cobaltstrike | 576d9a34f89e6f9edfbdbc7d119e5035598c7b9814ce56c92b56952b42dec065

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/09/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

615a686480c1fc11ff80476c48f7a2c1
SHA1

ec5db36d6c4c0d87ad52c9bb14266b4941028de5
SHA256

576d9a34f89e6f9edfbdbc7d119e5035598c7b9814ce56c92b56952b42dec065
SHA512

58844f3ff24ffa54702628b1d271662d13d0de48eba4ed98d5d03b14a0080ac9a4f874cc75ce53ea4d6d854466a3aaa7652454bf2bb038ccd64bd8ffabdc10a2
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibf56utgpPFotBER/mQ32lUb

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234e2-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e7-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e6-9.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234e3-22.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-38.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-76.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-54.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-82.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f5-107.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f6-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f7-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f8-128.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fa-140.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f9-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2040-72-0x00007FF75CA50000-0x00007FF75CDA1000-memory.dmp	xmrig
behavioral2/memory/4620-71-0x00007FF63AE70000-0x00007FF63B1C1000-memory.dmp	xmrig
behavioral2/memory/4820-67-0x00007FF7A1C40000-0x00007FF7A1F91000-memory.dmp	xmrig
behavioral2/memory/2488-59-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp	xmrig
behavioral2/memory/5012-79-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	xmrig
behavioral2/memory/4444-86-0x00007FF712320000-0x00007FF712671000-memory.dmp	xmrig
behavioral2/memory/1708-98-0x00007FF66FAB0000-0x00007FF66FE01000-memory.dmp	xmrig
behavioral2/memory/3612-105-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	xmrig
behavioral2/memory/3732-104-0x00007FF610E20000-0x00007FF611171000-memory.dmp	xmrig
behavioral2/memory/3748-95-0x00007FF6F2320000-0x00007FF6F2671000-memory.dmp	xmrig
behavioral2/memory/4352-90-0x00007FF7106D0000-0x00007FF710A21000-memory.dmp	xmrig
behavioral2/memory/1948-125-0x00007FF6E5A70000-0x00007FF6E5DC1000-memory.dmp	xmrig
behavioral2/memory/2416-120-0x00007FF7ED4D0000-0x00007FF7ED821000-memory.dmp	xmrig
behavioral2/memory/4520-111-0x00007FF7E9030000-0x00007FF7E9381000-memory.dmp	xmrig
behavioral2/memory/4792-134-0x00007FF6DF880000-0x00007FF6DFBD1000-memory.dmp	xmrig
behavioral2/memory/2488-142-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp	xmrig
behavioral2/memory/1840-146-0x00007FF74D960000-0x00007FF74DCB1000-memory.dmp	xmrig
behavioral2/memory/1676-155-0x00007FF601D20000-0x00007FF602071000-memory.dmp	xmrig
behavioral2/memory/3520-157-0x00007FF760AC0000-0x00007FF760E11000-memory.dmp	xmrig
behavioral2/memory/5056-159-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	xmrig
behavioral2/memory/3832-161-0x00007FF7E0DF0000-0x00007FF7E1141000-memory.dmp	xmrig
behavioral2/memory/1820-167-0x00007FF6727E0000-0x00007FF672B31000-memory.dmp	xmrig
behavioral2/memory/1796-170-0x00007FF68D930000-0x00007FF68DC81000-memory.dmp	xmrig
behavioral2/memory/2488-171-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp	xmrig
behavioral2/memory/4620-220-0x00007FF63AE70000-0x00007FF63B1C1000-memory.dmp	xmrig
behavioral2/memory/4820-222-0x00007FF7A1C40000-0x00007FF7A1F91000-memory.dmp	xmrig
behavioral2/memory/2040-233-0x00007FF75CA50000-0x00007FF75CDA1000-memory.dmp	xmrig
behavioral2/memory/5012-235-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	xmrig
behavioral2/memory/4444-237-0x00007FF712320000-0x00007FF712671000-memory.dmp	xmrig
behavioral2/memory/3748-239-0x00007FF6F2320000-0x00007FF6F2671000-memory.dmp	xmrig
behavioral2/memory/4352-241-0x00007FF7106D0000-0x00007FF710A21000-memory.dmp	xmrig
behavioral2/memory/3612-243-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	xmrig
behavioral2/memory/3732-247-0x00007FF610E20000-0x00007FF611171000-memory.dmp	xmrig
behavioral2/memory/4520-246-0x00007FF7E9030000-0x00007FF7E9381000-memory.dmp	xmrig
behavioral2/memory/2416-251-0x00007FF7ED4D0000-0x00007FF7ED821000-memory.dmp	xmrig
behavioral2/memory/1948-250-0x00007FF6E5A70000-0x00007FF6E5DC1000-memory.dmp	xmrig
behavioral2/memory/4792-254-0x00007FF6DF880000-0x00007FF6DFBD1000-memory.dmp	xmrig
behavioral2/memory/1708-260-0x00007FF66FAB0000-0x00007FF66FE01000-memory.dmp	xmrig
behavioral2/memory/1840-262-0x00007FF74D960000-0x00007FF74DCB1000-memory.dmp	xmrig
behavioral2/memory/1676-264-0x00007FF601D20000-0x00007FF602071000-memory.dmp	xmrig
behavioral2/memory/3520-268-0x00007FF760AC0000-0x00007FF760E11000-memory.dmp	xmrig
behavioral2/memory/5056-270-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	xmrig
behavioral2/memory/3832-272-0x00007FF7E0DF0000-0x00007FF7E1141000-memory.dmp	xmrig
behavioral2/memory/1820-276-0x00007FF6727E0000-0x00007FF672B31000-memory.dmp	xmrig
behavioral2/memory/1796-279-0x00007FF68D930000-0x00007FF68DC81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4820	iIwnvQF.exe
4620	QEAvdFb.exe
2040	aueGycd.exe
5012	TFOxJsr.exe
4444	iaAmSnN.exe
4352	oJGnXWW.exe
3748	ghorMEP.exe
3732	xcsogsJ.exe
3612	xkhUGhw.exe
4520	PWhIEEm.exe
2416	WhnlhVv.exe
1948	ntybaWp.exe
4792	RqmEaxN.exe
1708	NFaVMQW.exe
1840	vCeulOY.exe
1676	VVlbBFh.exe
3520	KjxNodv.exe
5056	XyrsqbB.exe
3832	ATdWEBI.exe
1820	FIzTReP.exe
1796	tFgQaJY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2488-0-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp	upx
