cobaltstrike | 39a31e8fa6e9a88b8352bb9bccb56334e867a1b05df3b482b8588f6c81586a0d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1cc558ec67aa955e292376b214a9e213
SHA1

12f39c3034803ee0195243b0436560c76b4fb168
SHA256

39a31e8fa6e9a88b8352bb9bccb56334e867a1b05df3b482b8588f6c81586a0d
SHA512

018abbf7390cdf80ace583f073220aa8430f207d74faf4bbd2d97f594cff4c5e7b9a2e79f7b412f1056a251c6ef98bee3adb9ccb422f7f0de474af2bc17d7f31
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibf56utgpPFotBER/mQ32lUl

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023c94-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9b-28.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c95-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-134.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-69.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/1708-103-0x00007FF75F700000-0x00007FF75FA51000-memory.dmp	xmrig
behavioral2/memory/2860-132-0x00007FF768390000-0x00007FF7686E1000-memory.dmp	xmrig
behavioral2/memory/3572-129-0x00007FF600D90000-0x00007FF6010E1000-memory.dmp	xmrig
behavioral2/memory/1924-128-0x00007FF7E0B80000-0x00007FF7E0ED1000-memory.dmp	xmrig
behavioral2/memory/4740-118-0x00007FF66C080000-0x00007FF66C3D1000-memory.dmp	xmrig
behavioral2/memory/1636-115-0x00007FF6BC540000-0x00007FF6BC891000-memory.dmp	xmrig
behavioral2/memory/4732-113-0x00007FF6CB480000-0x00007FF6CB7D1000-memory.dmp	xmrig
behavioral2/memory/1076-111-0x00007FF70BB10000-0x00007FF70BE61000-memory.dmp	xmrig
behavioral2/memory/4552-102-0x00007FF6A34A0000-0x00007FF6A37F1000-memory.dmp	xmrig
behavioral2/memory/1224-93-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp	xmrig
behavioral2/memory/2784-67-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp	xmrig
behavioral2/memory/3648-136-0x00007FF7F14D0000-0x00007FF7F1821000-memory.dmp	xmrig
behavioral2/memory/2784-137-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp	xmrig
behavioral2/memory/220-150-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp	xmrig
behavioral2/memory/320-149-0x00007FF7D2E80000-0x00007FF7D31D1000-memory.dmp	xmrig
behavioral2/memory/1804-148-0x00007FF7204B0000-0x00007FF720801000-memory.dmp	xmrig
behavioral2/memory/4512-147-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	xmrig
behavioral2/memory/1000-152-0x00007FF7DE900000-0x00007FF7DEC51000-memory.dmp	xmrig
behavioral2/memory/2752-161-0x00007FF78C750000-0x00007FF78CAA1000-memory.dmp	xmrig
behavioral2/memory/2444-160-0x00007FF7C0350000-0x00007FF7C06A1000-memory.dmp	xmrig
behavioral2/memory/1932-158-0x00007FF768080000-0x00007FF7683D1000-memory.dmp	xmrig
behavioral2/memory/4912-156-0x00007FF784100000-0x00007FF784451000-memory.dmp	xmrig
behavioral2/memory/4396-159-0x00007FF7E70F0000-0x00007FF7E7441000-memory.dmp	xmrig
behavioral2/memory/2784-162-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp	xmrig
behavioral2/memory/1224-212-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp	xmrig
behavioral2/memory/1076-215-0x00007FF70BB10000-0x00007FF70BE61000-memory.dmp	xmrig
behavioral2/memory/1636-217-0x00007FF6BC540000-0x00007FF6BC891000-memory.dmp	xmrig
behavioral2/memory/4740-219-0x00007FF66C080000-0x00007FF66C3D1000-memory.dmp	xmrig
behavioral2/memory/1924-233-0x00007FF7E0B80000-0x00007FF7E0ED1000-memory.dmp	xmrig
behavioral2/memory/3572-235-0x00007FF600D90000-0x00007FF6010E1000-memory.dmp	xmrig
behavioral2/memory/3648-237-0x00007FF7F14D0000-0x00007FF7F1821000-memory.dmp	xmrig
behavioral2/memory/4512-239-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	xmrig
behavioral2/memory/2860-241-0x00007FF768390000-0x00007FF7686E1000-memory.dmp	xmrig
behavioral2/memory/1804-243-0x00007FF7204B0000-0x00007FF720801000-memory.dmp	xmrig
behavioral2/memory/4552-245-0x00007FF6A34A0000-0x00007FF6A37F1000-memory.dmp	xmrig
behavioral2/memory/1708-252-0x00007FF75F700000-0x00007FF75FA51000-memory.dmp	xmrig
behavioral2/memory/320-255-0x00007FF7D2E80000-0x00007FF7D31D1000-memory.dmp	xmrig
behavioral2/memory/220-254-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp	xmrig
behavioral2/memory/1000-257-0x00007FF7DE900000-0x00007FF7DEC51000-memory.dmp	xmrig
behavioral2/memory/4396-259-0x00007FF7E70F0000-0x00007FF7E7441000-memory.dmp	xmrig
behavioral2/memory/4912-264-0x00007FF784100000-0x00007FF784451000-memory.dmp	xmrig
behavioral2/memory/4732-265-0x00007FF6CB480000-0x00007FF6CB7D1000-memory.dmp	xmrig
behavioral2/memory/2444-267-0x00007FF7C0350000-0x00007FF7C06A1000-memory.dmp	xmrig
behavioral2/memory/2752-269-0x00007FF78C750000-0x00007FF78CAA1000-memory.dmp	xmrig
behavioral2/memory/1932-262-0x00007FF768080000-0x00007FF7683D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1224	quqZufu.exe
1076	CTTGIwR.exe
1636	kSzidxx.exe
4740	MIwKKfJ.exe
1924	wsLAzpA.exe
3572	RiZhRcA.exe
3648	LSYKaqk.exe
2860	CmzBEMW.exe
4512	fOXlyvF.exe
1804	hQAkvvH.exe
320	ksXBNjl.exe
1000	JmYSAEV.exe
220	WXwzvfo.exe
4552	HBwiUJb.exe
1708	GssDTfz.exe
4732	bHtQlvN.exe
4912	wUosWmG.exe
1932	WfXUFiU.exe
4396	FbbPylH.exe
2444	ZyNHETv.exe
2752	VDMhOHs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2784-0-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp	upx
behavioral2/files/0x0008000000023c94-4.dat	upx
behavioral2/memory/1224-8-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-10.dat	upx
behavioral2/files/0x0007000000023c9a-20.dat	upx
behavioral2/memory/1636-21-0x00007FF6BC540000-0x00007FF6BC891000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-23.dat	upx
