cobaltstrike | 67bd4b7962765fb20a55627e2782cf6f77e0df1d25030fe93217b74e266fd78f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

842b22c8caa1954b39a0c8cd655e9dca
SHA1

b0e94151aaadda902005aa442437bdb002cdae6d
SHA256

67bd4b7962765fb20a55627e2782cf6f77e0df1d25030fe93217b74e266fd78f
SHA512

4985446ff58d6822a9623f8c079d9bd0385bbb0b87f8ce1a0012c0d65320a56906ef168cc9c9d2dadba613d2d61fc70f0065ec41d203c1857a78aa351658be7c
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibd56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023ba7-4.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c97-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-78.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c95-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-24.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4328-60-0x00007FF603FF0000-0x00007FF604341000-memory.dmp	xmrig
behavioral2/memory/2948-86-0x00007FF6DCED0000-0x00007FF6DD221000-memory.dmp	xmrig
behavioral2/memory/2316-117-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp	xmrig
behavioral2/memory/684-122-0x00007FF746CD0000-0x00007FF747021000-memory.dmp	xmrig
behavioral2/memory/2096-126-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	xmrig
behavioral2/memory/1256-125-0x00007FF7E5A70000-0x00007FF7E5DC1000-memory.dmp	xmrig
behavioral2/memory/3420-121-0x00007FF6472F0000-0x00007FF647641000-memory.dmp	xmrig
behavioral2/memory/3428-118-0x00007FF6E66E0000-0x00007FF6E6A31000-memory.dmp	xmrig
behavioral2/memory/3120-105-0x00007FF7556E0000-0x00007FF755A31000-memory.dmp	xmrig
behavioral2/memory/3816-98-0x00007FF773340000-0x00007FF773691000-memory.dmp	xmrig
behavioral2/memory/2860-95-0x00007FF6ABE30000-0x00007FF6AC181000-memory.dmp	xmrig
behavioral2/memory/2916-77-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	xmrig
behavioral2/memory/2072-76-0x00007FF62EED0000-0x00007FF62F221000-memory.dmp	xmrig
behavioral2/memory/1924-58-0x00007FF65F1D0000-0x00007FF65F521000-memory.dmp	xmrig
behavioral2/memory/2760-51-0x00007FF7FB5E0000-0x00007FF7FB931000-memory.dmp	xmrig
behavioral2/memory/1428-128-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp	xmrig
behavioral2/memory/4060-129-0x00007FF793250000-0x00007FF7935A1000-memory.dmp	xmrig
behavioral2/memory/3648-138-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp	xmrig
behavioral2/memory/1076-132-0x00007FF679650000-0x00007FF6799A1000-memory.dmp	xmrig
behavioral2/memory/4428-130-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp	xmrig
behavioral2/memory/4920-147-0x00007FF6A7E60000-0x00007FF6A81B1000-memory.dmp	xmrig
behavioral2/memory/3980-145-0x00007FF614110000-0x00007FF614461000-memory.dmp	xmrig
behavioral2/memory/1428-150-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp	xmrig
behavioral2/memory/1428-151-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp	xmrig
behavioral2/memory/4060-210-0x00007FF793250000-0x00007FF7935A1000-memory.dmp	xmrig
behavioral2/memory/4428-217-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp	xmrig
behavioral2/memory/2072-219-0x00007FF62EED0000-0x00007FF62F221000-memory.dmp	xmrig
behavioral2/memory/1076-221-0x00007FF679650000-0x00007FF6799A1000-memory.dmp	xmrig
behavioral2/memory/2760-223-0x00007FF7FB5E0000-0x00007FF7FB931000-memory.dmp	xmrig
behavioral2/memory/2916-225-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	xmrig
behavioral2/memory/1924-227-0x00007FF65F1D0000-0x00007FF65F521000-memory.dmp	xmrig
behavioral2/memory/2948-229-0x00007FF6DCED0000-0x00007FF6DD221000-memory.dmp	xmrig
behavioral2/memory/4328-231-0x00007FF603FF0000-0x00007FF604341000-memory.dmp	xmrig
behavioral2/memory/3648-235-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp	xmrig
behavioral2/memory/2860-233-0x00007FF6ABE30000-0x00007FF6AC181000-memory.dmp	xmrig
behavioral2/memory/3816-240-0x00007FF773340000-0x00007FF773691000-memory.dmp	xmrig
behavioral2/memory/3428-241-0x00007FF6E66E0000-0x00007FF6E6A31000-memory.dmp	xmrig
behavioral2/memory/2316-237-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp	xmrig
behavioral2/memory/3120-246-0x00007FF7556E0000-0x00007FF755A31000-memory.dmp	xmrig
behavioral2/memory/3420-251-0x00007FF6472F0000-0x00007FF647641000-memory.dmp	xmrig
behavioral2/memory/3980-252-0x00007FF614110000-0x00007FF614461000-memory.dmp	xmrig
behavioral2/memory/1256-254-0x00007FF7E5A70000-0x00007FF7E5DC1000-memory.dmp	xmrig
behavioral2/memory/2096-256-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	xmrig
behavioral2/memory/684-249-0x00007FF746CD0000-0x00007FF747021000-memory.dmp	xmrig
behavioral2/memory/4920-258-0x00007FF6A7E60000-0x00007FF6A81B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4060	WQbYaQa.exe
4428	ademiar.exe
2072	ocZZlis.exe
1076	XBddbpn.exe
2760	MJiuwSY.exe
2916	vtPICxp.exe
1924	CrCAyhx.exe
2948	iOlVOdM.exe
4328	QgupkNa.exe
3648	TJgOqkb.exe
2860	IWMZgmT.exe
3816	eJKGqaX.exe
2316	jVbdEKB.exe
3120	KfOvEkU.exe
3428	jNlPdpa.exe
3420	GvCbHch.exe
3980	ncfsxyE.exe
684	bsPXsBj.exe
4920	KpxUJVl.exe
1256	JHUvGni.exe
2096	tFfmJys.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1428-0-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp	upx
behavioral2/files/0x000c000000023ba7-4.dat	upx
behavioral2/files/0x0008000000023c97-10.dat	upx
behavioral2/files/0x0007000000023c9a-32.dat	upx
behavioral2/files/0x0007000000023c9b-33.dat	upx
behavioral2/files/0x0007000000023c9c-45.dat	upx
behavioral2/files/0x0007000000023c9e-53.dat	upx
behavioral2/memory/4328-60-0x00007FF603FF0000-0x00007FF604341000-memory.dmp	upx
