cobaltstrike | d4459576d0974d44a93cbff1fc38e327adaf85af1c6803e67e69dbc054afb43b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0d5b1a5547e152107e5e2ec63343fbbf
SHA1

a147dd2df2649038eb258c1dc38617dcec4ebe51
SHA256

d4459576d0974d44a93cbff1fc38e327adaf85af1c6803e67e69dbc054afb43b
SHA512

9dfd4c076610b9123065caab67680c3b86b2ddac211d2ca251f4e741b7aa269c9518d9887d9a3be4fc5988896774dc60a999991b7d7aece92db9eda22722de85
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l9:RWWBibf56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233db-4.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002343d-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-48.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-25.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-97.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002343f-99.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023454-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023453-131.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3524-38-0x00007FF68CF70000-0x00007FF68D2C1000-memory.dmp	xmrig
behavioral2/memory/3832-62-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp	xmrig
behavioral2/memory/2964-60-0x00007FF6EEEF0000-0x00007FF6EF241000-memory.dmp	xmrig
behavioral2/memory/1660-55-0x00007FF76FC80000-0x00007FF76FFD1000-memory.dmp	xmrig
behavioral2/memory/3128-32-0x00007FF623250000-0x00007FF6235A1000-memory.dmp	xmrig
behavioral2/memory/3312-20-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp	xmrig
behavioral2/memory/756-84-0x00007FF628DF0000-0x00007FF629141000-memory.dmp	xmrig
behavioral2/memory/3128-106-0x00007FF623250000-0x00007FF6235A1000-memory.dmp	xmrig
behavioral2/memory/2780-108-0x00007FF6F2B40000-0x00007FF6F2E91000-memory.dmp	xmrig
behavioral2/memory/4848-102-0x00007FF637180000-0x00007FF6374D1000-memory.dmp	xmrig
behavioral2/memory/3312-93-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp	xmrig
behavioral2/memory/2800-91-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp	xmrig
behavioral2/memory/3536-134-0x00007FF6D2270000-0x00007FF6D25C1000-memory.dmp	xmrig
behavioral2/memory/4928-128-0x00007FF7EC650000-0x00007FF7EC9A1000-memory.dmp	xmrig
behavioral2/memory/1176-122-0x00007FF60D180000-0x00007FF60D4D1000-memory.dmp	xmrig
behavioral2/memory/3796-137-0x00007FF62FC60000-0x00007FF62FFB1000-memory.dmp	xmrig
behavioral2/memory/2864-138-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	xmrig
behavioral2/memory/756-139-0x00007FF628DF0000-0x00007FF629141000-memory.dmp	xmrig
behavioral2/memory/796-154-0x00007FF64E810000-0x00007FF64EB61000-memory.dmp	xmrig
behavioral2/memory/4892-155-0x00007FF7E3670000-0x00007FF7E39C1000-memory.dmp	xmrig
behavioral2/memory/2380-156-0x00007FF740D20000-0x00007FF741071000-memory.dmp	xmrig
behavioral2/memory/5028-160-0x00007FF652F00000-0x00007FF653251000-memory.dmp	xmrig
behavioral2/memory/60-161-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp	xmrig
behavioral2/memory/548-165-0x00007FF6A2810000-0x00007FF6A2B61000-memory.dmp	xmrig
behavioral2/memory/4960-164-0x00007FF7C4D40000-0x00007FF7C5091000-memory.dmp	xmrig
behavioral2/memory/756-166-0x00007FF628DF0000-0x00007FF629141000-memory.dmp	xmrig
behavioral2/memory/2800-223-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp	xmrig
behavioral2/memory/3312-225-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp	xmrig
behavioral2/memory/4848-227-0x00007FF637180000-0x00007FF6374D1000-memory.dmp	xmrig
behavioral2/memory/3524-229-0x00007FF68CF70000-0x00007FF68D2C1000-memory.dmp	xmrig
behavioral2/memory/3128-231-0x00007FF623250000-0x00007FF6235A1000-memory.dmp	xmrig
behavioral2/memory/1660-233-0x00007FF76FC80000-0x00007FF76FFD1000-memory.dmp	xmrig
behavioral2/memory/3832-237-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp	xmrig
behavioral2/memory/2964-236-0x00007FF6EEEF0000-0x00007FF6EF241000-memory.dmp	xmrig
behavioral2/memory/1176-247-0x00007FF60D180000-0x00007FF60D4D1000-memory.dmp	xmrig
behavioral2/memory/4928-248-0x00007FF7EC650000-0x00007FF7EC9A1000-memory.dmp	xmrig
behavioral2/memory/3536-245-0x00007FF6D2270000-0x00007FF6D25C1000-memory.dmp	xmrig
behavioral2/memory/3796-250-0x00007FF62FC60000-0x00007FF62FFB1000-memory.dmp	xmrig
