cobaltstrike | 94108ae141756c28184b6367a7da949ff3cfd5c83fba845cadedc56b1f2aa72b

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

95413702ac19c117e5288721001d8716
SHA1

8693fcd8e13ee45c9326a38f4699753e71e64386
SHA256

94108ae141756c28184b6367a7da949ff3cfd5c83fba845cadedc56b1f2aa72b
SHA512

91d0c4b0b474ae92f04e032535283d88723a95361a0d20a4fd9b580af9ce8536080e621f9607f7391667ca79eb5ad30e9f0c1404aa974547c4111ee7505f446c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibf56utgpPFotBER/mQ32lUt

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023452-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023455-16.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-37.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023465-92.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023456-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-61.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-127.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2844-76-0x00007FF79A9C0000-0x00007FF79AD11000-memory.dmp	xmrig
behavioral2/memory/5028-108-0x00007FF7C5FD0000-0x00007FF7C6321000-memory.dmp	xmrig
behavioral2/memory/4624-107-0x00007FF6A1810000-0x00007FF6A1B61000-memory.dmp	xmrig
behavioral2/memory/2236-98-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp	xmrig
behavioral2/memory/1564-83-0x00007FF6F02F0000-0x00007FF6F0641000-memory.dmp	xmrig
behavioral2/memory/3196-77-0x00007FF71D100000-0x00007FF71D451000-memory.dmp	xmrig
behavioral2/memory/3168-70-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp	xmrig
behavioral2/memory/872-119-0x00007FF74D460000-0x00007FF74D7B1000-memory.dmp	xmrig
behavioral2/memory/2624-132-0x00007FF76CBB0000-0x00007FF76CF01000-memory.dmp	xmrig
behavioral2/memory/528-131-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	xmrig
behavioral2/memory/2776-123-0x00007FF6D2300000-0x00007FF6D2651000-memory.dmp	xmrig
behavioral2/memory/1468-138-0x00007FF6ADA50000-0x00007FF6ADDA1000-memory.dmp	xmrig
behavioral2/memory/3564-139-0x00007FF68E650000-0x00007FF68E9A1000-memory.dmp	xmrig
behavioral2/memory/1364-140-0x00007FF746170000-0x00007FF7464C1000-memory.dmp	xmrig
behavioral2/memory/3168-141-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp	xmrig
behavioral2/memory/4200-148-0x00007FF65BEF0000-0x00007FF65C241000-memory.dmp	xmrig
behavioral2/memory/2036-147-0x00007FF6425F0000-0x00007FF642941000-memory.dmp	xmrig
behavioral2/memory/1944-160-0x00007FF62BDD0000-0x00007FF62C121000-memory.dmp	xmrig
behavioral2/memory/4056-161-0x00007FF61E120000-0x00007FF61E471000-memory.dmp	xmrig
behavioral2/memory/4108-162-0x00007FF6455A0000-0x00007FF6458F1000-memory.dmp	xmrig
behavioral2/memory/216-164-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	xmrig
behavioral2/memory/3324-165-0x00007FF789030000-0x00007FF789381000-memory.dmp	xmrig
behavioral2/memory/4432-168-0x00007FF642AC0000-0x00007FF642E11000-memory.dmp	xmrig
behavioral2/memory/3168-169-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp	xmrig
behavioral2/memory/2844-226-0x00007FF79A9C0000-0x00007FF79AD11000-memory.dmp	xmrig
behavioral2/memory/1564-228-0x00007FF6F02F0000-0x00007FF6F0641000-memory.dmp	xmrig
behavioral2/memory/2236-230-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp	xmrig
behavioral2/memory/4624-232-0x00007FF6A1810000-0x00007FF6A1B61000-memory.dmp	xmrig
behavioral2/memory/5028-234-0x00007FF7C5FD0000-0x00007FF7C6321000-memory.dmp	xmrig
behavioral2/memory/872-236-0x00007FF74D460000-0x00007FF74D7B1000-memory.dmp	xmrig
behavioral2/memory/2776-246-0x00007FF6D2300000-0x00007FF6D2651000-memory.dmp	xmrig
behavioral2/memory/1468-249-0x00007FF6ADA50000-0x00007FF6ADDA1000-memory.dmp	xmrig
behavioral2/memory/528-252-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	xmrig
behavioral2/memory/3196-251-0x00007FF71D100000-0x00007FF71D451000-memory.dmp	xmrig
behavioral2/memory/2624-256-0x00007FF76CBB0000-0x00007FF76CF01000-memory.dmp	xmrig
behavioral2/memory/3564-255-0x00007FF68E650000-0x00007FF68E9A1000-memory.dmp	xmrig
behavioral2/memory/1364-258-0x00007FF746170000-0x00007FF7464C1000-memory.dmp	xmrig
behavioral2/memory/2036-260-0x00007FF6425F0000-0x00007FF642941000-memory.dmp	xmrig
behavioral2/memory/4108-263-0x00007FF6455A0000-0x00007FF6458F1000-memory.dmp	xmrig
behavioral2/memory/1944-264-0x00007FF62BDD0000-0x00007FF62C121000-memory.dmp	xmrig
behavioral2/memory/4200-266-0x00007FF65BEF0000-0x00007FF65C241000-memory.dmp	xmrig
behavioral2/memory/4056-268-0x00007FF61E120000-0x00007FF61E471000-memory.dmp	xmrig
behavioral2/memory/216-272-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	xmrig
behavioral2/memory/4432-274-0x00007FF642AC0000-0x00007FF642E11000-memory.dmp	xmrig
behavioral2/memory/3324-276-0x00007FF789030000-0x00007FF789381000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2844	xEhvxxp.exe
1564	LLbvQVm.exe
2236	irfeKKr.exe
4624	kJCgNFj.exe
5028	dcVoIdN.exe
872	WdorWbb.exe
2776	xcROURi.exe
528	xvsCasR.exe
1468	jXxnDDD.exe
2624	YxGiMQd.exe
3196	AinhkEN.exe
1364	LvnUyds.exe
3564	IlgREYG.exe
2036	twFObBj.exe
4200	KuBbvni.exe
1944	QiQmhmE.exe
4108	yzNTJeP.exe
4056	IOLwzME.exe
216	KBYNzzJ.exe
3324	qiCnXxC.exe
4432	HEwvMqC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3168-0-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp	upx
behavioral2/files/0x0008000000023452-4.dat	upx
behavioral2/memory/2844-9-0x00007FF79A9C0000-0x00007FF79AD11000-memory.dmp	upx
behavioral2/files/0x0007000000023459-10.dat	upx
behavioral2/memory/2236-17-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp	upx