behavioral2/memory/3648-70-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-67.dat	upx
behavioral2/files/0x0007000000023ca3-75.dat	upx
behavioral2/files/0x0007000000023ca2-78.dat	upx
behavioral2/memory/2948-86-0x00007FF6DCED0000-0x00007FF6DD221000-memory.dmp	upx
behavioral2/files/0x0008000000023c95-92.dat	upx
behavioral2/files/0x0007000000023ca7-102.dat	upx
behavioral2/memory/3980-111-0x00007FF614110000-0x00007FF614461000-memory.dmp	upx
behavioral2/memory/2316-117-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp	upx
behavioral2/memory/684-122-0x00007FF746CD0000-0x00007FF747021000-memory.dmp	upx
behavioral2/memory/2096-126-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	upx
behavioral2/memory/1256-125-0x00007FF7E5A70000-0x00007FF7E5DC1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-123.dat	upx
behavioral2/memory/3420-121-0x00007FF6472F0000-0x00007FF647641000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-119.dat	upx
behavioral2/memory/3428-118-0x00007FF6E66E0000-0x00007FF6E6A31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-113.dat	upx
behavioral2/memory/4920-112-0x00007FF6A7E60000-0x00007FF6A81B1000-memory.dmp	upx
behavioral2/memory/3120-105-0x00007FF7556E0000-0x00007FF755A31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-100.dat	upx
behavioral2/memory/3816-98-0x00007FF773340000-0x00007FF773691000-memory.dmp	upx
behavioral2/memory/2860-95-0x00007FF6ABE30000-0x00007FF6AC181000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-80.dat	upx
behavioral2/memory/2916-77-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	upx
behavioral2/memory/2072-76-0x00007FF62EED0000-0x00007FF62F221000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-63.dat	upx
behavioral2/files/0x0007000000023c9f-62.dat	upx
behavioral2/memory/1924-58-0x00007FF65F1D0000-0x00007FF65F521000-memory.dmp	upx
behavioral2/memory/2760-51-0x00007FF7FB5E0000-0x00007FF7FB931000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-47.dat	upx
behavioral2/memory/1076-36-0x00007FF679650000-0x00007FF6799A1000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-28.dat	upx
behavioral2/files/0x0007000000023c98-24.dat	upx
behavioral2/memory/4428-19-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp	upx
behavioral2/memory/4060-9-0x00007FF793250000-0x00007FF7935A1000-memory.dmp	upx
behavioral2/memory/1428-128-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp	upx
behavioral2/memory/4060-129-0x00007FF793250000-0x00007FF7935A1000-memory.dmp	upx
behavioral2/memory/3648-138-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp	upx
behavioral2/memory/1076-132-0x00007FF679650000-0x00007FF6799A1000-memory.dmp	upx
behavioral2/memory/4428-130-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp	upx
behavioral2/memory/4920-147-0x00007FF6A7E60000-0x00007FF6A81B1000-memory.dmp	upx
behavioral2/memory/3980-145-0x00007FF614110000-0x00007FF614461000-memory.dmp	upx
behavioral2/memory/1428-150-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp	upx
behavioral2/memory/1428-151-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp	upx
behavioral2/memory/4060-210-0x00007FF793250000-0x00007FF7935A1000-memory.dmp	upx
behavioral2/memory/4428-217-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp	upx
behavioral2/memory/2072-219-0x00007FF62EED0000-0x00007FF62F221000-memory.dmp	upx
behavioral2/memory/1076-221-0x00007FF679650000-0x00007FF6799A1000-memory.dmp	upx
behavioral2/memory/2760-223-0x00007FF7FB5E0000-0x00007FF7FB931000-memory.dmp	upx
behavioral2/memory/2916-225-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp	upx
behavioral2/memory/1924-227-0x00007FF65F1D0000-0x00007FF65F521000-memory.dmp	upx
behavioral2/memory/2948-229-0x00007FF6DCED0000-0x00007FF6DD221000-memory.dmp	upx
behavioral2/memory/4328-231-0x00007FF603FF0000-0x00007FF604341000-memory.dmp	upx
behavioral2/memory/3648-235-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp	upx
behavioral2/memory/2860-233-0x00007FF6ABE30000-0x00007FF6AC181000-memory.dmp	upx
behavioral2/memory/3816-240-0x00007FF773340000-0x00007FF773691000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MJiuwSY.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vtPICxp.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jVbdEKB.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocZZlis.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KfOvEkU.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tFfmJys.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XBddbpn.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CrCAyhx.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iOlVOdM.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TJgOqkb.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IWMZgmT.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eJKGqaX.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ncfsxyE.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JHUvGni.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WQbYaQa.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ademiar.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QgupkNa.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNlPdpa.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GvCbHch.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bsPXsBj.