cobaltstrike | 3b3c7cebe77af74c7644cdec1d13f54980a12490178ffb59a21ba8ca4b582c15

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b2a46e0e8b49270dd16c3a0e5e9e084e
SHA1

815f7f3161bc331b4e4cc0e8565f0615f14c1cce
SHA256

3b3c7cebe77af74c7644cdec1d13f54980a12490178ffb59a21ba8ca4b582c15
SHA512

62283d2d05e6d27d8f25c6a074986fbc4ceea5c66aea7c399102d3b6947ef253a77d39e617790b5cf932daca6c9a5c71791ce2d1426fe326495a4fc42d49d467
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l4:RWWBibf56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023493-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023495-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023494-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023497-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023499-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023498-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349b-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349c-54.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349d-78.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a0-86.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023491-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349f-81.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349e-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349a-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023496-34.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a2-105.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a4-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a6-137.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-129.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a3-122.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a1-107.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4704-88-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp	xmrig
behavioral2/memory/5064-95-0x00007FF745450000-0x00007FF7457A1000-memory.dmp	xmrig
behavioral2/memory/4052-94-0x00007FF7646F0000-0x00007FF764A41000-memory.dmp	xmrig
behavioral2/memory/1868-100-0x00007FF6C8060000-0x00007FF6C83B1000-memory.dmp	xmrig
behavioral2/memory/3856-124-0x00007FF7220C0000-0x00007FF722411000-memory.dmp	xmrig
behavioral2/memory/1908-140-0x00007FF600450000-0x00007FF6007A1000-memory.dmp	xmrig
behavioral2/memory/3144-138-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	xmrig
behavioral2/memory/4840-136-0x00007FF78C320000-0x00007FF78C671000-memory.dmp	xmrig
behavioral2/memory/1428-135-0x00007FF7DB390000-0x00007FF7DB6E1000-memory.dmp	xmrig
behavioral2/memory/4576-127-0x00007FF7A9D60000-0x00007FF7AA0B1000-memory.dmp	xmrig
behavioral2/memory/2124-126-0x00007FF6A4880000-0x00007FF6A4BD1000-memory.dmp	xmrig
behavioral2/memory/3940-115-0x00007FF78F0D0000-0x00007FF78F421000-memory.dmp	xmrig
behavioral2/memory/4984-114-0x00007FF740D50000-0x00007FF7410A1000-memory.dmp	xmrig
behavioral2/memory/4744-99-0x00007FF6953D0000-0x00007FF695721000-memory.dmp	xmrig
behavioral2/memory/4980-142-0x00007FF6AF370000-0x00007FF6AF6C1000-memory.dmp	xmrig
behavioral2/memory/4704-143-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp	xmrig
behavioral2/memory/2784-151-0x00007FF63F4C0000-0x00007FF63F811000-memory.dmp	xmrig
behavioral2/memory/1068-160-0x00007FF735220000-0x00007FF735571000-memory.dmp	xmrig
behavioral2/memory/736-161-0x00007FF7B0880000-0x00007FF7B0BD1000-memory.dmp	xmrig
behavioral2/memory/1920-163-0x00007FF6247C0000-0x00007FF624B11000-memory.dmp	xmrig
behavioral2/memory/3120-162-0x00007FF631510000-0x00007FF631861000-memory.dmp	xmrig
behavioral2/memory/3324-168-0x00007FF7F6830000-0x00007FF7F6B81000-memory.dmp	xmrig
behavioral2/memory/2456-169-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp	xmrig
behavioral2/memory/4704-170-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp	xmrig
behavioral2/memory/4052-227-0x00007FF7646F0000-0x00007FF764A41000-memory.dmp	xmrig
behavioral2/memory/4744-231-0x00007FF6953D0000-0x00007FF695721000-memory.dmp	xmrig
behavioral2/memory/4984-233-0x00007FF740D50000-0x00007FF7410A1000-memory.dmp	xmrig
behavioral2/memory/1868-235-0x00007FF6C8060000-0x00007FF6C83B1000-memory.dmp	xmrig
behavioral2/memory/3940-237-0x00007FF78F0D0000-0x00007FF78F421000-memory.dmp	xmrig
behavioral2/memory/3856-239-0x00007FF7220C0000-0x00007FF722411000-memory.dmp	xmrig
