cobaltstrike | 7f042d7425b8074392762dbb554d701eefbe1883243026b00ec61d33a6e91952

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5301cebe88ab645dcaa4118868270a3e
SHA1

b28589e48d1799e860220721721d2277c35d56c3
SHA256

7f042d7425b8074392762dbb554d701eefbe1883243026b00ec61d33a6e91952
SHA512

abcf9695df886c6251fc5f99a4b37456c684db14759263d5173c5675e0d9c4ec29c6328edc7e8991fbc06624462a740423eacf8bea206d3c802df858b00b77fb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibf56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234c5-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ca-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234c9-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cb-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cc-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234cd-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ce-43.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234c6-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d1-63.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d2-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d0-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d4-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d3-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d6-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d8-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d7-110.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234dc-132.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234db-133.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234da-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d9-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234d5-99.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3076-67-0x00007FF6B89D0000-0x00007FF6B8D21000-memory.dmp	xmrig
behavioral2/memory/1472-69-0x00007FF767530000-0x00007FF767881000-memory.dmp	xmrig
behavioral2/memory/3432-68-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp	xmrig
behavioral2/memory/3236-72-0x00007FF7C8650000-0x00007FF7C89A1000-memory.dmp	xmrig
behavioral2/memory/404-77-0x00007FF72FE60000-0x00007FF7301B1000-memory.dmp	xmrig
behavioral2/memory/2180-113-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp	xmrig
behavioral2/memory/1216-123-0x00007FF70A440000-0x00007FF70A791000-memory.dmp	xmrig
behavioral2/memory/3648-122-0x00007FF7315B0000-0x00007FF731901000-memory.dmp	xmrig
behavioral2/memory/1508-108-0x00007FF6A5F10000-0x00007FF6A6261000-memory.dmp	xmrig
behavioral2/memory/2652-102-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp	xmrig
behavioral2/memory/1512-90-0x00007FF6DE6A0000-0x00007FF6DE9F1000-memory.dmp	xmrig
behavioral2/memory/2608-83-0x00007FF7EBD90000-0x00007FF7EC0E1000-memory.dmp	xmrig
behavioral2/memory/2228-82-0x00007FF778210000-0x00007FF778561000-memory.dmp	xmrig
behavioral2/memory/2228-138-0x00007FF778210000-0x00007FF778561000-memory.dmp	xmrig
behavioral2/memory/3432-139-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp	xmrig
behavioral2/memory/4988-152-0x00007FF6C9A70000-0x00007FF6C9DC1000-memory.dmp	xmrig
behavioral2/memory/2648-154-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	xmrig
behavioral2/memory/4948-153-0x00007FF6C3760000-0x00007FF6C3AB1000-memory.dmp	xmrig
behavioral2/memory/3596-162-0x00007FF6D5EC0000-0x00007FF6D6211000-memory.dmp	xmrig
behavioral2/memory/720-161-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	xmrig
behavioral2/memory/4892-159-0x00007FF69BA40000-0x00007FF69BD91000-memory.dmp	xmrig
behavioral2/memory/3660-165-0x00007FF768E80000-0x00007FF7691D1000-memory.dmp	xmrig
behavioral2/memory/4436-164-0x00007FF7719E0000-0x00007FF771D31000-memory.dmp	xmrig
behavioral2/memory/3800-163-0x00007FF668ED0000-0x00007FF669221000-memory.dmp	xmrig
behavioral2/memory/3432-166-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp	xmrig
behavioral2/memory/3236-217-0x00007FF7C8650000-0x00007FF7C89A1000-memory.dmp	xmrig
behavioral2/memory/404-219-0x00007FF72FE60000-0x00007FF7301B1000-memory.dmp	xmrig
behavioral2/memory/2608-221-0x00007FF7EBD90000-0x00007FF7EC0E1000-memory.dmp	xmrig
behavioral2/memory/1512-223-0x00007FF6DE6A0000-0x00007FF6DE9F1000-memory.dmp	xmrig
behavioral2/memory/2652-232-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp	xmrig
behavioral2/memory/1508-234-0x00007FF6A5F10000-0x00007FF6A6261000-memory.dmp	xmrig
behavioral2/memory/2180-236-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp	xmrig
behavioral2/memory/3648-238-0x00007FF7315B0000-0x00007FF731901000-memory.dmp	xmrig
behavioral2/memory/1216-240-0x00007FF70A440000-0x00007FF70A791000-memory.dmp	xmrig
behavioral2/memory/1472-244-0x00007FF767530000-0x00007FF767881000-memory.dmp	xmrig
behavioral2/memory/3076-243-0x00007FF6B89D0000-0x00007FF6B8D21000-memory.dmp	xmrig
behavioral2/memory/2228-252-0x00007FF778210000-0x00007FF778561000-memory.dmp	xmrig
behavioral2/memory/4988-254-0x00007FF6C9A70000-0x00007FF6C9DC1000-memory.dmp	xmrig
behavioral2/memory/4948-256-0x00007FF6C3760000-0x00007FF6C3AB1000-memory.dmp	xmrig
behavioral2/memory/2648-258-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	xmrig
behavioral2/memory/720-260-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	xmrig
behavioral2/memory/4892-265-0x00007FF69BA40000-0x00007FF69BD91000-memory.dmp	xmrig
behavioral2/memory/3596-267-0x00007FF6D5EC0000-0x00007FF6D6211000-memory.dmp	xmrig
behavioral2/memory/3800-269-0x00007FF668ED0000-0x00007FF669221000-memory.dmp	xmrig
behavioral2/memory/4436-271-0x00007FF7719E0000-0x00007FF771D31000-memory.dmp	xmrig
behavioral2/memory/3660-273-0x00007FF768E80000-0x00007FF7691D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3236	fpQoxCz.exe
404	IHJMtCF.exe
2608	nhNuboU.exe
1512	GVxtKoZ.exe
2652	joCollT.exe
1508	vIjvJqU.exe
2180	wGHBYJQ.exe
3648	LVVPEDx.exe
1216	UJlJdZp.exe
