cobaltstrike | 4a8e69ca6d5ac5d38b003c9529bcb6c5f9800b14231a5f56efa82765d15ff7cf

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

0415c36f700130d3928d7866df40f02a
SHA1

5ea74f98358c11153cae671e7508303dc6e20146
SHA256

4a8e69ca6d5ac5d38b003c9529bcb6c5f9800b14231a5f56efa82765d15ff7cf
SHA512

680f2ddd6c02861a35eff74846c9eda470d1bdd279b3da0b7e4409465e1562815eebfc501b2c593f2359c19257db108195d4c2dfb4539e9514ca80f182703260
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUn:Q+u56utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023342-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233a6-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233a7-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233a8-22.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233a3-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233a9-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233aa-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ab-43.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ac-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ad-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ae-64.dat	cobalt_reflective_dll
behavioral2/files/0x0004000000022f92-85.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022f9b-93.dat	cobalt_reflective_dll
behavioral2/files/0x000e0000000232aa-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b3-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b4-131.dat	cobalt_reflective_dll
behavioral2/files/0x00100000000232ce-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b1-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233b2-121.dat	cobalt_reflective_dll
behavioral2/files/0x00040000000229ed-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233af-80.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/264-0-0x00007FF7535D0000-0x00007FF753924000-memory.dmp	xmrig
behavioral2/files/0x0009000000023342-4.dat	xmrig
behavioral2/memory/4936-8-0x00007FF748680000-0x00007FF7489D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233a6-11.dat	xmrig
behavioral2/files/0x00070000000233a7-10.dat	xmrig
behavioral2/memory/4972-18-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp	xmrig
behavioral2/memory/4632-13-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233a8-22.dat	xmrig
behavioral2/memory/1192-26-0x00007FF7B3A00000-0x00007FF7B3D54000-memory.dmp	xmrig
behavioral2/files/0x00080000000233a3-30.dat	xmrig
behavioral2/files/0x00070000000233a9-33.dat	xmrig
behavioral2/memory/2784-31-0x00007FF61DDB0000-0x00007FF61E104000-memory.dmp	xmrig
behavioral2/memory/5108-34-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp	xmrig
behavioral2/files/0x00070000000233aa-41.dat	xmrig
behavioral2/files/0x00070000000233ab-43.dat	xmrig
behavioral2/files/0x00070000000233ac-52.dat	xmrig
behavioral2/memory/968-56-0x00007FF77F140000-0x00007FF77F494000-memory.dmp	xmrig
behavioral2/memory/2264-57-0x00007FF6441A0000-0x00007FF6444F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ad-66.dat	xmrig
behavioral2/memory/3020-69-0x00007FF775D60000-0x00007FF7760B4000-memory.dmp	xmrig
behavioral2/memory/4936-70-0x00007FF748680000-0x00007FF7489D4000-memory.dmp	xmrig
behavioral2/memory/1536-68-0x00007FF7ED420000-0x00007FF7ED774000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ae-64.dat	xmrig
behavioral2/memory/264-63-0x00007FF7535D0000-0x00007FF753924000-memory.dmp	xmrig
behavioral2/memory/3916-47-0x00007FF79A6B0000-0x00007FF79AA04000-memory.dmp	xmrig
behavioral2/memory/4632-71-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp	xmrig
behavioral2/memory/1192-84-0x00007FF7B3A00000-0x00007FF7B3D54000-memory.dmp	xmrig
behavioral2/files/0x0004000000022f92-85.dat	xmrig
behavioral2/files/0x0002000000022f9b-93.dat	xmrig
behavioral2/memory/4864-106-0x00007FF6214E0000-0x00007FF621834000-memory.dmp	xmrig
behavioral2/files/0x000e0000000232aa-115.dat	xmrig
behavioral2/memory/1056-118-0x00007FF6736B0000-0x00007FF673A04000-memory.dmp	xmrig
behavioral2/files/0x00070000000233b3-124.dat	xmrig
behavioral2/files/0x00070000000233b4-131.dat	xmrig
behavioral2/memory/1864-134-0x00007FF6AB8C0000-0x00007FF6ABC14000-memory.dmp	xmrig
behavioral2/memory/3648-132-0x00007FF684A70000-0x00007FF684DC4000-memory.dmp	xmrig
behavioral2/memory/1644-130-0x00007FF6402E0000-0x00007FF640634000-memory.dmp	xmrig
behavioral2/memory/3884-129-0x00007FF7BEAD0000-0x00007FF7BEE24000-memory.dmp	xmrig
behavioral2/files/0x00100000000232ce-127.dat	xmrig
behavioral2/files/0x00070000000233b1-122.dat	xmrig