behavioral2/memory/4740-22-0x00007FF66C080000-0x00007FF66C3D1000-memory.dmp	upx
behavioral2/memory/1076-18-0x00007FF70BB10000-0x00007FF70BE61000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-28.dat	upx
behavioral2/files/0x0008000000023c95-35.dat	upx
behavioral2/memory/3572-41-0x00007FF600D90000-0x00007FF6010E1000-memory.dmp	upx
behavioral2/memory/3648-42-0x00007FF7F14D0000-0x00007FF7F1821000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-43.dat	upx
behavioral2/files/0x0007000000023c9d-47.dat	upx
behavioral2/memory/1924-32-0x00007FF7E0B80000-0x00007FF7E0ED1000-memory.dmp	upx
behavioral2/memory/2860-50-0x00007FF768390000-0x00007FF7686E1000-memory.dmp	upx
behavioral2/files/0x0007000000023c9f-56.dat	upx
behavioral2/files/0x0007000000023ca1-63.dat	upx
behavioral2/files/0x0007000000023ca3-74.dat	upx
behavioral2/files/0x0007000000023ca5-82.dat	upx
behavioral2/memory/1708-103-0x00007FF75F700000-0x00007FF75FA51000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-109.dat	upx
behavioral2/files/0x0007000000023ca9-120.dat	upx
behavioral2/files/0x0007000000023caa-124.dat	upx
behavioral2/files/0x0007000000023cab-134.dat	upx
behavioral2/memory/2752-133-0x00007FF78C750000-0x00007FF78CAA1000-memory.dmp	upx
behavioral2/memory/2860-132-0x00007FF768390000-0x00007FF7686E1000-memory.dmp	upx
behavioral2/memory/3572-129-0x00007FF600D90000-0x00007FF6010E1000-memory.dmp	upx
behavioral2/memory/1924-128-0x00007FF7E0B80000-0x00007FF7E0ED1000-memory.dmp	upx
behavioral2/memory/2444-126-0x00007FF7C0350000-0x00007FF7C06A1000-memory.dmp	upx
behavioral2/memory/4396-119-0x00007FF7E70F0000-0x00007FF7E7441000-memory.dmp	upx
behavioral2/memory/4740-118-0x00007FF66C080000-0x00007FF66C3D1000-memory.dmp	upx
behavioral2/memory/1636-115-0x00007FF6BC540000-0x00007FF6BC891000-memory.dmp	upx
behavioral2/memory/4732-113-0x00007FF6CB480000-0x00007FF6CB7D1000-memory.dmp	upx
behavioral2/memory/1076-111-0x00007FF70BB10000-0x00007FF70BE61000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-108.dat	upx
behavioral2/memory/1932-105-0x00007FF768080000-0x00007FF7683D1000-memory.dmp	upx
behavioral2/memory/4912-104-0x00007FF784100000-0x00007FF784451000-memory.dmp	upx
behavioral2/memory/4552-102-0x00007FF6A34A0000-0x00007FF6A37F1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-99.dat	upx
behavioral2/memory/1000-96-0x00007FF7DE900000-0x00007FF7DEC51000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-94.dat	upx
behavioral2/memory/1224-93-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp	upx
behavioral2/memory/220-83-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp	upx
behavioral2/memory/320-80-0x00007FF7D2E80000-0x00007FF7D31D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-78.dat	upx
behavioral2/files/0x0007000000023ca0-69.dat	upx
behavioral2/memory/2784-67-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp	upx
behavioral2/memory/1804-68-0x00007FF7204B0000-0x00007FF720801000-memory.dmp	upx
behavioral2/memory/4512-60-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	upx
behavioral2/memory/3648-136-0x00007FF7F14D0000-0x00007FF7F1821000-memory.dmp	upx
behavioral2/memory/2784-137-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp	upx
behavioral2/memory/220-150-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp	upx
behavioral2/memory/320-149-0x00007FF7D2E80000-0x00007FF7D31D1000-memory.dmp	upx
behavioral2/memory/1804-148-0x00007FF7204B0000-0x00007FF720801000-memory.dmp	upx
behavioral2/memory/4512-147-0x00007FF797070000-0x00007FF7973C1000-memory.dmp	upx
behavioral2/memory/1000-152-0x00007FF7DE900000-0x00007FF7DEC51000-memory.dmp	upx
behavioral2/memory/2752-161-0x00007FF78C750000-0x00007FF78CAA1000-memory.dmp	upx
behavioral2/memory/2444-160-0x00007FF7C0350000-0x00007FF7C06A1000-memory.dmp	upx
behavioral2/memory/1932-158-0x00007FF768080000-0x00007FF7683D1000-memory.dmp	upx
behavioral2/memory/4912-156-0x00007FF784100000-0x00007FF784451000-memory.dmp	upx
behavioral2/memory/4396-159-0x00007FF7E70F0000-0x00007FF7E7441000-memory.dmp	upx
behavioral2/memory/2784-162-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HBwiUJb.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\quqZufu.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wsLAzpA.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RiZhRcA.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LSYKaqk.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CmzBEMW.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JmYSAEV.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WXwzvfo.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MIwKKfJ.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQAkvvH.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUosWmG.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VDMhOHs.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kSzidxx.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fOXlyvF.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FbbPylH.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CTTGIwR.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ksXBNjl.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GssDTfz.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bHtQlvN.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WfXUFiU.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZyNHETv.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1224	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2784 wrote to memory of 1224	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2784 wrote to memory of 1076	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2784 wrote to memory of 1076	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2784 wrote to memory of 1636	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2784 wrote to memory of 1636	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2784 wrote to memory of 4740	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2784 wrote to memory of 4740	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2784 wrote to memory of 1924	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2784 wrote to memory of 1924	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2784 wrote to memory of 3572	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2784 wrote to memory of 3572	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2784 wrote to memory of 3648	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2784 wrote to memory of 3648	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2784 wrote to memory of 2860	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2784 wrote to memory of 2860	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2784 wrote to memory of 4512	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2784 wrote to memory of 4512	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2784 wrote to memory of 1804	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2784 wrote to memory of 1804	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2784 wrote to memory of 320	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2784 wrote to memory of 320	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2784 wrote to memory of 1000	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2784 wrote to memory of 1000	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2784 wrote to memory of 220	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2784 wrote to memory of 220	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2784 wrote to memory of 4552	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2784 wrote to memory of 4552	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2784 wrote to memory of 1708	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2784 wrote to memory of 1708	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2784 wrote to memory of 4912	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2784 wrote to memory of 4912	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2784 wrote to memory of 4732	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2784 wrote to memory of 4732	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2784 wrote to memory of 1932	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2784 wrote to memory of 1932	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2784 wrote to memory of 4396	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2784 wrote to memory of 4396	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2784 wrote to memory of 2444	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2784 wrote to memory of 2444	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2784 wrote to memory of 2752	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2784 wrote to memory of 2752	2784	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System\quqZufu.exe
  C:\Windows\System\quqZufu.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\CTTGIwR.exe
  C:\Windows\System\CTTGIwR.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\kSzidxx.exe
  C:\Windows\System\kSzidxx.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\MIwKKfJ.exe
  C:\Windows\System\MIwKKfJ.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\wsLAzpA.exe
  C:\Windows\System\wsLAzpA.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\RiZhRcA.exe
  C:\Windows\System\RiZhRcA.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\LSYKaqk.exe
  C:\Windows\System\LSYKaqk.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\CmzBEMW.exe
  C:\Windows\System\CmzBEMW.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\fOXlyvF.exe
  C:\Windows\System\fOXlyvF.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\hQAkvvH.exe
  C:\Windows\System\hQAkvvH.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\ksXBNjl.exe
  C:\Windows\System\ksXBNjl.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\JmYSAEV.exe
  C:\Windows\System\JmYSAEV.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\WXwzvfo.exe
  C:\Windows\System\WXwzvfo.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\HBwiUJb.exe
  C:\Windows\System\HBwiUJb.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\GssDTfz.exe
  C:\Windows\System\GssDTfz.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\wUosWmG.exe
  C:\Windows\System\wUosWmG.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\bHtQlvN.exe
  C:\Windows\System\bHtQlvN.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\WfXUFiU.exe
  C:\Windows\System\WfXUFiU.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\FbbPylH.exe
  C:\Windows\System\FbbPylH.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\ZyNHETv.exe
  C:\Windows\System\ZyNHETv.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\VDMhOHs.exe
  C:\Windows\System\VDMhOHs.exe
  2⤵
  - Executes dropped EXE
  PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CTTGIwR.exe