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KpxUJVl.exe	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4060	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1428 wrote to memory of 4060	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1428 wrote to memory of 4428	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1428 wrote to memory of 4428	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1428 wrote to memory of 2072	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1428 wrote to memory of 2072	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1428 wrote to memory of 1076	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1428 wrote to memory of 1076	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1428 wrote to memory of 2760	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1428 wrote to memory of 2760	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1428 wrote to memory of 2916	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1428 wrote to memory of 2916	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1428 wrote to memory of 1924	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1428 wrote to memory of 1924	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1428 wrote to memory of 2948	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1428 wrote to memory of 2948	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1428 wrote to memory of 4328	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1428 wrote to memory of 4328	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1428 wrote to memory of 3648	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1428 wrote to memory of 3648	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1428 wrote to memory of 2860	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1428 wrote to memory of 2860	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1428 wrote to memory of 3816	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1428 wrote to memory of 3816	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1428 wrote to memory of 2316	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1428 wrote to memory of 2316	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1428 wrote to memory of 3120	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1428 wrote to memory of 3120	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1428 wrote to memory of 3428	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1428 wrote to memory of 3428	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1428 wrote to memory of 3420	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1428 wrote to memory of 3420	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1428 wrote to memory of 3980	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1428 wrote to memory of 3980	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1428 wrote to memory of 684	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1428 wrote to memory of 684	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1428 wrote to memory of 4920	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1428 wrote to memory of 4920	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1428 wrote to memory of 1256	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1428 wrote to memory of 1256	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1428 wrote to memory of 2096	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1428 wrote to memory of 2096	1428	2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_842b22c8caa1954b39a0c8cd655e9dca_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\System\WQbYaQa.exe
  C:\Windows\System\WQbYaQa.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\ademiar.exe
  C:\Windows\System\ademiar.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\ocZZlis.exe
  C:\Windows\System\ocZZlis.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\XBddbpn.exe
  C:\Windows\System\XBddbpn.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\MJiuwSY.exe
  C:\Windows\System\MJiuwSY.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\vtPICxp.exe
  C:\Windows\System\vtPICxp.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\CrCAyhx.exe
  C:\Windows\System\CrCAyhx.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\iOlVOdM.exe
  C:\Windows\System\iOlVOdM.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\QgupkNa.exe
  C:\Windows\System\QgupkNa.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\TJgOqkb.exe
  C:\Windows\System\TJgOqkb.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\IWMZgmT.exe
  C:\Windows\System\IWMZgmT.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\eJKGqaX.exe
  C:\Windows\System\eJKGqaX.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\jVbdEKB.exe
  C:\Windows\System\jVbdEKB.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\KfOvEkU.exe
  C:\Windows\System\KfOvEkU.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\jNlPdpa.exe
  C:\Windows\System\jNlPdpa.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\GvCbHch.exe
  C:\Windows\System\GvCbHch.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\ncfsxyE.exe
  C:\Windows\System\ncfsxyE.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\bsPXsBj.exe
  C:\Windows\System\bsPXsBj.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\KpxUJVl.exe
  C:\Windows\System\KpxUJVl.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\JHUvGni.exe
  C:\Windows\System\JHUvGni.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\tFfmJys.exe
  C:\Windows\System\tFfmJys.exe
  2⤵
  - Executes dropped EXE
  PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CrCAyhx.exe

