cobaltstrike | 238861a3ac9009e142e23ee3f460ac8a01a118ff7930c513c268889eededa7ea

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

aedf99c03f75bed657e10527d3721c70
SHA1

fee7181294a7b62361a503cfce0fa14295af3862
SHA256

238861a3ac9009e142e23ee3f460ac8a01a118ff7930c513c268889eededa7ea
SHA512

efcf36b4ee3d818858b8b94fe0736844ac7a015cb6111dc323aa529db0c0c7d779d2990386a9ecfbe378f9f4ec4449741ab1f85ba42c10b2fcc4e2a5d66291e5
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lQ:RWWBibf56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023455-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-28.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-127.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-104.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023456-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-66.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-54.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-35.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4164-103-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp	xmrig
behavioral2/memory/1256-117-0x00007FF788CA0000-0x00007FF788FF1000-memory.dmp	xmrig
behavioral2/memory/3692-102-0x00007FF6C32E0000-0x00007FF6C3631000-memory.dmp	xmrig
behavioral2/memory/2560-97-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp	xmrig
behavioral2/memory/904-92-0x00007FF731730000-0x00007FF731A81000-memory.dmp	xmrig
behavioral2/memory/904-129-0x00007FF731730000-0x00007FF731A81000-memory.dmp	xmrig
behavioral2/memory/3696-133-0x00007FF6C5340000-0x00007FF6C5691000-memory.dmp	xmrig
behavioral2/memory/1960-134-0x00007FF62EF80000-0x00007FF62F2D1000-memory.dmp	xmrig
behavioral2/memory/3712-135-0x00007FF743BA0000-0x00007FF743EF1000-memory.dmp	xmrig
behavioral2/memory/3448-140-0x00007FF7539E0000-0x00007FF753D31000-memory.dmp	xmrig
behavioral2/memory/4712-139-0x00007FF792EC0000-0x00007FF793211000-memory.dmp	xmrig
behavioral2/memory/1468-137-0x00007FF687290000-0x00007FF6875E1000-memory.dmp	xmrig
behavioral2/memory/2496-141-0x00007FF6C7490000-0x00007FF6C77E1000-memory.dmp	xmrig
behavioral2/memory/1436-143-0x00007FF79EF70000-0x00007FF79F2C1000-memory.dmp	xmrig
behavioral2/memory/1276-148-0x00007FF7B1360000-0x00007FF7B16B1000-memory.dmp	xmrig
behavioral2/memory/2416-149-0x00007FF7C31C0000-0x00007FF7C3511000-memory.dmp	xmrig
behavioral2/memory/5064-153-0x00007FF6A7A30000-0x00007FF6A7D81000-memory.dmp	xmrig
behavioral2/memory/216-151-0x00007FF727AA0000-0x00007FF727DF1000-memory.dmp	xmrig
behavioral2/memory/4200-150-0x00007FF77B1C0000-0x00007FF77B511000-memory.dmp	xmrig
behavioral2/memory/4908-147-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	xmrig
behavioral2/memory/4376-146-0x00007FF617770000-0x00007FF617AC1000-memory.dmp	xmrig
behavioral2/memory/3764-152-0x00007FF6CC410000-0x00007FF6CC761000-memory.dmp	xmrig
behavioral2/memory/1364-145-0x00007FF673B20000-0x00007FF673E71000-memory.dmp	xmrig
behavioral2/memory/904-158-0x00007FF731730000-0x00007FF731A81000-memory.dmp	xmrig
behavioral2/memory/2560-218-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp	xmrig
behavioral2/memory/3692-220-0x00007FF6C32E0000-0x00007FF6C3631000-memory.dmp	xmrig
behavioral2/memory/4164-222-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp	xmrig
behavioral2/memory/1256-226-0x00007FF788CA0000-0x00007FF788FF1000-memory.dmp	xmrig
behavioral2/memory/4712-225-0x00007FF792EC0000-0x00007FF793211000-memory.dmp	xmrig
behavioral2/memory/1468-229-0x00007FF687290000-0x00007FF6875E1000-memory.dmp	xmrig
behavioral2/memory/1364-230-0x00007FF673B20000-0x00007FF673E71000-memory.dmp	xmrig
behavioral2/memory/3448-232-0x00007FF7539E0000-0x00007FF753D31000-memory.dmp	xmrig
behavioral2/memory/4908-244-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	xmrig
behavioral2/memory/2416-249-0x00007FF7C31C0000-0x00007FF7C3511000-memory.dmp	xmrig
behavioral2/memory/1436-248-0x00007FF79EF70000-0x00007FF79F2C1000-memory.dmp	xmrig
behavioral2/memory/4376-245-0x00007FF617770000-0x00007FF617AC1000-memory.dmp	xmrig
behavioral2/memory/1276-242-0x00007FF7B1360000-0x00007FF7B16B1000-memory.dmp	xmrig