behavioral2/files/0x00080000000234e2-4.dat	upx
behavioral2/files/0x00070000000234e7-10.dat	upx
behavioral2/memory/4620-13-0x00007FF63AE70000-0x00007FF63B1C1000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-9.dat	upx
behavioral2/memory/4820-6-0x00007FF7A1C40000-0x00007FF7A1F91000-memory.dmp	upx
behavioral2/files/0x00080000000234e3-22.dat	upx
behavioral2/memory/5012-26-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	upx
behavioral2/files/0x00070000000234ea-36.dat	upx
behavioral2/files/0x00070000000234e9-33.dat	upx
behavioral2/memory/4444-28-0x00007FF712320000-0x00007FF712671000-memory.dmp	upx
behavioral2/memory/2040-23-0x00007FF75CA50000-0x00007FF75CDA1000-memory.dmp	upx
behavioral2/files/0x00070000000234eb-38.dat	upx
behavioral2/memory/4352-40-0x00007FF7106D0000-0x00007FF710A21000-memory.dmp	upx
behavioral2/memory/3732-51-0x00007FF610E20000-0x00007FF611171000-memory.dmp	upx
behavioral2/files/0x00070000000234ee-56.dat	upx
behavioral2/memory/4520-60-0x00007FF7E9030000-0x00007FF7E9381000-memory.dmp	upx
behavioral2/files/0x00070000000234ef-66.dat	upx
behavioral2/memory/2416-68-0x00007FF7ED4D0000-0x00007FF7ED821000-memory.dmp	upx
behavioral2/files/0x00070000000234f0-76.dat	upx
behavioral2/memory/1948-75-0x00007FF6E5A70000-0x00007FF6E5DC1000-memory.dmp	upx
behavioral2/memory/2040-72-0x00007FF75CA50000-0x00007FF75CDA1000-memory.dmp	upx
behavioral2/memory/4620-71-0x00007FF63AE70000-0x00007FF63B1C1000-memory.dmp	upx
behavioral2/memory/4820-67-0x00007FF7A1C40000-0x00007FF7A1F91000-memory.dmp	upx
behavioral2/memory/2488-59-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-57.dat	upx
behavioral2/files/0x00070000000234ed-54.dat	upx
behavioral2/memory/3612-53-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	upx
behavioral2/memory/3748-43-0x00007FF6F2320000-0x00007FF6F2671000-memory.dmp	upx
behavioral2/memory/5012-79-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp	upx
behavioral2/files/0x00070000000234f1-82.dat	upx
behavioral2/memory/4792-83-0x00007FF6DF880000-0x00007FF6DFBD1000-memory.dmp	upx
behavioral2/memory/4444-86-0x00007FF712320000-0x00007FF712671000-memory.dmp	upx
behavioral2/files/0x00070000000234f2-89.dat	upx
behavioral2/memory/1708-98-0x00007FF66FAB0000-0x00007FF66FE01000-memory.dmp	upx
behavioral2/memory/1676-106-0x00007FF601D20000-0x00007FF602071000-memory.dmp	upx
behavioral2/files/0x00070000000234f5-107.dat	upx
behavioral2/memory/3612-105-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp	upx
behavioral2/memory/3732-104-0x00007FF610E20000-0x00007FF611171000-memory.dmp	upx
behavioral2/memory/1840-99-0x00007FF74D960000-0x00007FF74DCB1000-memory.dmp	upx
behavioral2/files/0x00070000000234f4-97.dat	upx
behavioral2/memory/3748-95-0x00007FF6F2320000-0x00007FF6F2671000-memory.dmp	upx
behavioral2/memory/4352-90-0x00007FF7106D0000-0x00007FF710A21000-memory.dmp	upx
behavioral2/files/0x00070000000234f6-114.dat	upx
behavioral2/files/0x00070000000234f7-118.dat	upx
behavioral2/memory/1948-125-0x00007FF6E5A70000-0x00007FF6E5DC1000-memory.dmp	upx
behavioral2/files/0x00070000000234f8-128.dat	upx
behavioral2/memory/3832-127-0x00007FF7E0DF0000-0x00007FF7E1141000-memory.dmp	upx
behavioral2/memory/5056-123-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	upx
behavioral2/memory/2416-120-0x00007FF7ED4D0000-0x00007FF7ED821000-memory.dmp	upx
behavioral2/memory/3520-113-0x00007FF760AC0000-0x00007FF760E11000-memory.dmp	upx
behavioral2/memory/4520-111-0x00007FF7E9030000-0x00007FF7E9381000-memory.dmp	upx
behavioral2/memory/4792-134-0x00007FF6DF880000-0x00007FF6DFBD1000-memory.dmp	upx
behavioral2/memory/1820-135-0x00007FF6727E0000-0x00007FF672B31000-memory.dmp	upx
behavioral2/files/0x00070000000234fa-140.dat	upx
behavioral2/memory/1796-138-0x00007FF68D930000-0x00007FF68DC81000-memory.dmp	upx
behavioral2/files/0x00070000000234f9-133.dat	upx
behavioral2/memory/2488-142-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp	upx
behavioral2/memory/1840-146-0x00007FF74D960000-0x00007FF74DCB1000-memory.dmp	upx
behavioral2/memory/1676-155-0x00007FF601D20000-0x00007FF602071000-memory.dmp	upx
behavioral2/memory/3520-157-0x00007FF760AC0000-0x00007FF760E11000-memory.dmp	upx
behavioral2/memory/5056-159-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp	upx
behavioral2/memory/3832-161-0x00007FF7E0DF0000-0x00007FF7E1141000-memory.dmp	upx
behavioral2/memory/1820-167-0x00007FF6727E0000-0x00007FF672B31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xcsogsJ.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PWhIEEm.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NFaVMQW.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vCeulOY.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iIwnvQF.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TFOxJsr.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oJGnXWW.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ghorMEP.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VVlbBFh.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KjxNodv.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ATdWEBI.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aueGycd.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iaAmSnN.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WhnlhVv.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RqmEaxN.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QEAvdFb.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FIzTReP.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tFgQaJY.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xkhUGhw.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ntybaWp.