cobaltstrike | f88a99ee9c4e057647a8e2bb172d8a4e60b3b0e255cb2f8824728078a8f61ea1

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d25cba8d63e2a6142cbd7ea5f44be344
SHA1

0c4118abd6911cd949af33b470c1002fbd1d0fe2
SHA256

f88a99ee9c4e057647a8e2bb172d8a4e60b3b0e255cb2f8824728078a8f61ea1
SHA512

af6082b393545bb37e51cf7734ae1f7d63053f6c5f3fb7a8b1c88dd42ef4bea6ef5d2c8c8d9a125c674d4a055fc525729e82803141581d04dcecb23d6451593d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUw

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233f1-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023451-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023455-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-39.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-20.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-54.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023452-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-68.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-95.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4216-34-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp	xmrig
behavioral2/memory/1804-28-0x00007FF7893F0000-0x00007FF789741000-memory.dmp	xmrig
behavioral2/memory/4628-57-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp	xmrig
behavioral2/memory/4688-62-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp	xmrig
behavioral2/memory/640-63-0x00007FF7233B0000-0x00007FF723701000-memory.dmp	xmrig
behavioral2/memory/1944-106-0x00007FF742310000-0x00007FF742661000-memory.dmp	xmrig
behavioral2/memory/4304-124-0x00007FF6A7BD0000-0x00007FF6A7F21000-memory.dmp	xmrig
behavioral2/memory/2132-126-0x00007FF66A150000-0x00007FF66A4A1000-memory.dmp	xmrig
behavioral2/memory/4216-125-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp	xmrig
behavioral2/memory/716-122-0x00007FF784670000-0x00007FF7849C1000-memory.dmp	xmrig
behavioral2/memory/2956-110-0x00007FF6AE670000-0x00007FF6AE9C1000-memory.dmp	xmrig
behavioral2/memory/2696-69-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp	xmrig
behavioral2/memory/4468-67-0x00007FF7AABB0000-0x00007FF7AAF01000-memory.dmp	xmrig
behavioral2/memory/3368-55-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp	xmrig
behavioral2/memory/3368-133-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp	xmrig
behavioral2/memory/888-140-0x00007FF665E40000-0x00007FF666191000-memory.dmp	xmrig
behavioral2/memory/4628-142-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp	xmrig
behavioral2/memory/1720-143-0x00007FF676220000-0x00007FF676571000-memory.dmp	xmrig
behavioral2/memory/3236-141-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp	xmrig
behavioral2/memory/5108-146-0x00007FF6D0CE0000-0x00007FF6D1031000-memory.dmp	xmrig
behavioral2/memory/3020-145-0x00007FF780F70000-0x00007FF7812C1000-memory.dmp	xmrig
behavioral2/memory/2344-150-0x00007FF6E3480000-0x00007FF6E37D1000-memory.dmp	xmrig
behavioral2/memory/1256-154-0x00007FF74FB30000-0x00007FF74FE81000-memory.dmp	xmrig
behavioral2/memory/4404-155-0x00007FF66B070000-0x00007FF66B3C1000-memory.dmp	xmrig
behavioral2/memory/3712-151-0x00007FF779B90000-0x00007FF779EE1000-memory.dmp	xmrig
behavioral2/memory/3368-156-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp	xmrig
behavioral2/memory/640-211-0x00007FF7233B0000-0x00007FF723701000-memory.dmp	xmrig
behavioral2/memory/4688-213-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp	xmrig
behavioral2/memory/1804-215-0x00007FF7893F0000-0x00007FF789741000-memory.dmp	xmrig
behavioral2/memory/2696-217-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp	xmrig
behavioral2/memory/4216-219-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp	xmrig
behavioral2/memory/1720-221-0x00007FF676220000-0x00007FF676571000-memory.dmp	xmrig
behavioral2/memory/3236-223-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp	xmrig
behavioral2/memory/888-225-0x00007FF665E40000-0x00007FF666191000-memory.dmp	xmrig
behavioral2/memory/4628-227-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp	xmrig
behavioral2/memory/4468-241-0x00007FF7AABB0000-0x00007FF7AAF01000-memory.dmp	xmrig
behavioral2/memory/3020-243-0x00007FF780F70000-0x00007FF7812C1000-memory.dmp	xmrig
