cobaltstrike | 2ff44bf3c4f851b65d1f7eff8ac32786dbda52b8ef20448ffadeea2121ec09b5

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

1518b9f0885517f7931294798181418e
SHA1

b8e4e7a8fb7d0ff62d5d5184c653a037ef8867a7
SHA256

2ff44bf3c4f851b65d1f7eff8ac32786dbda52b8ef20448ffadeea2121ec09b5
SHA512

35e728c289a4aa5199630b0bc6adef2e0a2cfdb872228b716f0d3cf7c75be3f724d0ffa6295609291be0808c81fba67e3bde129d0b61d1cb90e06ea97415fa83
SSDEEP

98304:oemTLkNdfE0pZrx56utgpPFotBER/mQ32lUH:T+o56utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233e3-5.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002343b-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-76.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-29.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002343c-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344f-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023451-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023450-126.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344e-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023452-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/452-0-0x00007FF7ED180000-0x00007FF7ED4D4000-memory.dmp	xmrig
behavioral2/files/0x00090000000233e3-5.dat	xmrig
behavioral2/memory/3516-7-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp	xmrig
behavioral2/files/0x000800000002343b-11.dat	xmrig
behavioral2/files/0x000700000002343f-10.dat	xmrig
behavioral2/files/0x0007000000023440-20.dat	xmrig
behavioral2/memory/4284-22-0x00007FF7EBE30000-0x00007FF7EC184000-memory.dmp	xmrig
behavioral2/files/0x0007000000023444-39.dat	xmrig
behavioral2/files/0x0007000000023445-43.dat	xmrig
behavioral2/memory/4272-50-0x00007FF64A280000-0x00007FF64A5D4000-memory.dmp	xmrig
behavioral2/memory/3964-64-0x00007FF718C70000-0x00007FF718FC4000-memory.dmp	xmrig
behavioral2/memory/452-67-0x00007FF7ED180000-0x00007FF7ED4D4000-memory.dmp	xmrig
behavioral2/memory/1316-72-0x00007FF6BD760000-0x00007FF6BDAB4000-memory.dmp	xmrig
behavioral2/memory/2264-75-0x00007FF6A6BA0000-0x00007FF6A6EF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-76.dat	xmrig
behavioral2/memory/4284-81-0x00007FF7EBE30000-0x00007FF7EC184000-memory.dmp	xmrig
behavioral2/memory/2044-84-0x00007FF7FB680000-0x00007FF7FB9D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344a-82.dat	xmrig
behavioral2/memory/3516-73-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023448-71.dat	xmrig
behavioral2/files/0x0007000000023446-69.dat	xmrig
behavioral2/memory/336-68-0x00007FF6FC410000-0x00007FF6FC764000-memory.dmp	xmrig
behavioral2/memory/3580-65-0x00007FF734AA0000-0x00007FF734DF4000-memory.dmp	xmrig
behavioral2/memory/408-58-0x00007FF775A60000-0x00007FF775DB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023447-53.dat	xmrig
behavioral2/files/0x0007000000023442-42.dat	xmrig
behavioral2/memory/1104-38-0x00007FF64F6F0000-0x00007FF64FA44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-29.dat	xmrig
behavioral2/memory/2456-28-0x00007FF6B3530000-0x00007FF6B3884000-memory.dmp	xmrig
behavioral2/memory/3668-24-0x00007FF692FF0000-0x00007FF693344000-memory.dmp	xmrig
behavioral2/memory/2264-12-0x00007FF6A6BA0000-0x00007FF6A6EF4000-memory.dmp	xmrig
behavioral2/files/0x000800000002343c-87.dat	xmrig
behavioral2/files/0x000700000002344d-96.dat	xmrig
behavioral2/files/0x000700000002344f-105.dat	xmrig
behavioral2/files/0x0007000000023451-116.dat	xmrig
behavioral2/memory/2912-122-0x00007FF745750000-0x00007FF745AA4000-memory.dmp	xmrig
behavioral2/memory/4624-125-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	xmrig
behavioral2/files/0x0007000000023450-126.dat	xmrig
behavioral2/memory/1104-124-0x00007FF64F6F0000-0x00007FF64FA44000-memory.dmp	xmrig
behavioral2/memory/2036-123-0x00007FF646A00000-0x00007FF646D54000-memory.dmp	xmrig
behavioral2/memory/4544-118-0x00007FF62F710000-0x00007FF62FA64000-memory.dmp	xmrig
behavioral2/memory/5024-117-0x00007FF670260000-0x00007FF6705B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344c-114.dat	xmrig