behavioral2/files/0x000700000002345a-23.dat	upx
behavioral2/memory/4624-26-0x00007FF6A1810000-0x00007FF6A1B61000-memory.dmp	upx
behavioral2/files/0x0008000000023455-16.dat	upx
behavioral2/memory/1564-15-0x00007FF6F02F0000-0x00007FF6F0641000-memory.dmp	upx
behavioral2/files/0x000700000002345b-29.dat	upx
behavioral2/files/0x000700000002345d-37.dat	upx
behavioral2/memory/872-39-0x00007FF74D460000-0x00007FF74D7B1000-memory.dmp	upx
behavioral2/memory/528-50-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	upx
behavioral2/files/0x000700000002345f-65.dat	upx
behavioral2/memory/2844-76-0x00007FF79A9C0000-0x00007FF79AD11000-memory.dmp	upx
behavioral2/files/0x0007000000023463-85.dat	upx
behavioral2/memory/2036-90-0x00007FF6425F0000-0x00007FF642941000-memory.dmp	upx
behavioral2/files/0x0007000000023464-84.dat	upx
behavioral2/files/0x0007000000023465-92.dat	upx
behavioral2/files/0x0008000000023456-105.dat	upx
behavioral2/memory/4108-110-0x00007FF6455A0000-0x00007FF6458F1000-memory.dmp	upx
behavioral2/files/0x0007000000023467-115.dat	upx
behavioral2/files/0x0007000000023466-113.dat	upx
behavioral2/memory/5028-108-0x00007FF7C5FD0000-0x00007FF7C6321000-memory.dmp	upx
behavioral2/memory/4624-107-0x00007FF6A1810000-0x00007FF6A1B61000-memory.dmp	upx
behavioral2/memory/4056-106-0x00007FF61E120000-0x00007FF61E471000-memory.dmp	upx
behavioral2/memory/1944-104-0x00007FF62BDD0000-0x00007FF62C121000-memory.dmp	upx
behavioral2/memory/4200-103-0x00007FF65BEF0000-0x00007FF65C241000-memory.dmp	upx
behavioral2/memory/2236-98-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp	upx
behavioral2/memory/1564-83-0x00007FF6F02F0000-0x00007FF6F0641000-memory.dmp	upx
behavioral2/memory/1364-82-0x00007FF746170000-0x00007FF7464C1000-memory.dmp	upx
behavioral2/memory/3564-78-0x00007FF68E650000-0x00007FF68E9A1000-memory.dmp	upx
behavioral2/memory/3196-77-0x00007FF71D100000-0x00007FF71D451000-memory.dmp	upx
behavioral2/files/0x0007000000023462-74.dat	upx
behavioral2/files/0x0007000000023460-72.dat	upx
behavioral2/memory/3168-70-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp	upx
behavioral2/memory/2624-69-0x00007FF76CBB0000-0x00007FF76CF01000-memory.dmp	upx
behavioral2/files/0x0007000000023461-61.dat	upx
behavioral2/files/0x000700000002345e-59.dat	upx
behavioral2/memory/1468-57-0x00007FF6ADA50000-0x00007FF6ADDA1000-memory.dmp	upx
behavioral2/memory/2776-48-0x00007FF6D2300000-0x00007FF6D2651000-memory.dmp	upx
behavioral2/files/0x000700000002345c-45.dat	upx
behavioral2/memory/5028-34-0x00007FF7C5FD0000-0x00007FF7C6321000-memory.dmp	upx
behavioral2/memory/872-119-0x00007FF74D460000-0x00007FF74D7B1000-memory.dmp	upx
behavioral2/files/0x0007000000023469-124.dat	upx
behavioral2/files/0x0007000000023468-127.dat	upx
behavioral2/memory/2624-132-0x00007FF76CBB0000-0x00007FF76CF01000-memory.dmp	upx
behavioral2/files/0x000700000002346a-134.dat	upx
behavioral2/memory/4432-133-0x00007FF642AC0000-0x00007FF642E11000-memory.dmp	upx
behavioral2/memory/3324-126-0x00007FF789030000-0x00007FF789381000-memory.dmp	upx
behavioral2/memory/528-131-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp	upx
behavioral2/memory/216-125-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	upx
behavioral2/memory/2776-123-0x00007FF6D2300000-0x00007FF6D2651000-memory.dmp	upx
behavioral2/memory/1468-138-0x00007FF6ADA50000-0x00007FF6ADDA1000-memory.dmp	upx
behavioral2/memory/3564-139-0x00007FF68E650000-0x00007FF68E9A1000-memory.dmp	upx
behavioral2/memory/1364-140-0x00007FF746170000-0x00007FF7464C1000-memory.dmp	upx
behavioral2/memory/3168-141-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp	upx
behavioral2/memory/4200-148-0x00007FF65BEF0000-0x00007FF65C241000-memory.dmp	upx
behavioral2/memory/2036-147-0x00007FF6425F0000-0x00007FF642941000-memory.dmp	upx
behavioral2/memory/1944-160-0x00007FF62BDD0000-0x00007FF62C121000-memory.dmp	upx
behavioral2/memory/4056-161-0x00007FF61E120000-0x00007FF61E471000-memory.dmp	upx
behavioral2/memory/4108-162-0x00007FF6455A0000-0x00007FF6458F1000-memory.dmp	upx
behavioral2/memory/216-164-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp	upx
behavioral2/memory/3324-165-0x00007FF789030000-0x00007FF789381000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xvsCasR.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jXxnDDD.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KuBbvni.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IOLwzME.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xEhvxxp.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WdorWbb.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YxGiMQd.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\twFObBj.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yzNTJeP.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KBYNzzJ.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HEwvMqC.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kJCgNFj.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dcVoIdN.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xcROURi.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AinhkEN.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IlgREYG.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLbvQVm.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LvnUyds.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QiQmhmE.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qiCnXxC.