behavioral2/memory/2132-245-0x00007FF66A150000-0x00007FF66A4A1000-memory.dmp	xmrig
behavioral2/memory/1944-248-0x00007FF742310000-0x00007FF742661000-memory.dmp	xmrig
behavioral2/memory/2956-249-0x00007FF6AE670000-0x00007FF6AE9C1000-memory.dmp	xmrig
behavioral2/memory/5108-251-0x00007FF6D0CE0000-0x00007FF6D1031000-memory.dmp	xmrig
behavioral2/memory/716-253-0x00007FF784670000-0x00007FF7849C1000-memory.dmp	xmrig
behavioral2/memory/2344-257-0x00007FF6E3480000-0x00007FF6E37D1000-memory.dmp	xmrig
behavioral2/memory/4304-259-0x00007FF6A7BD0000-0x00007FF6A7F21000-memory.dmp	xmrig
behavioral2/memory/4404-261-0x00007FF66B070000-0x00007FF66B3C1000-memory.dmp	xmrig
behavioral2/memory/1256-263-0x00007FF74FB30000-0x00007FF74FE81000-memory.dmp	xmrig
behavioral2/memory/3712-256-0x00007FF779B90000-0x00007FF779EE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4688	WqQbCyg.exe
640	NHxURPG.exe
2696	ZPzqBoI.exe
1804	fzQrYjp.exe
4216	UzWrtKb.exe
1720	RuAbWsO.exe
888	HGpLIxP.exe
3236	knBgmDG.exe
4628	otmtcrd.exe
4468	qZlxznt.exe
3020	eswlGyO.exe
5108	GkgUsKN.exe
2132	BNhbiIo.exe
1944	dtIbbcm.exe
2956	XoTpVUa.exe
2344	rMGvESm.exe
3712	eyMKuQp.exe
716	yslLwWU.exe
4304	oXZgroD.exe
1256	nvRqwqy.exe
4404	untlAgh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3368-0-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp	upx
behavioral2/files/0x00090000000233f1-5.dat	upx
behavioral2/memory/4688-6-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp	upx
behavioral2/files/0x0008000000023451-10.dat	upx
behavioral2/memory/640-18-0x00007FF7233B0000-0x00007FF723701000-memory.dmp	upx
behavioral2/files/0x0007000000023455-25.dat	upx
behavioral2/files/0x0007000000023457-31.dat	upx
behavioral2/files/0x0007000000023458-39.dat	upx
behavioral2/memory/888-45-0x00007FF665E40000-0x00007FF666191000-memory.dmp	upx
behavioral2/files/0x000700000002345a-49.dat	upx
behavioral2/files/0x0007000000023459-47.dat	upx
behavioral2/memory/3236-46-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp	upx
behavioral2/memory/1720-36-0x00007FF676220000-0x00007FF676571000-memory.dmp	upx
behavioral2/memory/4216-34-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp	upx
behavioral2/memory/1804-28-0x00007FF7893F0000-0x00007FF789741000-memory.dmp	upx
behavioral2/memory/2696-23-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp	upx
behavioral2/files/0x0007000000023456-20.dat	upx
behavioral2/files/0x000700000002345b-54.dat	upx
behavioral2/memory/4628-57-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp	upx
behavioral2/files/0x0008000000023452-59.dat	upx
behavioral2/memory/4688-62-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp	upx
behavioral2/memory/640-63-0x00007FF7233B0000-0x00007FF723701000-memory.dmp	upx
behavioral2/files/0x000700000002345c-68.dat	upx
behavioral2/files/0x000700000002345f-78.dat	upx
behavioral2/files/0x000700000002345d-84.dat	upx
behavioral2/files/0x0007000000023460-83.dat	upx
behavioral2/files/0x0007000000023463-101.dat	upx
behavioral2/memory/1944-106-0x00007FF742310000-0x00007FF742661000-memory.dmp	upx
behavioral2/files/0x0007000000023465-118.dat	upx
behavioral2/memory/4304-124-0x00007FF6A7BD0000-0x00007FF6A7F21000-memory.dmp	upx
behavioral2/memory/1256-127-0x00007FF74FB30000-0x00007FF74FE81000-memory.dmp	upx
behavioral2/files/0x0007000000023467-131.dat	upx
behavioral2/files/0x0007000000023466-129.dat	upx
behavioral2/memory/4404-128-0x00007FF66B070000-0x00007FF66B3C1000-memory.dmp	upx
behavioral2/memory/2132-126-0x00007FF66A150000-0x00007FF66A4A1000-memory.dmp	upx
behavioral2/memory/4216-125-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp	upx
behavioral2/memory/716-122-0x00007FF784670000-0x00007FF7849C1000-memory.dmp	upx
behavioral2/memory/3712-121-0x00007FF779B90000-0x00007FF779EE1000-memory.dmp	upx
behavioral2/files/0x0007000000023464-116.dat	upx
behavioral2/files/0x0007000000023462-112.dat	upx
behavioral2/memory/2344-111-0x00007FF6E3480000-0x00007FF6E37D1000-memory.dmp	upx
behavioral2/memory/2956-110-0x00007FF6AE670000-0x00007FF6AE9C1000-memory.dmp	upx
behavioral2/memory/5108-105-0x00007FF6D0CE0000-0x00007FF6D1031000-memory.dmp	upx
behavioral2/files/0x0007000000023461-95.dat	upx
behavioral2/memory/3020-70-0x00007FF780F70000-0x00007FF7812C1000-memory.dmp	upx