1472	HdXRkfj.exe
3076	HpIOmzM.exe
2228	bJsmcKY.exe
4988	leOOzEf.exe
4948	WOUprGm.exe
2648	rHADQWt.exe
720	PLrFRrX.exe
4892	gquluMo.exe
3596	aMKxMbC.exe
3800	bOAenyJ.exe
4436	YvoqbXj.exe
3660	GAtuVQW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3432-0-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp	upx
behavioral2/files/0x00080000000234c5-4.dat	upx
behavioral2/memory/3236-6-0x00007FF7C8650000-0x00007FF7C89A1000-memory.dmp	upx
behavioral2/files/0x00070000000234ca-9.dat	upx
behavioral2/files/0x00070000000234c9-11.dat	upx
behavioral2/memory/404-12-0x00007FF72FE60000-0x00007FF7301B1000-memory.dmp	upx
behavioral2/memory/2608-18-0x00007FF7EBD90000-0x00007FF7EC0E1000-memory.dmp	upx
behavioral2/files/0x00070000000234cb-23.dat	upx
behavioral2/memory/1512-24-0x00007FF6DE6A0000-0x00007FF6DE9F1000-memory.dmp	upx
behavioral2/files/0x00070000000234cc-30.dat	upx
behavioral2/files/0x00070000000234cd-35.dat	upx
behavioral2/memory/2652-31-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp	upx
behavioral2/files/0x00070000000234ce-43.dat	upx
behavioral2/memory/2180-42-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp	upx
behavioral2/memory/1508-38-0x00007FF6A5F10000-0x00007FF6A6261000-memory.dmp	upx
behavioral2/files/0x00080000000234c6-46.dat	upx
behavioral2/memory/3648-48-0x00007FF7315B0000-0x00007FF731901000-memory.dmp	upx
behavioral2/files/0x00070000000234d1-63.dat	upx
behavioral2/files/0x00070000000234d2-65.dat	upx
behavioral2/memory/3076-67-0x00007FF6B89D0000-0x00007FF6B8D21000-memory.dmp	upx
behavioral2/memory/1472-69-0x00007FF767530000-0x00007FF767881000-memory.dmp	upx
behavioral2/memory/3432-68-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp	upx
behavioral2/files/0x00070000000234d0-61.dat	upx
behavioral2/memory/1216-57-0x00007FF70A440000-0x00007FF70A791000-memory.dmp	upx
behavioral2/memory/3236-72-0x00007FF7C8650000-0x00007FF7C89A1000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-79.dat	upx
behavioral2/memory/404-77-0x00007FF72FE60000-0x00007FF7301B1000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-73.dat	upx
behavioral2/files/0x00070000000234d6-96.dat	upx
behavioral2/files/0x00070000000234d8-105.dat	upx
behavioral2/files/0x00070000000234d7-110.dat	upx
behavioral2/memory/2180-113-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp	upx
behavioral2/memory/4892-112-0x00007FF69BA40000-0x00007FF69BD91000-memory.dmp	upx
behavioral2/memory/3800-124-0x00007FF668ED0000-0x00007FF669221000-memory.dmp	upx
behavioral2/files/0x00070000000234dc-132.dat	upx
behavioral2/memory/3660-135-0x00007FF768E80000-0x00007FF7691D1000-memory.dmp	upx
behavioral2/files/0x00070000000234db-133.dat	upx
behavioral2/memory/4436-131-0x00007FF7719E0000-0x00007FF771D31000-memory.dmp	upx
behavioral2/files/0x00070000000234da-127.dat	upx
behavioral2/memory/1216-123-0x00007FF70A440000-0x00007FF70A791000-memory.dmp	upx
behavioral2/memory/3648-122-0x00007FF7315B0000-0x00007FF731901000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-116.dat	upx
behavioral2/memory/3596-109-0x00007FF6D5EC0000-0x00007FF6D6211000-memory.dmp	upx
behavioral2/memory/1508-108-0x00007FF6A5F10000-0x00007FF6A6261000-memory.dmp	upx
behavioral2/memory/720-103-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	upx
behavioral2/memory/2652-102-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-99.dat	upx
behavioral2/memory/2648-94-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	upx
behavioral2/memory/4948-91-0x00007FF6C3760000-0x00007FF6C3AB1000-memory.dmp	upx
behavioral2/memory/4988-84-0x00007FF6C9A70000-0x00007FF6C9DC1000-memory.dmp	upx
behavioral2/memory/1512-90-0x00007FF6DE6A0000-0x00007FF6DE9F1000-memory.dmp	upx
behavioral2/memory/2608-83-0x00007FF7EBD90000-0x00007FF7EC0E1000-memory.dmp	upx
behavioral2/memory/2228-82-0x00007FF778210000-0x00007FF778561000-memory.dmp	upx
behavioral2/memory/2228-138-0x00007FF778210000-0x00007FF778561000-memory.dmp	upx
behavioral2/memory/3432-139-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp	upx
behavioral2/memory/4988-152-0x00007FF6C9A70000-0x00007FF6C9DC1000-memory.dmp	upx
behavioral2/memory/2648-154-0x00007FF7630E0000-0x00007FF763431000-memory.dmp	upx
behavioral2/memory/4948-153-0x00007FF6C3760000-0x00007FF6C3AB1000-memory.dmp	upx
behavioral2/memory/3596-162-0x00007FF6D5EC0000-0x00007FF6D6211000-memory.dmp	upx
behavioral2/memory/720-161-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	upx
behavioral2/memory/4892-159-0x00007FF69BA40000-0x00007FF69BD91000-memory.dmp	upx
behavioral2/memory/3660-165-0x00007FF768E80000-0x00007FF7691D1000-memory.dmp	upx
behavioral2/memory/4436-164-0x00007FF7719E0000-0x00007FF771D31000-memory.dmp	upx
behavioral2/memory/3800-163-0x00007FF668ED0000-0x00007FF669221000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PLrFRrX.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gquluMo.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bOAenyJ.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nhNuboU.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\joCollT.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vIjvJqU.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LVVPEDx.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wGHBYJQ.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bJsmcKY.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GAtuVQW.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GVxtKoZ.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HdXRkfj.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMKxMbC.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvoqbXj.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leOOzEf.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rHADQWt.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WOUprGm.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fpQoxCz.