B80000-0x00007FF674ED1000-memory.dmp

Filesize
3.3MB

Download
memory/3856-102-0x00007FF674B80000-0x00007FF674ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4132-55-0x00007FF7803C0000-0x00007FF780711000-memory.dmp

Filesize
3.3MB

Download
memory/4132-240-0x00007FF7803C0000-0x00007FF780711000-memory.dmp

Filesize
3.3MB

Download
memory/4132-137-0x00007FF7803C0000-0x00007FF780711000-memory.dmp

Filesize
3.3MB

Download
memory/4240-214-0x00007FF7700D0000-0x00007FF770421000-memory.dmp

Filesize
3.3MB

Download
memory/4240-12-0x00007FF7700D0000-0x00007FF770421000-memory.dmp

Filesize
3.3MB

Download
memory/4240-83-0x00007FF7700D0000-0x00007FF770421000-memory.dmp

Filesize
3.3MB

Download
memory/4464-103-0x00007FF7134D0000-0x00007FF713821000-memory.dmp

Filesize
3.3MB

Download
memory/4464-216-0x00007FF7134D0000-0x00007FF713821000-memory.dmp

Filesize
3.3MB

Download
memory/4464-15-0x00007FF7134D0000-0x00007FF713821000-memory.dmp

Filesize
3.3MB

Download
memory/4484-252-0x00007FF67F910000-0x00007FF67FC61000-memory.dmp

Filesize
3.3MB

Download
memory/4484-155-0x00007FF67F910000-0x00007FF67FC61000-memory.dmp

Filesize
3.3MB

Download
memory/4484-107-0x00007FF67F910000-0x00007FF67FC61000-memory.dmp

Filesize
3.3MB

Download
memory/4524-90-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp

Filesize
3.3MB

Download
memory/4524-259-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp

Filesize
3.3MB

Download
memory/4524-151-0x00007FF74DF10000-0x00007FF74E261000-memory.dmp

Filesize
3.3MB

Download
memory/4656-72-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4656-180-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4656-158-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4656-0-0x00007FF659F70000-0x00007FF65A2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4656-1-0x0000019C09F10000-0x0000019C09F20000-memory.dmp

Filesize
64KB

Download
memory/4768-237-0x00007FF724030000-0x00007FF724381000-memory.dmp

Filesize
3.3MB

Download
memory/4768-114-0x00007FF724030000-0x00007FF724381000-memory.dmp

Filesize
3.3MB

Download
memory/4768-32-0x00007FF724030000-0x00007FF724381000-memory.dmp

Filesize
3.3MB

Download
memory/4816-135-0x00007FF709E80000-0x00007FF70A1D1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-269-0x00007FF709E80000-0x00007FF70A1D1000-memory.dmp

Filesize
3.3MB

Download