cobaltstrike | f42bf14d86ae90a9c1bf61962cf600178e4df35f67cc59a50f8bbd8fbca303bd

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0377dae8b56e14612cd9bcf9ae8b7ec7
SHA1

d81ea2b3e2b0f78732a03112777ac038585d1bde
SHA256

f42bf14d86ae90a9c1bf61962cf600178e4df35f67cc59a50f8bbd8fbca303bd
SHA512

6d90df723f0fb6da2518486c5a7328b5b88fb52f0dc231b99cc41b4390ffb1488ab435bad31b0cc4afc3e71f5046f806952bbd0a9062f080adcc87f1484f2b43
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002346b-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346f-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-10.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002346c-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-86.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022d14-90.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233a7-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-113.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-118.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022ab1-130.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022d12-134.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233a4-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1468-73-0x00007FF655950000-0x00007FF655CA1000-memory.dmp	xmrig
behavioral2/memory/4104-68-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp	xmrig
behavioral2/memory/4668-77-0x00007FF666640000-0x00007FF666991000-memory.dmp	xmrig
behavioral2/memory/2116-95-0x00007FF6C5FC0000-0x00007FF6C6311000-memory.dmp	xmrig
behavioral2/memory/3352-97-0x00007FF69BFC0000-0x00007FF69C311000-memory.dmp	xmrig
behavioral2/memory/3188-103-0x00007FF7F7230000-0x00007FF7F7581000-memory.dmp	xmrig
behavioral2/memory/3428-111-0x00007FF6CB620000-0x00007FF6CB971000-memory.dmp	xmrig
behavioral2/memory/3068-110-0x00007FF7A1740000-0x00007FF7A1A91000-memory.dmp	xmrig
behavioral2/memory/1912-109-0x00007FF602FA0000-0x00007FF6032F1000-memory.dmp	xmrig
behavioral2/memory/2416-106-0x00007FF625EA0000-0x00007FF6261F1000-memory.dmp	xmrig
behavioral2/memory/4492-92-0x00007FF745C50000-0x00007FF745FA1000-memory.dmp	xmrig
behavioral2/memory/1100-82-0x00007FF6E3EF0000-0x00007FF6E4241000-memory.dmp	xmrig
behavioral2/memory/512-121-0x00007FF6A9710000-0x00007FF6A9A61000-memory.dmp	xmrig
behavioral2/memory/1836-120-0x00007FF621AE0000-0x00007FF621E31000-memory.dmp	xmrig
behavioral2/memory/2892-132-0x00007FF627AB0000-0x00007FF627E01000-memory.dmp	xmrig
behavioral2/memory/4560-125-0x00007FF6B4D90000-0x00007FF6B50E1000-memory.dmp	xmrig
behavioral2/memory/2644-141-0x00007FF67C080000-0x00007FF67C3D1000-memory.dmp	xmrig
behavioral2/memory/4104-142-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp	xmrig
behavioral2/memory/1872-155-0x00007FF7C7170000-0x00007FF7C74C1000-memory.dmp	xmrig
behavioral2/memory/3508-157-0x00007FF67C4D0000-0x00007FF67C821000-memory.dmp	xmrig
behavioral2/memory/184-163-0x00007FF7AFC30000-0x00007FF7AFF81000-memory.dmp	xmrig
behavioral2/memory/4176-167-0x00007FF7FD9B0000-0x00007FF7FDD01000-memory.dmp	xmrig
behavioral2/memory/4512-166-0x00007FF702500000-0x00007FF702851000-memory.dmp	xmrig
behavioral2/memory/4104-168-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp	xmrig
behavioral2/memory/1468-216-0x00007FF655950000-0x00007FF655CA1000-memory.dmp	xmrig
behavioral2/memory/4668-222-0x00007FF666640000-0x00007FF666991000-memory.dmp	xmrig
behavioral2/memory/1100-224-0x00007FF6E3EF0000-0x00007FF6E4241000-memory.dmp	xmrig
behavioral2/memory/3352-235-0x00007FF69BFC0000-0x00007FF69C311000-memory.dmp	xmrig
behavioral2/memory/4492-233-0x00007FF745C50000-0x00007FF745FA1000-memory.dmp	xmrig
behavioral2/memory/3188-237-0x00007FF7F7230000-0x00007FF7F7581000-memory.dmp	xmrig
behavioral2/memory/1912-239-0x00007FF602FA0000-0x00007FF6032F1000-memory.dmp	xmrig
behavioral2/memory/3068-241-0x00007FF7A1740000-0x00007FF7A1A91000-memory.dmp	xmrig
behavioral2/memory/1836-243-0x00007FF621AE0000-0x00007FF621E31000-memory.dmp	xmrig
behavioral2/memory/3428-245-0x00007FF6CB620000-0x00007FF6CB971000-memory.dmp	xmrig
behavioral2/memory/512-247-0x00007FF6A9710000-0x00007FF6A9A61000-memory.dmp	xmrig
behavioral2/memory/2892-249-0x00007FF627AB0000-0x00007FF627E01000-memory.dmp	xmrig