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IHJMtCF.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UJlJdZp.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HpIOmzM.exe	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 3236	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3432 wrote to memory of 3236	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3432 wrote to memory of 404	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3432 wrote to memory of 404	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3432 wrote to memory of 2608	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3432 wrote to memory of 2608	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3432 wrote to memory of 1512	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3432 wrote to memory of 1512	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3432 wrote to memory of 2652	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3432 wrote to memory of 2652	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3432 wrote to memory of 1508	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3432 wrote to memory of 1508	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3432 wrote to memory of 2180	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3432 wrote to memory of 2180	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3432 wrote to memory of 3648	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3432 wrote to memory of 3648	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3432 wrote to memory of 1216	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3432 wrote to memory of 1216	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3432 wrote to memory of 1472	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3432 wrote to memory of 1472	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3432 wrote to memory of 3076	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3432 wrote to memory of 3076	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3432 wrote to memory of 2228	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3432 wrote to memory of 2228	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3432 wrote to memory of 4988	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3432 wrote to memory of 4988	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3432 wrote to memory of 2648	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3432 wrote to memory of 2648	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3432 wrote to memory of 4948	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3432 wrote to memory of 4948	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3432 wrote to memory of 720	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3432 wrote to memory of 720	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3432 wrote to memory of 4892	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3432 wrote to memory of 4892	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3432 wrote to memory of 3596	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3432 wrote to memory of 3596	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3432 wrote to memory of 3800	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3432 wrote to memory of 3800	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3432 wrote to memory of 4436	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3432 wrote to memory of 4436	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3432 wrote to memory of 3660	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3432 wrote to memory of 3660	3432	2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_5301cebe88ab645dcaa4118868270a3e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\System\fpQoxCz.exe
  C:\Windows\System\fpQoxCz.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\IHJMtCF.exe
  C:\Windows\System\IHJMtCF.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\nhNuboU.exe
  C:\Windows\System\nhNuboU.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\GVxtKoZ.exe
  C:\Windows\System\GVxtKoZ.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\joCollT.exe
  C:\Windows\System\joCollT.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\vIjvJqU.exe
  C:\Windows\System\vIjvJqU.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\wGHBYJQ.exe
  C:\Windows\System\wGHBYJQ.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\LVVPEDx.exe
  C:\Windows\System\LVVPEDx.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\UJlJdZp.exe
  C:\Windows\System\UJlJdZp.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\HdXRkfj.exe
  C:\Windows\System\HdXRkfj.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\HpIOmzM.exe
  C:\Windows\System\HpIOmzM.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\bJsmcKY.exe
  C:\Windows\System\bJsmcKY.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\leOOzEf.exe
  C:\Windows\System\leOOzEf.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\rHADQWt.exe
  C:\Windows\System\rHADQWt.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\WOUprGm.exe
  C:\Windows\System\WOUprGm.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\PLrFRrX.exe
  C:\Windows\System\PLrFRrX.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\gquluMo.exe
  C:\Windows\System\gquluMo.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\aMKxMbC.exe
  C:\Windows\System\aMKxMbC.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\bOAenyJ.exe
  C:\Windows\System\bOAenyJ.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System\YvoqbXj.exe
  C:\Windows\System\YvoqbXj.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\GAtuVQW.exe
  C:\Windows\System\GAtuVQW.exe
  2⤵
  - Executes dropped EXE
  PID:3660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GAtuVQW.exe