behavioral2/files/0x00070000000233b2-121.dat	xmrig
behavioral2/memory/968-113-0x00007FF77F140000-0x00007FF77F494000-memory.dmp	xmrig
behavioral2/memory/1988-112-0x00007FF628960000-0x00007FF628CB4000-memory.dmp	xmrig
behavioral2/memory/3916-99-0x00007FF79A6B0000-0x00007FF79AA04000-memory.dmp	xmrig
behavioral2/memory/5108-98-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp	xmrig
behavioral2/memory/3112-94-0x00007FF6FF920000-0x00007FF6FFC74000-memory.dmp	xmrig
behavioral2/memory/2784-87-0x00007FF61DDB0000-0x00007FF61E104000-memory.dmp	xmrig
behavioral2/memory/4048-86-0x00007FF65F290000-0x00007FF65F5E4000-memory.dmp	xmrig
behavioral2/files/0x00040000000229ed-90.dat	xmrig
behavioral2/files/0x00070000000233af-80.dat	xmrig
behavioral2/memory/3100-78-0x00007FF726C20000-0x00007FF726F74000-memory.dmp	xmrig
behavioral2/memory/4972-77-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp	xmrig
behavioral2/memory/3100-137-0x00007FF726C20000-0x00007FF726F74000-memory.dmp	xmrig
behavioral2/memory/4048-138-0x00007FF65F290000-0x00007FF65F5E4000-memory.dmp	xmrig
behavioral2/memory/3112-139-0x00007FF6FF920000-0x00007FF6FFC74000-memory.dmp	xmrig
behavioral2/memory/4864-140-0x00007FF6214E0000-0x00007FF621834000-memory.dmp	xmrig
behavioral2/memory/1988-141-0x00007FF628960000-0x00007FF628CB4000-memory.dmp	xmrig
behavioral2/memory/1056-142-0x00007FF6736B0000-0x00007FF673A04000-memory.dmp	xmrig
behavioral2/memory/1644-143-0x00007FF6402E0000-0x00007FF640634000-memory.dmp	xmrig
behavioral2/memory/3884-144-0x00007FF7BEAD0000-0x00007FF7BEE24000-memory.dmp	xmrig
behavioral2/memory/1864-145-0x00007FF6AB8C0000-0x00007FF6ABC14000-memory.dmp	xmrig
behavioral2/memory/4936-146-0x00007FF748680000-0x00007FF7489D4000-memory.dmp	xmrig
behavioral2/memory/4632-147-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp	xmrig
behavioral2/memory/4972-148-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4936	BSaEFtD.exe
4632	nQwetll.exe
4972	VOqJZtO.exe
1192	oQMqrHK.exe
2784	OdhsHjF.exe
5108	truVbkK.exe
3916	lhXoRHX.exe
968	YTZnTUc.exe
2264	lCBudrV.exe
1536	JiSVMwh.exe
3020	RwRilsw.exe
3100	PfMEZlO.exe
4048	HQlfDOg.exe
3112	aHSZWYb.exe
4864	wDWHwec.exe
1056	NTHqXxB.exe
1988	FrQiIZI.exe
3884	VgEdHad.exe
3648	MxHuLXT.exe
1644	yNwoQvy.exe
1864	LOgsUls.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/264-0-0x00007FF7535D0000-0x00007FF753924000-memory.dmp	upx
behavioral2/files/0x0009000000023342-4.dat	upx
behavioral2/memory/4936-8-0x00007FF748680000-0x00007FF7489D4000-memory.dmp	upx
behavioral2/files/0x00070000000233a6-11.dat	upx
behavioral2/files/0x00070000000233a7-10.dat	upx
behavioral2/memory/4972-18-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp	upx
behavioral2/memory/4632-13-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp	upx
behavioral2/files/0x00070000000233a8-22.dat	upx
behavioral2/memory/1192-26-0x00007FF7B3A00000-0x00007FF7B3D54000-memory.dmp	upx
behavioral2/files/0x00080000000233a3-30.dat	upx
behavioral2/files/0x00070000000233a9-33.dat	upx
behavioral2/memory/2784-31-0x00007FF61DDB0000-0x00007FF61E104000-memory.dmp	upx
behavioral2/memory/5108-34-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp	upx
behavioral2/files/0x00070000000233aa-41.dat	upx
behavioral2/files/0x00070000000233ab-43.dat	upx
behavioral2/files/0x00070000000233ac-52.dat	upx
behavioral2/memory/968-56-0x00007FF77F140000-0x00007FF77F494000-memory.dmp	upx
behavioral2/memory/2264-57-0x00007FF6441A0000-0x00007FF6444F4000-memory.dmp	upx
behavioral2/files/0x00070000000233ad-66.dat	upx
behavioral2/memory/3020-69-0x00007FF775D60000-0x00007FF7760B4000-memory.dmp	upx
behavioral2/memory/4936-70-0x00007FF748680000-0x00007FF7489D4000-memory.dmp	upx
behavioral2/memory/1536-68-0x00007FF7ED420000-0x00007FF7ED774000-memory.dmp	upx
behavioral2/files/0x00070000000233ae-64.dat	upx
behavioral2/memory/264-63-0x00007FF7535D0000-0x00007FF753924000-memory.dmp	upx
behavioral2/memory/3916-47-0x00007FF79A6B0000-0x00007FF79AA04000-memory.dmp	upx
behavioral2/memory/4632-71-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp	upx
behavioral2/memory/1192-84-0x00007FF7B3A00000-0x00007FF7B3D54000-memory.dmp	upx
behavioral2/files/0x0004000000022f92-85.dat	upx
behavioral2/files/0x0002000000022f9b-93.dat	upx
behavioral2/memory/4864-106-0x00007FF6214E0000-0x00007FF621834000-memory.dmp	upx
behavioral2/files/0x000e0000000232aa-115.dat	upx
behavioral2/memory/1056-118-0x00007FF6736B0000-0x00007FF673A04000-memory.dmp	upx
behavioral2/files/0x00070000000233b3-124.dat	upx
behavioral2/files/0x00070000000233b4-131.dat	upx