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XyrsqbB.exe	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 4820	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2488 wrote to memory of 4820	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2488 wrote to memory of 4620	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2488 wrote to memory of 4620	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2488 wrote to memory of 2040	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2488 wrote to memory of 2040	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2488 wrote to memory of 5012	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2488 wrote to memory of 5012	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2488 wrote to memory of 4444	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2488 wrote to memory of 4444	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2488 wrote to memory of 4352	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2488 wrote to memory of 4352	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2488 wrote to memory of 3748	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2488 wrote to memory of 3748	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2488 wrote to memory of 3612	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2488 wrote to memory of 3612	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2488 wrote to memory of 3732	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2488 wrote to memory of 3732	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2488 wrote to memory of 4520	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2488 wrote to memory of 4520	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2488 wrote to memory of 2416	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2488 wrote to memory of 2416	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2488 wrote to memory of 1948	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2488 wrote to memory of 1948	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2488 wrote to memory of 4792	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2488 wrote to memory of 4792	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2488 wrote to memory of 1708	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2488 wrote to memory of 1708	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2488 wrote to memory of 1840	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2488 wrote to memory of 1840	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2488 wrote to memory of 1676	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2488 wrote to memory of 1676	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2488 wrote to memory of 3520	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2488 wrote to memory of 3520	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2488 wrote to memory of 5056	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2488 wrote to memory of 5056	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2488 wrote to memory of 3832	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2488 wrote to memory of 3832	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2488 wrote to memory of 1820	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2488 wrote to memory of 1820	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2488 wrote to memory of 1796	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2488 wrote to memory of 1796	2488	2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_615a686480c1fc11ff80476c48f7a2c1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\System\iIwnvQF.exe
  C:\Windows\System\iIwnvQF.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\QEAvdFb.exe
  C:\Windows\System\QEAvdFb.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\aueGycd.exe
  C:\Windows\System\aueGycd.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\TFOxJsr.exe
  C:\Windows\System\TFOxJsr.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\iaAmSnN.exe
  C:\Windows\System\iaAmSnN.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\oJGnXWW.exe
  C:\Windows\System\oJGnXWW.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\ghorMEP.exe
  C:\Windows\System\ghorMEP.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\xkhUGhw.exe
  C:\Windows\System\xkhUGhw.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\xcsogsJ.exe
  C:\Windows\System\xcsogsJ.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\PWhIEEm.exe
  C:\Windows\System\PWhIEEm.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\WhnlhVv.exe
  C:\Windows\System\WhnlhVv.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\ntybaWp.exe
  C:\Windows\System\ntybaWp.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\RqmEaxN.exe
  C:\Windows\System\RqmEaxN.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\NFaVMQW.exe
  C:\Windows\System\NFaVMQW.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\vCeulOY.exe
  C:\Windows\System\vCeulOY.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\VVlbBFh.exe
  C:\Windows\System\VVlbBFh.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\KjxNodv.exe
  C:\Windows\System\KjxNodv.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\XyrsqbB.exe
  C:\Windows\System\XyrsqbB.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\ATdWEBI.exe
  C:\Windows\System\ATdWEBI.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\FIzTReP.exe
  C:\Windows\System\FIzTReP.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\tFgQaJY.exe
  C:\Windows\System\tFgQaJY.exe
  2⤵
  - Executes dropped EXE
  PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ATdWEBI.exe