behavioral2/memory/5064-229-0x00007FF745450000-0x00007FF7457A1000-memory.dmp	xmrig
behavioral2/memory/2124-245-0x00007FF6A4880000-0x00007FF6A4BD1000-memory.dmp	xmrig
behavioral2/memory/4840-247-0x00007FF78C320000-0x00007FF78C671000-memory.dmp	xmrig
behavioral2/memory/4576-249-0x00007FF7A9D60000-0x00007FF7AA0B1000-memory.dmp	xmrig
behavioral2/memory/3144-255-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	xmrig
behavioral2/memory/1908-254-0x00007FF600450000-0x00007FF6007A1000-memory.dmp	xmrig
behavioral2/memory/4980-259-0x00007FF6AF370000-0x00007FF6AF6C1000-memory.dmp	xmrig
behavioral2/memory/2784-257-0x00007FF63F4C0000-0x00007FF63F811000-memory.dmp	xmrig
behavioral2/memory/1428-251-0x00007FF7DB390000-0x00007FF7DB6E1000-memory.dmp	xmrig
behavioral2/memory/1068-267-0x00007FF735220000-0x00007FF735571000-memory.dmp	xmrig
behavioral2/memory/3120-269-0x00007FF631510000-0x00007FF631861000-memory.dmp	xmrig
behavioral2/memory/1920-275-0x00007FF6247C0000-0x00007FF624B11000-memory.dmp	xmrig
behavioral2/memory/3324-273-0x00007FF7F6830000-0x00007FF7F6B81000-memory.dmp	xmrig
behavioral2/memory/736-271-0x00007FF7B0880000-0x00007FF7B0BD1000-memory.dmp	xmrig
behavioral2/memory/2456-277-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4052	TAdqNKU.exe
5064	pHFpuJK.exe
4744	jBBPSnJ.exe
4984	CRjwBnz.exe
1868	zyUCQLl.exe
3940	nNCcnQT.exe
3856	TMdymvC.exe
2124	uCsFjsC.exe
4840	xypSPvJ.exe
4576	TMOZwPl.exe
1428	obNWOmb.exe
1908	kPYbGfG.exe
3144	uaMKZaW.exe
4980	NFZzdHY.exe
2784	lbrjsSY.exe
1068	ObeMgkx.exe
736	QlBcWBV.exe
3120	hcsVrvw.exe
1920	DbBjKBX.exe
3324	LhqEkKB.exe
2456	Pvzebgi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4704-0-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp	upx
behavioral2/files/0x0008000000023493-4.dat	upx
behavioral2/files/0x0007000000023495-9.dat	upx
behavioral2/memory/4744-21-0x00007FF6953D0000-0x00007FF695721000-memory.dmp	upx
behavioral2/files/0x0007000000023494-11.dat	upx
behavioral2/memory/4052-10-0x00007FF7646F0000-0x00007FF764A41000-memory.dmp	upx
behavioral2/memory/5064-17-0x00007FF745450000-0x00007FF7457A1000-memory.dmp	upx
behavioral2/files/0x0007000000023497-23.dat	upx
behavioral2/memory/4984-33-0x00007FF740D50000-0x00007FF7410A1000-memory.dmp	upx
behavioral2/files/0x0007000000023499-39.dat	upx
behavioral2/files/0x0007000000023498-40.dat	upx
behavioral2/files/0x000700000002349b-51.dat	upx
behavioral2/files/0x000700000002349c-54.dat	upx
behavioral2/memory/4576-60-0x00007FF7A9D60000-0x00007FF7AA0B1000-memory.dmp	upx
behavioral2/memory/4840-65-0x00007FF78C320000-0x00007FF78C671000-memory.dmp	upx
behavioral2/memory/3144-75-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	upx
behavioral2/files/0x000700000002349d-78.dat	upx
behavioral2/files/0x00070000000234a0-86.dat	upx
behavioral2/files/0x0008000000023491-90.dat	upx
behavioral2/memory/2784-89-0x00007FF63F4C0000-0x00007FF63F811000-memory.dmp	upx
behavioral2/memory/4704-88-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp	upx
behavioral2/memory/4980-85-0x00007FF6AF370000-0x00007FF6AF6C1000-memory.dmp	upx
behavioral2/files/0x000700000002349f-81.dat	upx
behavioral2/files/0x000700000002349e-80.dat	upx
behavioral2/memory/1908-77-0x00007FF600450000-0x00007FF6007A1000-memory.dmp	upx
behavioral2/memory/1428-68-0x00007FF7DB390000-0x00007FF7DB6E1000-memory.dmp	upx
behavioral2/files/0x000700000002349a-57.dat	upx
behavioral2/memory/2124-48-0x00007FF6A4880000-0x00007FF6A4BD1000-memory.dmp	upx
behavioral2/memory/3856-42-0x00007FF7220C0000-0x00007FF722411000-memory.dmp	upx
behavioral2/memory/3940-38-0x00007FF78F0D0000-0x00007FF78F421000-memory.dmp	upx
behavioral2/files/0x0007000000023496-34.dat	upx
behavioral2/memory/1868-32-0x00007FF6C8060000-0x00007FF6C83B1000-memory.dmp	upx
behavioral2/memory/5064-95-0x00007FF745450000-0x00007FF7457A1000-memory.dmp	upx
behavioral2/memory/4052-94-0x00007FF7646F0000-0x00007FF764A41000-memory.dmp	upx
behavioral2/memory/1068-106-0x00007FF735220000-0x00007FF735571000-memory.dmp	upx
behavioral2/files/0x00070000000234a2-105.dat	upx
behavioral2/memory/1868-100-0x00007FF6C8060000-0x00007FF6C83B1000-memory.dmp	upx
behavioral2/files/0x00070000000234a4-113.dat	upx
behavioral2/memory/3856-124-0x00007FF7220C0000-0x00007FF722411000-memory.dmp	upx
behavioral2/memory/1908-140-0x00007FF600450000-0x00007FF6007A1000-memory.dmp	upx
behavioral2/memory/2456-139-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp	upx