behavioral2/memory/1864-134-0x00007FF6AB8C0000-0x00007FF6ABC14000-memory.dmp	upx
behavioral2/memory/3648-132-0x00007FF684A70000-0x00007FF684DC4000-memory.dmp	upx
behavioral2/memory/1644-130-0x00007FF6402E0000-0x00007FF640634000-memory.dmp	upx
behavioral2/memory/3884-129-0x00007FF7BEAD0000-0x00007FF7BEE24000-memory.dmp	upx
behavioral2/files/0x00100000000232ce-127.dat	upx
behavioral2/files/0x00070000000233b1-122.dat	upx
behavioral2/files/0x00070000000233b2-121.dat	upx
behavioral2/memory/968-113-0x00007FF77F140000-0x00007FF77F494000-memory.dmp	upx
behavioral2/memory/1988-112-0x00007FF628960000-0x00007FF628CB4000-memory.dmp	upx
behavioral2/memory/3916-99-0x00007FF79A6B0000-0x00007FF79AA04000-memory.dmp	upx
behavioral2/memory/5108-98-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp	upx
behavioral2/memory/3112-94-0x00007FF6FF920000-0x00007FF6FFC74000-memory.dmp	upx
behavioral2/memory/2784-87-0x00007FF61DDB0000-0x00007FF61E104000-memory.dmp	upx
behavioral2/memory/4048-86-0x00007FF65F290000-0x00007FF65F5E4000-memory.dmp	upx
behavioral2/files/0x00040000000229ed-90.dat	upx
behavioral2/files/0x00070000000233af-80.dat	upx
behavioral2/memory/3100-78-0x00007FF726C20000-0x00007FF726F74000-memory.dmp	upx
behavioral2/memory/4972-77-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp	upx
behavioral2/memory/3100-137-0x00007FF726C20000-0x00007FF726F74000-memory.dmp	upx
behavioral2/memory/4048-138-0x00007FF65F290000-0x00007FF65F5E4000-memory.dmp	upx
behavioral2/memory/3112-139-0x00007FF6FF920000-0x00007FF6FFC74000-memory.dmp	upx
behavioral2/memory/4864-140-0x00007FF6214E0000-0x00007FF621834000-memory.dmp	upx
behavioral2/memory/1988-141-0x00007FF628960000-0x00007FF628CB4000-memory.dmp	upx
behavioral2/memory/1056-142-0x00007FF6736B0000-0x00007FF673A04000-memory.dmp	upx
behavioral2/memory/1644-143-0x00007FF6402E0000-0x00007FF640634000-memory.dmp	upx
behavioral2/memory/3884-144-0x00007FF7BEAD0000-0x00007FF7BEE24000-memory.dmp	upx
behavioral2/memory/1864-145-0x00007FF6AB8C0000-0x00007FF6ABC14000-memory.dmp	upx
behavioral2/memory/4936-146-0x00007FF748680000-0x00007FF7489D4000-memory.dmp	upx
behavioral2/memory/4632-147-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp	upx
behavioral2/memory/4972-148-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OdhsHjF.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RwRilsw.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HQlfDOg.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MxHuLXT.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VOqJZtO.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oQMqrHK.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VgEdHad.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YTZnTUc.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PfMEZlO.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aHSZWYb.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wDWHwec.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NTHqXxB.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FrQiIZI.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQwetll.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiSVMwh.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lhXoRHX.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lCBudrV.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yNwoQvy.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LOgsUls.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BSaEFtD.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\truVbkK.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 4936	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 264 wrote to memory of 4936	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 264 wrote to memory of 4632	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 264 wrote to memory of 4632	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 264 wrote to memory of 4972	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 264 wrote to memory of 4972	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 264 wrote to memory of 1192	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 264 wrote to memory of 1192	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 264 wrote to memory of 2784	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 264 wrote to memory of 2784	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 264 wrote to memory of 5108	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 264 wrote to memory of 5108	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 