Filesize
5.2MB

MD5
6d3c573beafc243bd8bb51e839e70eb4

SHA1
f56ac2c249e4ddbea8eed94eba6b26753c97d965

SHA256
1dd26a27ebe01362f176008c2e21b16c76ed5d396bbfb6997c725179de1eec1b

SHA512
89f6a0ee0609e11da2d6fd592e50271c06f453014310a30b7408635dc45abe0520646fb220045a9a6559a55654f60a7d2b882772f175bc6d13c4f2444fc53cc0

Download Submit
C:\Windows\System\GvCbHch.exe

Filesize
5.2MB

MD5
32f63d93f11495bf4210c32480d57fe1

SHA1
11ac847efe02c93644d5036ea5a254e3aa9fb8fd

SHA256
266141994ce6f96b03e661a57818bfcb3b37da545465a1fbca494bbfddaa1c72

SHA512
8dab270b86b334a9d9cf2fcd15ca7bf235a92fdf3a77ddffcf08a088e143b6e477c1aef38afaaf4e5e03440910dd2b8a71af45d7c0d44263d2abcd9779aee948

Download Submit
C:\Windows\System\IWMZgmT.exe

Filesize
5.2MB

MD5
2f9bea83ba62b143714a06acfcd8a044

SHA1
e311ef4c63e87cd90b17ed0c1b8eac4cb6451e29

SHA256
8daf9ddee221deefc318efc8b30a695a8e64f799901c020b37bf36ed8184b7ba

SHA512
e3dd191526d3aa68a0af9bfbe889d4ff52dcfd64506968ad10d2762abfda67b8c1c2501fb71443ea083c2d65ea852033264b61730fc9c8f3c237cea5e45d55b6