behavioral2/memory/5064-253-0x00007FF6A7A30000-0x00007FF6A7D81000-memory.dmp	xmrig
behavioral2/memory/216-257-0x00007FF727AA0000-0x00007FF727DF1000-memory.dmp	xmrig
behavioral2/memory/4200-255-0x00007FF77B1C0000-0x00007FF77B511000-memory.dmp	xmrig
behavioral2/memory/3764-252-0x00007FF6CC410000-0x00007FF6CC761000-memory.dmp	xmrig
behavioral2/memory/1960-262-0x00007FF62EF80000-0x00007FF62F2D1000-memory.dmp	xmrig
behavioral2/memory/3696-265-0x00007FF6C5340000-0x00007FF6C5691000-memory.dmp	xmrig
behavioral2/memory/3712-264-0x00007FF743BA0000-0x00007FF743EF1000-memory.dmp	xmrig
behavioral2/memory/2496-263-0x00007FF6C7490000-0x00007FF6C77E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2560	xkVbxGq.exe
3692	rZbJGOH.exe
4164	PJvKepB.exe
1256	PJkbEBm.exe
4712	leGEZHH.exe
1468	vLQWCjF.exe
1436	EBKwQgm.exe
3448	MzVOKHh.exe
1364	yDWhtsG.exe
4376	SehkqDf.exe
4908	RpLvkQn.exe
1276	zFILAEu.exe
2416	SgAUNLb.exe
4200	gGvkqjy.exe
216	LfKnpVf.exe
3764	KPMPWqd.exe
5064	cKkKUYY.exe
3696	HJLFxde.exe
2496	TxFISXi.exe
1960	LYGxWHD.exe
3712	SVqFJyj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/904-0-0x00007FF731730000-0x00007FF731A81000-memory.dmp	upx
behavioral2/files/0x0008000000023455-4.dat	upx
behavioral2/memory/2560-7-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp	upx
behavioral2/files/0x000700000002345a-9.dat	upx
behavioral2/files/0x0007000000023459-16.dat	upx
behavioral2/memory/3692-14-0x00007FF6C32E0000-0x00007FF6C3631000-memory.dmp	upx
behavioral2/files/0x000700000002345c-28.dat	upx
behavioral2/memory/1256-32-0x00007FF788CA0000-0x00007FF788FF1000-memory.dmp	upx
behavioral2/files/0x000700000002345f-39.dat	upx
behavioral2/files/0x0007000000023460-45.dat	upx
behavioral2/memory/1436-51-0x00007FF79EF70000-0x00007FF79F2C1000-memory.dmp	upx
behavioral2/files/0x0007000000023464-71.dat	upx
behavioral2/files/0x0007000000023463-75.dat	upx
behavioral2/files/0x0007000000023465-83.dat	upx
behavioral2/memory/4200-85-0x00007FF77B1C0000-0x00007FF77B511000-memory.dmp	upx
behavioral2/memory/2416-80-0x00007FF7C31C0000-0x00007FF7C3511000-memory.dmp	upx
behavioral2/memory/216-96-0x00007FF727AA0000-0x00007FF727DF1000-memory.dmp	upx
behavioral2/memory/4164-103-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp	upx
behavioral2/files/0x0007000000023468-111.dat	upx
behavioral2/files/0x000700000002346a-118.dat	upx
behavioral2/files/0x000700000002346c-127.dat	upx
behavioral2/files/0x000700000002346b-125.dat	upx
behavioral2/memory/1256-117-0x00007FF788CA0000-0x00007FF788FF1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-107.dat	upx
behavioral2/memory/5064-106-0x00007FF6A7A30000-0x00007FF6A7D81000-memory.dmp	upx
behavioral2/files/0x0007000000023466-104.dat	upx
behavioral2/memory/3692-102-0x00007FF6C32E0000-0x00007FF6C3631000-memory.dmp	upx
behavioral2/memory/3764-98-0x00007FF6CC410000-0x00007FF6CC761000-memory.dmp	upx
behavioral2/files/0x0008000000023456-100.dat	upx
behavioral2/memory/2560-97-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp	upx
behavioral2/memory/904-92-0x00007FF731730000-0x00007FF731A81000-memory.dmp	upx
behavioral2/memory/1276-77-0x00007FF7B1360000-0x00007FF7B16B1000-memory.dmp	upx
behavioral2/memory/4908-72-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	upx
behavioral2/files/0x0007000000023461-68.dat	upx
behavioral2/files/0x0007000000023462-66.dat	upx
behavioral2/memory/4376-62-0x00007FF617770000-0x00007FF617AC1000-memory.dmp	upx
behavioral2/files/0x000700000002345e-54.dat	upx
behavioral2/memory/1364-52-0x00007FF673B20000-0x00007FF673E71000-memory.dmp	upx
behavioral2/files/0x000700000002345d-48.dat	upx
behavioral2/memory/3448-46-0x00007FF7539E0000-0x00007FF753D31000-memory.dmp	upx
behavioral2/memory/4712-41-0x00007FF792EC0000-0x00007FF793211000-memory.dmp	upx
behavioral2/files/0x000700000002345b-35.dat	upx
behavioral2/memory/1468-33-0x00007FF687290000-0x00007FF6875E1000-memory.dmp	upx
behavioral2/memory/4164-25-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp	upx
behavioral2/memory/904-129-0x00007FF731730000-0x00007FF731A81000-memory.dmp	upx
behavioral2/memory/3696-133-0x00007FF6C5340000-0x00007FF6C5691000-memory.dmp	upx