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\irfeKKr.exe	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2844	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3168 wrote to memory of 2844	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3168 wrote to memory of 1564	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3168 wrote to memory of 1564	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3168 wrote to memory of 2236	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3168 wrote to memory of 2236	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3168 wrote to memory of 4624	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3168 wrote to memory of 4624	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3168 wrote to memory of 5028	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3168 wrote to memory of 5028	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3168 wrote to memory of 872	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3168 wrote to memory of 872	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3168 wrote to memory of 2776	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3168 wrote to memory of 2776	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3168 wrote to memory of 528	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3168 wrote to memory of 528	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3168 wrote to memory of 1468	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3168 wrote to memory of 1468	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3168 wrote to memory of 2624	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3168 wrote to memory of 2624	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3168 wrote to memory of 3196	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3168 wrote to memory of 3196	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3168 wrote to memory of 1364	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3168 wrote to memory of 1364	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3168 wrote to memory of 3564	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3168 wrote to memory of 3564	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3168 wrote to memory of 2036	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3168 wrote to memory of 2036	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3168 wrote to memory of 4200	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3168 wrote to memory of 4200	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3168 wrote to memory of 1944	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3168 wrote to memory of 1944	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3168 wrote to memory of 4108	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3168 wrote to memory of 4108	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3168 wrote to memory of 4056	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3168 wrote to memory of 4056	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3168 wrote to memory of 216	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3168 wrote to memory of 216	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3168 wrote to memory of 3324	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3168 wrote to memory of 3324	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3168 wrote to memory of 4432	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3168 wrote to memory of 4432	3168	2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_95413702ac19c117e5288721001d8716_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\System\xEhvxxp.exe
  C:\Windows\System\xEhvxxp.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\LLbvQVm.exe
  C:\Windows\System\LLbvQVm.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\irfeKKr.exe
  C:\Windows\System\irfeKKr.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\kJCgNFj.exe
  C:\Windows\System\kJCgNFj.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\dcVoIdN.exe
  C:\Windows\System\dcVoIdN.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\WdorWbb.exe
  C:\Windows\System\WdorWbb.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\xcROURi.exe
  C:\Windows\System\xcROURi.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\xvsCasR.exe
  C:\Windows\System\xvsCasR.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\jXxnDDD.exe
  C:\Windows\System\jXxnDDD.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\YxGiMQd.exe
  C:\Windows\System\YxGiMQd.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\AinhkEN.exe
  C:\Windows\System\AinhkEN.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\LvnUyds.exe
  C:\Windows\System\LvnUyds.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\IlgREYG.exe
  C:\Windows\System\IlgREYG.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\twFObBj.exe
  C:\Windows\System\twFObBj.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\KuBbvni.exe
  C:\Windows\System\KuBbvni.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\QiQmhmE.exe
  C:\Windows\System\QiQmhmE.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\yzNTJeP.exe
  C:\Windows\System\yzNTJeP.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\IOLwzME.exe
  C:\Windows\System\IOLwzME.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\KBYNzzJ.exe
  C:\Windows\System\KBYNzzJ.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\qiCnXxC.exe
  C:\Windows\System\qiCnXxC.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\HEwvMqC.exe
  C:\Windows\System\HEwvMqC.exe
  2⤵
  - Executes dropped EXE
  PID:4432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AinhkEN.exe