behavioral2/memory/2780-243-0x00007FF6F2B40000-0x00007FF6F2E91000-memory.dmp	xmrig
behavioral2/memory/2864-255-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	xmrig
behavioral2/memory/796-258-0x00007FF64E810000-0x00007FF64EB61000-memory.dmp	xmrig
behavioral2/memory/4892-260-0x00007FF7E3670000-0x00007FF7E39C1000-memory.dmp	xmrig
behavioral2/memory/2380-262-0x00007FF740D20000-0x00007FF741071000-memory.dmp	xmrig
behavioral2/memory/5028-267-0x00007FF652F00000-0x00007FF653251000-memory.dmp	xmrig
behavioral2/memory/60-269-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp	xmrig
behavioral2/memory/548-271-0x00007FF6A2810000-0x00007FF6A2B61000-memory.dmp	xmrig
behavioral2/memory/4960-273-0x00007FF7C4D40000-0x00007FF7C5091000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2800	jKXkXXu.exe
3312	sFgaZGF.exe
4848	xaqOfvC.exe
3128	dRpfYGL.exe
3524	qRErUNl.exe
1660	zUowHEH.exe
2780	LGgKqjk.exe
2964	VBUZVxN.exe
3832	uSoeaDI.exe
4928	ddrjsMV.exe
1176	LWbdxsO.exe
3536	EEUYmeO.exe
3796	VHZPLIO.exe
2864	thyvEFS.exe
796	LgwBgta.exe
4892	HnQCYcy.exe
2380	RWAjnoP.exe
5028	iNNixyw.exe
60	euuctCI.exe
548	FGfhOea.exe
4960	ZxIEBEB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/756-0-0x00007FF628DF0000-0x00007FF629141000-memory.dmp	upx
behavioral2/files/0x00090000000233db-4.dat	upx
behavioral2/memory/2800-8-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp	upx
behavioral2/files/0x000900000002343d-11.dat	upx
behavioral2/files/0x0007000000023442-16.dat	upx
behavioral2/files/0x0007000000023445-35.dat	upx
behavioral2/memory/3524-38-0x00007FF68CF70000-0x00007FF68D2C1000-memory.dmp	upx
behavioral2/files/0x0007000000023447-45.dat	upx
behavioral2/files/0x0007000000023448-48.dat	upx
behavioral2/files/0x000700000002344a-59.dat	upx
behavioral2/memory/3832-62-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp	upx
behavioral2/files/0x000700000002344b-73.dat	upx
behavioral2/memory/3796-78-0x00007FF62FC60000-0x00007FF62FFB1000-memory.dmp	upx
behavioral2/files/0x000700000002344c-79.dat	upx
behavioral2/memory/3536-72-0x00007FF6D2270000-0x00007FF6D25C1000-memory.dmp	upx
behavioral2/files/0x0007000000023449-64.dat	upx
behavioral2/memory/4928-63-0x00007FF7EC650000-0x00007FF7EC9A1000-memory.dmp	upx
behavioral2/memory/1176-61-0x00007FF60D180000-0x00007FF60D4D1000-memory.dmp	upx
behavioral2/memory/2964-60-0x00007FF6EEEF0000-0x00007FF6EF241000-memory.dmp	upx
behavioral2/memory/1660-55-0x00007FF76FC80000-0x00007FF76FFD1000-memory.dmp	upx
behavioral2/files/0x0007000000023446-54.dat	upx
behavioral2/memory/2780-44-0x00007FF6F2B40000-0x00007FF6F2E91000-memory.dmp	upx
behavioral2/memory/3128-32-0x00007FF623250000-0x00007FF6235A1000-memory.dmp	upx
behavioral2/files/0x0007000000023444-30.dat	upx
behavioral2/files/0x0007000000023443-25.dat	upx
behavioral2/memory/4848-21-0x00007FF637180000-0x00007FF6374D1000-memory.dmp	upx
behavioral2/memory/3312-20-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp	upx
behavioral2/files/0x000700000002344d-83.dat	upx
behavioral2/memory/756-84-0x00007FF628DF0000-0x00007FF629141000-memory.dmp	upx
behavioral2/files/0x000700000002344e-97.dat	upx
behavioral2/files/0x000800000002343f-99.dat	upx
behavioral2/memory/4892-103-0x00007FF7E3670000-0x00007FF7E39C1000-memory.dmp	upx
behavioral2/memory/3128-106-0x00007FF623250000-0x00007FF6235A1000-memory.dmp	upx
behavioral2/files/0x000700000002344f-109.dat	upx
behavioral2/memory/2780-108-0x00007FF6F2B40000-0x00007FF6F2E91000-memory.dmp	upx
behavioral2/memory/2380-105-0x00007FF740D20000-0x00007FF741071000-memory.dmp	upx
behavioral2/memory/4848-102-0x00007FF637180000-0x00007FF6374D1000-memory.dmp	upx
behavioral2/memory/796-98-0x00007FF64E810000-0x00007FF64EB61000-memory.dmp	upx
behavioral2/memory/3312-93-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp	upx
behavioral2/memory/2800-91-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp	upx
behavioral2/memory/2864-88-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	upx
behavioral2/files/0x0007000000023450-113.dat	upx
behavioral2/files/0x0007000000023452-117.dat	upx
behavioral2/memory/5028-116-0x00007FF652F00000-0x00007FF653251000-memory.dmp	upx
behavioral2/files/0x0007000000023454-127.dat	upx