Filesize
5.2MB

MD5
4e5c2f1d395699e03eda22bc2d37b560

SHA1
1e6c95376e1a81573634e219247345ef9d8b9742

SHA256
37e24dd3cdcec787cbb10d910d1736254be76ffd79172853639affe145e11d98

SHA512
d98c23ac37b6b08828a416c01f9e3a4d26018250a2aa6d6e4f03ee78512641f1c7236fbbf28c0a4efa96878b47b1e02ff3a552c8f8334e50a667aad9bcec09cd

Download Submit
C:\Windows\System\GVxtKoZ.exe

Filesize
5.2MB

MD5
ceaca4ea3cf0e0b59f67db0e1c771a64

SHA1
f45c6cbac44c8d12546c557f5854e20bdbb883c1

SHA256
a8806df06b231f991d2dad998601a542e343a5419a118dccc49ed5c53976f8ce

SHA512
4d81166e20cf967873a5edfb38cbd55ab3019e80001a31b473795e17c5446939e175dbce324b5ade47e5a6de3dbe5474d0c8ebe2acc3eb97236cf3f03bf1e2d4

Download Submit
C:\Windows\System\HdXRkfj.exe

Filesize
5.2MB

MD5
792534d8f218894bac3bbe62dd060aff

SHA1
605c330203c45175d4b5471eafb494ed687bc493

SHA256
f05a54da531637ece9266500be8d6a1d70a9ff76eadf44349ca2102429bc9564

SHA512
f4379f0758d6a85ecad54c8b19cf5d07e1b363d73bfa4739d918bad2650fda1184e2907fa909152768ff7769a25e7837f7e0fb723325786b420782b7796ced1a