Filesize
5.2MB

MD5
dbc03a755ea5383d54f48aa570bd37ac

SHA1
e7603b1e5738843969e6c38479a5008923c676f3

SHA256
5b1f962b3e0c4c476a8010793dffaebec4d766786e96c385e022fab217f04797

SHA512
31b83717fe6f2a9ffaea3ecdd06dc02b28221422989b0a02794a588a001ec18ec30df871c4cf470f88ff7938afab134afce79c1af6af6a6b8790e27562d615c3

Download Submit
C:\Windows\System\FIzTReP.exe

Filesize
5.2MB

MD5
b4243b1f6f21c6acaa67aac9fff56ba6

SHA1
bfde78f0c8a7c0e56be4ec01377e0f36b7012b2a

SHA256
8362cdc125882c39432a9a7116f36fb0ec9ea6a6baddeecf2496085e47a856a4

SHA512
589391866cc96fda9075439481353e1eed2004849b1199fc446a1bef776390cf2fcb01e2365019a42bc09ed6bdb5d81a60c2123456cc9c2fc752abbc9370cd6c

Download Submit
C:\Windows\System\KjxNodv.exe

Filesize
5.2MB

MD5
00a3b3036f3ef835ce9e22036999b8f7

SHA1
8e3fe0aaa989ab3a52908d9fd160eecf585b5888

SHA256
ef67f060efec8bf176fa87a44eafd7522d3c384e91d8fbcc4cab1b092c214d52

SHA512
239ec52b51a8e41fea68a7237dc6827c31f95ac78e2d99f2cf4a274b33d888dfc996096a6407a482bba3142cb3f056e0a104c78d90577e3548261ee4c1e0a0f5