behavioral2/memory/1960-134-0x00007FF62EF80000-0x00007FF62F2D1000-memory.dmp	upx
behavioral2/memory/3712-135-0x00007FF743BA0000-0x00007FF743EF1000-memory.dmp	upx
behavioral2/memory/3448-140-0x00007FF7539E0000-0x00007FF753D31000-memory.dmp	upx
behavioral2/memory/4712-139-0x00007FF792EC0000-0x00007FF793211000-memory.dmp	upx
behavioral2/memory/1468-137-0x00007FF687290000-0x00007FF6875E1000-memory.dmp	upx
behavioral2/memory/2496-141-0x00007FF6C7490000-0x00007FF6C77E1000-memory.dmp	upx
behavioral2/memory/1436-143-0x00007FF79EF70000-0x00007FF79F2C1000-memory.dmp	upx
behavioral2/memory/1276-148-0x00007FF7B1360000-0x00007FF7B16B1000-memory.dmp	upx
behavioral2/memory/2416-149-0x00007FF7C31C0000-0x00007FF7C3511000-memory.dmp	upx
behavioral2/memory/5064-153-0x00007FF6A7A30000-0x00007FF6A7D81000-memory.dmp	upx
behavioral2/memory/216-151-0x00007FF727AA0000-0x00007FF727DF1000-memory.dmp	upx
behavioral2/memory/4200-150-0x00007FF77B1C0000-0x00007FF77B511000-memory.dmp	upx
behavioral2/memory/4908-147-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp	upx
behavioral2/memory/4376-146-0x00007FF617770000-0x00007FF617AC1000-memory.dmp	upx
behavioral2/memory/3764-152-0x00007FF6CC410000-0x00007FF6CC761000-memory.dmp	upx
behavioral2/memory/1364-145-0x00007FF673B20000-0x00007FF673E71000-memory.dmp	upx
behavioral2/memory/904-158-0x00007FF731730000-0x00007FF731A81000-memory.dmp	upx
behavioral2/memory/2560-218-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SehkqDf.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RpLvkQn.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPMPWqd.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HJLFxde.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TxFISXi.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xkVbxGq.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rZbJGOH.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vLQWCjF.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yDWhtsG.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYGxWHD.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SVqFJyj.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leGEZHH.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EBKwQgm.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MzVOKHh.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SgAUNLb.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gGvkqjy.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LfKnpVf.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cKkKUYY.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PJvKepB.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PJkbEBm.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zFILAEu.exe	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2560	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 904 wrote to memory of 2560	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 904 wrote to memory of 3692	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 904 wrote to memory of 3692	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 904 wrote to memory of 4164	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 904 wrote to memory of 4164	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 904 wrote to memory of 1256	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 904 wrote to memory of 1256	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 904 wrote to memory of 4712	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 904 wrote to memory of 4712	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 904 wrote to memory of 1468	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 904 wrote to memory of 1468	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 904 wrote to memory of 1436	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 904 wrote to memory of 1436	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 904 wrote to memory of 3448	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 904 wrote to memory of 3448	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 904 wrote to memory of 1364	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 904 wrote to memory of 1364	