Download Submit
C:\Windows\System\HpIOmzM.exe

Filesize
5.2MB

MD5
aff3582c11a9ead2728414a530599ea3

SHA1
518c5557c644049f16625c7c4b4093016bc0ae11

SHA256
9c4944a04d646a17f9aadcf388743566c9a8658cb2a0a1b2bf23b225b533bcbf

SHA512
49ac3df9f58bebe59ce06195fa6c44983dfd5e0b316fd10c00ebf817f8a74fa2f805c2420c78300efd7728cd5ed16d2ea21f7684a8883acb7ec41870a0dd3707

Download Submit
C:\Windows\System\IHJMtCF.exe

Filesize
5.2MB

MD5
d16e03a1b189a46f46b8fed718e4d61c

SHA1
84d008895c7eb7fe38ffa3ce682890c6b063c324

SHA256
bd892cbdc0a206dcd62194e09ebacf0533599b7d1ec88791fd8d1b683d0f2c8e

SHA512
d6551307a0d7c6792d673b27b31b45fffdbaa0f4768442d03b510e25dda78b9de892a8246a86d08483dca54f2adbb4d864139254b656c883fe1acb11bcccea13

Download Submit
C:\Windows\System\LVVPEDx.exe

Filesize
5.2MB

MD5
33af686c034ac9cf0bbf2420d83346c2

SHA1
dfb3234f7a31abcabb14f9818a055c6972c67675

SHA256
3999d467563f11d9cfd79c587153a02a4f8040ced0571df33adf4063510c21a5

SHA512
f4ed45fef886ae4d47b9bbee211de0b19ebb97dbaf1ddfb7a1d6930ccf7e3972948bdbfe1be683db1ebd7323ec94e7566c6eb8bf31f2b3a1e94127b6f3e4efbb

Download Submit
C:\Windows\System\PLrFRrX.exe

Filesize
5.2MB

MD5
57062646b6044c865aa14196c846371d

SHA1
d2d9b93c6b72938eb2f51144ade7715b6ab229bf

SHA256
ea90d6aa988d4abebcbfddb66056cfbc7ee66f99a87495f755be957e8abf00e8

SHA512
9718949f5e567fbe4676e52248c72c2d56ad9bffe63c7d663fe78bfc47dd100b969eb93e9bd100415a2e09d2e5aa7a8d056a6ba1e0f69e9c4db55798b016b7b3

Download Submit
C:\Windows\System\UJlJdZp.exe

Filesize
5.2MB

MD5
abfd663546e08f30b29d166dbb79ac73

SHA1
e966f85a8803854b1332a19990f73204b6d40ff2

SHA256
34b038782e8c1123455b4a2d3912cec978d40141026646a0b8e4ff7dfdf841b2

SHA512
a678be3472a9d9f6c81535ba489ce1b13cbd273928db4d06264c4b854677fa4f614687b3034147c21a0630d148d47963ada52cb12c119d5278d111ac0d80f38f

Download Submit
C:\Windows\System\WOUprGm.exe

Filesize
5.2MB

MD5
bcaa8c00c755b521062e8cd4a5ccb702

SHA1
325b29748f24419a099175d204e8ef540c738102

SHA256
54d1d24c8e3f84ab123e8e1c7ee6111b55d1b40abb57861ce25ee5336b4af012

SHA512
1ab022df57b69dfc66ba29ab9070d74ed2c88b980dff8c49b5c4d649f2b47f4ed22e7554103cf1b637e9944d71003c6aca7bf0335b778922ddde044f45bccb73

Download Submit
C:\Windows\System\YvoqbXj.exe

Filesize
5.2MB

MD5
7bd619b5ce1365151934d7ae28c1e35c

SHA1
afa5bb3d8da3432192e01ba914c03f7959126bea

SHA256
59aa6acdfecbc5a3a92dadb06a97d95c8d39a5ae8f36f2ee54c3941359aa06fc

SHA512
7a5414fff154f9cc1fc390c138aa39798cef2cdfca06977ce116fe37b187d6deefc63dd14c3d6001b672eb3b859d93adcaa787e721647e3a51cacd22914fa9f5