behavioral2/memory/2696-69-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp	upx
behavioral2/memory/4468-67-0x00007FF7AABB0000-0x00007FF7AAF01000-memory.dmp	upx
behavioral2/memory/3368-55-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp	upx
behavioral2/memory/3368-133-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp	upx
behavioral2/memory/888-140-0x00007FF665E40000-0x00007FF666191000-memory.dmp	upx
behavioral2/memory/4628-142-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp	upx
behavioral2/memory/1720-143-0x00007FF676220000-0x00007FF676571000-memory.dmp	upx
behavioral2/memory/3236-141-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp	upx
behavioral2/memory/5108-146-0x00007FF6D0CE0000-0x00007FF6D1031000-memory.dmp	upx
behavioral2/memory/3020-145-0x00007FF780F70000-0x00007FF7812C1000-memory.dmp	upx
behavioral2/memory/2344-150-0x00007FF6E3480000-0x00007FF6E37D1000-memory.dmp	upx
behavioral2/memory/1256-154-0x00007FF74FB30000-0x00007FF74FE81000-memory.dmp	upx
behavioral2/memory/4404-155-0x00007FF66B070000-0x00007FF66B3C1000-memory.dmp	upx
behavioral2/memory/3712-151-0x00007FF779B90000-0x00007FF779EE1000-memory.dmp	upx
behavioral2/memory/3368-156-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp	upx
behavioral2/memory/640-211-0x00007FF7233B0000-0x00007FF723701000-memory.dmp	upx
behavioral2/memory/4688-213-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp	upx
behavioral2/memory/1804-215-0x00007FF7893F0000-0x00007FF789741000-memory.dmp	upx
behavioral2/memory/2696-217-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fzQrYjp.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UzWrtKb.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\knBgmDG.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WqQbCyg.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rMGvESm.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oXZgroD.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\untlAgh.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qZlxznt.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RuAbWsO.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\otmtcrd.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GkgUsKN.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtIbbcm.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XoTpVUa.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yslLwWU.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NHxURPG.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HGpLIxP.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eswlGyO.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BNhbiIo.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyMKuQp.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nvRqwqy.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZPzqBoI.exe	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4688	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3368 wrote to memory of 4688	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3368 wrote to memory of 640	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3368 wrote to memory of 640	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3368 wrote to memory of 2696	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3368 wrote to memory of 2696	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3368 wrote to memory of 1804	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3368 wrote to memory of 1804	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3368 wrote to memory of 4216	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3368 wrote to memory of 4216	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3368 wrote to memory of 1720	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3368 wrote to memory of 1720	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3368 wrote to memory of 888	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3368 wrote to memory of 888	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3368 wrote to memory of 3236	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3368 wrote to memory of 3236	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3368 wrote to memory of 4628	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3368 