behavioral2/memory/2644-256-0x00007FF67C080000-0x00007FF67C3D1000-memory.dmp	xmrig
behavioral2/memory/2116-258-0x00007FF6C5FC0000-0x00007FF6C6311000-memory.dmp	xmrig
behavioral2/memory/2416-260-0x00007FF625EA0000-0x00007FF6261F1000-memory.dmp	xmrig
behavioral2/memory/1872-262-0x00007FF7C7170000-0x00007FF7C74C1000-memory.dmp	xmrig
behavioral2/memory/3508-264-0x00007FF67C4D0000-0x00007FF67C821000-memory.dmp	xmrig
behavioral2/memory/4560-268-0x00007FF6B4D90000-0x00007FF6B50E1000-memory.dmp	xmrig
behavioral2/memory/184-271-0x00007FF7AFC30000-0x00007FF7AFF81000-memory.dmp	xmrig
behavioral2/memory/4176-273-0x00007FF7FD9B0000-0x00007FF7FDD01000-memory.dmp	xmrig
behavioral2/memory/4512-275-0x00007FF702500000-0x00007FF702851000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1468	sHJMhMH.exe
4668	gRIsxZn.exe
1100	MxHEkiq.exe
4492	HzeQelo.exe
3352	GOaykrf.exe
3188	MfiiRrP.exe
1912	ZwBphUK.exe
3068	mFwlsMn.exe
1836	RUgJnjB.exe
3428	PuBDCmE.exe
512	vjYhyZv.exe
2892	JjCZDLs.exe
2644	gzKxDWq.exe
1872	kddfszZ.exe
2116	ozCTCbw.exe
2416	TWGoOzC.exe
3508	eXIAyNA.exe
4560	RLolCOy.exe
184	qLyLyrM.exe
4176	dHKvbFO.exe
4512	hsxjQPU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4104-0-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp	upx
behavioral2/files/0x000800000002346b-4.dat	upx
behavioral2/memory/1468-8-0x00007FF655950000-0x00007FF655CA1000-memory.dmp	upx
behavioral2/files/0x000700000002346f-11.dat	upx
behavioral2/memory/4668-12-0x00007FF666640000-0x00007FF666991000-memory.dmp	upx
behavioral2/files/0x0007000000023470-10.dat	upx
behavioral2/memory/1100-20-0x00007FF6E3EF0000-0x00007FF6E4241000-memory.dmp	upx
behavioral2/files/0x000800000002346c-23.dat	upx
behavioral2/files/0x0007000000023471-27.dat	upx
behavioral2/memory/3352-31-0x00007FF69BFC0000-0x00007FF69C311000-memory.dmp	upx
behavioral2/memory/4492-25-0x00007FF745C50000-0x00007FF745FA1000-memory.dmp	upx
behavioral2/files/0x0007000000023472-35.dat	upx
behavioral2/files/0x0007000000023474-42.dat	upx
behavioral2/memory/3188-36-0x00007FF7F7230000-0x00007FF7F7581000-memory.dmp	upx
behavioral2/memory/1912-45-0x00007FF602FA0000-0x00007FF6032F1000-memory.dmp	upx
behavioral2/files/0x0007000000023476-55.dat	upx
behavioral2/files/0x0007000000023475-51.dat	upx
behavioral2/files/0x0007000000023477-56.dat	upx
behavioral2/memory/3428-64-0x00007FF6CB620000-0x00007FF6CB971000-memory.dmp	upx
behavioral2/files/0x0007000000023478-70.dat	upx
behavioral2/memory/2892-74-0x00007FF627AB0000-0x00007FF627E01000-memory.dmp	upx
behavioral2/memory/1468-73-0x00007FF655950000-0x00007FF655CA1000-memory.dmp	upx
behavioral2/files/0x0007000000023479-75.dat	upx
behavioral2/memory/512-69-0x00007FF6A9710000-0x00007FF6A9A61000-memory.dmp	upx
behavioral2/memory/4104-68-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp	upx
behavioral2/memory/1836-57-0x00007FF621AE0000-0x00007FF621E31000-memory.dmp	upx
behavioral2/memory/3068-49-0x00007FF7A1740000-0x00007FF7A1A91000-memory.dmp	upx
behavioral2/memory/4668-77-0x00007FF666640000-0x00007FF666991000-memory.dmp	upx
behavioral2/files/0x000700000002347a-80.dat	upx
behavioral2/memory/2644-85-0x00007FF67C080000-0x00007FF67C3D1000-memory.dmp	upx
behavioral2/files/0x000700000002347b-86.dat	upx
behavioral2/files/0x0002000000022d14-90.dat	upx
behavioral2/memory/2116-95-0x00007FF6C5FC0000-0x00007FF6C6311000-memory.dmp	upx
behavioral2/memory/3352-97-0x00007FF69BFC0000-0x00007FF69C311000-memory.dmp	upx
behavioral2/files/0x000a0000000233a7-101.dat	upx
behavioral2/memory/3188-103-0x00007FF7F7230000-0x00007FF7F7581000-memory.dmp	upx
behavioral2/memory/3428-111-0x00007FF6CB620000-0x00007FF6CB971000-memory.dmp	upx
behavioral2/files/0x000700000002347c-113.dat	upx
behavioral2/memory/3508-112-0x00007FF67C4D0000-0x00007FF67C821000-memory.dmp	upx
behavioral2/memory/3068-110-0x00007FF7A1740000-0x00007FF7A1A91000-memory.dmp	upx
behavioral2/memory/1912-109-0x00007FF602FA0000-0x00007FF6032F1000-memory.dmp	upx
behavioral2/memory/2416-106-0x00007FF625EA0000-0x00007FF6261F1000-memory.dmp	upx
behavioral2/memory/1872-94-0x00007FF7C7170000-0x00007FF7C74C1000-memory.dmp	upx
behavioral2/memory/4492-92-0x00007FF745C50000-0x00007FF745FA1000-memory.dmp	upx