behavioral2/memory/548-130-0x00007FF6A2810000-0x00007FF6A2B61000-memory.dmp	upx
behavioral2/files/0x0007000000023453-131.dat	upx
behavioral2/memory/4960-133-0x00007FF7C4D40000-0x00007FF7C5091000-memory.dmp	upx
behavioral2/memory/3536-134-0x00007FF6D2270000-0x00007FF6D25C1000-memory.dmp	upx
behavioral2/memory/4928-128-0x00007FF7EC650000-0x00007FF7EC9A1000-memory.dmp	upx
behavioral2/memory/60-123-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp	upx
behavioral2/memory/1176-122-0x00007FF60D180000-0x00007FF60D4D1000-memory.dmp	upx
behavioral2/memory/3796-137-0x00007FF62FC60000-0x00007FF62FFB1000-memory.dmp	upx
behavioral2/memory/2864-138-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp	upx
behavioral2/memory/756-139-0x00007FF628DF0000-0x00007FF629141000-memory.dmp	upx
behavioral2/memory/796-154-0x00007FF64E810000-0x00007FF64EB61000-memory.dmp	upx
behavioral2/memory/4892-155-0x00007FF7E3670000-0x00007FF7E39C1000-memory.dmp	upx
behavioral2/memory/2380-156-0x00007FF740D20000-0x00007FF741071000-memory.dmp	upx
behavioral2/memory/5028-160-0x00007FF652F00000-0x00007FF653251000-memory.dmp	upx
behavioral2/memory/60-161-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp	upx
behavioral2/memory/548-165-0x00007FF6A2810000-0x00007FF6A2B61000-memory.dmp	upx
behavioral2/memory/4960-164-0x00007FF7C4D40000-0x00007FF7C5091000-memory.dmp	upx
behavioral2/memory/756-166-0x00007FF628DF0000-0x00007FF629141000-memory.dmp	upx
behavioral2/memory/2800-223-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\thyvEFS.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGfhOea.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZxIEBEB.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VBUZVxN.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dRpfYGL.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uSoeaDI.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EEUYmeO.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LgwBgta.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\euuctCI.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xaqOfvC.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LWbdxsO.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VHZPLIO.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HnQCYcy.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWAjnoP.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iNNixyw.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qRErUNl.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sFgaZGF.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zUowHEH.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LGgKqjk.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ddrjsMV.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jKXkXXu.exe	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2800	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 756 wrote to memory of 2800	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 756 wrote to memory of 3312	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 756 wrote to memory of 3312	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 756 wrote to memory of 4848	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 756 wrote to memory of 4848	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 756 wrote to memory of 3128	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 756 wrote to memory of 3128	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 756 wrote to memory of 3524	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 756 wrote to memory of 3524	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 756 wrote to memory of 1660	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 756 wrote to memory of 1660	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 756 wrote to memory of 2780	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 756 wrote to memory of 2780	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 756 wrote to memory of 2964	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 756 wrote to memory of 2964	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 756 wrote to memory of 3832	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 