wrote to memory of 4628	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3368 wrote to memory of 4468	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3368 wrote to memory of 4468	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3368 wrote to memory of 3020	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3368 wrote to memory of 3020	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3368 wrote to memory of 5108	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3368 wrote to memory of 5108	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3368 wrote to memory of 2132	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3368 wrote to memory of 2132	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3368 wrote to memory of 1944	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3368 wrote to memory of 1944	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3368 wrote to memory of 2956	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3368 wrote to memory of 2956	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3368 wrote to memory of 2344	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3368 wrote to memory of 2344	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3368 wrote to memory of 3712	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3368 wrote to memory of 3712	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3368 wrote to memory of 716	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3368 wrote to memory of 716	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3368 wrote to memory of 4304	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3368 wrote to memory of 4304	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3368 wrote to memory of 1256	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3368 wrote to memory of 1256	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3368 wrote to memory of 4404	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3368 wrote to memory of 4404	3368	2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_d25cba8d63e2a6142cbd7ea5f44be344_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\System\WqQbCyg.exe
  C:\Windows\System\WqQbCyg.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\NHxURPG.exe
  C:\Windows\System\NHxURPG.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\ZPzqBoI.exe
  C:\Windows\System\ZPzqBoI.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\fzQrYjp.exe
  C:\Windows\System\fzQrYjp.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\UzWrtKb.exe
  C:\Windows\System\UzWrtKb.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\RuAbWsO.exe
  C:\Windows\System\RuAbWsO.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\HGpLIxP.exe
  C:\Windows\System\HGpLIxP.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System\knBgmDG.exe
  C:\Windows\System\knBgmDG.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\otmtcrd.exe
  C:\Windows\System\otmtcrd.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\qZlxznt.exe
  C:\Windows\System\qZlxznt.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\eswlGyO.exe
  C:\Windows\System\eswlGyO.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\GkgUsKN.exe
  C:\Windows\System\GkgUsKN.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\BNhbiIo.exe
  C:\Windows\System\BNhbiIo.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\dtIbbcm.exe
  C:\Windows\System\dtIbbcm.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\XoTpVUa.exe
  C:\Windows\System\XoTpVUa.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\rMGvESm.exe
  C:\Windows\System\rMGvESm.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\eyMKuQp.exe
  C:\Windows\System\eyMKuQp.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\yslLwWU.exe
  C:\Windows\System\yslLwWU.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\oXZgroD.exe
  C:\Windows\System\oXZgroD.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\nvRqwqy.exe
  C:\Windows\System\nvRqwqy.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\untlAgh.exe
  C:\Windows\System\untlAgh.exe
  2⤵
  - Executes dropped EXE
  PID:4404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BNhbiIo.exe