264 wrote to memory of 3916	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 264 wrote to memory of 3916	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 264 wrote to memory of 968	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 264 wrote to memory of 968	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 264 wrote to memory of 2264	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 264 wrote to memory of 2264	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 264 wrote to memory of 3020	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 264 wrote to memory of 3020	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 264 wrote to memory of 1536	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 264 wrote to memory of 1536	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 264 wrote to memory of 3100	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 264 wrote to memory of 3100	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 264 wrote to memory of 4048	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 264 wrote to memory of 4048	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 264 wrote to memory of 3112	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 264 wrote to memory of 3112	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 264 wrote to memory of 4864	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 264 wrote to memory of 4864	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 264 wrote to memory of 1056	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 264 wrote to memory of 1056	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 264 wrote to memory of 1988	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 264 wrote to memory of 1988	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 264 wrote to memory of 3884	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 264 wrote to memory of 3884	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 264 wrote to memory of 3648	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 264 wrote to memory of 3648	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 264 wrote to memory of 1644	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 264 wrote to memory of 1644	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 264 wrote to memory of 1864	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 264 wrote to memory of 1864	264	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\System\BSaEFtD.exe
  C:\Windows\System\BSaEFtD.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\nQwetll.exe
  C:\Windows\System\nQwetll.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\VOqJZtO.exe
  C:\Windows\System\VOqJZtO.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\oQMqrHK.exe
  C:\Windows\System\oQMqrHK.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\OdhsHjF.exe
  C:\Windows\System\OdhsHjF.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\truVbkK.exe
  C:\Windows\System\truVbkK.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\lhXoRHX.exe
  C:\Windows\System\lhXoRHX.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\YTZnTUc.exe
  C:\Windows\System\YTZnTUc.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\lCBudrV.exe
  C:\Windows\System\lCBudrV.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\RwRilsw.exe
  C:\Windows\System\RwRilsw.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\JiSVMwh.exe
  C:\Windows\System\JiSVMwh.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\PfMEZlO.exe
  C:\Windows\System\PfMEZlO.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\HQlfDOg.exe
  C:\Windows\System\HQlfDOg.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\aHSZWYb.exe
  C:\Windows\System\aHSZWYb.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\wDWHwec.exe
  C:\Windows\System\wDWHwec.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\NTHqXxB.exe
  C:\Windows\System\NTHqXxB.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\FrQiIZI.exe
  C:\Windows\System\FrQiIZI.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\VgEdHad.exe
  C:\Windows\System\VgEdHad.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\MxHuLXT.exe
  C:\Windows\System\MxHuLXT.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\yNwoQvy.exe
  C:\Windows\System\yNwoQvy.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\LOgsUls.exe
  C:\Windows\System\LOgsUls.exe
  2⤵
  - Executes dropped EXE
  PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BSaEFtD.exe