behavioral2/memory/1100-82-0x00007FF6E3EF0000-0x00007FF6E4241000-memory.dmp	upx
behavioral2/files/0x000700000002347d-118.dat	upx
behavioral2/memory/512-121-0x00007FF6A9710000-0x00007FF6A9A61000-memory.dmp	upx
behavioral2/memory/1836-120-0x00007FF621AE0000-0x00007FF621E31000-memory.dmp	upx
behavioral2/memory/184-126-0x00007FF7AFC30000-0x00007FF7AFF81000-memory.dmp	upx
behavioral2/files/0x0003000000022ab1-130.dat	upx
behavioral2/files/0x0002000000022d12-134.dat	upx
behavioral2/memory/4176-133-0x00007FF7FD9B0000-0x00007FF7FDD01000-memory.dmp	upx
behavioral2/files/0x000a0000000233a4-137.dat	upx
behavioral2/memory/4512-138-0x00007FF702500000-0x00007FF702851000-memory.dmp	upx
behavioral2/memory/2892-132-0x00007FF627AB0000-0x00007FF627E01000-memory.dmp	upx
behavioral2/memory/4560-125-0x00007FF6B4D90000-0x00007FF6B50E1000-memory.dmp	upx
behavioral2/memory/2644-141-0x00007FF67C080000-0x00007FF67C3D1000-memory.dmp	upx
behavioral2/memory/4104-142-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp	upx
behavioral2/memory/1872-155-0x00007FF7C7170000-0x00007FF7C74C1000-memory.dmp	upx
behavioral2/memory/3508-157-0x00007FF67C4D0000-0x00007FF67C821000-memory.dmp	upx
behavioral2/memory/184-163-0x00007FF7AFC30000-0x00007FF7AFF81000-memory.dmp	upx
behavioral2/memory/4176-167-0x00007FF7FD9B0000-0x00007FF7FDD01000-memory.dmp	upx
behavioral2/memory/4512-166-0x00007FF702500000-0x00007FF702851000-memory.dmp	upx
behavioral2/memory/4104-168-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ozCTCbw.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLyLyrM.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sHJMhMH.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HzeQelo.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUgJnjB.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PuBDCmE.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vjYhyZv.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gRIsxZn.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GOaykrf.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZwBphUK.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TWGoOzC.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eXIAyNA.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MfiiRrP.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mFwlsMn.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gzKxDWq.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dHKvbFO.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsxjQPU.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MxHEkiq.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JjCZDLs.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kddfszZ.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RLolCOy.exe	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1468	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4104 wrote to memory of 1468	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4104 wrote to memory of 4668	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4104 wrote to memory of 4668	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4104 wrote to memory of 1100	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4104 wrote to memory of 1100	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4104 wrote to memory of 4492	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4104 wrote to memory of 4492	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4104 wrote to memory of 3352	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4104 wrote to memory of 3352	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4104 wrote to memory of 3188	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4104 wrote to memory of 3188	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4104 wrote to memory of 1912	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4104 wrote to memory of 1912	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4104 wrote to memory of 3068	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4104 wrote to memory of 3068	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4104 wrote to memory of 1836	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4104 wrote to memory