Filesize
5.2MB

MD5
3d37cd286a5b69efa768eea1179aba2b

SHA1
8e5b3b09564da8391834c201a6a8f1b6f653808d

SHA256
eeee8e7b20846c7d7096b6a8423aaabe2691b5e47263406e95187301f3973206

SHA512
a5b6ca222d4777954bfacc5c312e9db50da496fcdbd32fa8101b83fc36a16ad3611e0e122228f57699b7cefd214bd4a058f8d367c4891ea59fd7ca3da72ca689

Download Submit
C:\Windows\System\CmzBEMW.exe

Filesize
5.2MB

MD5
ffe21b1c4f52ab30c8e433e9d8e044c7

SHA1
f7010b68fd1bffde551e0b3b43ae808668bec21a

SHA256
6b0b4362dfce64e09f69602b0bff298da8d7ea80e986308649355416cf0007f5

SHA512
02be4e7f26351b3af9dc8909f8cc9e691aea7ca5d2cd95aa4d8d1dfb3958c1586694e8127dbacdace23fac8d99f98b4936525499018f39ebea6473fcbffa1482

Download Submit
C:\Windows\System\FbbPylH.exe

Filesize
5.2MB

MD5
ab516500fa2d5c55faf3d7d084cffb75

SHA1
376ca5213ec74fdb719462e760a65b589560db1e

SHA256
6dfa9aea1bee734e6c743e6bc80362312203e1a3b4c7eee4ca791a8d06f30b0d

SHA512
13d41b0db607262a67a325d3de7808ed266d2b960a38fc03891673709770d3e5df03cafe3dd45076b68d9dd8ff95d832a166367f7eeba69518f51788f1357958