756 wrote to memory of 3832	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 756 wrote to memory of 4928	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 756 wrote to memory of 4928	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 756 wrote to memory of 1176	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 756 wrote to memory of 1176	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 756 wrote to memory of 3536	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 756 wrote to memory of 3536	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 756 wrote to memory of 3796	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 756 wrote to memory of 3796	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 756 wrote to memory of 2864	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 756 wrote to memory of 2864	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 756 wrote to memory of 796	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 756 wrote to memory of 796	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 756 wrote to memory of 4892	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 756 wrote to memory of 4892	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 756 wrote to memory of 2380	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 756 wrote to memory of 2380	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 756 wrote to memory of 5028	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 756 wrote to memory of 5028	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 756 wrote to memory of 60	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 756 wrote to memory of 60	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 756 wrote to memory of 548	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 756 wrote to memory of 548	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 756 wrote to memory of 4960	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 756 wrote to memory of 4960	756	2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_0d5b1a5547e152107e5e2ec63343fbbf_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\System\jKXkXXu.exe
  C:\Windows\System\jKXkXXu.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\sFgaZGF.exe
  C:\Windows\System\sFgaZGF.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\xaqOfvC.exe
  C:\Windows\System\xaqOfvC.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\dRpfYGL.exe
  C:\Windows\System\dRpfYGL.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\qRErUNl.exe
  C:\Windows\System\qRErUNl.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\zUowHEH.exe
  C:\Windows\System\zUowHEH.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\LGgKqjk.exe
  C:\Windows\System\LGgKqjk.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\VBUZVxN.exe
  C:\Windows\System\VBUZVxN.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\uSoeaDI.exe
  C:\Windows\System\uSoeaDI.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\ddrjsMV.exe
  C:\Windows\System\ddrjsMV.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\LWbdxsO.exe
  C:\Windows\System\LWbdxsO.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\EEUYmeO.exe
  C:\Windows\System\EEUYmeO.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\VHZPLIO.exe
  C:\Windows\System\VHZPLIO.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\thyvEFS.exe
  C:\Windows\System\thyvEFS.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\LgwBgta.exe
  C:\Windows\System\LgwBgta.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\HnQCYcy.exe
  C:\Windows\System\HnQCYcy.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\RWAjnoP.exe
  C:\Windows\System\RWAjnoP.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\iNNixyw.exe
  C:\Windows\System\iNNixyw.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\euuctCI.exe
  C:\Windows\System\euuctCI.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\FGfhOea.exe
  C:\Windows\System\FGfhOea.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\ZxIEBEB.exe
  C:\Windows\System\ZxIEBEB.exe
  2⤵
  - Executes dropped EXE
  PID:4960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EEUYmeO.exe