Filesize
5.2MB

MD5
76f35fff246cdd77b64d337775f2a135

SHA1
6e7334b1bd37312765370f698ef4522618463e32

SHA256
0ac3c32ab2101f0b1bfd057c4751a64ef85ce33fd52f50763a80fe4377149a0f

SHA512
b80404dfe73d3b10a0d92c34cb0193da5e4a7ebc9cb1365a204e8a66da419ef077685c7cec39a96e6dbffc9abd7f7b4c985b590872084d61f7e532c36868bd8f

Download Submit
C:\Windows\System\HEwvMqC.exe

Filesize
5.2MB

MD5
9263b90ac028baca0c28b70b2954046c

SHA1
d454ec3fa43184835ce54824ffa6a01ccd627d57

SHA256
8a8358fb194e37c60cdf0ff43b06af4b8df70650b42b142e5501155821610288

SHA512
d41536be7e9a7659c93ab46e945282de815e1d5ac1b6daeb95238d1ad79e7d0d32d65dc871eb95ec668fe53d873b19809534e01cd88e60b1173f1cbfa34a4ded

Download Submit
C:\Windows\System\IOLwzME.exe

Filesize
5.2MB

MD5
7a9182915a6fc3b22e89170714e71ce2

SHA1
9436c07217fe00ce191bad82cc68e1dadb8fb2f8

SHA256
45f1ff28a9f7c773853137f911497300df8fed26f895bb737177f1d48838156a

SHA512
e3c35bab16b89772eb711c61355394cf5585ff74f863ea1a543c63f89bf238ed9f09134825ae6a954f65f77751269e8e1798d095194dabf5abc70943de9ff956