Filesize
5.2MB

MD5
3211876bed8031e5ce417d8196bba65c

SHA1
20e90fd452932948d8b5aede6b648e49bc208a0b

SHA256
6db438ab256a27a82874bb8ccc0f2e7aa44e233c67aa51c05d2f43b582f1a109

SHA512
459f0b152dd98ba74b74b79ba3eab587c5d01d16bf889a9bffe1ffcbc899bf1ba96d8c82222ba70baafa66dc1f46bbe1acac7e62a8850efb4f5218c1f2ecd94d

Download Submit
C:\Windows\System\GkgUsKN.exe

Filesize
5.2MB

MD5
eaef01c736133118187cc27d84d107a0

SHA1
bd1e57e69b134fd1731a37d81f33ced62e4a8538

SHA256
dd28aea4d199b3d59c59c12f5a4129c6ea98ffedcaa5e4fbaf2b6d08e288c932

SHA512
d35b9b2e48ba67f136393328d4211312082bbc19f3c4ba2995cc834957b8c588a9b71773e3199128f26117f4dd11cb2859969f607d2666a39fffbc996f57f9a4

Download Submit
C:\Windows\System\HGpLIxP.exe

Filesize
5.2MB

MD5
db9511003aec2824da432ab9e35d6c98

SHA1
a1a11a8eac1f4674b980583683f1e8b3e2874a9a

SHA256
3513be406ce62b4c2c834ae80b30c7c96f32e05314d513b3d08d4c906c3083ff

SHA512
8be8e7a1c5ac3f9e89263120ae4ad54da2838e724b410a56a18a0d1614ea16a6460f277fcd094393cfe6887d93452e808f439950e49a1c51aab60490e64ec165

Download Submit
C:\Windows\System\NHxURPG.exe

Filesize
5.2MB

MD5
e6e21897db26b24eeb20aa0879a14037

SHA1
0329a25895cac331efc386ac4fb7480d9d0a11a6

SHA256
f9aa8a5a17200e6bd903dbfa16c5f5e68ed4afd0cf6b48b409ce9eb986b1af90

SHA512
9701fce223580577f18c902ab2d97da277fba670e7c9b07b3a10d92dcfb2d5dcda91b7a81f6996bf614e4d7f87d3b25b02475d17df9f54f471ee27adfd4a1c25

Download Submit
C:\Windows\System\RuAbWsO.exe

Filesize
5.2MB

MD5
c520ca80e5f76b201b13c8fe4e05df8e

SHA1
20e511270f71aac3fad7a0b98cb1b7e0e805110d

SHA256
299fbc5d389c54cfde3c5f2fc3ea268c2dcced79fe484dc7a3a3f1abb87b623b

SHA512
1c19f56d6b6eefb6f6ab2c98b9333bf9c4d73bda18c9c00df7bad751c76598999b00acc810cdfe9795fd3c8e163e239aeadc0a880999d2e134dd76c9af2b9a18

Download Submit
C:\Windows\System\UzWrtKb.exe

Filesize
5.2MB

MD5
d0dd4e3890a3cff38e7571c0ba1cd30f

SHA1
a47fa91a481bb019582443bb4988bdd344da6edc

SHA256
8bd8be6e53a7781adff9903aea4c0569cf0a1780c6e4375a634ab2baa7d6af7a

SHA512
4611e8e1c222eeea0744b61c0087a0b8651d04a5513c51bee4f5e46bf3a15535946550fd6d853a4b1174419065c754eab7bf5b997122a0e898d466a7d9127a50

Download Submit
C:\Windows\System\WqQbCyg.exe

Filesize
5.2MB

MD5
86500c8e6031fe5cc034d012811de7c4

SHA1
fabd1b4ac6a3e62ddeb8dee80eb3f88df0ec4afc

SHA256
360037205edd17a1758307bdbc1e824da8224d7005b1fa20c247fc677a464063

SHA512
35f109c4f01055c07eabe9cf4c30ca54dca72335dbb99f5da7511d47d1e90098cdff19983ce79ebd4c961b67b04734bd49c634d5b66d7d608806c7f33ad41a2e

Download Submit
C:\Windows\System\XoTpVUa.exe

Filesize
5.2MB

MD5
300ed7ff7a1264b1c4a013b1aac8e2b0

SHA1
9dc95ed4e03d7a0b58f54cb9c769d3d4490fe3f6

SHA256
0350faafe23b7756c80c7f4d3c71df7e73390141e06794ebb1b91014716ea837

SHA512
493330d432f10c7ac05294f58500c1e6f49c688a4ee016820fe4ae103603945093ce15c6b62418368de0d08a4f76c5508dde875b74230ac3cc5bd1ae1c5b854e

Download Submit
C:\Windows\System\ZPzqBoI.exe

Filesize
5.2MB

MD5
ae0baca1447cc588d9cf890b7909a496

SHA1
efc1ec6b67a0efb2500606362914e7b7f15b66cf

SHA256
148cdf395d53209b0a59167e0365ad8378b29c339a51d1e981e6ae87a408c814

SHA512
848e8d8e58c71c454f821149885cd6ec35603abf04c288703fc724ca6ea76c16fc2f0893b99bd212033483e574ad3ec04f4aae15460343a8af39bcb0d3722d2f