Download Submit
C:\Windows\System\GssDTfz.exe

Filesize
5.2MB

MD5
4b58ccddf6bcdc7f0c101884e8ff31a3

SHA1
b7ef9f0a85d32a130b94149e13a2a5d2c1803145

SHA256
31a02034191b42ea3b52a51c104c78e4cfaa3cd87a63ba2ff118620bd1c5e25e

SHA512
3a53508778ecfc6af76fefbc46a73042476c949272107ff7d8a96fd050de59a9e99ca8e152e507048cd3e89dc259bb206043a54ad33395920bc38e3f4feac4a3

Download Submit
C:\Windows\System\HBwiUJb.exe

Filesize
5.2MB

MD5
c8c01fc48d0ead4d66cebc7a6e7bd5b8

SHA1
691f8f7c6d9cf40026aff4af2cbf778bf0493c54

SHA256
3e0db6ac3b187dbf3f693dc9c55de93df4d70512c02fa324870c2165f74eeeef

SHA512
5abe39e372c0771e8703ef401bc7f11723633b1a68af14f84ae05302d277c401713fdc11b75e31322123ea7d61a5460119312ae1b68db3fb9a6cb37e5806d474

Download Submit
C:\Windows\System\JmYSAEV.exe

Filesize
5.2MB

MD5
cc3411361de3a39b38e77d067434c24d

SHA1
6c8019e050a6da990822aa6e09cee9b93239abce

SHA256
9e558dd054f83ac633e9b0b0dafd1e7cdf2c126c0f21f349f5e0517af689e98d

SHA512
2697049d374deea3dc4e954ee0a5cfe0667e8a270372822f839722e9e783754e42b1ab0f72753744cfcac2ac7146516cfb10f15d5a9157b68b9d953a9e4ff222

Download Submit
C:\Windows\System\LSYKaqk.exe

Filesize
5.2MB

MD5
3be4b121e2833fccce57077e85165f11

SHA1
7f2d9a751af732b5bb154dd9f0403dc8e4859677

SHA256
b80725015dee2e360f7ecd9d29b7ca739a94bd6cfcd76ca28822f48b6592cdfb

SHA512
82d1039dd349b930675918244830a3f26ed8d3744094533022947694e80a29f468f295073dfeca504aa8d15cbdd462812a94cd3772383c96f2d7cd93032b3af5

Download Submit
C:\Windows\System\MIwKKfJ.exe

Filesize
5.2MB

MD5
c0843f2ad5e831c0e8e631cbc7957890

SHA1
290927669ef723a3a4c6ab1795040f0e40a3cead

SHA256
e4300d9b29fdf00cfadcd4b0f99ec434c443afb7008c5149cea541e26bdce4f5

SHA512
b74b726ff91eaf9881c967b500ec5056326b9d9b83d80a083fa1a64e6641ad18c2b17787c0b91e858b70adee84240c20da8dc108ba651441ff12cb0cd5578e6c

Download Submit
C:\Windows\System\RiZhRcA.exe

Filesize
5.2MB

MD5
a65dd67047df3c13356f273ce5692ddd

SHA1
d8a66983054ce3b4177a81f5208dff0ad0cf6c46

SHA256
d170d77b3bab2dff7a18bd5f879d535e15e359f409c9f25bb595f55e49fc3301

SHA512
6cd68d860bced8755dcb26b0f8249cc3156779b392ae2eee3af10b80721630e9bd85776f48f617f8d669d6a68ea2748a7d8510fa20359987f01ce7b36e7089bf

Download Submit
C:\Windows\System\VDMhOHs.exe

Filesize
5.2MB

MD5
ccf12aac574b5d33f00b5115f3f75228

SHA1
36fdfd06952d5e788017d5adb525d23a96968fb6

SHA256
ecb88fac971994820577878d39f6b69ca177e45ff2518db2224f083e34260371

SHA512
948d01e279b47ad538c453daf6d66edde91256c3d9274bd5d6f77b6b866978b3e81cb7eb5ee1418790bc3fb1714b0b9a183532b94dddc54efbc93342e3c794bb