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 904 wrote to memory of 4376	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 904 wrote to memory of 4376	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 904 wrote to memory of 4908	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 904 wrote to memory of 4908	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 904 wrote to memory of 1276	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 904 wrote to memory of 1276	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 904 wrote to memory of 2416	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 904 wrote to memory of 2416	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 904 wrote to memory of 4200	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 904 wrote to memory of 4200	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 904 wrote to memory of 216	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 904 wrote to memory of 216	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 904 wrote to memory of 3764	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 904 wrote to memory of 3764	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 904 wrote to memory of 5064	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 904 wrote to memory of 5064	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 904 wrote to memory of 3696	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 904 wrote to memory of 3696	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 904 wrote to memory of 2496	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 904 wrote to memory of 2496	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 904 wrote to memory of 1960	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 904 wrote to memory of 1960	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 904 wrote to memory of 3712	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 904 wrote to memory of 3712	904	2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_aedf99c03f75bed657e10527d3721c70_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\System\xkVbxGq.exe
  C:\Windows\System\xkVbxGq.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\rZbJGOH.exe
  C:\Windows\System\rZbJGOH.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\PJvKepB.exe
  C:\Windows\System\PJvKepB.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\PJkbEBm.exe
  C:\Windows\System\PJkbEBm.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\leGEZHH.exe
  C:\Windows\System\leGEZHH.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\vLQWCjF.exe
  C:\Windows\System\vLQWCjF.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\EBKwQgm.exe
  C:\Windows\System\EBKwQgm.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\MzVOKHh.exe
  C:\Windows\System\MzVOKHh.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\yDWhtsG.exe
  C:\Windows\System\yDWhtsG.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\SehkqDf.exe
  C:\Windows\System\SehkqDf.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\RpLvkQn.exe
  C:\Windows\System\RpLvkQn.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\zFILAEu.exe
  C:\Windows\System\zFILAEu.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\SgAUNLb.exe
  C:\Windows\System\SgAUNLb.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\gGvkqjy.exe
  C:\Windows\System\gGvkqjy.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\LfKnpVf.exe
  C:\Windows\System\LfKnpVf.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\KPMPWqd.exe
  C:\Windows\System\KPMPWqd.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\cKkKUYY.exe
  C:\Windows\System\cKkKUYY.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\HJLFxde.exe
  C:\Windows\System\HJLFxde.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\TxFISXi.exe
  C:\Windows\System\TxFISXi.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\LYGxWHD.exe
  C:\Windows\System\LYGxWHD.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\SVqFJyj.exe
  C:\Windows\System\SVqFJyj.exe
  2⤵
  - Executes dropped EXE
  PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EBKwQgm.exe