behavioral2/memory/3144-138-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp	upx
behavioral2/files/0x00070000000234a6-137.dat	upx
behavioral2/memory/4840-136-0x00007FF78C320000-0x00007FF78C671000-memory.dmp	upx
behavioral2/memory/1428-135-0x00007FF7DB390000-0x00007FF7DB6E1000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-129.dat	upx
behavioral2/memory/3324-128-0x00007FF7F6830000-0x00007FF7F6B81000-memory.dmp	upx
behavioral2/memory/4576-127-0x00007FF7A9D60000-0x00007FF7AA0B1000-memory.dmp	upx
behavioral2/memory/2124-126-0x00007FF6A4880000-0x00007FF6A4BD1000-memory.dmp	upx
behavioral2/memory/1920-123-0x00007FF6247C0000-0x00007FF624B11000-memory.dmp	upx
behavioral2/files/0x00070000000234a3-122.dat	upx
behavioral2/memory/3120-117-0x00007FF631510000-0x00007FF631861000-memory.dmp	upx
behavioral2/memory/3940-115-0x00007FF78F0D0000-0x00007FF78F421000-memory.dmp	upx
behavioral2/memory/4984-114-0x00007FF740D50000-0x00007FF7410A1000-memory.dmp	upx
behavioral2/memory/736-109-0x00007FF7B0880000-0x00007FF7B0BD1000-memory.dmp	upx
behavioral2/files/0x00070000000234a1-107.dat	upx
behavioral2/memory/4744-99-0x00007FF6953D0000-0x00007FF695721000-memory.dmp	upx
behavioral2/memory/4980-142-0x00007FF6AF370000-0x00007FF6AF6C1000-memory.dmp	upx
behavioral2/memory/4704-143-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp	upx
behavioral2/memory/2784-151-0x00007FF63F4C0000-0x00007FF63F811000-memory.dmp	upx
behavioral2/memory/1068-160-0x00007FF735220000-0x00007FF735571000-memory.dmp	upx
behavioral2/memory/736-161-0x00007FF7B0880000-0x00007FF7B0BD1000-memory.dmp	upx
behavioral2/memory/1920-163-0x00007FF6247C0000-0x00007FF624B11000-memory.dmp	upx
behavioral2/memory/3120-162-0x00007FF631510000-0x00007FF631861000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NFZzdHY.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QlBcWBV.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LhqEkKB.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMdymvC.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nNCcnQT.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMOZwPl.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\obNWOmb.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kPYbGfG.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ObeMgkx.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DbBjKBX.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zyUCQLl.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uaMKZaW.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lbrjsSY.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hcsVrvw.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Pvzebgi.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jBBPSnJ.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pHFpuJK.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CRjwBnz.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCsFjsC.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xypSPvJ.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TAdqNKU.exe	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4052	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4704 wrote to memory of 4052	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4704 wrote to memory of 5064	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4704 wrote to memory of 5064	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4704 wrote to memory of 4744	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4704 wrote to memory of 4744	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4704 wrote to memory of 4984	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4704 wrote to memory of 4984	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4704 wrote to memory of 1868	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4704 wrote to memory of 1868	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4704 wrote to memory of 3940	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4704 wrote to memory of 3940	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4704 wrote to memory of 3856	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4704 wrote to memory of 3856	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4704 wrote to memory of 2124	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4704 wrote to