of 1836	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4104 wrote to memory of 3428	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4104 wrote to memory of 3428	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4104 wrote to memory of 512	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4104 wrote to memory of 512	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4104 wrote to memory of 2892	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4104 wrote to memory of 2892	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4104 wrote to memory of 2644	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4104 wrote to memory of 2644	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4104 wrote to memory of 1872	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4104 wrote to memory of 1872	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4104 wrote to memory of 2116	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4104 wrote to memory of 2116	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4104 wrote to memory of 2416	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4104 wrote to memory of 2416	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4104 wrote to memory of 3508	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4104 wrote to memory of 3508	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4104 wrote to memory of 4560	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4104 wrote to memory of 4560	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4104 wrote to memory of 184	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4104 wrote to memory of 184	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4104 wrote to memory of 4176	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4104 wrote to memory of 4176	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4104 wrote to memory of 4512	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4104 wrote to memory of 4512	4104	2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_0377dae8b56e14612cd9bcf9ae8b7ec7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\System\sHJMhMH.exe
  C:\Windows\System\sHJMhMH.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\gRIsxZn.exe
  C:\Windows\System\gRIsxZn.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\MxHEkiq.exe
  C:\Windows\System\MxHEkiq.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System\HzeQelo.exe
  C:\Windows\System\HzeQelo.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\GOaykrf.exe
  C:\Windows\System\GOaykrf.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\MfiiRrP.exe
  C:\Windows\System\MfiiRrP.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\ZwBphUK.exe
  C:\Windows\System\ZwBphUK.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\mFwlsMn.exe
  C:\Windows\System\mFwlsMn.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\RUgJnjB.exe
  C:\Windows\System\RUgJnjB.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\PuBDCmE.exe
  C:\Windows\System\PuBDCmE.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\vjYhyZv.exe
  C:\Windows\System\vjYhyZv.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\JjCZDLs.exe
  C:\Windows\System\JjCZDLs.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\gzKxDWq.exe
  C:\Windows\System\gzKxDWq.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\kddfszZ.exe
  C:\Windows\System\kddfszZ.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\ozCTCbw.exe
  C:\Windows\System\ozCTCbw.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\TWGoOzC.exe
  C:\Windows\System\TWGoOzC.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\eXIAyNA.exe
  C:\Windows\System\eXIAyNA.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\RLolCOy.exe
  C:\Windows\System\RLolCOy.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\qLyLyrM.exe
  C:\Windows\System\qLyLyrM.exe
  2⤵
  - Executes dropped EXE
  PID:184
- C:\Windows\System\dHKvbFO.exe
  C:\Windows\System\dHKvbFO.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\hsxjQPU.exe
  C:\Windows\System\hsxjQPU.exe
  2⤵
  - Executes dropped EXE
  PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GOaykrf.exe