Download Submit
C:\Windows\System\JHUvGni.exe

Filesize
5.2MB

MD5
3899adb6d343f695e40a7873344e4589

SHA1
3ae8c559ee87fdb0abcb0e44fc68f0531b7c4d27

SHA256
2ae0b49c643c86c147e195f8eddd4e47398ff6a2bc47939aa2f51792da7304e2

SHA512
d1ef5bbaac9b717287a288a980977c6cf2b0025e1ebde0ad1a4788f54ead9f2eb9d017cac83ffe3cce98da6b30d159bcb9189a252d54769b70e654fc89ef6dc5

Download Submit
C:\Windows\System\KfOvEkU.exe

Filesize
5.2MB

MD5
ef1ab8d8d9bc1b8d653d6db777d18a1b

SHA1
d2efaa415e9e557efa55ed06ea56aba956b0a183

SHA256
182873aee2e2ac2d3f440364ac219eee495bba4e4d22d2dd34537655792f22f5

SHA512
c9e3972a0a18cd9c59ceb996c702d48db3550eb34acabd47010eb8c12e0b3ec08085bd4c15377b44f70571fa0a8e7b16688866b5ba911f0c1a6220505114aa0b

Download Submit
C:\Windows\System\KpxUJVl.exe

Filesize
5.2MB

MD5
8e44043c8e39e2f116cbb1b83c4499f7

SHA1
9fd1a64b1f97a201cb459a08b9bc810933c9c54e

SHA256
23f17f221e09eb1ad7dad8adbc3e5b73074657c122e005624ef08743311a11e9

SHA512
4d1bdc984f89b8e843f6187e86c2cc930314bc68d2933cade7ee3eb6a9d7b7ddd1f8c107900473c68a25e6c342115e572b09a3926114dc3543e609d8cb4b627b

Download Submit
C:\Windows\System\MJiuwSY.exe

Filesize
5.2MB

MD5
3dddf5632606cf8c88230fc909100a3f

SHA1
bb22438bd5153f027b6f9c0508ae76f55aa27ef3

SHA256
d6d898f8046073ff03536d5ebbcdaaadb34baf0f7714e228de234024cbd5d561

SHA512
6457276625e5e996fbfc2d21e56b03643ae899678316a94dd27cd0cc610f66b9ef30a0becc29aa64e2de3ae5a512f772e5ddd6168241a83216f025bde1780a41

Download Submit
C:\Windows\System\QgupkNa.exe

Filesize
5.2MB

MD5
b90e11a5a70e12b580f6182dc77c8b78

SHA1
8b80d33787ea52f24ceb62b2dc877e66795f83cf

SHA256
234aefb1c4c6d05eeabeadfeccf6c7295a2a49a07a8d4ef26a611f520d3c795f

SHA512
dfb78879ddb9bc70ff019627ed9b0ca879b43d94496069e5ce5ccdb853020dca3736a32dd6a3f8138da6de84b8379e0c3fda80346df76e97028b6117a623bbf8

Download Submit
C:\Windows\System\TJgOqkb.exe

Filesize
5.2MB

MD5
0faf0a37de41da5e3f49ad11c318c07b

SHA1
20c34dead72023255072b029a2ea02088f413ecc

SHA256
d632c8ff876d4de8bee38e00a1543103241bc41ba3f636183a4bc47c5df869cb

SHA512
d0bc2ca3c2c0a51ac53579f7932034fd9d43abb61084b8dc9b84a1f179e682e61050a503c08b638db7080800bd642a93b20335dbdd6c2af2b552fad39eb7be30