Download Submit
C:\Windows\System\WXwzvfo.exe

Filesize
5.2MB

MD5
e096442ffd2120dcb84afa764166a2e7

SHA1
da6d78fbc5def0757bff9654e3ba31a19982a5aa

SHA256
35311649574dda936447058122f9f64dab8f8bebca919828a4c42d98f3809e09

SHA512
61a9e4ff02fd06b7f780255758fb2130897170fdebbb2ab74c81bac45e3246575afa5941d561e2a04ca6744ab39469e1a0ddb376efd2250e54daa1cdcd970e2e

Download Submit
C:\Windows\System\WfXUFiU.exe

Filesize
5.2MB

MD5
0d8bb097b4f50f5c5025d6d6d1c0cc2b

SHA1
deffb0ce98057fc978d5d451cb0316600b60f711

SHA256
909609dc0dbf9fb36766655fa18a11eb216f72b0040d44510fe5e71f6ed7bf21

SHA512
209308e2e819b91fbfe4cfdae574badcabc544e159570db28c5ba16c288dfdd3edeb4b91e41e9e373876d878143a0f4fa386b78ef82b7fc8f35bf2f9e1eeb902

Download Submit
C:\Windows\System\ZyNHETv.exe

Filesize
5.2MB

MD5
98c80d2b5ee5147025c9cfb14d08481b

SHA1
39fad332c135643133084b8f4666bcfae98b7ee5

SHA256
c6057a6aac3fd75beab0c49e0cc55c591324e063650da11d9d6b3557182f66e0

SHA512
f40fae0935d2638ddbc254b3880ae9aac291b2116df67093e372483af216b658692829cd4546fa98f67cd2ccdf10135e59863b02504bc68a51a797b231fc2e83

Download Submit
C:\Windows\System\bHtQlvN.exe

Filesize
5.2MB

MD5
574431ca0127baf2abc322cf4d1df5dc

SHA1
1f7e373767e20e01e23525557084dc4f3f88f8de

SHA256
90e17e3c9ce5d5205235f4a1277c676702f59bcbc8b63e335e41daaff7082563

SHA512
24966ba51ebb286169369eda6f90793076cc3a62bda5c5b28f9e195ac61d3e14edaba44f9db2dd2de9671dd132cd0385bc1c14183d23f68e26827e3cb449c2c8

Download Submit
C:\Windows\System\fOXlyvF.exe

Filesize
5.2MB

MD5
324e3c40a10ffbc363fbc6b5dc48397b

SHA1
417295c6de22a3d466fc059a3dd2642fd84d6e97

SHA256
34361e998ab97f4dac82d15def5a53baa6868b5428f716993b25e04c71fe998b

SHA512
4220b5a70d4b9aab7d1163f0f9d924b0c5d623dae44fb96ad7dba39b2d03cc490247a59fadfc21c794cba039b60073ef99640fc4a612fa6b6b6d16bf3134391b

Download Submit
C:\Windows\System\hQAkvvH.exe

Filesize
5.2MB

MD5
d16f82d113624d1866ea6d1ba161118a

SHA1
28dbebd99d99a7ac254566f36ba2be7abc1edfe8

SHA256
13ea50f072518d31f007c333bb71acd1cd7b26d978f4584048b7bbd0c7070621

SHA512
4c31ed9f2faab93f41561f9d9168af252eda3e2450ef3ea331af36f8e68036cbe562f0569c225bdc1ace1ac88df07c6fef55c5bc2c2ba88b876c64ae9d1fe620

Download Submit
C:\Windows\System\kSzidxx.exe

Filesize
5.2MB

MD5
2f7ae091bd5fe63bcbb1e7cc6e03a9a7

SHA1
9cfee46ff7ecde7175b66168c22060b1e4a55663

SHA256
c0127884dbbd78c6b33e7ac61743e076c2d438815520fc7a5c010af0179f8817

SHA512
963c8fd70fdebccb5ebaeba59c0fba97a2f22303b20d82944ba4ae7e17920e240a7f9526a1535c53fdbc927844e2540554313266eefd2cfd52b5c508d996bc29