Download Submit
C:\Windows\System\dtIbbcm.exe

Filesize
5.2MB

MD5
d81cf2a25798065dc9b5092b68433241

SHA1
ee8c3f875690555ccd6709e03a14c00c273ceca6

SHA256
44838df9e8d0e01113acd17cd7da993828f82fe68f1650e694fd6e9ca9ed35b6

SHA512
b20ea68d1a23a7b55587159deaaac3956839b7b07c30b7e4366953e7cd78a9a97ebd74cda45aaf59a5a413b707bc2507d8ca0fbdc8c56e20591f57ec05a7454d

Download Submit
C:\Windows\System\eswlGyO.exe

Filesize
5.2MB

MD5
5dcd8c3539b4e01d89fd1ecf0e05e563

SHA1
817c42ed552bd9e6ec32d6766aa251dfd785af19

SHA256
edd4fb2fcadfe81bab593240af2d0d9ff5b2735cdcb791fcc4947a27bd1f4a66

SHA512
e6e4dee8e3dcdac9fc0dc4f0db199c0243e9218f992ef85746f25d1007571f5e43482febf3314448bb8f8291da12a430c2f44f9533c7dca6603ba0a6e064ab78

Download Submit
C:\Windows\System\eyMKuQp.exe

Filesize
5.2MB

MD5
a0489ae820a001fcdc8e3c0fb1ee8029

SHA1
5b06d03299b7b83970c27f14e07cf11cc7a787df

SHA256
90005b21e81271b670b34b6f7611d864edec416ead960294237569334abf0fa1

SHA512
0e59a64761b755ebd43f770ac97f52af64b111de147bbcbad0ee02d9fa090e28b8f9167af0fd8e43646d5737853a67de7dcdf9bd0079a8ead5b31a8956793f7c

Download Submit
C:\Windows\System\fzQrYjp.exe

Filesize
5.2MB

MD5
7fa4cbecb956cfb072bde110059ff47f

SHA1
958ec4db1ece170446b3088f49f856f24740a5f4

SHA256
47d9b9a56f1d610bd3fb77273cbd1ce609b737b15f12e4812791e8a222eff3b0

SHA512
e9fe421bfd3f7cd89e0f2b72b4e61eb5301c5e55ac26be29deb8bd506d400e772410f8da4567335cd005daf5179868d7703642219829efab4515cd0afd29f738

Download Submit
C:\Windows\System\knBgmDG.exe

Filesize
5.2MB

MD5
e4570e6a20ad363444a706e468e3c4f0

SHA1
3981ef8e97c1bca4f237ff70bd70a1c73d89ea4f

SHA256
6f48c658ae4180c1721e903bbb2fdd471c60753ba9d1b951f980a72e83dbc0b9

SHA512
a1eda23cb3b41ae672be55a2c6384b506ff0fd79acc01a7203c3caba7f0f7809cb4f90bb84317e9a55ca764b96b92c2a44edf1c8d2627bb7bdfbc371a2c28fa7

Download Submit
C:\Windows\System\nvRqwqy.exe

Filesize
5.2MB

MD5
102a79cdf6864dc1df63bbea578a841e

SHA1
283d599e4859c024ed544284e885859d44f04b4c

SHA256
a357bced43563a56ccd04f8eaf4c64f4c382f3183d9e2cfdd33c2f0efcd27b51

SHA512
1cbdb6676d90e68691d9fcd67b40a44c45e3a7331afdc780f3aa07967013bec88ec550947fa4a471967e371793568cfa9142b136c6cb60162fcce601ef85f449

Download Submit
C:\Windows\System\oXZgroD.exe

Filesize
5.2MB

MD5
c42cba69df7156c4943c6d678a7e229c

SHA1
be4ab3531085c2c3c80f2ff10e2f92603da7a49a

SHA256
a58cb6c882bfdb01ce9fb322c93a42e49af9e0e70103528c827b2dd6537563dd

SHA512
1771e9c2fd30f5b79897367ba8406eb64998ccd64aedf887614faed7ac8686bd733ee6be14ce9a136a2239f87f97f59092d4e300d36bf0398fecfe060959392c