memory of 2124	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4704 wrote to memory of 4840	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4704 wrote to memory of 4840	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4704 wrote to memory of 4576	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4704 wrote to memory of 4576	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4704 wrote to memory of 1428	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4704 wrote to memory of 1428	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4704 wrote to memory of 1908	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4704 wrote to memory of 1908	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4704 wrote to memory of 3144	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4704 wrote to memory of 3144	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4704 wrote to memory of 4980	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4704 wrote to memory of 4980	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4704 wrote to memory of 2784	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4704 wrote to memory of 2784	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4704 wrote to memory of 1068	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4704 wrote to memory of 1068	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4704 wrote to memory of 736	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4704 wrote to memory of 736	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4704 wrote to memory of 3120	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4704 wrote to memory of 3120	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4704 wrote to memory of 1920	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4704 wrote to memory of 1920	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4704 wrote to memory of 3324	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4704 wrote to memory of 3324	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4704 wrote to memory of 2456	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4704 wrote to memory of 2456	4704	2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_b2a46e0e8b49270dd16c3a0e5e9e084e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\System\TAdqNKU.exe
  C:\Windows\System\TAdqNKU.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\pHFpuJK.exe
  C:\Windows\System\pHFpuJK.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\jBBPSnJ.exe
  C:\Windows\System\jBBPSnJ.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\CRjwBnz.exe
  C:\Windows\System\CRjwBnz.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\zyUCQLl.exe
  C:\Windows\System\zyUCQLl.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\nNCcnQT.exe
  C:\Windows\System\nNCcnQT.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\TMdymvC.exe
  C:\Windows\System\TMdymvC.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\uCsFjsC.exe
  C:\Windows\System\uCsFjsC.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\xypSPvJ.exe
  C:\Windows\System\xypSPvJ.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\TMOZwPl.exe
  C:\Windows\System\TMOZwPl.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\obNWOmb.exe
  C:\Windows\System\obNWOmb.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\kPYbGfG.exe
  C:\Windows\System\kPYbGfG.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\uaMKZaW.exe
  C:\Windows\System\uaMKZaW.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\NFZzdHY.exe
  C:\Windows\System\NFZzdHY.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\lbrjsSY.exe
  C:\Windows\System\lbrjsSY.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\ObeMgkx.exe
  C:\Windows\System\ObeMgkx.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\QlBcWBV.exe
  C:\Windows\System\QlBcWBV.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\hcsVrvw.exe
  C:\Windows\System\hcsVrvw.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\DbBjKBX.exe
  C:\Windows\System\DbBjKBX.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\LhqEkKB.exe
  C:\Windows\System\LhqEkKB.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\Pvzebgi.exe
  C:\Windows\System\Pvzebgi.exe
  2⤵
  - Executes dropped EXE
  PID:2456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CRjwBnz.exe