Download Submit
C:\Windows\System\NFaVMQW.exe

Filesize
5.2MB

MD5
68d5cc8cf9f1f8203347f4172a9e803c

SHA1
9b161d85194edd2cde140ae19b3b7248e974ddcd

SHA256
be29698e189c6d82c9e439269106713c2074a604fc5d9aef53d3a0dcf0eac559

SHA512
34c00808ea34c39b696eb13d42b29846b7db0f875b763aaf0e12e8c813f93568c070c6252166901b9646bcaaef7b02d4b5ecf3b74b0da48f05ac5ec17ece0cd4

Download Submit
C:\Windows\System\PWhIEEm.exe

Filesize
5.2MB

MD5
fcf9998072d9af2026f82e71561286e8

SHA1
3d46864b61c231cf921de7bfdbd6f6048bc0c872

SHA256
e474e36f9438467cc7bb9b196ec72b0ba54717bad08fedd4ecc2a07348db67d7

SHA512
ba432e086dff1efb81601f7df1dd09647b1c05676587cfbac947b4559ad32a2b6eeee4e2a43ee34675cd00b6ce8dd93bc688c17b211f5b8e6de8b0f492cc13f5

Download Submit
C:\Windows\System\QEAvdFb.exe

Filesize
5.2MB

MD5
227c1ce6c5ec645a0c694797351bcbdd

SHA1
e02c6b9feba74f930bc884e3720bc7147ea4296c

SHA256
eae24b198545392970b77a375ebb61048fc061e4cb77e70c0969d82861b5578f

SHA512
e1590c451bdd009a1a74ca4ddcb437b9e17afe337fb08fc3214054bf7263b1c4049a9763564fcf15bea2c997d60ac84c4544d5dedf48efe98306bd596d5a11b6

Download Submit
C:\Windows\System\RqmEaxN.exe

Filesize
5.2MB

MD5
1fc71f0b50f021492170801b9cb9c370

SHA1
9496b85ccf4a420d25b1c4b778d01a44fd2c7509

SHA256
3a2cf08c5361c0d904d3e4bf27e248360ad4867bce4c3147aa18de2f78ed7172

SHA512
01a25d1fb647ba3d005a21c1275e676c18f0dc052714a80678b3b6dad4053b09f8644f5faccc973eba51f1761eb8da9ea3f3ba24e9f5d2ccf6d4dee78f3bf830

Download Submit
C:\Windows\System\TFOxJsr.exe

Filesize
5.2MB

MD5
ea0915adffdd2aa9c1a4daaa1522a8ad

SHA1
d2a65287ad965e94e0fbcc397e58bb9969e1b197

SHA256
bb1e8572c66bed2592cfeaa80c09cc3ea02f212fa22b3be22324afb5cecfebf3

SHA512
aea89220c3a709492e0cc90e4092d980dd623d81d6374c477580904285c37518497b4e8a4708f988ebb94d6a5d29c329b8bc0817c1dac4681edd5fdb79a7f7c7

Download Submit
C:\Windows\System\VVlbBFh.exe

Filesize
5.2MB

MD5
23afa68fdb62d781eb6d4e7fe29336dd

SHA1
a827eab49490df096f137c0416c633604e7eeec4

SHA256
3a66bc8d3cb17c6f59c9e22a89e036ca74526f9edf897771847f6023759e3ad5

SHA512
5245b239575c1f38bead8dd34579b27bfc352fbd6fdf50292ba48163ea327c25ccdc2dc8291b1cfcf4282103fcabe39f84c8b35bc4016151be024515184e167b

Download Submit
C:\Windows\System\WhnlhVv.exe

Filesize
5.2MB

MD5
52ed49da1bad563eac483a68e281e015

SHA1
ab8aff062a28b7609074f74e6c03331266d1e18a

SHA256
b054f98dcaf97b65eeb7e1f0b18856f4c8200bae501e073e286f986da61e1227

SHA512
d8e2b23162c9a04708c77cef6e9fbfd2118dfb119718b5493e98124798dcab5c7102565c3701e02ca21d6cf8a5a4a955b95d84beeb6bcc90c55daadcebee51b4