Download Submit
C:\Windows\System\aMKxMbC.exe

Filesize
5.2MB

MD5
4100165fe4fc5c07126ceba60ba81c14

SHA1
77d33729001fbb62aedf7fc1636573c350d34803

SHA256
1cabaaac4a0a673fabb0b7f4adc21d1b013096d747c8097c4f93f8bde67e673f

SHA512
4bccdc7e791fe0c4d03b7871da2238b1b57486c7415048933371b8eb29667dd923943c632f0938a0862af3f5f058a21eab034e52ca7db67dffe33ba8501998d3

Download Submit
C:\Windows\System\bJsmcKY.exe

Filesize
5.2MB

MD5
410677bed036304af85e510048d973a0

SHA1
28dba6e99db7f0b2628cad777d3b51bbafc06b78

SHA256
30e9b7e0cb27255365925884c0d031011b893f8bb8bc76acb1c389893d01afac

SHA512
ca1c6a74a3f69b29225109057c8f1338953cb96ae4cbf13f79e5f0d46419246d4b90a14c976281cd3c05f7b62a1bd47428e97a4c49eeea96fe50f921128711fa

Download Submit
C:\Windows\System\bOAenyJ.exe

Filesize
5.2MB

MD5
a8a4ffe375c5813e1e7c94ad8b1efd05

SHA1
5662a088d8c12151b67049494c64f761466002e1

SHA256
e19c47d15adc49270dcb090efb760106b8197ff6b43b398a79e14adfc0e6db73

SHA512
fc329b70188a0b95b0155d2799f0e85703c136c41d5e373f231a5284b693c0a414dacec1846060e9873ec45157db4fe783deaca5d7c4cec6ffe383fe0d08a5f1

Download Submit
C:\Windows\System\fpQoxCz.exe

Filesize
5.2MB

MD5
aca66aff51ef3b060a13e9d5c866caeb

SHA1
ebeabb0eef76f502c4a61b0b0bc1844a8726e730

SHA256
8f2954eefce4338631ff989316a73c2528179e12d8a1e43c413248cd1de10e8f

SHA512
a9e9d0c17936d36c45d79f50c89f0a54a1b16cc3ac4c094f6dfea993c1c28c98cca8a1c5a43272ddaa9ab073ff441d5e011910476d3b0a5872abc6d8205363e1

Download Submit
C:\Windows\System\gquluMo.exe

Filesize
5.2MB

MD5
60273ca67fd9b7351a478b2cdbe8f0ea

SHA1
0679db2de91a5062a76b29659e344736c90d8d43

SHA256
f10b1c1d3f3f9f383dd5bf6ed1c6d0fcaeca458323c565e73c42fc323c0014fe

SHA512
a059184b7c660918291b31d8ba085ab1c59fb885f65d1f160fbfa2eea8ccec7b42c0cccfe3608c0b8ecc4826f87c65cfc2321848566e00f3e60c6a625592f68d

Download Submit
C:\Windows\System\joCollT.exe

Filesize
5.2MB

MD5
68869307bee869c843b15104813ba6ac

SHA1
da40a928db7cf5539ab280f6b0cea534643e524a

SHA256
9fcb2ebfd91e6701076e6d645ff00839cec47d7eeed223bd1fdb3a31bb64ecce

SHA512
3f73ad993d682ccd8c16c2a9102a4f5789462f28e572c60b905626174fda21eb3c57bf15607d2c42b08eb4724cc118251de35a7ad358b4e4e82d87db3498bbf5

Download Submit
C:\Windows\System\leOOzEf.exe

Filesize
5.2MB

MD5
fe70678916c9458df70c1bb47f3fcb89

SHA1
9a0a6cedc155cb410e59cb24025ec44896856300

SHA256
17bbe698c833f1301f3db30d7a8381d3ed171389d874c45304bdecc68898e42a

SHA512
5fea89f59b65102f13d145d532981d1a8c3a710844d9e9a3f58456a3e5e50c9171d53f1fa50f6894743431a9347bcb300149896ed253cb37b2a58ea7615e1335

Download Submit
C:\Windows\System\nhNuboU.exe

Filesize
5.2MB

MD5
f01b4e7dc871fa288d3a1b449c0d6265

SHA1
92cbe79dded983393158bc8ab180609ff4bdec08

SHA256
0700e4d7a03b1b875e40f2b5596efd881635e73e3be67b203fa8aa06f2694bc9

SHA512
49667741309ecf0fe11ac0d3ec48de7e7113c2a35bf7b74f3c5156e72bbf04dee756d8d64b624566b89085e819f1b71e395bddd851da18ec5aa58ca9e29b8af1