Download Submit
C:\Windows\System\ksXBNjl.exe

Filesize
5.2MB

MD5
f2e61890834aa1587f11abe288eafd5e

SHA1
062be176dae3d96c38b324002ab482b003a9dc63

SHA256
b81d90ffc64da147934b7b688a15517300c323c1a9e402b2eace561fa3758c47

SHA512
83af98122691231dfe0d27f0c541cc8d085ef6b69a553e2f176a275a3d4bc95762424030be01441a559f9b4503e02d694e1cc376be23ffb68d35a40f065f0a3e

Download Submit
C:\Windows\System\quqZufu.exe

Filesize
5.2MB

MD5
c04c1f0b9bbbc12219e7ccf285ec90e6

SHA1
60d958a42ccc47c44b96ea22ef89e1ef390756fa

SHA256
23579d92a0023f13d720b314c6f3be0c9e34cf59316dff8e30b0b7c25175f57d

SHA512
a239b15da4b8effe2af88dabef31c2f8e97fa1f7fb88dac17477ba622dc2a5ed0b6621e1e1fc19556c7e95de8ec113decf18bc1de1727e206e9d72ad72ef4d67

Download Submit
C:\Windows\System\wUosWmG.exe

Filesize
5.2MB

MD5
0ee73f82a2cfb2684cbb24b32dfa8757

SHA1
3fce20c21eb6a2db9d2e5a3f798fdc95f42506c6

SHA256
01f364ed3e7334c1bcd2ec141026a5d5ca801d185aec9b803cf8115e4ab83de8

SHA512
6d3200992fda8d553ce4f19ab6d093ed715ee47dc288130bfdcc4c12ae57c5d163be74cf5f26d205b1a9e2d837034e7789d73d57a1261f22b4af1dfc1704f6b7

Download Submit
C:\Windows\System\wsLAzpA.exe

Filesize
5.2MB

MD5
90c37932a9e412205278a341534baf87

SHA1
d4c7139a871a757f4709874858c74f28895ec0fc

SHA256
64ed2f5a1be5624d54f9ee21b1a85690ddae6077e70a39329c7538502766f475

SHA512
003bb0fd2815af64535bb8ae00baa8574dd52faf9d0ab9aa0364875ff6a3fd2458f552a5c880efb8698322539da3888fec30194750bbb0d1edc2cf5b079129ea

Download Submit
memory/220-254-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp

Filesize
3.3MB

Download
memory/220-83-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp

Filesize
3.3MB

Download
memory/220-150-0x00007FF7B3180000-0x00007FF7B34D1000-memory.dmp

Filesize
3.3MB

Download
memory/320-80-0x00007FF7D2E80000-0x00007FF7D31D1000-memory.dmp

Filesize
3.3MB

Download
memory/320-255-0x00007FF7D2E80000-0x00007FF7D31D1000-memory.dmp

Filesize
3.3MB

Download
memory/320-149-0x00007FF7D2E80000-0x00007FF7D31D1000-memory.dmp

Filesize
3.3MB

Download
memory/1000-152-0x00007FF7DE900000-0x00007FF7DEC51000-memory.dmp

Filesize
3.3MB

Download
memory/1000-257-0x00007FF7DE900000-0x00007FF7DEC51000-memory.dmp

Filesize
3.3MB

Download
memory/1000-96-0x00007FF7DE900000-0x00007FF7DEC51000-memory.dmp

Filesize
3.3MB

Download
memory/1076-215-0x00007FF70BB10000-0x00007FF70BE61000-memory.dmp

Filesize
3.3MB

Download
memory/1076-111-0x00007FF70BB10000-0x00007FF70BE61000-memory.dmp

Filesize
3.3MB

Download
memory/1076-18-0x00007FF70BB10000-0x00007FF70BE61000-memory.dmp

Filesize
3.3MB

Download
memory/1224-93-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp

Filesize
3.3MB

Download
memory/1224-212-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp

Filesize
3.3MB

Download
memory/1224-8-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp

Filesize
3.3MB

Download
memory/1636-115-0x00007FF6BC540000-0x00007FF6BC891000-memory.dmp

Filesize
3.3MB

Download
memory/1636-217-0x00007FF6BC540000-0x00007FF6BC891000-memory.dmp

Filesize
3.3MB

Download
memory/1636-21-0x00007FF6BC540000-0x00007FF6BC891000-memory.dmp

Filesize
3.3MB

Download
memory/1708-252-0x00007FF75F700000-0x00007FF75FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1708-103-0x00007FF75F700000-0x00007FF75FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1804-148-0x00007FF7204B0000-0x00007FF720801000-memory.dmp