Filesize
5.2MB

MD5
6056a5e970fe88a0e44148b3fbcadd9a

SHA1
58d6f741d69d09b2b9bceb3e006930164be0bac4

SHA256
4c46211bd50e1417c9fe2f7be1cac439add0e8391c46f8c6206f8deeae0c95a7

SHA512
944d39ed8cacbaa084e7491710fdea2ee49d1c9882bde3011a5e4ed33cbc230fefc06636b6f152855effc3fbcda8af3833731872aa7a3dd958c40507705db8cb

Download Submit
C:\Windows\System\HJLFxde.exe

Filesize
5.2MB

MD5
6be80a1228526ac66695c57b3bc5becd

SHA1
86deead7152b60f80243474fffdaa0d761ebe563

SHA256
d2ebf03fdc0e655619ed8f88d96a2a2ce58be8b7c6245f4e19d4be1973fb2d99

SHA512
ba2a8e5b9af5b758322b5765278482c5561ecac08ef21476b2a101617dea89f863ca49d178ea982f92fb81255003c715e15687729cfb0c9455b1080f01e99725

Download Submit
C:\Windows\System\KPMPWqd.exe

Filesize
5.2MB

MD5
5de2b3f2c434dfd5989e9343cc6f6314

SHA1
5554d517ba7892e7406e821d16ed4cf0c37dbfef

SHA256
b5f7e6a2e003a89cbaf2fbf31965e91191a17e19c7b7e01581ff395783b89bb9

SHA512
95fee318739bf9037f690797337d9efc1685a45cee9a96b45a55aa632bf10cd0aa986ddbb34bab16ea45cf9beeb2832b6195e17ec049faefac82fcc26f8464c5

Download Submit
C:\Windows\System\LYGxWHD.exe

Filesize
5.2MB

MD5
b0d65b3b42afc6da8bd1ca52840224bb

SHA1
4cd2be1efb0a20a2f49041d40c1a00b222fcbe5d

SHA256
412d16dbdf358c2509958b056a0c01cf9a1302e2a036377fa09f3860a3d224cd

SHA512
61411612b7cd666d5fd48f3f5cd0f096388872477a0d835278a2c2fd1f8a72b6b3ce222554de336f00aa951707ef9b655d53ec83fac2a214f58028cbf62cfafd

Download Submit
C:\Windows\System\LfKnpVf.exe

Filesize
5.2MB

MD5
d3b5b310daf27c8eb4178dfc240c2f9f

SHA1
33b50f715ea266a5d664d17f28ba5f2c602fcae4

SHA256
460c3a4feef925ef65327043d4cbbacf1f44b5266a14c91848858daa6bbd5096

SHA512
63f17d7d290a33371415b059f6012ba76133ff4b75e46e2b3c3e9f7977ef920a96041aae35361fabd8fda6681273c2052091d5b3cf47087633be1262c7c5b0f9

Download Submit
C:\Windows\System\MzVOKHh.exe

Filesize
5.2MB

MD5
cb15f3b8934f7c2e29b2f49eb4a26a5b

SHA1
2bd56beb4ce00d4b2ceb02648ccaf1e419ffe699

SHA256
f5e03a565406cf3001eda6dd1ae08044aba66148b8f29fae246e7fef5f08e5c5

SHA512
812265f106e6b7172a4cb4e7d9310365242c5aae88309e5162146f9aea479ccfad5b505952ba488084032a63b1c645138608894d26401eb069be98313bdb2aa0

Download Submit
C:\Windows\System\PJkbEBm.exe

Filesize
5.2MB

MD5
93cad07024ecf446877de3bf2adc80c6

SHA1
241143439197051a78479aca07a4345a10f329e6

SHA256
66329779f8c1926af5a84082cc3b4b99ee1c2156c365136843bb9b7e54a56899

SHA512
7e360e59b4a379ea0d7ac882c99a6ec6b1b0b691b14336324e111c75aeda11438f4b87388bf16c075a090952eee17af99154950d54bfc814b90892808e96f8e9

Download Submit
C:\Windows\System\PJvKepB.exe

Filesize
5.2MB

MD5
000cf44d74e07e81dc005722f4d0dabc

SHA1
fc2154817bfc37ae83b07c6cb040b21343aeb8da

SHA256
2d93cb53321c4a2c1da65ddf28942fd9f79e91363c29234ff4c220285cc5e489

SHA512
90f3c818eeb7d67b3b62dbb1dee810b395478dfba1c4ca5bcc2cce7f34f5bf960676b7338b43c00795a3d0482c7c8e66603e8b58fb64dfef0144c3c3338f1811

Download Submit
C:\Windows\System\RpLvkQn.exe

Filesize
5.2MB

MD5
77dc39c45dcc5e9f97a9c5fbbd02cc0e

SHA1
54084abee5c8679f5aecc40803276c4f9ef7df85

SHA256
17872269666c003f0d43d086e61796e73cf965b28d477baf97910d6b0128fea6

SHA512
b0c1ef935f6322ac7b5c1183f6e12d24bdb4a0e14f1a2a23d5a498722c6c353555a014cb25c90b022d1a60a61126be954a1f169f39409b809115c2bb3188fc57

Download Submit
C:\Windows\System\SVqFJyj.exe

Filesize
5.2MB

MD5
f984bb9eb6523479f4e57fd353feacde

SHA1
25ae9646d4cb5646a1e5e5dfd6b462bcc018a4f6

SHA256
353bf0ce362514a6de70df351fdabe6b0c5f7bb6ffb92398f50245ca8e0879a8

SHA512
164a6e58db7bcb37476470a558d882eaa784a3fdf7935b25d1b1f6cbc2a5aaddcb37359e31bef5d3d17a480021a426821747e8c4ba8fcc6aff4a8c38c96b9445