Download Submit
C:\Windows\System\IlgREYG.exe

Filesize
5.2MB

MD5
0d864da425a2aa42de10b6e6f073d535

SHA1
b9187876afb9aaccd48b1f247ce1797b62220797

SHA256
ea8388998a4d0849c4a9d78c04a8fb89857832d26e6630feb97d24b4ff3f3228

SHA512
9f13dd543633ac943d8d6afbb3a11459e198e0ae9de849994c790e47cb8f80aae024acd569ef10cb6967721f4e0a17cff937ab799a968fb347a28df2351797d9

Download Submit
C:\Windows\System\KBYNzzJ.exe

Filesize
5.2MB

MD5
04c09ced42fcffd6288cbdfb51f32620

SHA1
1ceea4ac5af4523de07a8f1f14e53ba3992a487a

SHA256
0d23db0f3310b24063c68fddac67c96459de80e86cb8a90234dfd57b28b04dfa

SHA512
302492a54280aff415ff1976bd46911dd37a5f5986070dbf9e1623729b29bee5a250fe6dfa49a02f99c4893c952d10151e85cab4b310ff87c95aeaae4a7e4ffd

Download Submit
C:\Windows\System\KuBbvni.exe

Filesize
5.2MB

MD5
da7075e07c9621b185e647f8fe78ccea

SHA1
e5b94fb84028a08a580194dc84355a32f859c13f

SHA256
18cd2a1d63bc301b3d48e12483301afe941032082f908f317e162a142267de42

SHA512
cd02f5a2dde3468c47b0c946505746b82936f1735c312cfa32e6adaa16696b0a67356af9351589f33485ea198809e25fa32d9530aab42f4694e4ad835f00bef9

Download Submit
C:\Windows\System\LLbvQVm.exe

Filesize
5.2MB

MD5
d91e4fac875e5c420aa25514c9111f3b

SHA1
aac75daffddca6089f111465dcb6621916629ccb

SHA256
58c4d0d78d6b91db4d0121c3ec2be6ce3537e918ef17ff9da1d71d879af70fb9

SHA512
10bc664048c27f7121d72233f3a536330c6869d418db0c43463feeb9f8d06ab16bd274c7d03b473e3066fce492d0f9c3b58b414d5ec5762c75bb1f71d444d89c

Download Submit
C:\Windows\System\LvnUyds.exe

Filesize
5.2MB

MD5
d8f2a9de42bc461f1229dcc5501e7e66

SHA1
044db1e9412fa468838076663c1032913015a5fc

SHA256
8fc03fb238291e7b4ca9b6a3e240358210d5d50b5683bca06dd7d78ebfdf818b

SHA512
e6562e09f31af91e3594bd467018ec5673ae07c8f9bf3b33f9fb48ac1f85a2983a0cb1eb93e8177ea1949a4c71f92b2928171a873057f8b01009a0e62585b973

Download Submit
C:\Windows\System\QiQmhmE.exe

Filesize
5.2MB

MD5
f3cd63e1c1dd9f958f0debe4f8e7c897

SHA1
cd90868a6b06fbd799095c8405da434f50528a7c

SHA256
9e2448dfedddd87a4a5ff8d71183c3bf685c486f0d8e5164bb9bd28ccb600246

SHA512
fac6ea4fe79916b58e64297efd21f0ca5e53a152a496e9914e2d770755ba2af88b2b78a79f99b69e8932e7876b53977e1ed40e00a52ffb9ed9924416aa21822a

Download Submit
C:\Windows\System\WdorWbb.exe

Filesize
5.2MB

MD5
72ab8ef435a8aad4a593c6a9e684e26d

SHA1
8ea968c5f107f82d1009f9b0ee679498d71ba5df

SHA256
b6bc6d8e6751b3e7ca9d938425fba9da9a496aff78b630b360ad0fb2623be56d

SHA512
869b5262587e4359d1a7be56fad5264cc9a017aab0f7485d903c2e1fac25ad9ece6b2ea64107c8f6bcb6658c33872c0a694e560257e8c1c6a0e8c874348dae3c

Download Submit
C:\Windows\System\YxGiMQd.exe

Filesize
5.2MB

MD5
658cc479710d03f6296f8d52f796cc24

SHA1
57858a82b62d570aedeb4a39a4d05ba39f87c5dc

SHA256
b3b36900c47bc5de850798135d3e10d35bd45615c0d93f4fdb0e6c26f930138a

SHA512
8e4c5ed57e9fdb149aa58e41dd29746c51a64e6185ab073aaa38d0f17b85fdd60e7993873f8b6790ef30b4b57942709ed39cf40857ccf9e6ed5d82f9a62b87df