Filesize
5.2MB

MD5
8885c5661f8767f629ae7cc95d09336a

SHA1
7c18ff42ec959c8fdf13bcdedc0174d048a8106d

SHA256
51e727aa6ff8f8feaf57efb42a7f52f1ced77d21b504f9668bb14d0b5ce1f07d

SHA512
e83c8933434ea821c2c674a51efcef11c627d72e403188c18059eeee6f5bef3515d6eaab61c6638dce8cc032a48cebef77ed763087cb546251ae7f9b4eccfcb8

Download Submit
C:\Windows\System\DbBjKBX.exe

Filesize
5.2MB

MD5
2619ce162f9d36d07483cbe47675323b

SHA1
e0c1ed4d4ab0d0af13e35edcc080db8ec8882e9b

SHA256
9d016729ea68abef58bd0b0378c289cf20ebba1799eab7714facecb82d52d670

SHA512
7d33f5ebb04d2b5785f44d326b1805e2eec9e702803df24e61ebcb2c6484119a7a5066f161010c062d0ca75af59aee76dc748bacb46775c2407ee9b13d02f74d

Download Submit
C:\Windows\System\LhqEkKB.exe

Filesize
5.2MB

MD5
9c0ccadc5a89e3697c574c64e2e2b4db

SHA1
493e7fce67fce3db0e8ad312e21191f370e27fbb

SHA256
6cd54c53615339cae1f3efad7670693d2914b5262ae2f2daea0ab49c1894f59d

SHA512
39d5a1a115040283ceeb91e2b262541ad3a1839a7f322f5b7a8cd9e142ece505fdcd8db0c3f40899f5a3f65458c7fdf0e01f07bd6bcc7207596b9a1e584165cc

Download Submit
C:\Windows\System\NFZzdHY.exe

Filesize
5.2MB

MD5
70cf0983147120ba66214709ef48167d

SHA1
85f425e9d8dd3fd5b484e9d7bccb38ae4d6386d5

SHA256
0f4d99dcbd04d3b4c241d63d934d0304f0a438ca7e924de03c1e2b69e9031005

SHA512
21ef2e467d68ba600812d2b0007484848a63b55490f88f48c8428317a188fbc22e0ca6c8eb97a1a95b113f629be248f32adf92e1ad1cca7a2b77f06cc9be3197

Download Submit
C:\Windows\System\ObeMgkx.exe

Filesize
5.2MB

MD5
f92d76e2f763ab61f34362fbd756b286

SHA1
aa04d14e41b0e3011c319b9a27eed001fe0678f8

SHA256
910e972b283111b733c1d9e184f1904f4c91e9f7b1eefeec51523bf951786bd9

SHA512
f45c074c76b3df946de837593f250e2e583d5e970bb8e5cf0b06852a5f2aaefde2cd1961eeb30a3794a4c3c1dc4db38ecbd9865b7656f6981225facd668e17d0

Download Submit
C:\Windows\System\Pvzebgi.exe

Filesize
5.2MB

MD5
d2d164307c63f84808d7200e7fdf3ed8

SHA1
75970fc28a37ebb4095a4acdd14278d2dcd9abd7

SHA256
19d2be30e2b4c37c8be37687ce9986c230b1f60790444b111937abf96a870250

SHA512
151193f0d763f6ef60bcf30745d8dcb9669ba93dccc805e0f9560ff22a4f1a37b70dbb0f04a9b759df257df3cf114debd2b689efe9914ef00eefcac6a233bdb0

Download Submit
C:\Windows\System\QlBcWBV.exe

Filesize
5.2MB

MD5
6b55850d572228e8d6af8f778662ad5d

SHA1
8fbc6d75ed615fe4e8ddb0821fbeb188e3bf49e2

SHA256
7c095fd1c97b4fc870c30b9bde3024c6cd236a333873be62f9c59d3223e1a609

SHA512
a5b2fdf25e29b776c2c3eb3a11ccdacfb1a0093d22d552ee36f9ea243972741fa483e236b46c56b1dc698a7322ebdeadc32d90bf471d52350efc1a4ab8da12b6

Download Submit
C:\Windows\System\TAdqNKU.exe

Filesize
5.2MB

MD5
62f70c32755809f8184c8e349e2dd994

SHA1
7853836f0d3b7e36415443edddd38ae5f6c7091b

SHA256
b256d97e8311e2bd8ba41cca2a49434e820202b450594a9abaaac73c85d03396

SHA512
847eb1ffac125985d438714cb78c2862e13bf8fc7df488b863a19aae2d5d920dd1ef15acc9cf1ef13a86791a648c03f68849f3ae724a6070461f676ba88c2b13

Download Submit
C:\Windows\System\TMOZwPl.exe

Filesize
5.2MB

MD5
073d3287ed4b3b2674faefb05238145f

SHA1
509f83fc24af6c20e83809f27f9834056fa1de6d

SHA256
b5dd1f776fceb8c98c28813bbf419090624f08dc2237627f61f0b6cd386e3339

SHA512
7d97ef20134cbb240135e3d9b5744e8ba252ef4de4ee6e6e7e02a5419f7581d4c31048ada891f1ff5fc0dad1625b893a54d4c9a1e4271183a84196fc6b95a3cf

Download Submit
C:\Windows\System\TMdymvC.exe

Filesize
5.2MB

MD5
0073d6a1586fa7b7df97e14b3fe0dd3b

SHA1
9baeebd472fcf4b7033e62c3acabd16c045fcf23

SHA256
b439897454f45499c637847ff0daafc70be0a280e9cf77b2c74415a490449ea9

SHA512
c15d244603d0d435cf76fb15c7f5af15a2c5eb9701bbdf7f585840e7638ced2e5bf64d7fba621ea84365e2a7d1681fd98661f70c80ecd537cf051cb37c8defac