Download Submit
C:\Windows\System\WQbYaQa.exe

Filesize
5.2MB

MD5
ab45b9e1dcd22eb221be61900597c317

SHA1
b7da895037cc4ad806ba2270089570e85d467a90

SHA256
b6f47429d0c715b7fb96c42a3216b25520d0ca69646855b239336f3ade894399

SHA512
106e9eb275ad4b45cc001776583f147153c6e709146e4e48b0052502dfeae67b44d31b7ef2d885f1a438dca40049eb4c5d1daddf1d41c19279474654f5d82896

Download Submit
C:\Windows\System\XBddbpn.exe

Filesize
5.2MB

MD5
21ceee32afe7f8e0272c299266c6b0e2

SHA1
a3ef00dd73890e96c54d63e1a199bccec1021307

SHA256
ccd8483873746944fb09ab770390f7bb79c2f64f717081bd4d29060b79ec769f

SHA512
2fc93980aa0b96973e3515ee3748f5074d25823db7279fd1940f51ba18cd0c1ae0644c0989c077373dceefb85fbab185145151d48aa55d2acbd4fad256e4669f

Download Submit
C:\Windows\System\ademiar.exe

Filesize
5.2MB

MD5
f63b25fe4e81ca6f827ad09e57d43e03

SHA1
fc11eb66ffbf20c5899b6a805bb758efbfd8898a

SHA256
ce8f05e8fe5bb3300b3d487172553399c38f3d2c0472c5142e382f431d82b288

SHA512
da45bdbb685518c0eef3f204410c313458a65d195cf08d7b592de6b62078baf5bf053a84ff53fd0a069c9aec747bd6f56305d02db1e2eb1fc93f750d8fdbc211

Download Submit
C:\Windows\System\bsPXsBj.exe

Filesize
5.2MB

MD5
1197bf558100f7469327bb6fdc926088

SHA1
7e648f8f83e9b2ef246b33102a76a9dc4b1efb3c

SHA256
acbaf5e66fd9a95e95c668b40370e928262158db98cec73aaa1511f6b949ab40

SHA512
ec62f05a30238a7d5ad60d35c064b7efd187615457ee5179c080a77cba158e08405f78e817e098525907d5549914e4f853874688eb1dc77d39f7eac64478b5c6

Download Submit
C:\Windows\System\eJKGqaX.exe

Filesize
5.2MB

MD5
89ec30a3195a71f32f98ffb5cb31fbd8

SHA1
4d0a535dc5b09db224eaadfe5f50d29d2dbcdf4e

SHA256
278c2b73029808dd24b6562b81c8a95b363e45d2f053f00df6b763f8bdf9c346

SHA512
c5879fda525a3e968e4eb626cdba4226fdc2f868caadba2ff6665a3f370a1efe43d8a9e4d40b3de564c696f0c6606c042a3d4f153f1e213933b5560320a10800

Download Submit
C:\Windows\System\iOlVOdM.exe

Filesize
5.2MB

MD5
c84ae5c895d7b42ffb0412c7a2ad337b

SHA1
1da1e5af11e05d964e778c6904c4ae60056132f7

SHA256
039adc2235f11457650daa3d22a99e4d4c729053782902c5ef588fea97fa2b43

SHA512
f19a1ad5a5cc032204d675e7b4a461ae124c6bca7d297b1fdeb62a3c1300da2455eb48b4db7605301ef6e340d7911f6b5e109c87e003de30082db4a107ad03e3

Download Submit
C:\Windows\System\jNlPdpa.exe

Filesize
5.2MB

MD5
3040b56920dd59c11a157c7ee7997fad

SHA1
426ab4f8c0937b65192823469d2a12bc2dac00d8

SHA256
e746f4941b05e63a35a581f428e5756942a2d1373608e2b5b487e44aaeda801c

SHA512
a262d84636122cf697700607f9723b23b7392e7a49134509acdc3c5d206c38509222ca96d37d513b80fa6883a200b6defade9bec81680040475ac00144fb00f6