Filesize
5.2MB

MD5
4623232ee20ad694c64c5a34ac792d26

SHA1
c75152173be80e336eb2c370f9a55a0e1b1fea24

SHA256
108a8010a1a93b288037455d299df51f6806a694fc22fd9914ceb3d45ba63608

SHA512
9a6c22f9803870e0491a52a20ecc4a2f1d10ecb7e15f31e27b0ee0386ca5cdcf88d012251c7aa423746638c18a57b0ac2bd172e196e09d88758ec86b37fe1cf2

Download Submit
C:\Windows\System\FGfhOea.exe

Filesize
5.2MB

MD5
07bdd5932619bdff897690025b3e5ef4

SHA1
9395e92ef2e0679957893fd8ccc408a25b9cb9d5

SHA256
0bd0ba5ab11dba7add5f074ca692d83df11b722d53a609e20c8ab4f8b12bf550

SHA512
c3723f2e2bec63058b2f4646a825de99c26056a0dae60814bb83fcb676018e8c9c3353be78c2d5b371547e22552511ac9f6d4448c00c755c021e4cbee29fab70

Download Submit
C:\Windows\System\HnQCYcy.exe

Filesize
5.2MB

MD5
15ad4c2b823d217df443253cd9795bd9

SHA1
ec06fd338ab123089c179ce510c8a579a8d5f9d9

SHA256
13eecc2115690737144e2bbd73fbe57ebe4e76a1f7c8dc174e8be5e471ad232d

SHA512
6791b65b4250d6c6ec1e418829e965a0a665c0c0729218ca59e562d5d11b1ddac8ab63854652b61a1269b167137191a70bc9fdd4ee04fce7def0b7f5f22d7e24

Download Submit
C:\Windows\System\LGgKqjk.exe

Filesize
5.2MB

MD5
84ec99a655b538bacf8d5c1d585a39d9

SHA1
ce0ef7cac64897968d6085cc1ed503fc93fa0a9f

SHA256
55c966dfdb65016cec5b6001ecb617c14e07cbae13c6150afdcf000d7c641ec1

SHA512
9ccd978723f736ccbbf4833982445d909eb0691607fd0c29778ebab36c79f4362da780fc368af284359468427da488c6d5d9128c3ae44fe857d8a03a7ebbeaa6

Download Submit
C:\Windows\System\LWbdxsO.exe

Filesize
5.2MB

MD5
4cdd45f1796493b2d21e406e22195b3a

SHA1
c65241b36a48cb65f3b89a928fb3ad3861732d34

SHA256
b02b6331553f334161d515397247688a44c4890554153925140fa3ca400c4bc4

SHA512
8f3150e68e8624ce31b2c41fc259e9b9b5f3a80dbb2c03041814b65feebf0f9fe69b0efaf45d78b3eeb3248031261fdd1686fef3ff79d20ef04b1c68eeb6e7d5

Download Submit
C:\Windows\System\LgwBgta.exe

Filesize
5.2MB

MD5
af8edcd55957cf9f0832b924dfded51b

SHA1
bbb606b278b6d6f42501359f5d948906d99640a1

SHA256
d60f59a9f405c02c38134a589dfaf86cb2316becbcff3e70ad2ef965c2609d8e

SHA512
3192f272ab4432c9acdc3359361a49f5160242be70ba5ba868cefaa3c620df33a6ee84d1103fe67c69a30e1d1d2e67ed5884ba62f99bd0b3dbc89fb87847f709

Download Submit
C:\Windows\System\RWAjnoP.exe

Filesize
5.2MB

MD5
3b419bb60c26cee3f38d7b19f1d8d841

SHA1
632c0e4e198208e4dbb6f442e0950edd8f454798

SHA256
ba1fdfe5078d8ec45ac0c89c4acc73c3b5fab1713266de235a8703f84774223c

SHA512
81151ddbc49e2a64e014e7f7e430b0f5cf1e7b11028de3f9597cc221dcf690329df6a4b5f6fe3aabce0130549eea7bd4c6154ebfb3af7dc070a7f21521422b49

Download Submit
C:\Windows\System\VBUZVxN.exe

Filesize
5.2MB

MD5
ac95943b3aa2b067f2e0f19cc8afc396

SHA1
1a731b01a7704f944ebe906ed7f2faa90ca067a0

SHA256
e37ddaeeeaf8ca1e186abdc04e5de7205d1092520ede1d311ca75c1c29ea2c60

SHA512
0ea906ac5385cd3a65c245e292079b4f446067522bbd0f783d7e78709719df7542321a1ead5d0902e23514aafd2d5903c0615ff606e6332d3d8caff376bacdd9

Download Submit
C:\Windows\System\VHZPLIO.exe

Filesize
5.2MB

MD5
d3233dbd649f91c665bce228a45b34d9

SHA1
ec127e9b19727c14669f9ef715b094547f4a026f

SHA256
df5bbf586d046be0ce1b90f8c9ce979ed5b5c4d2465551f0093450a850d1550b

SHA512
dd2f8ea41973a21e385f8702f4069bf9fae35db13bb65722abfd5dbb6a9af8528d97ea82f164db17cd644c66d3d49c953af6e3fc74efb3f5e9ecce6de3f75d26