Download Submit
C:\Windows\System\SehkqDf.exe

Filesize
5.2MB

MD5
d96ecb9722bf356d52b0946977af4ab6

SHA1
82a164470711c0baefbeb56bb31fa706bd06d58d

SHA256
975f3cfe8ea8e094813945227793cc78dc1c56c32e2ef143e690f4f5a1c4639f

SHA512
c78344ba9998a5e17a713329c3f7ec18a7ad243c85a3df611e143973db8fcc2df75f43309b46d093ea323cf739a8529e1d137c61e1851876cb6bef8dde642c55

Download Submit
C:\Windows\System\SgAUNLb.exe

Filesize
5.2MB

MD5
69454e0d44b8c9cd3245db8512c1fa33

SHA1
0cfbcf1f1df9b2b5993af60bd719f76ed78f9ab9

SHA256
9bf5fa2e8dadebec191e31f0e9114cdf74c64b7f8e8bfc636113dec9dfbe8b5e

SHA512
33f4ad27d4c13dfa9a404f0821bf2847b8da64a3e5f6f3e657b8584ae6896ba3fd155c2a56f65b4faeb4e92b2e36d8fc576438383dbabfe0d281877e534ea598

Download Submit
C:\Windows\System\TxFISXi.exe

Filesize
5.2MB

MD5
0fa49cbefe5d9abd4e6c6c3bb6f62daf

SHA1
beab55a40f0f5684618e1a2d09b0cbe3e1b139b1

SHA256
1a07c3dc967f441a1a4400ef6382069af9ad9f928826fac0f4749b7cdc6bb2e5

SHA512
972360b455fe1575eb324ff82f780e3e4381e436ec0efd5be76277d306039b5bb7f09aec42acd3c9a29d3c032a9db5ecc338057d07ff740658848de6d6f9069d

Download Submit
C:\Windows\System\cKkKUYY.exe

Filesize
5.2MB

MD5
b954b58a1cc0fbc2ff496431c0f4e173

SHA1
7ab612506709d37aeb99163ef42c676f68667709

SHA256
30e531d0755673d90cbb5b1faf957c215e924eade11744dd5a615ba4f007de99

SHA512
08e73d834729a7ca1c6a43dec806e96eb5fd7596f59e4ef270ed4ad27c1aa50c886213d6efe2dcfe760364f78c4a0e2d6b40b75edd93674eb91ad5bab69fba22

Download Submit
C:\Windows\System\gGvkqjy.exe

Filesize
5.2MB

MD5
6c2279ccdaca87225a5f79d521f45771

SHA1
4f89dd3ab3724dff032ed06d00b4fc36c50b8fca

SHA256
060ff2031c2854d8eda477cb6b2969802aefe3b09fe27f2e58435f065380eeb3

SHA512
ea07654301149e9f8091991562972f1cdefc1addc1aef4711ac407fafd4699f0bd5bbea23055219c3b0267f8b8587053ac4b41b12b3686fb0a84e49c2400b555

Download Submit
C:\Windows\System\leGEZHH.exe

Filesize
5.2MB

MD5
ae9dc9b5a4179a7010f112409bc9acdc

SHA1
ab003e22f0bb0810187e6b235f8959ce0b814cf3

SHA256
d0d09e4dd24d93c42026a51564c6e84495d5338bba0bd8e5f1c681c6d092c190

SHA512
70f4c36b2ebb2725cf89f29b95c902dc16d6fb8fb5cd9607d87b719850268382dadbeb0d03cd0b26a3d8b5b0d58b0435e4b0bd7c87e35044e9fca864be62e832

Download Submit
C:\Windows\System\rZbJGOH.exe

Filesize
5.2MB

MD5
fc59ca639dcc15e10c6e03d9d37e0ddc

SHA1
4a80545faa3b7f2cf5b855e16724fce1463b7f70

SHA256
d9237f46520ff3e2f00aa2a22bd5ddad5c959109d77e10ad8d88d2b4283262e3

SHA512
4abd9228f470530854b718972cb0fbdfdec3c4fdaf8fc6c885df7060d392ed33ad2183111bac564aa0ddeb1f2bfbbc3f1dd3a8a6592411ba0655c2f4b2bec3ac