Download Submit
C:\Windows\System\otmtcrd.exe

Filesize
5.2MB

MD5
1f45a543b291893a3902e367771855cc

SHA1
c757799ee69b4c98491a7407bb2fcfcd0e9e50af

SHA256
391a65ba04b3b29a01c2ca481bd897ea7120ce0750f375640d68b37d1c3bb13b

SHA512
f39a00cfb19c2721269d58698fb36164eea1bde8f8a14a9d23f7a64293d702fe30d1d25192702f7d3f0768f0625be3c3d961eb7c8b7e6fdba1d97fd970f77c56

Download Submit
C:\Windows\System\qZlxznt.exe

Filesize
5.2MB

MD5
198d7ad27eb512f2673b752eb47889c8

SHA1
d7b4d3f576df01c11f80446995f67f0d75d4ce56

SHA256
687193d58593d4ca5d7d75b6afe93b83dcc68718d289df4fb9aca3d0bf85691a

SHA512
6c754d9cf6a9dac39909fae005f5e619adacb2200788cc8407e87a2fa7d25f6cf6eafbc56bdd1e25a5d683ad901d3e688775c7514dd9bcea63a8c4c121fb719c

Download Submit
C:\Windows\System\rMGvESm.exe

Filesize
5.2MB

MD5
4a156493b0065709ab463176f02171e1

SHA1
320bb003f53ed3472b297e1cf6d96eb4187740a1

SHA256
63995b5de282e5d329cd358fa8456814555a479ab2f14123d97128719f1e3f7e

SHA512
736ab38d0a04c03d578eb3e5ea948eda5886503d323fd272f5c8183af86a60af65a980806a2c31daa0e53c7174c5de2f916a4b139cf3ff2316b6ee18663f79b8

Download Submit
C:\Windows\System\untlAgh.exe

Filesize
5.2MB

MD5
c3ae495bf771ce272b5998385138797b

SHA1
8ce57ddf8163a15d2338365d16cae40937308135

SHA256
d0f01943497b7f2d863a85c3b6ee98abf9e9ac44d524d91c650b6d904605e706

SHA512
104ce37e669b3f1381a5519c43e27f747841d5b34b0ccda690dd8d78bfc495e236c64b7d253eef6f2c7112e9704d84767b25fcf55848a02df7ac6a31b34b60e0

Download Submit
C:\Windows\System\yslLwWU.exe

Filesize
5.2MB

MD5
c02ffeef0942623ef7927a688d7a9d85

SHA1
244e105470e9a2493ae3851784b32c493049a33b

SHA256
c00a027f16775af58ffae784925ddc589db55f1ba864539d384b2c35f3d01f9b

SHA512
8f8bdb9af9cf9ce06a1d00da1c46b65c30dae4d42609b876b54b708a84732d84bc06074b9ac73ef5a8809d889da54210739fc139dd689362b17307575d11eeaf

Download Submit
memory/640-63-0x00007FF7233B0000-0x00007FF723701000-memory.dmp

Filesize
3.3MB

Download
memory/640-211-0x00007FF7233B0000-0x00007FF723701000-memory.dmp

Filesize
3.3MB

Download
memory/640-18-0x00007FF7233B0000-0x00007FF723701000-memory.dmp

Filesize
3.3MB

Download
memory/716-122-0x00007FF784670000-0x00007FF7849C1000-memory.dmp

Filesize
3.3MB

Download
memory/716-253-0x00007FF784670000-0x00007FF7849C1000-memory.dmp

Filesize
3.3MB

Download
memory/888-140-0x00007FF665E40000-0x00007FF666191000-memory.dmp

Filesize
3.3MB

Download
memory/888-225-0x00007FF665E40000-0x00007FF666191000-memory.dmp

Filesize
3.3MB

Download
memory/888-45-0x00007FF665E40000-0x00007FF666191000-memory.dmp

Filesize
3.3MB

Download
memory/1256-263-0x00007FF74FB30000-0x00007FF74FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1256-127-0x00007FF74FB30000-0x00007FF74FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1256-154-0x00007FF74FB30000-0x00007FF74FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1720-221-0x00007FF676220000-0x00007FF676571000-memory.dmp