Filesize
5.9MB

MD5
81e9492693e10fa300dd204a013bb358

SHA1
cd1860f2c9c23751759885d3e49e6abb9c917ea0

SHA256
966ac3e490e75dce2d6a1122133283f196b5e6ccf920af42105d7a43b394b09d

SHA512
e1d23844ba44e6aa1e8027707cccd00ea67f244d8e2247b9c44b0da4ef882e39cdf8feaac936a01976c559fa9fed3fbac11cc90fc1b1e882e29008602d668f45

Download Submit
C:\Windows\System\FrQiIZI.exe

Filesize
5.9MB

MD5
3e801c0123e4797e1fc370c7b4ee71a2

SHA1
a7881effa12ae158427384e2445ae34d1b4e443d

SHA256
273f5da1ee569acd51831eafa00ff3ea1281010bc85c2cd58fa87b3498bd40de

SHA512
5dafee4e25ebe25a840c03966ae3eb911d34e548fead8c02ce1e0dd19a8c5497923b4ea94f746018e976155684af9a5ad10438fc5d0c9a9a4f40ed14ed41b998

Download Submit
C:\Windows\System\HQlfDOg.exe

Filesize
5.9MB

MD5
9c21eca506a16b8966f1a5734c905b31

SHA1
dcc467b57cbadb08d28a50be642892b3a5650871

SHA256
ebaaab16bf5c50bdec03afb84d94dfa14af89314ad7c47cec93d3d5add111451

SHA512
edf91d02e11d8214d0b8655d09c7316c352d3b2974b9ba6ea88814d20ccaf08406344129a1cedf3c185f480617677c82aac05ab93bafe58813d1764b87316621

Download Submit
C:\Windows\System\JiSVMwh.exe

Filesize
5.9MB

MD5
75b12cbdba33757274ecb3a43f02c979

SHA1
b0204658786cf57f1bf082e1e27542856a4a8345

SHA256
304ece02ae14961db0c0a3f2f65a748fadf41cefedbb71a11a6cec6142bca62a

SHA512
02d16f40e1262ce47234498468ef62ef38b3788e42898a9e47de707252609073c781f6985a51762dabea9284ff49a50d558e937cbaea24086bb57fc1b6856989

Download Submit
C:\Windows\System\LOgsUls.exe

Filesize
5.9MB

MD5
900ae4780d27223da196c8d43cf951cf

SHA1
a0705527b099fb0403f12e9f5a2de409b04ed61d

SHA256
a3337f8c76687290e9fa8539f08eecadc7b6e64719c9643d87f29a4bf386394e

SHA512
64147a39b597b44acadd8b7bb056e6776ceb5ea9c617055966d6386602cab9bf8f581afd3dc1c47075a4a2070f47827d90e7304789e28205e0206961aa1f345e

Download Submit
C:\Windows\System\MxHuLXT.exe

Filesize
5.9MB

MD5
fc03b9c11cf20ce4e9558e991ff599d9

SHA1
f4081b0c37ad03230b1d1286e94236685aff5740

SHA256
dd5ba10af07f0d60c28ed61785d9cd272d3bec0937c1b583d07d5feff44b8bb4

SHA512
e57cc3bc09fcf16ee6cc8fa0c6b3b49d3efaa433401086d84a120445cd27268c537cf0f348faaa3494f3c25266b7fb960cde401ac0d7f3293b92fa35cd7ee8b6

Download Submit
C:\Windows\System\NTHqXxB.exe

Filesize
5.9MB

MD5
7c0eda26eac1067e27a5b2e3c4518b1a

SHA1
9b2b9b47b4a2f74cda13ba0c30cd0b5377cc1098

SHA256
ac03c2fd73b161bcac2a15f54c42aab5f9d06dc97a2623e22c85b1dd93d3320b

SHA512
12dd20b3c96c3004bfc336d732de2e757fcbe4971a8af3f23b5b8fa3a5ddaa517570bcea2ea0f2a1b618d65ca8af7e49aed2d3f55ad85b8be686697f77a95fe0

Download Submit
C:\Windows\System\OdhsHjF.exe

Filesize
5.9MB

MD5
e286470dd6c4ba482bb983d9417ac7d9

SHA1
37518ccb37e0b4a8fd355bcdce79e9e7a2c11d29

SHA256
bade75de6c1112f20c1576d44f9337cfc3064f240e7a110e424c3ee675db4d86

SHA512
2b2792e3cbd1f0c2a7d381b3b19fd97e788ac38632dfae3fc2f303923d26c5e109fa8861beab32068f1152c955c68410173c0d8b97368c1a1d589c1c68eb349e

Download Submit
C:\Windows\System\PfMEZlO.exe

Filesize
5.9MB

MD5
c222297f27b22d198265cdda8c45c1c0

SHA1
2c658fea42d2fc21df6ea9bc164ee4009a011fc4

SHA256
93c36727ab1988368baa4ecbefc978464f7e9777f95c462699d45f9eead68bee

SHA512
8225cd8340434fff7f3694dcbee5b339a2e91a1e80a3ca26b212cae2a5c3a1afd28e4261b733a7334d25b783963877419446fff4610ee6dc8621001ca34eefb5