Download Submit
C:\Windows\System\jVbdEKB.exe

Filesize
5.2MB

MD5
08d0841b429db69a95bd1a8129e1d89c

SHA1
cfff52813770787bf174b09cacf36f5c93251672

SHA256
902cd1d96864bcf3503af4c04dccdb7651313d8b737438652ea0cbee20ee1c02

SHA512
413623b809cb777c4085d236e6351933142634e29949b8c0809eb638dc1ea709078af0755367a718cded04c53a891a7d3c37c8a3af8499d2cc54a3707125a2f4

Download Submit
C:\Windows\System\ncfsxyE.exe

Filesize
5.2MB

MD5
e6a53584b7ddf81f34cd6e36834fe502

SHA1
5cdebc8d8eb95b3635c05a8f2a81f0e41c452a4c

SHA256
a6d1c8017b540bd5cd66d7def9aa8a0265da9f8325cd8ae72c6b66ed64e0c13d

SHA512
7dd112822ed5aa96193c9421c2cc58d1e782fdcea353c04db2f72f22a27810eb3e76ae7e10118746d591f723eebc74fb47f34f40fb6d92addcea0d4b6156936c

Download Submit
C:\Windows\System\ocZZlis.exe

Filesize
5.2MB

MD5
3d257f2ff8a00314b7f789d7ebb9f4c7

SHA1
0e6a91796975445bcf9b2dd4206b4513eccb4040

SHA256
ecb079ca113f2afc263cf9f228eb5f00eda2ce4c27c9356a17bb56e7387cc384

SHA512
bc4d7541ed803e0faab11a18e08f918ff64f07dc7ff0541217b76e67931ea419a7e3fff0961952fa5b8afea3824188f40208c4cda00e40d3548ebea907593b39

Download Submit
C:\Windows\System\tFfmJys.exe

Filesize
5.2MB

MD5
32bb97ef0d5bd6982633381084a96d40

SHA1
6b006db94889f9fe438fad106216e5833845b646

SHA256
cc76bbc29119cbb6d6b82159f8ceee8426b066cc7ce5c8a8f47e58311ddff059

SHA512
454c860529cf25a86fd43ff3bb2d5e9ede7514a8f11f1d2d2c675e7f4c6839a3264176ca63f672a249a2a1bb036025aa89636ae59178309495fa592ba5286ec4

Download Submit
C:\Windows\System\vtPICxp.exe

Filesize
5.2MB

MD5
fde59fc641b6078b87256b24efc50258

SHA1
8e6f1a08f15ceeb857c613a8f80ffa8f895ed4e2

SHA256
ce11dcf43278be2c6e6584148d17ee4f16d24c1bab136e26af5bf4e6942b67fc

SHA512
08186cc5fa38d2bb5b56ad4187a9246cac6b123cd5f413bb4af1188a411d8b4edc5dab93462c1f37885256dd61aaa33e2639e1eac0d8b34edd5c095c0d119e63

Download Submit
memory/684-122-0x00007FF746CD0000-0x00007FF747021000-memory.dmp

Filesize
3.3MB

Download
memory/684-249-0x00007FF746CD0000-0x00007FF747021000-memory.dmp

Filesize
3.3MB

Download
memory/1076-36-0x00007FF679650000-0x00007FF6799A1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-221-0x00007FF679650000-0x00007FF6799A1000-memory.dmp

Filesize
3.3MB

Download
memory/1076-132-0x00007FF679650000-0x00007FF6799A1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-254-0x00007FF7E5A70000-0x00007FF7E5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-125-0x00007FF7E5A70000-0x00007FF7E5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-128-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp

Filesize
3.3MB

Download
memory/1428-150-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp

Filesize
3.3MB

Download
memory/1428-151-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp

Filesize
3.3MB

Download
memory/1428-0-0x00007FF6E2D20000-0x00007FF6E3071000-memory.dmp

Filesize
3.3MB

Download
memory/1428-1-0x000001401F130000-0x000001401F140000-memory.dmp

Filesize
64KB

Download
memory/1924-227-0x00007FF65F1D0000-0x00007FF65F521000-memory.dmp

Filesize
3.3MB

Download
memory/1924-58-0x00007FF65F1D0000-0x00007FF65F521000-memory.dmp

Filesize
3.3MB

Download
memory/2072-219-0x00007FF62EED0000-0x00007FF62F221000-memory.dmp

Filesize
3.3MB

Download
memory/2072-76-0x00007FF62EED0000-0x00007FF62F221000-memory.dmp

Filesize
3.3MB

Download
memory/2096-126-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-256-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-237-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-117-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-223-0x00007FF7FB5E0000-0x00007FF7FB931000-memory.dmp