Download Submit
C:\Windows\System\hcsVrvw.exe

Filesize
5.2MB

MD5
28eeb51cf076729183e9d80cf58a4564

SHA1
b4116c5f7c4c3f7b562aee2c986b1f0f1bbf3600

SHA256
6b2c4300f0e3c7b804a95e7aff15371583849f19007a5b5bfee80b50191fe96f

SHA512
627e745464a9656a165873f6ce9ab5afeeeaec560ec779445083b81f4a23a236680828302b3810ca48288a55dc6fef49d174b96800e476b6694b524022bf9ecd

Download Submit
C:\Windows\System\jBBPSnJ.exe

Filesize
5.2MB

MD5
078e97b581fa0a8b5e0cfc6819b8bd59

SHA1
6a4128adb2349872d14cbfea7476379d65787e3a

SHA256
31c6c5e6525097b444faa597e7aa74ff75062ee379b9d581913bbb172e57e3b7

SHA512
b48ad8c4fe4194be0e79f4b0210f185d7675c375a235ac0673b01ba35dff1e3f79f9d4bc2af2bb9f41e77374d1a25896e6621cbb5a691ca10bac1bd8a170024a

Download Submit
C:\Windows\System\kPYbGfG.exe

Filesize
5.2MB

MD5
04493ff4636ffc676968777294068c21

SHA1
c4690f35a55484090535702efc225f71287b02fa

SHA256
771f26f8d386dc90aee4ab7d19c3a5a0a00fc49e41e0fd80dab44f6785d5f62f

SHA512
6604073d506c2c07df500c755d5e73e8b037f76ac6f9a4eeb134f7ea47593ea1e2fa4bc4a7822b680c2110138bf87baf87368c14e3062cee65ae72d1a3f068a5

Download Submit
C:\Windows\System\lbrjsSY.exe

Filesize
5.2MB

MD5
e3c36197fb63ccf4498b77e4ec51dea5

SHA1
cbeac42428a1de9321af35a9c8473655e4a2ae61

SHA256
7ad172958d7e1c3392575863eef1257ff8ee160ad3cf5169bce35a2d993058d1

SHA512
c9c0f41fd9a9743d5184e241bd00dd72de164b445cf16f7709c453581af33529c44789eea69664323797b4ffe41ce832473368147d2ad97f23fb6264f6a3fa9a

Download Submit
C:\Windows\System\nNCcnQT.exe

Filesize
5.2MB

MD5
0e7c4cda8780fad25d5766e2ecd2a3c2

SHA1
281e43d70798d86f04f5b481196041faee25e273

SHA256
ff5822a85248ce106c746530599e7e23c93ad517bebfe3462cb97499f3f31762

SHA512
0c8566012778bdb5952db6e71f500386153d7a437933ee796580fb54ccb59c179de414283bffc28439742894df9b729c5ef5f15a8cc078b9632160b37e69177a

Download Submit
C:\Windows\System\obNWOmb.exe

Filesize
5.2MB

MD5
179f797bf0573a64bc0e940136b40e4c

SHA1
a4c33261486a9dee17757493d5125a028ae11032

SHA256
10837d925c611e51a45cf6c6b81ec57e76358d064023d614275b559873c8449e

SHA512
7689c3b68790a9dcf554537f76f4e53aab825558813da05a0df9b25913480a16fd92c206a59f8e367f9a35a8fb75f15b2c1d680a76f25d9090be8fbdc84a2bef

Download Submit
C:\Windows\System\pHFpuJK.exe

Filesize
5.2MB

MD5
a4f3cc089c8de549bee63868cc9c0c3a

SHA1
3012a7591728871b3d6ac2dd60e0fcf05aeb4cb8

SHA256
df24da9209026430e5d9733d9be4beff9510f1657634bc117eba66bf43e5ea02

SHA512
632ebe36e82b093b8a800c3e207ab6c8d01f58ab77d697696c46f1b140690293bbc392a019955f91ac53dc0522cf32ba5f454f59dc834983db285f48a59ea000