Download Submit
C:\Windows\System\dcVoIdN.exe

Filesize
5.2MB

MD5
1b7f35c10684d22999115884962fb394

SHA1
9b6d63c4f51f3bb733fa4939eaec34c0e113b2ba

SHA256
8bbffdf514d1ce923469e03fee2adb8aad44d5baa9c403fb852986e2e8ff3c9a

SHA512
90e8ca2626c081edc150db18d079f745343b19b93517ec079af50b115e849a8e59972fc96cdd3d22cfd1c52acb183e20a9e80394ecc4151f1d77e19948a1e1c7

Download Submit
C:\Windows\System\irfeKKr.exe

Filesize
5.2MB

MD5
be13a08675c9d59a0d6821ee7ab3b159

SHA1
d3433fb1cb15534b5078c1305b76e240a0137f99

SHA256
8d2f639c9e3538b3831cd6ef5558a445d979031b88105c689485b19cee482269

SHA512
f3b60e398dc558bacea827fdbc331159bdeec3671c396f35944f53cdf1afbed3507d6c4c7a6f46de5c58d970d618b8e52271aa327a505236d579efe769e3509e

Download Submit
C:\Windows\System\jXxnDDD.exe

Filesize
5.2MB

MD5
a52800e321c135657ba9261a9aa5c460

SHA1
ce75fa16bb08bfe14ada3652e0168a6ee0b947bc

SHA256
4a27906b373ca6736d42d246ba385cd61a23b7e8261155bdcb2d9525e895da8b

SHA512
5a5c0895ecb3b560857591392ccb64c96c681305cc2268ac2add061f127e3ed11a01302923cbdb379354662997cd1e09449d918ad253dc329f7b00a79df5c28e

Download Submit
C:\Windows\System\kJCgNFj.exe

Filesize
5.2MB

MD5
5e778ec8dacb7ee99ddd01be0a3dc796

SHA1
223193839e1a77b2cd41210a533a6515922a6dd9

SHA256
0d740d9834ad0154efed34d1fe84c95aedd9371d5741fdbaa354dce4fe5aa42a

SHA512
de5ed8629218d565923a82b0d468da4c429a733539c034912c02d692322abb11194d4b2bfe77e237e53400ad23a4fabddbad513ec8fd0310932cf4d496039bb9

Download Submit
C:\Windows\System\qiCnXxC.exe

Filesize
5.2MB

MD5
25f3b4bc7d2a4805590fb425dd1b3966

SHA1
7a98c7b7dbcc56bd0f100b3e3aa2f41d458fbd1e

SHA256
bb30b938324b31b72817e7f99de8bdbd9c10ff61de574ab884c792c1cf37788e

SHA512
64feec0c961c858823008e54ba8a75c7439c6ecec950c950e75dcc5f125d9ce4f5449dabe60639a79b8bef53b2fef7957a5e3de68cf7e1ebd06ef130479fd551

Download Submit
C:\Windows\System\twFObBj.exe

Filesize
5.2MB

MD5
f45ff35a5b2f6abc8fa119178c04de4a

SHA1
17c56a01fe401d8d8fcecfa7da877ac75ab020eb

SHA256
c8129163b8a21dd1f39e86ea9abaff5ea46bfe180a6238462484911639bd9086

SHA512
2ac55f866b09e8d8dc95b8722516586115193078f9d4187f2814986131ec04fd12bdbae524c3d30cc8ed9655bb6a62fc649c9ccda9454fd64a22a231b66a0d77

Download Submit
C:\Windows\System\xEhvxxp.exe

Filesize
5.2MB

MD5
7ee659ec26cbace67807a25f6de60cf4

SHA1
74a37caa27a0c619cacb6a2675b59aa972f28606

SHA256
864dd088dc6c4366a91cb50d44fb64e510cfb1c333d49a927bb43d566b26bf79

SHA512
bd24104ff62004078221d6e618ee6c127d1f6afa3b31288878547c946502cb86bf4a3f6a9082f83976e8e59adcbd30633eac5dfc83c52af83836bf9529bc9727