Download Submit
C:\Windows\System\RwRilsw.exe

Filesize
5.9MB

MD5
61acb65738d3f29621d292e9f661b805

SHA1
b328a305392b07db78f035af7ea5cf614d5af0cf

SHA256
e364670e2a7143f0c08ac8c686ff32944d175ebc858365d471a2f45802cd9eb5

SHA512
4df36774d9c41674d008afb48c77156bf2928d27425895372995a4edbf079836f8ca0280e1547ea6bf1015ddf198071cc6d6e0a5b09b13652657f940d72407af

Download Submit
C:\Windows\System\VOqJZtO.exe

Filesize
5.9MB

MD5
c4a5ac442344288cedf013dde052bb3d

SHA1
bedf2f187b25699689215deae3094f89fa501492

SHA256
2e16f9f05f9fab326d03c509557d2db427c021050165ed14f49980f5a92c83a4

SHA512
61b3211e8380ed33ca6198921a6485eb76df67832741c1bfd64ead631ed0397d4e544b6ea3b5766559b16a5c480fbad9d7d56da4e21ad6b2fc7de084d05c6e04

Download Submit
C:\Windows\System\VgEdHad.exe

Filesize
5.9MB

MD5
31375fa37bdbbcbd668b32e8279a64bd

SHA1
73c18a17204604f4daa031c0d82a1c307cb08034

SHA256
8118791bc4fe6f4eb43d0af43552bec8d7253fd28ccd32faf2e89edd56ff9f2b

SHA512
462f18a4a428e88ea9da56e686871a0713a14a87980dc56a8286658bab4c3c4fb0d4180db4e55e4fe37f7c6776a4da9aa56e411fd9ff01c319576bc5d93e21ef

Download Submit
C:\Windows\System\YTZnTUc.exe

Filesize
5.9MB

MD5
e257e91ff3ac3ad1605512ae31c13356

SHA1
5f7bd4154bce3c8f747c1ce17e27bf325d035f5a

SHA256
de667bb867a575cc285928256d003c00b5ad0d19e39bea032edb044f59b6a1e9

SHA512
b37054883b6d4e52307eb5fb788e2cad35bf21c490059afafc21995d84f1cadb765d1942d757ba2e1af9c1e7ca5b351afa1b3b32b166b9fbb5ccbe356e43ce64

Download Submit
C:\Windows\System\aHSZWYb.exe

Filesize
5.9MB

MD5
3b868deed15f9c0a4ff1f167635f3260

SHA1
19c3f4a3f85b2603cd58ea01c6def89c06c66f79

SHA256
cc23427a2362b44bbe374608c5cc07c53c41200a4f76bc91b5247ac5e75e6e29

SHA512
4d3dca4de65361638891f5d5c1666eb804e2014055634e9af790d7235e4faf8c3bfae6c2cac7aa31cf41753d18024f6d85029f0f739cb8312260e353c0537f0f

Download Submit
C:\Windows\System\lCBudrV.exe

Filesize
5.9MB

MD5
d69771e13055be79a93e0408e4bbfd55

SHA1
a87dc6cad81e5d48d5dba5d676476a48d291cd41

SHA256
bb5bd99a52323bcebfa8e938de9cc0c68e62af4a58fb6dc3d0b8939d06c15a22

SHA512
36fd13818e357f143a1b063563d33ecee8d4a2fa1f46a245a145524e7904639eaa0dc16c0246a4be099abe08553ce0095c54640cdf7404d0a79ef3e12dfaa64f

Download Submit
C:\Windows\System\lhXoRHX.exe

Filesize
5.9MB

MD5
b1181b928db8632d2a54b3ab85ecfb15

SHA1
802e0133132a165ac7332827c09eda2809dac3bb

SHA256
d26e2b0feb8abcc0563bb71acd192be661be03731726b9cefcfbbba69d04b0ba

SHA512
2e903dbe663315e07c4f7b686789823bb3933527cc347f1a5ee11bf9a5a4a156fb7ceeae141ba087cfdd45cb08b0d83d8859d0bb4d18d0cd5982f545129a8b6e

Download Submit
C:\Windows\System\nQwetll.exe

Filesize
5.9MB

MD5
404c1b51926e1e1f83ca71a1d7946569

SHA1
76356092893bbbb759bba3dfaa99cc4beaa5bf20

SHA256
c41f4c1da1e66cd3e8d46127146a119ace8b7dcab9256eb0ddb8ae44125830e7

SHA512
e8be20f7071c120e10b0bed098a3f84ea84a6e7ec2645f50d5e1080a0276d5b287aa66140d98dd8b9bebd736cc36f62e810ddbc74ceeb3e0ffba29844a58108e