Download Submit
C:\Windows\System\ZxIEBEB.exe

Filesize
5.2MB

MD5
41bb01fdd7b23836b97e488dbec2bb99

SHA1
a93c9cb5383b963d008358f93ee847699a552950

SHA256
ff7772a0b394670a1bf31ce169d8ec27a9075f6e80a8e1a0787c20e9bc09f22d

SHA512
4c80babb97fe3f402325de5af7e492fd1abe2f090ca9bfd950a64510220629871c4153a96bbfabca7257a8a0cfad5163d45c1661639a591e38dbaff5cd422bef

Download Submit
C:\Windows\System\dRpfYGL.exe

Filesize
5.2MB

MD5
d6cf7030759507016b5f87068e061c3b

SHA1
ac178d52851cc5906f47f81de9a6b13fccbeb8ea

SHA256
f379b4a8311b4d9092ddaef997747ff9bbbb438538fe87832c907da75ed5bd75

SHA512
b0acfd84f2d21d79e11cd7e28bbb14ced11224ccfad15299df209d2422fa6cfe4423124f2ebb1046da1a4d9cc515da8f03ce05006c9b5bf5b6b30789d96bec14

Download Submit
C:\Windows\System\ddrjsMV.exe

Filesize
5.2MB

MD5
1c664e3014e51f74e022feb4ad00b714

SHA1
9d5e515e39ef666cfab628caa684d772afbfac06

SHA256
fe17d2b05bb4c7e44520ad4ad540eaf0d77023f6f8bab978d7838cefdbbb3b00

SHA512
ee39ae081690b3021fbfda1980d2c2646e86433647fb873231c0f923c6b0d072eaa305458e1b98cb4a978e1c301117d8982e18a5921c67fef32c1fd006e53f0e

Download Submit
C:\Windows\System\euuctCI.exe

Filesize
5.2MB

MD5
e7ad9d219dccfece3c3371128d02d4a1

SHA1
ba1f71b086276840ac6d934e18755e2465e3fe3b

SHA256
4464a93b965036c6153cb9fb7f0a65e04e883d7f6a52277942b7b4bb378438a7

SHA512
9450fe4e80509879725ad29dbbc8d1472b3c66150a5beb70588f06decd87eab0fac195dee476555871b7f5d537ba29722663062f7b561e9c7213a06d6fdf30ae

Download Submit
C:\Windows\System\iNNixyw.exe

Filesize
5.2MB

MD5
9eececaeec2dbfd423ef9091eecd227a

SHA1
d425e80ae11766b3c8098428c8c3b0902637fc2f

SHA256
fe080b2202db0de5662a78b9a868d3a95178b78532825f4eb859118bb4d74d5f

SHA512
b0e6171c24f7569ba06e5c3a940cb9b509dfeb6607133845fcc3b9fc64d41576fef604d626827f4cdb9acb06b26dd3034d7eca414d579882cb4e26addff8a81d

Download Submit
C:\Windows\System\jKXkXXu.exe

Filesize
5.2MB

MD5
9ea1bac723d96d10a35620c0f1eebb57

SHA1
3e3cf9a7225b5ec7ded542c6074a3740a80249f0

SHA256
a11d999616528ba4ee2c6402d8ed76cd9f12996f49d9fd2528b987e6aef34f8f

SHA512
d434516b46e99d80f96763d6d4f02753516ad5657de335a3f3a5aae45782812421f82a14b9ba874c8b585de22be6477ac38c036f6d6db5941e5593fc5dedcef0

Download Submit
C:\Windows\System\qRErUNl.exe

Filesize
5.2MB

MD5
db4be938a9082ebc5b9631792415ef13

SHA1
ba71eeaf377ffdc0e063c6855627b1cf16d9824d

SHA256
69277b3274bf1a88f5198b9a7b0c299304ded48aa196b7a8583408f998bfdad2

SHA512
08588502cece1728385e49370ecdfb9ee7b04aabbe588fd484264bbab9e3ef0ba2cec02b2e11d9b500f91ff04b75a08eeef0f0849a4c560957fcc3bffd801075

Download Submit
C:\Windows\System\sFgaZGF.exe

Filesize
5.2MB

MD5
d79bbeb0a9d42b9097e7c0168d0bb3f6

SHA1
bbadb582b780a1b8fed620d068b4561ca894eed9

SHA256
5c8b306d084be4cc292d5d59f4cd16046cdf4fc626698d545446c11e2725e891

SHA512
8ef893d7d3b83a80d2ccbb48a14d48e220ebde175822b96695ba5909ddff46e7c786c00cda9fb6cd292b2eea0a2eefb4309ff9c2ad8f8698f834b0534bb719ad