Download Submit
C:\Windows\System\xcROURi.exe

Filesize
5.2MB

MD5
ec66053a5935e598038fc5fa83eeb270

SHA1
81cc7e954d130f260688b6383a7e122ff70cd262

SHA256
5e6db0feefb24b8456cc2ce932166f116cf9090b2b7dbabcff5f5f5b077f46e9

SHA512
582799d8859634053b5b674e50eb6c0a347434ef9c528741b15fdaddfb0b025f118b29cc8058e936628a7570d571a09dcddb0d99d2f7d94016928bf454fad27d

Download Submit
C:\Windows\System\xvsCasR.exe

Filesize
5.2MB

MD5
cbb5b34fa3dba05492673fad3901936d

SHA1
684caec46ce4d9ee416b620fc15668d65f0dd307

SHA256
693c5ebc46ff60b01d77680914673f418f05ac290cd69a7adcd57e3082030091

SHA512
5150fbb134ee8d59f032d87f0ec0c041a00d369b007ce37a1df538ea0144336c7723fad8b3266b325eeedd019b8e951617afe6cfcc3a860e279cbc310932da25

Download Submit
C:\Windows\System\yzNTJeP.exe

Filesize
5.2MB

MD5
97cbb84ce5f132459d14e6a8916ccf0c

SHA1
864045a0699f4ecc18ecc6cd3b0b354ca5247a41

SHA256
4655af5d9248d4cb28d23b92707f2178bd357e2fb9b66918e21f93377cd09dfa

SHA512
e4e2a0adeb584a446f71d21ea79510a964d9d078404479cdb430666b95830dbd1119f7472edad0c44bd81025e444fe78173354915ac5ec9bc399398db9cde6b7

Download Submit
memory/216-125-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp

Filesize
3.3MB

Download
memory/216-164-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp

Filesize
3.3MB

Download
memory/216-272-0x00007FF7CB0B0000-0x00007FF7CB401000-memory.dmp

Filesize
3.3MB

Download
memory/528-50-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp

Filesize
3.3MB

Download
memory/528-131-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp

Filesize
3.3MB

Download
memory/528-252-0x00007FF7B54C0000-0x00007FF7B5811000-memory.dmp

Filesize
3.3MB

Download
memory/872-119-0x00007FF74D460000-0x00007FF74D7B1000-memory.dmp

Filesize
3.3MB

Download
memory/872-39-0x00007FF74D460000-0x00007FF74D7B1000-memory.dmp

Filesize
3.3MB

Download
memory/872-236-0x00007FF74D460000-0x00007FF74D7B1000-memory.dmp

Filesize
3.3MB

Download
memory/1364-140-0x00007FF746170000-0x00007FF7464C1000-memory.dmp

Filesize
3.3MB

Download
memory/1364-82-0x00007FF746170000-0x00007FF7464C1000-memory.dmp

Filesize
3.3MB

Download
memory/1364-258-0x00007FF746170000-0x00007FF7464C1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-249-0x00007FF6ADA50000-0x00007FF6ADDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-138-0x00007FF6ADA50000-0x00007FF6ADDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-57-0x00007FF6ADA50000-0x00007FF6ADDA1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-228-0x00007FF6F02F0000-0x00007FF6F0641000-memory.dmp

Filesize
3.3MB

Download
memory/1564-83-0x00007FF6F02F0000-0x00007FF6F0641000-memory.dmp

Filesize
3.3MB

Download
memory/1564-15-0x00007FF6F02F0000-0x00007FF6F0641000-memory.dmp

Filesize
3.3MB

Download
memory/1944-264-0x00007FF62BDD0000-0x00007FF62C121000-memory.dmp

Filesize
3.3MB

Download
memory/1944-160-0x00007FF62BDD0000-0x00007FF62C121000-memory.dmp

Filesize
3.3MB

Download
memory/1944-104-0x00007FF62BDD0000-0x00007FF62C121000-memory.dmp

Filesize
3.3MB

Download
memory/2036-260-0x00007FF6425F0000-0x00007FF642941000-memory.dmp

Filesize
3.3MB

Download
memory/2036-90-0x00007FF6425F0000-0x00007FF642941000-memory.dmp

Filesize
3.3MB

Download
memory/2036-147-0x00007FF6425F0000-0x00007FF642941000-memory.dmp

Filesize
3.3MB

Download
memory/2236-98-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-17-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-230-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-132-0x00007FF76CBB0000-0x00007FF76CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2624-69-0x00007FF76CBB0000-0x00007FF76CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2624-256-0x00007FF76CBB0000-0x00007FF76CF01000-memory.dmp