Download Submit
C:\Windows\System\oQMqrHK.exe

Filesize
5.9MB

MD5
560e5acb75addf015b72535eeb791ca0

SHA1
4b8dd865f5179eb64a91ba7b126675b88fff878a

SHA256
9982e9e11c7738ea6e2f3caf0cb6494135587d43076cb45b7b4edcdd62d5e284

SHA512
b9e7f8c8d6c9d79864d58ad91fba31511c5e94cd2cf49116825f344a9fec55bbcca682cc977e8c0080a175e3207efe37d7b3a693d046f1d61e48548608465262

Download Submit
C:\Windows\System\truVbkK.exe

Filesize
5.9MB

MD5
580f8b1f355b1fd2f6749c24dfb394ec

SHA1
e90de93016c277ee46d92509ddde63284ca0b5d6

SHA256
412d9a0efe1fd48bcf5068077e7672230dda3f1ccc9253b66bd7d2098d1aff4b

SHA512
411621d241a64b8c41fa46c15716835f9ef704f5ed21db912d2ca12d3d215707880946fc55882a98c0282cb63d56eebd424e498297a52794483e942fac99d604

Download Submit
C:\Windows\System\wDWHwec.exe

Filesize
5.9MB

MD5
fa29675eff549bcb3fa30c3c806b906a

SHA1
fcaef65e3ba70edfbb42374e02f0833cc951a6a2

SHA256
a7751dfb297ca1fa968761466958783e58e9d6ba0e64113acf5a3cd6c794dd14

SHA512
98f9c9f8eb6e82a67e364ef166488b80f8d05969750a6b38662b77684c5f90dce66ea2902983b53a99596278b85078f630462d525d025bf17978201249d0c0ee

Download Submit
C:\Windows\System\yNwoQvy.exe

Filesize
5.9MB

MD5
27ff89feede2c7425b66841c60e2d2e5

SHA1
af536d87e42db55168e6e054a176dc18a00fbf90

SHA256
1db2201b4a6e18cc35a13434f77c961e6fd73a98ce584e3be2792a3dfb5ea3f6

SHA512
35514232c2f5b3467044f36f926550f87278bd2ea6717204645e36753c78626237f895926bae702e84ac4c6828f6788aa297aeb7df889ad60821f4e8dd145aa7