Download Submit
C:\Windows\System\XyrsqbB.exe

Filesize
5.2MB

MD5
c8dc03a5de8050061d4ee734d109d0bd

SHA1
4630f1466faef3bc3b63a983f94c8d94a651d851

SHA256
e7c57aebf77c89ff3f35943642295a552564fb4c148cb9161cb1dfe5f6156709

SHA512
d5fadabba8c62e70e78cae69e1cfa7cf61a7e07d33cb1defa81d522ff588ffef0214cc7937d775892436493160f7bfffd1f65f8de2b4c198fc6bf887cf38df16

Download Submit
C:\Windows\System\aueGycd.exe

Filesize
5.2MB

MD5
0c4f01f65227e137d15f957cb3f72419

SHA1
788414a70b1351f817148f2fb78676a814d253f5

SHA256
e9d89ab935a891c37f5e2e2f469f9db23179421f3333eef4a01b1798ca4b2500

SHA512
77e4db18c9e0cb4b550d23c08f4f910986b81e8e3e41fb45ea8f626b237300f0ed08c7679af16918a18df459b82f11f908fea0e8b32e74b9c3d73259f2e1a09b

Download Submit
C:\Windows\System\ghorMEP.exe

Filesize
5.2MB

MD5
f9b65c5877eadbd488744c302407a112

SHA1
f06ce5e12b61f539e371f9966e7e3fc90200d570

SHA256
afddcdc502bd49ec61a1a6ded7ff8102c4bfa994b05c2223bee92ff9427cb90e

SHA512
9dd5bc56649052d073289b41b1b20207edd2175e2e17ab252b687ee87fc3e3d8a549d2fc3c16db9c692d9151b49026258658a2dde522dbee8580ef04140e4b1b

Download Submit
C:\Windows\System\iIwnvQF.exe

Filesize
5.2MB

MD5
8de21c585b2d96c2edb2b7aa431ee1fe

SHA1
ca0653c287d07477e81fc538c9d8a4586c4d1151

SHA256
bf5056750ab81d6926cf7293138a8556e3c4a1abd092a8a191d54ac0807d0693

SHA512
25a52a255b4a680f5358328a561e5a48f7d0d39de09cfcaff197e12ad87d97886414340d3588d15d3a14bce6abc71670a8cc07765c11d6a1242c1299cad8116d

Download Submit
C:\Windows\System\iaAmSnN.exe

Filesize
5.2MB

MD5
c804672c0dc88347f0fa717ee32cfdd4

SHA1
3a54dd07b39d2613637e24227510d88e6cd177ba

SHA256
ca2b56a7777a92b3143b6943d8dd14e06be9c39683ff11cfd1c703cc11a2f56c

SHA512
b6c45598fe547c13f60ddbc8133fe4419c18c775cb8fd8768803633dc30717eb99422bc45ba6f699845bb1d9fdf0f1ea65779b449e22b3960bb86dfd82d633d1

Download Submit
C:\Windows\System\ntybaWp.exe

Filesize
5.2MB

MD5
3080a3ad4f810eeacc8cd7fbec529aa5

SHA1
ce0395504277f8513afda6242cfe550656abc159

SHA256
eabe6dfdf792e4a613f84778705b2d082a8a1ff5d0ca6b4cc4979cd9c0d2fadb

SHA512
559147c2554cd8b51655b5a2d2aece064fd5d5ceb352b7194603ff3d7fdab89e629c3cdf5dafd09c77452419a6938f5bc28a884919235d71ac094d3f7975f19c

Download Submit
C:\Windows\System\oJGnXWW.exe

Filesize
5.2MB

MD5
75ceae12f2ed7e70d23d0161c3b07144

SHA1
ffd5b2c485ec92ea5f452555d56ca78ff9ebb6af

SHA256
62849b389ecdb38e16dac1c741880eb7c5c785f4a79239f61d1d5f3df0d0a013

SHA512
76e27f48fea510dbb751d4a57ed9d0787e369455e4a85a9f5715ac33e7cace2f6fa43a869f80ea8005f2084176e9e1652884f75698467968157857de44387a7f

Download Submit
C:\Windows\System\tFgQaJY.exe

Filesize
5.2MB

MD5
6370cecfe2365ed5fc2671edfb32df59

SHA1
1bc6e6b51d03abce8130d009940582850adcfd59

SHA256
5654731bb18600f5b3eb4fccd98db8c35332f4776156bc9c8b18347cc4514aeb

SHA512
f95bba05351535781e984538e8f9cdf0b17e8f46d37fa1edb1cfc0e49e8792bc281e4606cd2aed8781bf973602ff6f5ed351b544ab804324103e1954e7e9d550