Download Submit
C:\Windows\System\rHADQWt.exe

Filesize
5.2MB

MD5
78deeabdda4032fc84250a079e807b72

SHA1
5b14893d7e301bef883ecc938b2452956ca26fc5

SHA256
27b9d501fe01ee0236b8d5f35d5dc9eebe1a6471fe886a4d788767addd9881e9

SHA512
6c696b7ea384edbf354d5db80c98bc9d68dc4711d66d3980bdfb8ffb3564ddede0ad6f43fb39f4e42d91058a346103156c1cf51a3e657cb7c8cfd367d488d046

Download Submit
C:\Windows\System\vIjvJqU.exe

Filesize
5.2MB

MD5
c587a57f2a233bcd810554fedf516d52

SHA1
93391f7ae36a279bbd94690157b0367dda3849fd

SHA256
73010c441327371acd89746c7f9a2ad78ee04584ffcce016c41ef10ca6f1cf89

SHA512
e11cf0cd25b958462d6c9f090553f5942dac5c9e55ddaeea7653647831554c995280bfd662838fae94edf7ce715e6b7c59beedc5ddff5a95b739bbd606a3aca5

Download Submit
C:\Windows\System\wGHBYJQ.exe

Filesize
5.2MB

MD5
cd2368d001081bdbfcdcb76029d262bf

SHA1
a0c3c01c066f49b62973f2cdcaac3806996ca76e

SHA256
2628f67818d3fe1dc7df47c2985bf1a7a97ff5906756ed797d947512019c0a4a

SHA512
f7f897f0ce37d90b89d672ff7cffabccae7827f7251237d3fa31ff19b4f41b4ea1c24e134093f7e44cd8a2c2a92cd4a9617a535354e87129d0399d8bbb8615ff

Download Submit
memory/404-12-0x00007FF72FE60000-0x00007FF7301B1000-memory.dmp

Filesize
3.3MB

Download
memory/404-219-0x00007FF72FE60000-0x00007FF7301B1000-memory.dmp

Filesize
3.3MB

Download
memory/404-77-0x00007FF72FE60000-0x00007FF7301B1000-memory.dmp

Filesize
3.3MB

Download
memory/720-103-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp

Filesize
3.3MB

Download
memory/720-260-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp

Filesize
3.3MB

Download
memory/720-161-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp

Filesize
3.3MB

Download
memory/1216-57-0x00007FF70A440000-0x00007FF70A791000-memory.dmp

Filesize
3.3MB

Download
memory/1216-240-0x00007FF70A440000-0x00007FF70A791000-memory.dmp

Filesize
3.3MB

Download
memory/1216-123-0x00007FF70A440000-0x00007FF70A791000-memory.dmp

Filesize
3.3MB

Download
memory/1472-244-0x00007FF767530000-0x00007FF767881000-memory.dmp

Filesize
3.3MB

Download
memory/1472-69-0x00007FF767530000-0x00007FF767881000-memory.dmp

Filesize
3.3MB

Download
memory/1508-38-0x00007FF6A5F10000-0x00007FF6A6261000-memory.dmp

Filesize
3.3MB

Download
memory/1508-108-0x00007FF6A5F10000-0x00007FF6A6261000-memory.dmp

Filesize
3.3MB

Download
memory/1508-234-0x00007FF6A5F10000-0x00007FF6A6261000-memory.dmp

Filesize
3.3MB

Download
memory/1512-223-0x00007FF6DE6A0000-0x00007FF6DE9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-90-0x00007FF6DE6A0000-0x00007FF6DE9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-24-0x00007FF6DE6A0000-0x00007FF6DE9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-113-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-42-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-236-0x00007FF6FB580000-0x00007FF6FB8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-252-0x00007FF778210000-0x00007FF778561000-memory.dmp

Filesize
3.3MB

Download
memory/2228-138-0x00007FF778210000-0x00007FF778561000-memory.dmp

Filesize
3.3MB

Download
memory/2228-82-0x00007FF778210000-0x00007FF778561000-memory.dmp

Filesize
3.3MB

Download
memory/2608-18-0x00007FF7EBD90000-0x00007FF7EC0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-83-0x00007FF7EBD90000-0x00007FF7EC0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-221-0x00007FF7EBD90000-0x00007FF7EC0E1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-258-0x00007FF7630E0000-0x00007FF763431000-memory.dmp