Filesize
5.2MB

MD5
353aabc14af94df3f47d8d7021b428e2

SHA1
b63b6cb1b2746b103c869c381e3536a722f9c4c4

SHA256
87c75a753e587a39d703acdde3223e76d33eca7d443a546d295da0766e2c2798

SHA512
9821f17e0d41715681bb18568319da4eba9e59b63e45c6274337250e399e30ce5b37093805fa6f62a4213c8b18547e5667260ae9c20d61d7f297627a55fa864b

Download Submit
C:\Windows\System\HzeQelo.exe

Filesize
5.2MB

MD5
4a45baf090b74903ba69f649803d718e

SHA1
6e943d516258cb2f1f6a03b18674d6476573d372

SHA256
dfbe7a47a9fa4229dd910e47968a0a07bc81de1c65951ac78b1a4060d9554f1f

SHA512
bdb5da1fd252496754aa181c7a06193a6d7ff8d42a151f4c363ec0a3d12789939906fddaa1621d4cedd5081531c5907841bababdb4d5699072459113935d9321

Download Submit
C:\Windows\System\JjCZDLs.exe

Filesize
5.2MB

MD5
5e4b2a3c087179818147f90837168717

SHA1
0c562556873d39b87399ebec2ca9fcfd50ec2a5e

SHA256
c64d225395a5ac4f7a78fcd039e618a48afcd18a1e56eb79c2cb8f52f2e979fa

SHA512
bebfec2425c6a57f1638a57f06e4348b49b5478a77ea73b06a8727f19fe120960a08b72b6616e49de36792099bd8eee6fd17532a8d75af2a8d24dcde55bdedea

Download Submit
C:\Windows\System\MfiiRrP.exe

Filesize
5.2MB

MD5
3a44cfd3a7f047f2691547000a05024a

SHA1
54bb08f2915ca2344de261a94e0fa0448797ff3a

SHA256
14636b8472ad41b8a4c629b5de22c8296f4e09bc6ea85bb75e661273d6949d31

SHA512
0fa9559a9697982f921ea18a5abd8f725ddc32e4d79df8c4eb79f3b5f26ab3ab5c00f6e9eb49f615790060fc837032227e46012ee84f64136c8093e530cd3ca5

Download Submit
C:\Windows\System\MxHEkiq.exe

Filesize
5.2MB

MD5
41cd6b747b9b5d742fe199be7f817002

SHA1
22438a2a63a1cac023ad835c561a525017047f32

SHA256
368f52b2205bb0e74c615011b2c29e482663d0173a444fb03782ff8a0ef32a44

SHA512
07c065cbec19ddf8eb51436c6897b72562c03cc5c4838af4dd9b997956aa3f2e054b4e4f94b81cc8d2fa7e51a31e45d7970d050f4f1d584c028de2a9ce4d6ebf

Download Submit
C:\Windows\System\PuBDCmE.exe

Filesize
5.2MB

MD5
848aacb4eb8ca69ebce05294e7e3687c

SHA1
51777b5244c3a7b20cf5091b8ada19e5a399bd76

SHA256
d7d048cbeada5d703a6cb8b03d3655e47c54898e4a678b2a557cb374e21626d5

SHA512
19ec4370d7c00203d396b7933c166b1d13909af3dd7061bba14724785568b0b4f17992b005a6a1e7e1fdc0e4b7bb0ab47733be01bc3d6523737ee0e04ed01e75

Download Submit
C:\Windows\System\RLolCOy.exe

Filesize
5.2MB

MD5
3e43fd52b2b16657f09ea63792341303

SHA1
63e11d860fb9095e761a79806a8a2d5f216202d6

SHA256
ce69e3dab4209828320883c428d80cadb6434b4fccca0d544cadffd2260b3b57

SHA512
6c169d797c8c49a65627609a304a99e18fec551082402f18652b7ce7a7c98cb5fe10255d98f27787619c740316f08984f09fa7a22d0b45e22d8d544d74b8d94c

Download Submit
C:\Windows\System\RUgJnjB.exe

Filesize
5.2MB

MD5
c47f99cc85f56b35912231c769137526

SHA1
14db5f6883d11b43577b4110aba844ffc8fc776f

SHA256
155c94181272202bed23aba0c0e95062aaf3eb575aa565f38379127bb4f800f0

SHA512
697632f6754ba53afd1606af74be54d1704ec111022f65a0c8de99a5095c64ecb45d87411117fde25cfd6118c187d1a9225cc91962f032bf4359a6b187a30f7c

Download Submit
C:\Windows\System\TWGoOzC.exe

Filesize
5.2MB

MD5
0d7d7595bd649b7950ecca5abf41bd69

SHA1
00c1995eeaee122a8e3350ab4c5e0cacf98eecb5

SHA256
12c83f81dd65c96e7f8841cad71046387f39beee9a7b8de0f34be7606942c292

SHA512
a83a9e376ea59bfe8c5f1d4fea0c9e38813b2dcf32142bf0a1cc95e3ccd2aedf3787dd7ab696e861225f171d991d58d9a37f716ea4a2711ae2688a359a29d61f

Download Submit
C:\Windows\System\ZwBphUK.exe

Filesize
5.2MB

MD5
df5f0a6ea79698b97cca1bdf26190061

SHA1
c8f76d71365f0901f345d45eb0731f90dfe43465

SHA256
d168b5bde2ebcbafac72c310aa3b9d5b6e258d831d06470cb0725c839a0eeeda

SHA512
77673c10522e801e975ff3c3e5b708fa416d39fbdbef112c28043873b47d95bb2287fcb2619bb1040e4a03eb2d741326f1eb2b4a9ab21eeb3013fe23373f6874