Download Submit
C:\Windows\System\uCsFjsC.exe

Filesize
5.2MB

MD5
bdb2127610a8f14469da608ab194fec4

SHA1
719a33bcf0175ac963727aeec249455ac38564e5

SHA256
7bf2b931aec737b04f37d837c05f9c119e4d2c19502c86769977c5fa7e8853fc

SHA512
e6c2031550fb39d2aa40802da5615e686ddebf7131f209183225eadad1b183b73350bb4dc715c99e82a440ce78f29f9085b9351029078749d3e0342f031f80fb

Download Submit
C:\Windows\System\uaMKZaW.exe

Filesize
5.2MB

MD5
524425a5c1ac10c8543013b447da812e

SHA1
46456987a28db40fc7c826b5341abd0b35a1f5d7

SHA256
6ce61eaeb9f35c4435966990b2b6a38e00f3a6e4bb3b67e44734fc630b941b7f

SHA512
e473e8be7ad50c3c32c0a29fe503fba604ff26d63474b7d68d54e8e0774c015682f1e21b2e1113c57834dcf5f59f63dbbbd6ddc94bbda37a042c6a91245cf533

Download Submit
C:\Windows\System\xypSPvJ.exe

Filesize
5.2MB

MD5
c6e50b629d28d744907705b61af07abc

SHA1
026f694e6f6f5b0b02151b6f43ab0164e23b5f60

SHA256
de360e88cafd14af35b29f79d60d559f6a741f54f870693e4417912eb6e11f93

SHA512
8b45b7cdb2f1bf45816bc9d59378d928c8be5d9383e07ee9e5b49d363ebadf7b0a766e34b9e0440a069c67b31b13a87a4f22ead7472472c592f5af012e53d3d2

Download Submit
C:\Windows\System\zyUCQLl.exe

Filesize
5.2MB

MD5
5808d2ab02fd361c7765781845b8f0fc

SHA1
243c4bfbcc9cea86d380fdc3a7c84d65169efd84

SHA256
d5c153259d10cd15131741f6b764a04819681e45d84403e0b1f016523405c20e

SHA512
be2c76cc73c8f9bc7ec4575a5e504824111132dd939458a630b482cd5df31763146b911a4c8aed8178e25f42ff676c6f80a83d5f1ce0a872f030c18beeaebb43

Download Submit
memory/736-161-0x00007FF7B0880000-0x00007FF7B0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/736-271-0x00007FF7B0880000-0x00007FF7B0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/736-109-0x00007FF7B0880000-0x00007FF7B0BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-160-0x00007FF735220000-0x00007FF735571000-memory.dmp

Filesize
3.3MB

Download
memory/1068-106-0x00007FF735220000-0x00007FF735571000-memory.dmp

Filesize
3.3MB

Download
memory/1068-267-0x00007FF735220000-0x00007FF735571000-memory.dmp

Filesize
3.3MB

Download
memory/1428-68-0x00007FF7DB390000-0x00007FF7DB6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-251-0x00007FF7DB390000-0x00007FF7DB6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-135-0x00007FF7DB390000-0x00007FF7DB6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-100-0x00007FF6C8060000-0x00007FF6C83B1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-235-0x00007FF6C8060000-0x00007FF6C83B1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-32-0x00007FF6C8060000-0x00007FF6C83B1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-140-0x00007FF600450000-0x00007FF6007A1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-254-0x00007FF600450000-0x00007FF6007A1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-77-0x00007FF600450000-0x00007FF6007A1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-163-0x00007FF6247C0000-0x00007FF624B11000-memory.dmp

Filesize
3.3MB

Download
memory/1920-275-0x00007FF6247C0000-0x00007FF624B11000-memory.dmp

Filesize
3.3MB

Download
memory/1920-123-0x00007FF6247C0000-0x00007FF624B11000-memory.dmp

Filesize
3.3MB

Download
memory/2124-126-0x00007FF6A4880000-0x00007FF6A4BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-245-0x00007FF6A4880000-0x00007FF6A4BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2124-48-0x00007FF6A4880000-0x00007FF6A4BD1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-139-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp

Filesize
3.3MB

Download
memory/2456-277-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp

Filesize
3.3MB

Download
memory/2456-169-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp

Filesize
3.3MB

Download
memory/2784-151-0x00007FF63F4C0000-0x00007FF63F811000-memory.dmp

Filesize
3.3MB

Download
memory/2784-257-0x00007FF63F4C0000-0x00007FF63F811000-memory.dmp

Filesize
3.3MB

Download
memory/2784-89-0x00007FF63F4C0000-0x00007FF63F811000-memory.dmp

Filesize
3.3MB

Download
memory/3120-162-0x00007FF631510000-0x00007FF631861000-memory.dmp

Filesize
3.3MB

Download
memory/3120-269-0x00007FF631510000-0x00007FF631861000-memory.dmp

Filesize
3.3MB

Download
memory/3120-117-0x00007FF631510000-0x00007FF631861000-memory.dmp

Filesize
3.3MB

Download
memory/3144-75-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp

Filesize
3.3MB

Download
memory/3144-255-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp

Filesize
3.3MB

Download
memory/3144-138-0x00007FF7B0310000-0x00007FF7B0661000-memory.dmp

Filesize
3.3MB

Download
memory/3324-168-0x00007FF7F6830000-0x00007FF7F6B81000-memory.dmp

Filesize
3.3MB

Download
memory/3324-128-0x00007FF7F6830000-0x00007FF7F6B81000-memory.dmp

Filesize
3.3MB

Download
memory/3324-273-0x00007FF7F6830000-0x00007FF7F6B81000-memory.dmp

Filesize
3.3MB

Download
memory/3856-42-0x00007FF7220C0000-0x00007FF722411000-memory.dmp

Filesize
3.3MB

Download
memory/3856-239-0x00007FF7220C0000-0x00007FF722411000-memory.dmp

Filesize
3.3MB

Download
memory/3856-124-0x00007FF7220C0000-0x00007FF722411000-memory.dmp

Filesize
3.3MB

Download
memory/3940-38-0x00007FF78F0D0000-0x00007FF78F421000-memory.dmp

Filesize
3.3MB

Download
memory/3940-115-0x00007FF78F0D0000-0x00007FF78F421000-memory.dmp

Filesize
3.3MB

Download
memory/3940-237-0x00007FF78F0D0000-0x00007FF78F421000-memory.dmp

Filesize
3.3MB

Download
memory/4052-227-0x00007FF7646F0000-0x00007FF764A41000-memory.dmp

Filesize
3.3MB

Download
memory/4052-10-0x00007FF7646F0000-0x00007FF764A41000-memory.dmp

Filesize
3.3MB

Download
memory/4052-94-0x00007FF7646F0000-0x00007FF764A41000-memory.dmp

Filesize
3.3MB

Download
memory/4576-60-0x00007FF7A9D60000-0x00007FF7AA0B1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-127-0x00007FF7A9D60000-0x00007FF7AA0B1000-memory.dmp

Filesize
3.3MB

Download
memory/4576-249-0x00007FF7A9D60000-0x00007FF7AA0B1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-1-0x00000261A48E0000-0x00000261A48F0000-memory.dmp

Filesize
64KB

Download
memory/4704-143-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp

Filesize
3.3MB

Download
memory/4704-0-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp

Filesize
3.3MB

Download
memory/4704-170-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp

Filesize
3.3MB

Download
memory/4704-88-0x00007FF73D2E0000-0x00007FF73D631000-memory.dmp

Filesize
3.3MB

Download
memory/4744-21-0x00007FF6953D0000-0x00007FF695721000-memory.dmp

Filesize
3.3MB

Download
memory/4744-231-0x00007FF6953D0000-0x00007FF695721000-memory.dmp

Filesize
3.3MB

Download
memory/4744-99-0x00007FF6953D0000-0x00007FF695721000-memory.dmp

Filesize
3.3MB

Download
memory/4840-65-0x00007FF78C320000-0x00007FF78C671000-memory.dmp

Filesize
3.3MB

Download
memory/4840-247-0x00007FF78C320000-0x00007FF78C671000-memory.dmp

Filesize
3.3MB

Download
memory/4840-136-0x00007FF78C320000-0x00007FF78C671000-memory.dmp

Filesize
3.3MB

Download
memory/4980-85-0x00007FF6AF370000-0x00007FF6AF6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-259-0x00007FF6AF370000-0x00007FF6AF6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4980-142-0x00007FF6AF370000-0x00007FF6AF6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-33-0x00007FF740D50000-0x00007FF7410A1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-114-0x00007FF740D50000-0x00007FF7410A1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-233-0x00007FF740D50000-0x00007FF7410A1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-229-0x00007FF745450000-0x00007FF7457A1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-17-0x00007FF745450000-0x00007FF7457A1000-memory.dmp

Filesize
3.3MB

Download
memory/5064-95-0x00007FF745450000-0x00007FF7457A1000-memory.dmp

Filesize
3.3MB

Download