Download Submit
C:\Windows\System\vLQWCjF.exe

Filesize
5.2MB

MD5
5d5fffc61bbfe06f97caa43253b5b968

SHA1
92ace2468df2b8521854e9d44558c787fead4c8c

SHA256
da632bc7966aae6f6ab9bd49ee69c5fec35aa60d657255258160185fb6f3b1a7

SHA512
a2936b0c270c7b763114ec9ead5f30c93efb58c12f7a60132748946b00168fc0cff4563c0114154507621b2ca5c63b39ff29df3af98833ddb607ff7d31785d38

Download Submit
C:\Windows\System\xkVbxGq.exe

Filesize
5.2MB

MD5
6f8adf65855093c56ba70984d488feb5

SHA1
5eb90c08cec251a3d17b4b0fd1abddb3e865ae3f

SHA256
55d25909d28f5d360bb8e178e82db9d2fc21616325e97627cc2e75cf73cce0a0

SHA512
34fe08d8d001139f86a82a7980903c167d4665c2140b3d20a24f32c5f88d519967e2c1efa9364fde709547d38595f0cd4a02400593dd82e03e537af601944f04

Download Submit
C:\Windows\System\yDWhtsG.exe

Filesize
5.2MB

MD5
ff3d7853ae9a9ce1337b723a7e5e3a8b

SHA1
f577bc86a9deee239f0e1f989309399fb4708acc

SHA256
6278224507ec5721c707de5f86b6d08d622cad152d61059b399349755dc74622

SHA512
ea1c1dfe40ceb907ab78d4c7b12b4f9931f785d0f850dffe024340aa8fd2a4cc1d6ce2fd8f3071b1d57d13ce10e9d4cc9a47fa4ea56a5292780bee74543b33b4

Download Submit
C:\Windows\System\zFILAEu.exe

Filesize
5.2MB

MD5
3250be2a51fb476e572839c0199c7633

SHA1
15704cba89bad2d2f7c354af0e8704bc24d64d0a

SHA256
b9b2456d252aa8e15b0d3539844a92a8d69561fad89a911c08963a4ca6c9cfd1

SHA512
768e045a5305ba4f9d5036372a24f3fd96e21ab438ed8ae0de54849633a5c6d97fb74be47487a40cca85678883445ea92f650c943e736b36bbf647099424cfc0

Download Submit
memory/216-96-0x00007FF727AA0000-0x00007FF727DF1000-memory.dmp

Filesize
3.3MB

Download
memory/216-151-0x00007FF727AA0000-0x00007FF727DF1000-memory.dmp

Filesize
3.3MB

Download
memory/216-257-0x00007FF727AA0000-0x00007FF727DF1000-memory.dmp

Filesize
3.3MB

Download
memory/904-0-0x00007FF731730000-0x00007FF731A81000-memory.dmp

Filesize
3.3MB

Download
memory/904-129-0x00007FF731730000-0x00007FF731A81000-memory.dmp

Filesize
3.3MB

Download
memory/904-158-0x00007FF731730000-0x00007FF731A81000-memory.dmp

Filesize
3.3MB

Download
memory/904-92-0x00007FF731730000-0x00007FF731A81000-memory.dmp

Filesize
3.3MB

Download
memory/904-1-0x0000016836BE0000-0x0000016836BF0000-memory.dmp

Filesize
64KB

Download
memory/1256-117-0x00007FF788CA0000-0x00007FF788FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-226-0x00007FF788CA0000-0x00007FF788FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-32-0x00007FF788CA0000-0x00007FF788FF1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-148-0x00007FF7B1360000-0x00007FF7B16B1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-77-0x00007FF7B1360000-0x00007FF7B16B1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-242-0x00007FF7B1360000-0x00007FF7B16B1000-memory.dmp

Filesize
3.3MB

Download
memory/1364-145-0x00007FF673B20000-0x00007FF673E71000-memory.dmp

Filesize
3.3MB

Download
memory/1364-52-0x00007FF673B20000-0x00007FF673E71000-memory.dmp

Filesize
3.3MB

Download
memory/1364-230-0x00007FF673B20000-0x00007FF673E71000-memory.dmp

Filesize
3.3MB

Download
memory/1436-248-0x00007FF79EF70000-0x00007FF79F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-143-0x00007FF79EF70000-0x00007FF79F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-51-0x00007FF79EF70000-0x00007FF79F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-229-0x00007FF687290000-0x00007FF6875E1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-33-0x00007FF687290000-0x00007FF6875E1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-137-0x00007FF687290000-0x00007FF6875E1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-134-0x00007FF62EF80000-0x00007FF62F2D1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-262-0x00007FF62EF80000-0x00007FF62F2D1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-249-0x00007FF7C31C0000-0x00007FF7C3511000-memory.dmp