Filesize
3.3MB

Download
memory/1804-243-0x00007FF7204B0000-0x00007FF720801000-memory.dmp

Filesize
3.3MB

Download
memory/1804-68-0x00007FF7204B0000-0x00007FF720801000-memory.dmp

Filesize
3.3MB

Download
memory/1924-233-0x00007FF7E0B80000-0x00007FF7E0ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-128-0x00007FF7E0B80000-0x00007FF7E0ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-32-0x00007FF7E0B80000-0x00007FF7E0ED1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-105-0x00007FF768080000-0x00007FF7683D1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-158-0x00007FF768080000-0x00007FF7683D1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-262-0x00007FF768080000-0x00007FF7683D1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-267-0x00007FF7C0350000-0x00007FF7C06A1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-126-0x00007FF7C0350000-0x00007FF7C06A1000-memory.dmp

Filesize
3.3MB

Download
memory/2444-160-0x00007FF7C0350000-0x00007FF7C06A1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-133-0x00007FF78C750000-0x00007FF78CAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-161-0x00007FF78C750000-0x00007FF78CAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-269-0x00007FF78C750000-0x00007FF78CAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-67-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp

Filesize
3.3MB

Download
memory/2784-162-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp

Filesize
3.3MB

Download
memory/2784-137-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp

Filesize
3.3MB

Download
memory/2784-0-0x00007FF7F31D0000-0x00007FF7F3521000-memory.dmp

Filesize
3.3MB

Download
memory/2784-1-0x00000159AD330000-0x00000159AD340000-memory.dmp

Filesize
64KB

Download
memory/2860-50-0x00007FF768390000-0x00007FF7686E1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-132-0x00007FF768390000-0x00007FF7686E1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-241-0x00007FF768390000-0x00007FF7686E1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-129-0x00007FF600D90000-0x00007FF6010E1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-235-0x00007FF600D90000-0x00007FF6010E1000-memory.dmp

Filesize
3.3MB

Download
memory/3572-41-0x00007FF600D90000-0x00007FF6010E1000-memory.dmp

Filesize
3.3MB

Download
memory/3648-136-0x00007FF7F14D0000-0x00007FF7F1821000-memory.dmp

Filesize
3.3MB

Download
memory/3648-42-0x00007FF7F14D0000-0x00007FF7F1821000-memory.dmp

Filesize
3.3MB

Download
memory/3648-237-0x00007FF7F14D0000-0x00007FF7F1821000-memory.dmp

Filesize
3.3MB

Download
memory/4396-259-0x00007FF7E70F0000-0x00007FF7E7441000-memory.dmp

Filesize
3.3MB

Download
memory/4396-159-0x00007FF7E70F0000-0x00007FF7E7441000-memory.dmp

Filesize
3.3MB

Download
memory/4396-119-0x00007FF7E70F0000-0x00007FF7E7441000-memory.dmp

Filesize
3.3MB

Download
memory/4512-147-0x00007FF797070000-0x00007FF7973C1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-60-0x00007FF797070000-0x00007FF7973C1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-239-0x00007FF797070000-0x00007FF7973C1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-102-0x00007FF6A34A0000-0x00007FF6A37F1000-memory.dmp

Filesize
3.3MB

Download
memory/4552-245-0x00007FF6A34A0000-0x00007FF6A37F1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-265-0x00007FF6CB480000-0x00007FF6CB7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-113-0x00007FF6CB480000-0x00007FF6CB7D1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-118-0x00007FF66C080000-0x00007FF66C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-219-0x00007FF66C080000-0x00007FF66C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4740-22-0x00007FF66C080000-0x00007FF66C3D1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-104-0x00007FF784100000-0x00007FF784451000-memory.dmp

Filesize
3.3MB

Download
memory/4912-264-0x00007FF784100000-0x00007FF784451000-memory.dmp

Filesize
3.3MB

Download
memory/4912-156-0x00007FF784100000-0x00007FF784451000-memory.dmp

Filesize
3.3MB

Download