Download Submit
C:\Windows\System\dHKvbFO.exe

Filesize
5.2MB

MD5
60df6099d4e5791147d56afae4a49589

SHA1
bbbefdaecb783d3550bff633756f2c9f49b11fe7

SHA256
e5a53a076fae707e7a48dc776c02866370a1b87d7a462b5590986f04ab7bba00

SHA512
e9f83774e596dc5f1c4ffad9b925dfb13c37c3ac97b975cef10ebb55c5e7614dfda2b830ac733e3718d8698b776ee10a2bab3f1ce8702762eeec5dde0aff6413

Download Submit
C:\Windows\System\eXIAyNA.exe

Filesize
5.2MB

MD5
1a126f8b7c0a463a852df9d9a7c77f7b

SHA1
56190f327454037a45700c2da22414177433e43b

SHA256
ff74a3b93f6103f61c1c791d9eeea32452fb6e6e365712b5d9e7c22079700efe

SHA512
6fa4add9f3dec0cc0bbd004d005063ea02527d95493ff9044ea179d5a109e6d8d4c571f800e2ab8c6cfdefaaa1b2cb1be654d7abfd4eba599fe090021745dd63

Download Submit
C:\Windows\System\gRIsxZn.exe

Filesize
5.2MB

MD5
f273457c60e12fe9f42823fc89c4e797

SHA1
69c80af53c028f4b5ef6b9807aca0aef14073542

SHA256
31a85b45aa44485451da80dd9f5c253380186fec004bdb239a606e60456d3e5a

SHA512
b3ee4622d86ff77ba100f5dc37408ed8df8f14a9b8564aaedf81451125cafe4da71993a90520ff3a82b0c858680ae7bbfbbcf13df511c0e8e71a0d31285da139

Download Submit
C:\Windows\System\gzKxDWq.exe

Filesize
5.2MB

MD5
1f675934f7cf64d39bf5b22aa6d22bc6

SHA1
78989cac45c98db8113fa5e8fb4b10f31ea1d26b

SHA256
72ef9306469c899aef31f7f629a147f4d2d5539428c15ffb384126498cb5f923

SHA512
cd4a5247b948fc74fc1102dc801c5e5cb3bacfe45326479bd0c62c722fb98898a15b865f78730abe4b19f9f947aa41802af60fa0dc9fb42926b30e818ca11220

Download Submit
C:\Windows\System\hsxjQPU.exe

Filesize
5.2MB

MD5
5b7daef0582fa1635b6a1a4bb7792448

SHA1
e734b240a3f2199d7c1a5624a350b15d7955c840

SHA256
d01f79e8b9d9f61d1e2ad78c5612e7743079724cf7008e408fd5d00b2b2d368a

SHA512
05849bc6c6f719a9d6fd168519c1a33a72a5e4d3bd8071cb301c88d6f50c8b74554d66b76f3fb237e1259bb5ffcbc13cfa12f5bde86ac5cfc27d808809e8dd7d

Download Submit
C:\Windows\System\kddfszZ.exe

Filesize
5.2MB

MD5
e0dc174dd293c25916c9e0c745738201

SHA1
4f6700fcc642b0eccba4dd91e7eeb6b7649bff31

SHA256
1153f21c4d5acd90a9a324740ea90f085668fffda16fd7a88d1519727277970a

SHA512
7e053a319711917cbf04267feada0eb3cb0ad7eae880db61e92520eefd57aec28714f829ace8c3fed236123999c01dfb9be4daf40b86ce5dada0322233aced29

Download Submit
C:\Windows\System\mFwlsMn.exe

Filesize
5.2MB

MD5
7f04b1af6a3c531f44d59a37b87ef32c

SHA1
12d84678a26b7f28b41f893ae21227a3e1f5d8c5

SHA256
be3361edbdf7e0181cdaa4703572025a71c633cfb7b6db7c0b756d89cb47ee7a

SHA512
92c04f769dd3e8050dea93ed5cb6916d33e35ccdad405a4bada149acf00edc705662d49b3402add2acfbab72feb6e4e2ef59a782b36dcfc67017464fbfcb0fb0

Download Submit
C:\Windows\System\ozCTCbw.exe

Filesize
5.2MB

MD5
bc26c05efa43cfb380f54cfa0416c237

SHA1
9cac426d450415e8177580c2721325549fc38733

SHA256
ce59db5d2a485900f73ac154c9916306ca046ff0024e81fe65f014dd601e2c62

SHA512
ac664dd3fca176346ad63cc6c9d960f2c572bb559345be1e8c338062cdb24183da0cda8558b14db71b8156fd11070122f960f364e823ba765e49d30e731cb919