Filesize
3.3MB

Download
memory/2416-149-0x00007FF7C31C0000-0x00007FF7C3511000-memory.dmp

Filesize
3.3MB

Download
memory/2416-80-0x00007FF7C31C0000-0x00007FF7C3511000-memory.dmp

Filesize
3.3MB

Download
memory/2496-141-0x00007FF6C7490000-0x00007FF6C77E1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-263-0x00007FF6C7490000-0x00007FF6C77E1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-7-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp

Filesize
3.3MB

Download
memory/2560-97-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp

Filesize
3.3MB

Download
memory/2560-218-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp

Filesize
3.3MB

Download
memory/3448-140-0x00007FF7539E0000-0x00007FF753D31000-memory.dmp

Filesize
3.3MB

Download
memory/3448-232-0x00007FF7539E0000-0x00007FF753D31000-memory.dmp

Filesize
3.3MB

Download
memory/3448-46-0x00007FF7539E0000-0x00007FF753D31000-memory.dmp

Filesize
3.3MB

Download
memory/3692-102-0x00007FF6C32E0000-0x00007FF6C3631000-memory.dmp

Filesize
3.3MB

Download
memory/3692-14-0x00007FF6C32E0000-0x00007FF6C3631000-memory.dmp

Filesize
3.3MB

Download
memory/3692-220-0x00007FF6C32E0000-0x00007FF6C3631000-memory.dmp

Filesize
3.3MB

Download
memory/3696-265-0x00007FF6C5340000-0x00007FF6C5691000-memory.dmp

Filesize
3.3MB

Download
memory/3696-133-0x00007FF6C5340000-0x00007FF6C5691000-memory.dmp

Filesize
3.3MB

Download
memory/3712-135-0x00007FF743BA0000-0x00007FF743EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3712-264-0x00007FF743BA0000-0x00007FF743EF1000-memory.dmp

Filesize
3.3MB

Download
memory/3764-252-0x00007FF6CC410000-0x00007FF6CC761000-memory.dmp

Filesize
3.3MB

Download
memory/3764-152-0x00007FF6CC410000-0x00007FF6CC761000-memory.dmp

Filesize
3.3MB

Download
memory/3764-98-0x00007FF6CC410000-0x00007FF6CC761000-memory.dmp

Filesize
3.3MB

Download
memory/4164-222-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp

Filesize
3.3MB

Download
memory/4164-103-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp

Filesize
3.3MB

Download
memory/4164-25-0x00007FF6DEFE0000-0x00007FF6DF331000-memory.dmp

Filesize
3.3MB

Download
memory/4200-85-0x00007FF77B1C0000-0x00007FF77B511000-memory.dmp

Filesize
3.3MB

Download
memory/4200-150-0x00007FF77B1C0000-0x00007FF77B511000-memory.dmp

Filesize
3.3MB

Download
memory/4200-255-0x00007FF77B1C0000-0x00007FF77B511000-memory.dmp

Filesize
3.3MB

Download
memory/4376-146-0x00007FF617770000-0x00007FF617AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-245-0x00007FF617770000-0x00007FF617AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-62-0x00007FF617770000-0x00007FF617AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4712-225-0x00007FF792EC0000-0x00007FF793211000-memory.dmp

Filesize
3.3MB

Download
memory/4712-139-0x00007FF792EC0000-0x00007FF793211000-memory.dmp

Filesize
3.3MB

Download
memory/4712-41-0x00007FF792EC0000-0x00007FF793211000-memory.dmp

Filesize
3.3MB

Download
memory/4908-244-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-147-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-72-0x00007FF68CB70000-0x00007FF68CEC1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-253-0x00007FF6A7A30000-0x00007FF6A7D81000-memory.dmp

Filesize
3.3MB

Download
memory/5064-153-0x00007FF6A7A30000-0x00007FF6A7D81000-memory.dmp

Filesize
3.3MB

Download
memory/5064-106-0x00007FF6A7A30000-0x00007FF6A7D81000-memory.dmp

Filesize
3.3MB

Download