Filesize
3.3MB

Download
memory/2760-51-0x00007FF7FB5E0000-0x00007FF7FB931000-memory.dmp

Filesize
3.3MB

Download
memory/2860-233-0x00007FF6ABE30000-0x00007FF6AC181000-memory.dmp

Filesize
3.3MB

Download
memory/2860-95-0x00007FF6ABE30000-0x00007FF6AC181000-memory.dmp

Filesize
3.3MB

Download
memory/2916-225-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp

Filesize
3.3MB

Download
memory/2916-77-0x00007FF7FC710000-0x00007FF7FCA61000-memory.dmp

Filesize
3.3MB

Download
memory/2948-86-0x00007FF6DCED0000-0x00007FF6DD221000-memory.dmp

Filesize
3.3MB

Download
memory/2948-229-0x00007FF6DCED0000-0x00007FF6DD221000-memory.dmp

Filesize
3.3MB

Download
memory/3120-105-0x00007FF7556E0000-0x00007FF755A31000-memory.dmp

Filesize
3.3MB

Download
memory/3120-246-0x00007FF7556E0000-0x00007FF755A31000-memory.dmp

Filesize
3.3MB

Download
memory/3420-121-0x00007FF6472F0000-0x00007FF647641000-memory.dmp

Filesize
3.3MB

Download
memory/3420-251-0x00007FF6472F0000-0x00007FF647641000-memory.dmp

Filesize
3.3MB

Download
memory/3428-118-0x00007FF6E66E0000-0x00007FF6E6A31000-memory.dmp

Filesize
3.3MB

Download
memory/3428-241-0x00007FF6E66E0000-0x00007FF6E6A31000-memory.dmp

Filesize
3.3MB

Download
memory/3648-235-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp

Filesize
3.3MB

Download
memory/3648-70-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp

Filesize
3.3MB

Download
memory/3648-138-0x00007FF7FBFF0000-0x00007FF7FC341000-memory.dmp

Filesize
3.3MB

Download
memory/3816-240-0x00007FF773340000-0x00007FF773691000-memory.dmp

Filesize
3.3MB

Download
memory/3816-98-0x00007FF773340000-0x00007FF773691000-memory.dmp

Filesize
3.3MB

Download
memory/3980-111-0x00007FF614110000-0x00007FF614461000-memory.dmp

Filesize
3.3MB

Download
memory/3980-145-0x00007FF614110000-0x00007FF614461000-memory.dmp

Filesize
3.3MB

Download
memory/3980-252-0x00007FF614110000-0x00007FF614461000-memory.dmp

Filesize
3.3MB

Download
memory/4060-9-0x00007FF793250000-0x00007FF7935A1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-210-0x00007FF793250000-0x00007FF7935A1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-129-0x00007FF793250000-0x00007FF7935A1000-memory.dmp

Filesize
3.3MB

Download
memory/4328-231-0x00007FF603FF0000-0x00007FF604341000-memory.dmp

Filesize
3.3MB

Download
memory/4328-60-0x00007FF603FF0000-0x00007FF604341000-memory.dmp

Filesize
3.3MB

Download
memory/4428-130-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp

Filesize
3.3MB

Download
memory/4428-217-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp

Filesize
3.3MB

Download
memory/4428-19-0x00007FF64D7F0000-0x00007FF64DB41000-memory.dmp

Filesize
3.3MB

Download
memory/4920-147-0x00007FF6A7E60000-0x00007FF6A81B1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-112-0x00007FF6A7E60000-0x00007FF6A81B1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-258-0x00007FF6A7E60000-0x00007FF6A81B1000-memory.dmp

Filesize
3.3MB

Download