Download Submit
C:\Windows\System\qLyLyrM.exe

Filesize
5.2MB

MD5
a3da9cbb5ae8bafb363440deb946841e

SHA1
fe35572e550eb3e0dabaa835b1db9a7c506558dc

SHA256
2442c0279d9d8e563d8c25e3a8dfb1433280eaa6c47a6829e57406cc6440220f

SHA512
81557387ff253687dc35f2cf8ad7b52fd4f85ef5d57fc17a091b0ca2cfe20a1b9360f45c4c24f831ef6e547c830a951dfa8fbd9123ce2f8079815ffcb31a7de6

Download Submit
C:\Windows\System\sHJMhMH.exe

Filesize
5.2MB

MD5
ae3bdc74d5557aea36efd0e2b670b945

SHA1
a9ecf85ef13fd39ef904a6373d2395871e1a726d

SHA256
913807aa34339b3a75f71c8372d61fb054c9b6b12fe7edcd8bfb766529fb0fd7

SHA512
51856d120db3665471623fa277c85938e66b37121ff7c425fed76c645b0f828e6ee76b8148604cd6b93bc6f7c8186ac240d8c683eb8cec796b9e942dfbcd122c

Download Submit
C:\Windows\System\vjYhyZv.exe

Filesize
5.2MB

MD5
43e2908458253578f886a2f37b45652b

SHA1
45f45b46ced92b336f08810572ce470473edbc1b

SHA256
a6a7e30cf0d7dd2e3713b6c14977fbd4bbd24d82efabae24c3dcf2a3bef983ed

SHA512
4342ede25a010fe268d43f6a835ed93267c8139e76d3da6c5ead14e38724a927e963888c35680100b7f449e5aa2d119ede3a6acf5833669674371f77938c8ab2

Download Submit
memory/184-163-0x00007FF7AFC30000-0x00007FF7AFF81000-memory.dmp

Filesize
3.3MB

Download
memory/184-126-0x00007FF7AFC30000-0x00007FF7AFF81000-memory.dmp

Filesize
3.3MB

Download
memory/184-271-0x00007FF7AFC30000-0x00007FF7AFF81000-memory.dmp

Filesize
3.3MB

Download
memory/512-121-0x00007FF6A9710000-0x00007FF6A9A61000-memory.dmp

Filesize
3.3MB

Download
memory/512-69-0x00007FF6A9710000-0x00007FF6A9A61000-memory.dmp

Filesize
3.3MB

Download
memory/512-247-0x00007FF6A9710000-0x00007FF6A9A61000-memory.dmp

Filesize
3.3MB

Download
memory/1100-224-0x00007FF6E3EF0000-0x00007FF6E4241000-memory.dmp

Filesize
3.3MB

Download
memory/1100-82-0x00007FF6E3EF0000-0x00007FF6E4241000-memory.dmp

Filesize
3.3MB

Download
memory/1100-20-0x00007FF6E3EF0000-0x00007FF6E4241000-memory.dmp

Filesize
3.3MB

Download
memory/1468-73-0x00007FF655950000-0x00007FF655CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-216-0x00007FF655950000-0x00007FF655CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-8-0x00007FF655950000-0x00007FF655CA1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-57-0x00007FF621AE0000-0x00007FF621E31000-memory.dmp

Filesize
3.3MB

Download
memory/1836-120-0x00007FF621AE0000-0x00007FF621E31000-memory.dmp

Filesize
3.3MB

Download
memory/1836-243-0x00007FF621AE0000-0x00007FF621E31000-memory.dmp

Filesize
3.3MB

Download
memory/1872-155-0x00007FF7C7170000-0x00007FF7C74C1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-94-0x00007FF7C7170000-0x00007FF7C74C1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-262-0x00007FF7C7170000-0x00007FF7C74C1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-109-0x00007FF602FA0000-0x00007FF6032F1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-239-0x00007FF602FA0000-0x00007FF6032F1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-45-0x00007FF602FA0000-0x00007FF6032F1000-memory.dmp

Filesize
3.3MB

Download
memory/2116-95-0x00007FF6C5FC0000-0x00007FF6C6311000-memory.dmp

Filesize
3.3MB

Download
memory/2116-258-0x00007FF6C5FC0000-0x00007FF6C6311000-memory.dmp

Filesize
3.3MB

Download
memory/2416-106-0x00007FF625EA0000-0x00007FF6261F1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-260-0x00007FF625EA0000-0x00007FF6261F1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-256-0x00007FF67C080000-0x00007FF67C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-85-0x00007FF67C080000-0x00007FF67C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-141-0x00007FF67C080000-0x00007FF67C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-74-0x00007FF627AB0000-0x00007FF627E01000-memory.dmp