Filesize
3.3MB

Download
memory/2776-246-0x00007FF6D2300000-0x00007FF6D2651000-memory.dmp

Filesize
3.3MB

Download
memory/2776-123-0x00007FF6D2300000-0x00007FF6D2651000-memory.dmp

Filesize
3.3MB

Download
memory/2776-48-0x00007FF6D2300000-0x00007FF6D2651000-memory.dmp

Filesize
3.3MB

Download
memory/2844-226-0x00007FF79A9C0000-0x00007FF79AD11000-memory.dmp

Filesize
3.3MB

Download
memory/2844-76-0x00007FF79A9C0000-0x00007FF79AD11000-memory.dmp

Filesize
3.3MB

Download
memory/2844-9-0x00007FF79A9C0000-0x00007FF79AD11000-memory.dmp

Filesize
3.3MB

Download
memory/3168-141-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp

Filesize
3.3MB

Download
memory/3168-169-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp

Filesize
3.3MB

Download
memory/3168-70-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp

Filesize
3.3MB

Download
memory/3168-0-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp

Filesize
3.3MB

Download
memory/3168-1-0x000001EC6D640000-0x000001EC6D650000-memory.dmp

Filesize
64KB

Download
memory/3196-251-0x00007FF71D100000-0x00007FF71D451000-memory.dmp

Filesize
3.3MB

Download
memory/3196-77-0x00007FF71D100000-0x00007FF71D451000-memory.dmp

Filesize
3.3MB

Download
memory/3324-276-0x00007FF789030000-0x00007FF789381000-memory.dmp

Filesize
3.3MB

Download
memory/3324-165-0x00007FF789030000-0x00007FF789381000-memory.dmp

Filesize
3.3MB

Download
memory/3324-126-0x00007FF789030000-0x00007FF789381000-memory.dmp

Filesize
3.3MB

Download
memory/3564-255-0x00007FF68E650000-0x00007FF68E9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-139-0x00007FF68E650000-0x00007FF68E9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3564-78-0x00007FF68E650000-0x00007FF68E9A1000-memory.dmp

Filesize
3.3MB

Download
memory/4056-161-0x00007FF61E120000-0x00007FF61E471000-memory.dmp

Filesize
3.3MB

Download
memory/4056-106-0x00007FF61E120000-0x00007FF61E471000-memory.dmp

Filesize
3.3MB

Download
memory/4056-268-0x00007FF61E120000-0x00007FF61E471000-memory.dmp

Filesize
3.3MB

Download
memory/4108-263-0x00007FF6455A0000-0x00007FF6458F1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-110-0x00007FF6455A0000-0x00007FF6458F1000-memory.dmp

Filesize
3.3MB

Download
memory/4108-162-0x00007FF6455A0000-0x00007FF6458F1000-memory.dmp

Filesize
3.3MB

Download
memory/4200-148-0x00007FF65BEF0000-0x00007FF65C241000-memory.dmp

Filesize
3.3MB

Download
memory/4200-266-0x00007FF65BEF0000-0x00007FF65C241000-memory.dmp

Filesize
3.3MB

Download
memory/4200-103-0x00007FF65BEF0000-0x00007FF65C241000-memory.dmp

Filesize
3.3MB

Download
memory/4432-168-0x00007FF642AC0000-0x00007FF642E11000-memory.dmp

Filesize
3.3MB

Download
memory/4432-133-0x00007FF642AC0000-0x00007FF642E11000-memory.dmp

Filesize
3.3MB

Download
memory/4432-274-0x00007FF642AC0000-0x00007FF642E11000-memory.dmp

Filesize
3.3MB

Download
memory/4624-107-0x00007FF6A1810000-0x00007FF6A1B61000-memory.dmp

Filesize
3.3MB

Download
memory/4624-232-0x00007FF6A1810000-0x00007FF6A1B61000-memory.dmp

Filesize
3.3MB

Download
memory/4624-26-0x00007FF6A1810000-0x00007FF6A1B61000-memory.dmp

Filesize
3.3MB

Download
memory/5028-108-0x00007FF7C5FD0000-0x00007FF7C6321000-memory.dmp

Filesize
3.3MB

Download
memory/5028-34-0x00007FF7C5FD0000-0x00007FF7C6321000-memory.dmp

Filesize
3.3MB

Download
memory/5028-234-0x00007FF7C5FD0000-0x00007FF7C6321000-memory.dmp

Filesize
3.3MB

Download