Download Submit
C:\Windows\System\thyvEFS.exe

Filesize
5.2MB

MD5
a0b18e0b0b560dbc8c78f732cae0e2e5

SHA1
14b4343e9ca26e837734f7ee58d93cbf1de47db0

SHA256
34d2aa11051147bc97fed37d13a8ebc2d0a637112ebcd4d61129890bc2eb439e

SHA512
c33b2f6a8a7cca31964d8e948310f9f7f179c5eef5a3261f408feec8891ccacfbd30352cb2bc85344b9198b7278bf7f248f70e47101ace425fa73cfd3aff43bd

Download Submit
C:\Windows\System\uSoeaDI.exe

Filesize
5.2MB

MD5
aef5dc0b4a3f57a2304fbb5404456827

SHA1
cd2b9a59032c0e43fe701903b4968ca8bbe3533d

SHA256
089a82f142717d5f4d851461069e768f1d79b3f804b0ba8a9eb77feb30b3656a

SHA512
28a7406bcc80c22568093998de24122d99bf24db01d8f06579f90735fad440e4916f1babda28851ed127657b7108bc62d2b3e676aba2dd68fc6fd85def7c7846

Download Submit
C:\Windows\System\xaqOfvC.exe

Filesize
5.2MB

MD5
159ce9a9026ad9f5e0ef9ff266cfd5c1

SHA1
02f2c0061ad796bcc1c2ea77625a512f45136700

SHA256
0d8bd7875d19fcc689793d6e9a601b9d1f1aa9855957e41d720b37581fb6cf48

SHA512
89b1d48ad4a50bd08fa86b6418ad568b4ab15114187e3078660d06eb7e02e5211bf8caaa8b0c9f09a414d3ed0355c3c6a01dc1b438ed61fa8012271dc7f4ddf7

Download Submit
C:\Windows\System\zUowHEH.exe

Filesize
5.2MB

MD5
a3f50c5a448090365b2c8efce34b221f

SHA1
a9642f8bd6b8496938e97859c7ab9d8144d1bd74

SHA256
5a60a9497dcb3bb125fa6402d746edf45e2d67cc7a4d9d1fe0ebec5938b807e9

SHA512
f5f0e12dcbcc46467072c372981e82dcb0de8b276cb71d1ec4d50753e927682c030774e5ddf8fc9eabb8a59491bc18eadce11f2dd50f8990749266a329f145db

Download Submit
memory/60-123-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp

Filesize
3.3MB

Download
memory/60-161-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp

Filesize
3.3MB

Download
memory/60-269-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp

Filesize
3.3MB

Download
memory/548-130-0x00007FF6A2810000-0x00007FF6A2B61000-memory.dmp

Filesize
3.3MB

Download
memory/548-271-0x00007FF6A2810000-0x00007FF6A2B61000-memory.dmp

Filesize
3.3MB

Download
memory/548-165-0x00007FF6A2810000-0x00007FF6A2B61000-memory.dmp

Filesize
3.3MB

Download
memory/756-139-0x00007FF628DF0000-0x00007FF629141000-memory.dmp

Filesize
3.3MB

Download
memory/756-0-0x00007FF628DF0000-0x00007FF629141000-memory.dmp

Filesize
3.3MB

Download
memory/756-1-0x000002B970FC0000-0x000002B970FD0000-memory.dmp

Filesize
64KB

Download
memory/756-84-0x00007FF628DF0000-0x00007FF629141000-memory.dmp

Filesize
3.3MB

Download
memory/756-166-0x00007FF628DF0000-0x00007FF629141000-memory.dmp

Filesize
3.3MB

Download
memory/796-258-0x00007FF64E810000-0x00007FF64EB61000-memory.dmp

Filesize
3.3MB

Download
memory/796-154-0x00007FF64E810000-0x00007FF64EB61000-memory.dmp

Filesize
3.3MB

Download
memory/796-98-0x00007FF64E810000-0x00007FF64EB61000-memory.dmp

Filesize
3.3MB

Download
memory/1176-247-0x00007FF60D180000-0x00007FF60D4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1176-61-0x00007FF60D180000-0x00007FF60D4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1176-122-0x00007FF60D180000-0x00007FF60D4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-55-0x00007FF76FC80000-0x00007FF76FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-233-0x00007FF76FC80000-0x00007FF76FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2380-105-0x00007FF740D20000-0x00007FF741071000-memory.dmp