Filesize
3.3MB

Download
memory/2892-249-0x00007FF627AB0000-0x00007FF627E01000-memory.dmp

Filesize
3.3MB

Download
memory/2892-132-0x00007FF627AB0000-0x00007FF627E01000-memory.dmp

Filesize
3.3MB

Download
memory/3068-49-0x00007FF7A1740000-0x00007FF7A1A91000-memory.dmp

Filesize
3.3MB

Download
memory/3068-110-0x00007FF7A1740000-0x00007FF7A1A91000-memory.dmp

Filesize
3.3MB

Download
memory/3068-241-0x00007FF7A1740000-0x00007FF7A1A91000-memory.dmp

Filesize
3.3MB

Download
memory/3188-36-0x00007FF7F7230000-0x00007FF7F7581000-memory.dmp

Filesize
3.3MB

Download
memory/3188-237-0x00007FF7F7230000-0x00007FF7F7581000-memory.dmp

Filesize
3.3MB

Download
memory/3188-103-0x00007FF7F7230000-0x00007FF7F7581000-memory.dmp

Filesize
3.3MB

Download
memory/3352-97-0x00007FF69BFC0000-0x00007FF69C311000-memory.dmp

Filesize
3.3MB

Download
memory/3352-235-0x00007FF69BFC0000-0x00007FF69C311000-memory.dmp

Filesize
3.3MB

Download
memory/3352-31-0x00007FF69BFC0000-0x00007FF69C311000-memory.dmp

Filesize
3.3MB

Download
memory/3428-64-0x00007FF6CB620000-0x00007FF6CB971000-memory.dmp

Filesize
3.3MB

Download
memory/3428-245-0x00007FF6CB620000-0x00007FF6CB971000-memory.dmp

Filesize
3.3MB

Download
memory/3428-111-0x00007FF6CB620000-0x00007FF6CB971000-memory.dmp

Filesize
3.3MB

Download
memory/3508-112-0x00007FF67C4D0000-0x00007FF67C821000-memory.dmp

Filesize
3.3MB

Download
memory/3508-157-0x00007FF67C4D0000-0x00007FF67C821000-memory.dmp

Filesize
3.3MB

Download
memory/3508-264-0x00007FF67C4D0000-0x00007FF67C821000-memory.dmp

Filesize
3.3MB

Download
memory/4104-168-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-142-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-1-0x00000232B7790000-0x00000232B77A0000-memory.dmp

Filesize
64KB

Download
memory/4104-68-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp

Filesize
3.3MB

Download
memory/4104-0-0x00007FF668D60000-0x00007FF6690B1000-memory.dmp

Filesize
3.3MB

Download
memory/4176-167-0x00007FF7FD9B0000-0x00007FF7FDD01000-memory.dmp

Filesize
3.3MB

Download
memory/4176-133-0x00007FF7FD9B0000-0x00007FF7FDD01000-memory.dmp

Filesize
3.3MB

Download
memory/4176-273-0x00007FF7FD9B0000-0x00007FF7FDD01000-memory.dmp

Filesize
3.3MB

Download
memory/4492-233-0x00007FF745C50000-0x00007FF745FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-25-0x00007FF745C50000-0x00007FF745FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-92-0x00007FF745C50000-0x00007FF745FA1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-166-0x00007FF702500000-0x00007FF702851000-memory.dmp

Filesize
3.3MB

Download
memory/4512-138-0x00007FF702500000-0x00007FF702851000-memory.dmp

Filesize
3.3MB

Download
memory/4512-275-0x00007FF702500000-0x00007FF702851000-memory.dmp

Filesize
3.3MB

Download
memory/4560-268-0x00007FF6B4D90000-0x00007FF6B50E1000-memory.dmp

Filesize
3.3MB

Download
memory/4560-125-0x00007FF6B4D90000-0x00007FF6B50E1000-memory.dmp

Filesize
3.3MB

Download
memory/4668-12-0x00007FF666640000-0x00007FF666991000-memory.dmp

Filesize
3.3MB

Download
memory/4668-77-0x00007FF666640000-0x00007FF666991000-memory.dmp

Filesize
3.3MB

Download
memory/4668-222-0x00007FF666640000-0x00007FF666991000-memory.dmp

Filesize
3.3MB

Download