Filesize
3.3MB

Download
memory/1720-36-0x00007FF676220000-0x00007FF676571000-memory.dmp

Filesize
3.3MB

Download
memory/1720-143-0x00007FF676220000-0x00007FF676571000-memory.dmp

Filesize
3.3MB

Download
memory/1804-28-0x00007FF7893F0000-0x00007FF789741000-memory.dmp

Filesize
3.3MB

Download
memory/1804-215-0x00007FF7893F0000-0x00007FF789741000-memory.dmp

Filesize
3.3MB

Download
memory/1944-106-0x00007FF742310000-0x00007FF742661000-memory.dmp

Filesize
3.3MB

Download
memory/1944-248-0x00007FF742310000-0x00007FF742661000-memory.dmp

Filesize
3.3MB

Download
memory/2132-126-0x00007FF66A150000-0x00007FF66A4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-245-0x00007FF66A150000-0x00007FF66A4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-257-0x00007FF6E3480000-0x00007FF6E37D1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-111-0x00007FF6E3480000-0x00007FF6E37D1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-150-0x00007FF6E3480000-0x00007FF6E37D1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-23-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp

Filesize
3.3MB

Download
memory/2696-69-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp

Filesize
3.3MB

Download
memory/2696-217-0x00007FF6F1240000-0x00007FF6F1591000-memory.dmp

Filesize
3.3MB

Download
memory/2956-110-0x00007FF6AE670000-0x00007FF6AE9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-249-0x00007FF6AE670000-0x00007FF6AE9C1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-70-0x00007FF780F70000-0x00007FF7812C1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-145-0x00007FF780F70000-0x00007FF7812C1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-243-0x00007FF780F70000-0x00007FF7812C1000-memory.dmp

Filesize
3.3MB

Download
memory/3236-223-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3236-141-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3236-46-0x00007FF6AE5A0000-0x00007FF6AE8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3368-156-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp

Filesize
3.3MB

Download
memory/3368-55-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp

Filesize
3.3MB

Download
memory/3368-0-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp

Filesize
3.3MB

Download
memory/3368-133-0x00007FF625BB0000-0x00007FF625F01000-memory.dmp

Filesize
3.3MB

Download
memory/3368-1-0x000002B14B820000-0x000002B14B830000-memory.dmp

Filesize
64KB

Download
memory/3712-256-0x00007FF779B90000-0x00007FF779EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-121-0x00007FF779B90000-0x00007FF779EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-151-0x00007FF779B90000-0x00007FF779EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-125-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-219-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-34-0x00007FF7901A0000-0x00007FF7904F1000-memory.dmp

Filesize
3.3MB

Download
memory/4304-259-0x00007FF6A7BD0000-0x00007FF6A7F21000-memory.dmp

Filesize
3.3MB

Download
memory/4304-124-0x00007FF6A7BD0000-0x00007FF6A7F21000-memory.dmp

Filesize
3.3MB

Download
memory/4404-261-0x00007FF66B070000-0x00007FF66B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-155-0x00007FF66B070000-0x00007FF66B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4404-128-0x00007FF66B070000-0x00007FF66B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-67-0x00007FF7AABB0000-0x00007FF7AAF01000-memory.dmp

Filesize
3.3MB

Download
memory/4468-241-0x00007FF7AABB0000-0x00007FF7AAF01000-memory.dmp

Filesize
3.3MB

Download
memory/4628-57-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp

Filesize
3.3MB

Download
memory/4628-227-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp

Filesize
3.3MB

Download
memory/4628-142-0x00007FF65A730000-0x00007FF65AA81000-memory.dmp

Filesize
3.3MB

Download
memory/4688-62-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp

Filesize
3.3MB

Download
memory/4688-6-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp

Filesize
3.3MB

Download
memory/4688-213-0x00007FF71BC00000-0x00007FF71BF51000-memory.dmp

Filesize
3.3MB

Download
memory/5108-146-0x00007FF6D0CE0000-0x00007FF6D1031000-memory.dmp

Filesize
3.3MB

Download
memory/5108-251-0x00007FF6D0CE0000-0x00007FF6D1031000-memory.dmp

Filesize
3.3MB

Download
memory/5108-105-0x00007FF6D0CE0000-0x00007FF6D1031000-memory.dmp

Filesize
3.3MB

Download