Filesize
3.3MB

Download
memory/2380-156-0x00007FF740D20000-0x00007FF741071000-memory.dmp

Filesize
3.3MB

Download
memory/2380-262-0x00007FF740D20000-0x00007FF741071000-memory.dmp

Filesize
3.3MB

Download
memory/2780-108-0x00007FF6F2B40000-0x00007FF6F2E91000-memory.dmp

Filesize
3.3MB

Download
memory/2780-243-0x00007FF6F2B40000-0x00007FF6F2E91000-memory.dmp

Filesize
3.3MB

Download
memory/2780-44-0x00007FF6F2B40000-0x00007FF6F2E91000-memory.dmp

Filesize
3.3MB

Download
memory/2800-8-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp

Filesize
3.3MB

Download
memory/2800-223-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp

Filesize
3.3MB

Download
memory/2800-91-0x00007FF74A3E0000-0x00007FF74A731000-memory.dmp

Filesize
3.3MB

Download
memory/2864-138-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-88-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-255-0x00007FF7B2690000-0x00007FF7B29E1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-236-0x00007FF6EEEF0000-0x00007FF6EF241000-memory.dmp

Filesize
3.3MB

Download
memory/2964-60-0x00007FF6EEEF0000-0x00007FF6EF241000-memory.dmp

Filesize
3.3MB

Download
memory/3128-106-0x00007FF623250000-0x00007FF6235A1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-32-0x00007FF623250000-0x00007FF6235A1000-memory.dmp

Filesize
3.3MB

Download
memory/3128-231-0x00007FF623250000-0x00007FF6235A1000-memory.dmp

Filesize
3.3MB

Download
memory/3312-225-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp

Filesize
3.3MB

Download
memory/3312-20-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp

Filesize
3.3MB

Download
memory/3312-93-0x00007FF6707F0000-0x00007FF670B41000-memory.dmp

Filesize
3.3MB

Download
memory/3524-38-0x00007FF68CF70000-0x00007FF68D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3524-229-0x00007FF68CF70000-0x00007FF68D2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-134-0x00007FF6D2270000-0x00007FF6D25C1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-72-0x00007FF6D2270000-0x00007FF6D25C1000-memory.dmp

Filesize
3.3MB

Download
memory/3536-245-0x00007FF6D2270000-0x00007FF6D25C1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-78-0x00007FF62FC60000-0x00007FF62FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-137-0x00007FF62FC60000-0x00007FF62FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3796-250-0x00007FF62FC60000-0x00007FF62FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3832-62-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp

Filesize
3.3MB

Download
memory/3832-237-0x00007FF6A9280000-0x00007FF6A95D1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-227-0x00007FF637180000-0x00007FF6374D1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-21-0x00007FF637180000-0x00007FF6374D1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-102-0x00007FF637180000-0x00007FF6374D1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-260-0x00007FF7E3670000-0x00007FF7E39C1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-155-0x00007FF7E3670000-0x00007FF7E39C1000-memory.dmp

Filesize
3.3MB

Download
memory/4892-103-0x00007FF7E3670000-0x00007FF7E39C1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-128-0x00007FF7EC650000-0x00007FF7EC9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-248-0x00007FF7EC650000-0x00007FF7EC9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4928-63-0x00007FF7EC650000-0x00007FF7EC9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4960-164-0x00007FF7C4D40000-0x00007FF7C5091000-memory.dmp

Filesize
3.3MB

Download
memory/4960-133-0x00007FF7C4D40000-0x00007FF7C5091000-memory.dmp

Filesize
3.3MB

Download
memory/4960-273-0x00007FF7C4D40000-0x00007FF7C5091000-memory.dmp

Filesize
3.3MB

Download
memory/5028-160-0x00007FF652F00000-0x00007FF653251000-memory.dmp

Filesize
3.3MB

Download
memory/5028-267-0x00007FF652F00000-0x00007FF653251000-memory.dmp

Filesize
3.3MB

Download
memory/5028-116-0x00007FF652F00000-0x00007FF653251000-memory.dmp

Filesize
3.3MB

Download