Download Submit
C:\Windows\System\vCeulOY.exe

Filesize
5.2MB

MD5
eecae3464a5c3da19cdea48965755c2d

SHA1
271f499af2f51d6080944e92ff95235de7f5d44b

SHA256
d46d8c283b9b1c9af9ded9463d15d7a502556771423ca5a050a0f6846afbb1da

SHA512
ca7fefc0deb26be6285e922077823064c698a9a7af85eeca60da551290655c3f3ea5e3e3844a8ce01d8fae18013c583321d89d296d2eaa0b9c7a45846d4a3619

Download Submit
C:\Windows\System\xcsogsJ.exe

Filesize
5.2MB

MD5
56f328f1334f16b39dd504bf48fff6a7

SHA1
c5e208ab315be149025be222b4921a5d82bdf786

SHA256
f1b19cda02967077f5c62cde824c2e15cc66854bc2cbb4e82159ac4abee4d381

SHA512
8978a7435ee3349bf303a8d82b07e1e8f4ee31a179ccf56fcbba294635bd0be2535bb6631a13323a6de1aa2bdf3dbb69f3a4558e04da895a502bf95314d237d0

Download Submit
C:\Windows\System\xkhUGhw.exe

Filesize
5.2MB

MD5
b2a86fd38cc98cbc6885986700443830

SHA1
c7427648fe2a21672f0136cd01e4c5f7cf3d3444

SHA256
814476d051b0dfec33b40f8cadbce34cdd51a83fda90522c830e3706ebb55d97

SHA512
3bf515f3b018dcfeeb744de53acf6c45f07bdf7559291e7116b38b6edd897fdf6d3fa4ea6c456f53e32aa26c5ba417b2c66bb6c10ca91e88cca429af7bb61198

Download Submit
memory/1676-264-0x00007FF601D20000-0x00007FF602071000-memory.dmp

Filesize
3.3MB

Download
memory/1676-155-0x00007FF601D20000-0x00007FF602071000-memory.dmp

Filesize
3.3MB

Download
memory/1676-106-0x00007FF601D20000-0x00007FF602071000-memory.dmp

Filesize
3.3MB

Download
memory/1708-98-0x00007FF66FAB0000-0x00007FF66FE01000-memory.dmp

Filesize
3.3MB

Download
memory/1708-260-0x00007FF66FAB0000-0x00007FF66FE01000-memory.dmp

Filesize
3.3MB

Download
memory/1796-138-0x00007FF68D930000-0x00007FF68DC81000-memory.dmp

Filesize
3.3MB

Download
memory/1796-279-0x00007FF68D930000-0x00007FF68DC81000-memory.dmp

Filesize
3.3MB

Download
memory/1796-170-0x00007FF68D930000-0x00007FF68DC81000-memory.dmp

Filesize
3.3MB

Download
memory/1820-276-0x00007FF6727E0000-0x00007FF672B31000-memory.dmp

Filesize
3.3MB

Download
memory/1820-167-0x00007FF6727E0000-0x00007FF672B31000-memory.dmp

Filesize
3.3MB

Download
memory/1820-135-0x00007FF6727E0000-0x00007FF672B31000-memory.dmp

Filesize
3.3MB

Download
memory/1840-99-0x00007FF74D960000-0x00007FF74DCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-262-0x00007FF74D960000-0x00007FF74DCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-146-0x00007FF74D960000-0x00007FF74DCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1948-125-0x00007FF6E5A70000-0x00007FF6E5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1948-250-0x00007FF6E5A70000-0x00007FF6E5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1948-75-0x00007FF6E5A70000-0x00007FF6E5DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-72-0x00007FF75CA50000-0x00007FF75CDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-23-0x00007FF75CA50000-0x00007FF75CDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-233-0x00007FF75CA50000-0x00007FF75CDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-120-0x00007FF7ED4D0000-0x00007FF7ED821000-memory.dmp