Filesize
3.3MB

Download
memory/2648-94-0x00007FF7630E0000-0x00007FF763431000-memory.dmp

Filesize
3.3MB

Download
memory/2648-154-0x00007FF7630E0000-0x00007FF763431000-memory.dmp

Filesize
3.3MB

Download
memory/2652-31-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp

Filesize
3.3MB

Download
memory/2652-232-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp

Filesize
3.3MB

Download
memory/2652-102-0x00007FF65C6D0000-0x00007FF65CA21000-memory.dmp

Filesize
3.3MB

Download
memory/3076-67-0x00007FF6B89D0000-0x00007FF6B8D21000-memory.dmp

Filesize
3.3MB

Download
memory/3076-243-0x00007FF6B89D0000-0x00007FF6B8D21000-memory.dmp

Filesize
3.3MB

Download
memory/3236-72-0x00007FF7C8650000-0x00007FF7C89A1000-memory.dmp

Filesize
3.3MB

Download
memory/3236-6-0x00007FF7C8650000-0x00007FF7C89A1000-memory.dmp

Filesize
3.3MB

Download
memory/3236-217-0x00007FF7C8650000-0x00007FF7C89A1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-166-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-68-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-139-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-0-0x00007FF7F8250000-0x00007FF7F85A1000-memory.dmp

Filesize
3.3MB

Download
memory/3432-1-0x000002B42C500000-0x000002B42C510000-memory.dmp

Filesize
64KB

Download
memory/3596-109-0x00007FF6D5EC0000-0x00007FF6D6211000-memory.dmp

Filesize
3.3MB

Download
memory/3596-267-0x00007FF6D5EC0000-0x00007FF6D6211000-memory.dmp

Filesize
3.3MB

Download
memory/3596-162-0x00007FF6D5EC0000-0x00007FF6D6211000-memory.dmp

Filesize
3.3MB

Download
memory/3648-238-0x00007FF7315B0000-0x00007FF731901000-memory.dmp

Filesize
3.3MB

Download
memory/3648-48-0x00007FF7315B0000-0x00007FF731901000-memory.dmp

Filesize
3.3MB

Download
memory/3648-122-0x00007FF7315B0000-0x00007FF731901000-memory.dmp

Filesize
3.3MB

Download
memory/3660-135-0x00007FF768E80000-0x00007FF7691D1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-273-0x00007FF768E80000-0x00007FF7691D1000-memory.dmp

Filesize
3.3MB

Download
memory/3660-165-0x00007FF768E80000-0x00007FF7691D1000-memory.dmp

Filesize
3.3MB

Download
memory/3800-269-0x00007FF668ED0000-0x00007FF669221000-memory.dmp

Filesize
3.3MB

Download
memory/3800-163-0x00007FF668ED0000-0x00007FF669221000-memory.dmp

Filesize
3.3MB

Download
memory/3800-124-0x00007FF668ED0000-0x00007FF669221000-memory.dmp

Filesize
3.3MB

Download
memory/4436-271-0x00007FF7719E0000-0x00007FF771D31000-memory.dmp

Filesize
3.3MB

Download
memory/4436-131-0x00007FF7719E0000-0x00007FF771D31000-memory.dmp

Filesize
3.3MB

Download
memory/4436-164-0x00007FF7719E0000-0x00007FF771D31000-memory.dmp

Filesize
3.3MB

Download
memory/4892-159-0x00007FF69BA40000-0x00007FF69BD91000-memory.dmp

Filesize
3.3MB

Download
memory/4892-265-0x00007FF69BA40000-0x00007FF69BD91000-memory.dmp

Filesize
3.3MB

Download
memory/4892-112-0x00007FF69BA40000-0x00007FF69BD91000-memory.dmp

Filesize
3.3MB

Download
memory/4948-153-0x00007FF6C3760000-0x00007FF6C3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-256-0x00007FF6C3760000-0x00007FF6C3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-91-0x00007FF6C3760000-0x00007FF6C3AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-254-0x00007FF6C9A70000-0x00007FF6C9DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-84-0x00007FF6C9A70000-0x00007FF6C9DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4988-152-0x00007FF6C9A70000-0x00007FF6C9DC1000-memory.dmp

Filesize
3.3MB

Download