Download Submit
memory/264-63-0x00007FF7535D0000-0x00007FF753924000-memory.dmp

Filesize
3.3MB

Download
memory/264-0-0x00007FF7535D0000-0x00007FF753924000-memory.dmp

Filesize
3.3MB

Download
memory/264-1-0x000001C361700000-0x000001C361710000-memory.dmp

Filesize
64KB

Download
memory/968-154-0x00007FF77F140000-0x00007FF77F494000-memory.dmp

Filesize
3.3MB

Download
memory/968-113-0x00007FF77F140000-0x00007FF77F494000-memory.dmp

Filesize
3.3MB

Download
memory/968-56-0x00007FF77F140000-0x00007FF77F494000-memory.dmp

Filesize
3.3MB

Download
memory/1056-118-0x00007FF6736B0000-0x00007FF673A04000-memory.dmp

Filesize
3.3MB

Download
memory/1056-161-0x00007FF6736B0000-0x00007FF673A04000-memory.dmp

Filesize
3.3MB

Download
memory/1056-142-0x00007FF6736B0000-0x00007FF673A04000-memory.dmp

Filesize
3.3MB

Download
memory/1192-26-0x00007FF7B3A00000-0x00007FF7B3D54000-memory.dmp

Filesize
3.3MB

Download
memory/1192-84-0x00007FF7B3A00000-0x00007FF7B3D54000-memory.dmp

Filesize
3.3MB

Download
memory/1192-149-0x00007FF7B3A00000-0x00007FF7B3D54000-memory.dmp

Filesize
3.3MB

Download
memory/1536-68-0x00007FF7ED420000-0x00007FF7ED774000-memory.dmp

Filesize
3.3MB

Download
memory/1536-155-0x00007FF7ED420000-0x00007FF7ED774000-memory.dmp

Filesize
3.3MB

Download
memory/1644-143-0x00007FF6402E0000-0x00007FF640634000-memory.dmp

Filesize
3.3MB

Download
memory/1644-166-0x00007FF6402E0000-0x00007FF640634000-memory.dmp

Filesize
3.3MB

Download
memory/1644-130-0x00007FF6402E0000-0x00007FF640634000-memory.dmp

Filesize
3.3MB

Download
memory/1864-145-0x00007FF6AB8C0000-0x00007FF6ABC14000-memory.dmp

Filesize
3.3MB

Download
memory/1864-165-0x00007FF6AB8C0000-0x00007FF6ABC14000-memory.dmp

Filesize
3.3MB

Download
memory/1864-134-0x00007FF6AB8C0000-0x00007FF6ABC14000-memory.dmp

Filesize
3.3MB

Download
memory/1988-141-0x00007FF628960000-0x00007FF628CB4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-164-0x00007FF628960000-0x00007FF628CB4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-112-0x00007FF628960000-0x00007FF628CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-153-0x00007FF6441A0000-0x00007FF6444F4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-57-0x00007FF6441A0000-0x00007FF6444F4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-31-0x00007FF61DDB0000-0x00007FF61E104000-memory.dmp

Filesize
3.3MB

Download
memory/2784-150-0x00007FF61DDB0000-0x00007FF61E104000-memory.dmp

Filesize
3.3MB

Download
memory/2784-87-0x00007FF61DDB0000-0x00007FF61E104000-memory.dmp

Filesize
3.3MB

Download
memory/3020-156-0x00007FF775D60000-0x00007FF7760B4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-69-0x00007FF775D60000-0x00007FF7760B4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-137-0x00007FF726C20000-0x00007FF726F74000-memory.dmp

Filesize
3.3MB

Download
memory/3100-78-0x00007FF726C20000-0x00007FF726F74000-memory.dmp

Filesize
3.3MB

Download
memory/3100-157-0x00007FF726C20000-0x00007FF726F74000-memory.dmp

Filesize
3.3MB

Download
memory/3112-139-0x00007FF6FF920000-0x00007FF6FFC74000-memory.dmp

Filesize
3.3MB

Download
memory/3112-159-0x00007FF6FF920000-0x00007FF6FFC74000-memory.dmp

Filesize
3.3MB

Download
memory/3112-94-0x00007FF6FF920000-0x00007FF6FFC74000-memory.dmp

Filesize
3.3MB

Download
memory/3648-132-0x00007FF684A70000-0x00007FF684DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3648-162-0x00007FF684A70000-0x00007FF684DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3884-163-0x00007FF7BEAD0000-0x00007FF7BEE24000-memory.dmp

Filesize
3.3MB

Download
memory/3884-144-0x00007FF7BEAD0000-0x00007FF7BEE24000-memory.dmp

Filesize
3.3MB

Download
memory/3884-129-0x00007FF7BEAD0000-0x00007FF7BEE24000-memory.dmp

Filesize
3.3MB

Download
memory/3916-47-0x00007FF79A6B0000-0x00007FF79AA04000-memory.dmp

Filesize
3.3MB

Download
memory/3916-99-0x00007FF79A6B0000-0x00007FF79AA04000-memory.dmp

Filesize
3.3MB

Download
memory/3916-152-0x00007FF79A6B0000-0x00007FF79AA04000-memory.dmp

Filesize
3.3MB

Download
memory/4048-158-0x00007FF65F290000-0x00007FF65F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/4048-138-0x00007FF65F290000-0x00007FF65F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/4048-86-0x00007FF65F290000-0x00007FF65F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/4632-13-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4632-71-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4632-147-0x00007FF6C4BA0000-0x00007FF6C4EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4864-140-0x00007FF6214E0000-0x00007FF621834000-memory.dmp

Filesize
3.3MB

Download
memory/4864-160-0x00007FF6214E0000-0x00007FF621834000-memory.dmp

Filesize
3.3MB

Download
memory/4864-106-0x00007FF6214E0000-0x00007FF621834000-memory.dmp

Filesize
3.3MB

Download
memory/4936-146-0x00007FF748680000-0x00007FF7489D4000-memory.dmp

Filesize
3.3MB

Download
memory/4936-70-0x00007FF748680000-0x00007FF7489D4000-memory.dmp

Filesize
3.3MB

Download
memory/4936-8-0x00007FF748680000-0x00007FF7489D4000-memory.dmp

Filesize
3.3MB

Download
memory/4972-148-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp

Filesize
3.3MB

Download
memory/4972-18-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp

Filesize
3.3MB

Download
memory/4972-77-0x00007FF7A7C20000-0x00007FF7A7F74000-memory.dmp

Filesize
3.3MB

Download
memory/5108-98-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp

Filesize
3.3MB

Download
memory/5108-34-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp

Filesize
3.3MB

Download
memory/5108-151-0x00007FF7109D0000-0x00007FF710D24000-memory.dmp

Filesize
3.3MB

Download