Filesize
3.3MB

Download
memory/2416-251-0x00007FF7ED4D0000-0x00007FF7ED821000-memory.dmp

Filesize
3.3MB

Download
memory/2416-68-0x00007FF7ED4D0000-0x00007FF7ED821000-memory.dmp

Filesize
3.3MB

Download
memory/2488-59-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp

Filesize
3.3MB

Download
memory/2488-1-0x0000024D24510000-0x0000024D24520000-memory.dmp

Filesize
64KB

Download
memory/2488-142-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp

Filesize
3.3MB

Download
memory/2488-0-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp

Filesize
3.3MB

Download
memory/2488-171-0x00007FF7F8800000-0x00007FF7F8B51000-memory.dmp

Filesize
3.3MB

Download
memory/3520-113-0x00007FF760AC0000-0x00007FF760E11000-memory.dmp

Filesize
3.3MB

Download
memory/3520-157-0x00007FF760AC0000-0x00007FF760E11000-memory.dmp

Filesize
3.3MB

Download
memory/3520-268-0x00007FF760AC0000-0x00007FF760E11000-memory.dmp

Filesize
3.3MB

Download
memory/3612-53-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp

Filesize
3.3MB

Download
memory/3612-243-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp

Filesize
3.3MB

Download
memory/3612-105-0x00007FF6A20F0000-0x00007FF6A2441000-memory.dmp

Filesize
3.3MB

Download
memory/3732-247-0x00007FF610E20000-0x00007FF611171000-memory.dmp

Filesize
3.3MB

Download
memory/3732-51-0x00007FF610E20000-0x00007FF611171000-memory.dmp

Filesize
3.3MB

Download
memory/3732-104-0x00007FF610E20000-0x00007FF611171000-memory.dmp

Filesize
3.3MB

Download
memory/3748-239-0x00007FF6F2320000-0x00007FF6F2671000-memory.dmp

Filesize
3.3MB

Download
memory/3748-95-0x00007FF6F2320000-0x00007FF6F2671000-memory.dmp

Filesize
3.3MB

Download
memory/3748-43-0x00007FF6F2320000-0x00007FF6F2671000-memory.dmp

Filesize
3.3MB

Download
memory/3832-127-0x00007FF7E0DF0000-0x00007FF7E1141000-memory.dmp

Filesize
3.3MB

Download
memory/3832-272-0x00007FF7E0DF0000-0x00007FF7E1141000-memory.dmp

Filesize
3.3MB

Download
memory/3832-161-0x00007FF7E0DF0000-0x00007FF7E1141000-memory.dmp

Filesize
3.3MB

Download
memory/4352-90-0x00007FF7106D0000-0x00007FF710A21000-memory.dmp

Filesize
3.3MB

Download
memory/4352-241-0x00007FF7106D0000-0x00007FF710A21000-memory.dmp

Filesize
3.3MB

Download
memory/4352-40-0x00007FF7106D0000-0x00007FF710A21000-memory.dmp

Filesize
3.3MB

Download
memory/4444-28-0x00007FF712320000-0x00007FF712671000-memory.dmp

Filesize
3.3MB

Download
memory/4444-86-0x00007FF712320000-0x00007FF712671000-memory.dmp

Filesize
3.3MB

Download
memory/4444-237-0x00007FF712320000-0x00007FF712671000-memory.dmp

Filesize
3.3MB

Download
memory/4520-60-0x00007FF7E9030000-0x00007FF7E9381000-memory.dmp

Filesize
3.3MB

Download
memory/4520-246-0x00007FF7E9030000-0x00007FF7E9381000-memory.dmp

Filesize
3.3MB

Download
memory/4520-111-0x00007FF7E9030000-0x00007FF7E9381000-memory.dmp

Filesize
3.3MB

Download
memory/4620-71-0x00007FF63AE70000-0x00007FF63B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-220-0x00007FF63AE70000-0x00007FF63B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-13-0x00007FF63AE70000-0x00007FF63B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-83-0x00007FF6DF880000-0x00007FF6DFBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-254-0x00007FF6DF880000-0x00007FF6DFBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-134-0x00007FF6DF880000-0x00007FF6DFBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4820-6-0x00007FF7A1C40000-0x00007FF7A1F91000-memory.dmp

Filesize
3.3MB

Download
memory/4820-67-0x00007FF7A1C40000-0x00007FF7A1F91000-memory.dmp

Filesize
3.3MB

Download
memory/4820-222-0x00007FF7A1C40000-0x00007FF7A1F91000-memory.dmp

Filesize
3.3MB

Download
memory/5012-235-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-26-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-79-0x00007FF64BDA0000-0x00007FF64C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-123-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-270-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp

Filesize
3.3MB

Download
memory/5056-159-0x00007FF6F79A0000-0x00007FF6F7CF1000-memory.dmp

Filesize
3.3MB

Download