behavioral2/files/0x000700000002344e-112.dat	xmrig
behavioral2/memory/2940-110-0x00007FF663EB0000-0x00007FF664204000-memory.dmp	xmrig
behavioral2/memory/2456-108-0x00007FF6B3530000-0x00007FF6B3884000-memory.dmp	xmrig
behavioral2/memory/2484-95-0x00007FF753950000-0x00007FF753CA4000-memory.dmp	xmrig
behavioral2/memory/3668-89-0x00007FF692FF0000-0x00007FF693344000-memory.dmp	xmrig
behavioral2/memory/408-131-0x00007FF775A60000-0x00007FF775DB4000-memory.dmp	xmrig
behavioral2/memory/1996-134-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023452-133.dat	xmrig
behavioral2/memory/4272-130-0x00007FF64A280000-0x00007FF64A5D4000-memory.dmp	xmrig
behavioral2/memory/3580-137-0x00007FF734AA0000-0x00007FF734DF4000-memory.dmp	xmrig
behavioral2/memory/336-138-0x00007FF6FC410000-0x00007FF6FC764000-memory.dmp	xmrig
behavioral2/memory/1316-139-0x00007FF6BD760000-0x00007FF6BDAB4000-memory.dmp	xmrig
behavioral2/memory/2044-140-0x00007FF7FB680000-0x00007FF7FB9D4000-memory.dmp	xmrig
behavioral2/memory/2484-141-0x00007FF753950000-0x00007FF753CA4000-memory.dmp	xmrig
behavioral2/memory/5024-142-0x00007FF670260000-0x00007FF6705B4000-memory.dmp	xmrig
behavioral2/memory/2940-143-0x00007FF663EB0000-0x00007FF664204000-memory.dmp	xmrig
behavioral2/memory/4544-144-0x00007FF62F710000-0x00007FF62FA64000-memory.dmp	xmrig
behavioral2/memory/2912-145-0x00007FF745750000-0x00007FF745AA4000-memory.dmp	xmrig
behavioral2/memory/4624-146-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	xmrig
behavioral2/memory/1996-147-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	xmrig
behavioral2/memory/3516-148-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3516	rRDhiPb.exe
2264	AykxSrJ.exe
4284	RGikoRQ.exe
3668	xjVOlcN.exe
2456	fBlDnus.exe
1104	zxlUwKs.exe
4272	BQnRSkT.exe
408	jppLBtx.exe
3964	Ifqdwck.exe
336	IOFSHwr.exe
3580	XcFyCva.exe
1316	vYdbIvG.exe
2044	mlhfjXC.exe
2484	RxXYDdd.exe
2940	ExMySvE.exe
2036	cRWATNF.exe
5024	uiThVms.exe
4544	UJENGEp.exe
4624	wUgLJyj.exe
2912	UKqlgng.exe
1996	sOUDVZP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/452-0-0x00007FF7ED180000-0x00007FF7ED4D4000-memory.dmp	upx
behavioral2/files/0x00090000000233e3-5.dat	upx
behavioral2/memory/3516-7-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp	upx
behavioral2/files/0x000800000002343b-11.dat	upx
behavioral2/files/0x000700000002343f-10.dat	upx
behavioral2/files/0x0007000000023440-20.dat	upx
behavioral2/memory/4284-22-0x00007FF7EBE30000-0x00007FF7EC184000-memory.dmp	upx
behavioral2/files/0x0007000000023444-39.dat	upx
behavioral2/files/0x0007000000023445-43.dat	upx
behavioral2/memory/4272-50-0x00007FF64A280000-0x00007FF64A5D4000-memory.dmp	upx
behavioral2/memory/3964-64-0x00007FF718C70000-0x00007FF718FC4000-memory.dmp	upx
behavioral2/memory/452-67-0x00007FF7ED180000-0x00007FF7ED4D4000-memory.dmp	upx
behavioral2/memory/1316-72-0x00007FF6BD760000-0x00007FF6BDAB4000-memory.dmp	upx
behavioral2/memory/2264-75-0x00007FF6A6BA0000-0x00007FF6A6EF4000-memory.dmp	upx
behavioral2/files/0x0007000000023449-76.dat	upx
behavioral2/memory/4284-81-0x00007FF7EBE30000-0x00007FF7EC184000-memory.dmp	upx
behavioral2/memory/2044-84-0x00007FF7FB680000-0x00007FF7FB9D4000-memory.dmp	upx
behavioral2/files/0x000700000002344a-82.dat	upx
behavioral2/memory/3516-73-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp	upx
behavioral2/files/0x0007000000023448-71.dat	upx
behavioral2/files/0x0007000000023446-69.dat	upx
behavioral2/memory/336-68-0x00007FF6FC410000-0x00007FF6FC764000-memory.dmp	upx
behavioral2/memory/3580-65-0x00007FF734AA0000-0x00007FF734DF4000-memory.dmp	upx
behavioral2/memory/408-58-0x00007FF775A60000-0x00007FF775DB4000-memory.dmp	upx
behavioral2/files/0x0007000000023447-53.dat	upx
behavioral2/files/0x0007000000023442-42.dat	upx
behavioral2/memory/1104-38-0x00007FF64F6F0000-0x00007FF64FA44000-memory.dmp	upx
behavioral2/files/0x0007000000023441-29.dat	upx
behavioral2/memory/2456-28-0x00007FF6B3530000-0x00007FF6B3884000-memory.dmp	upx
behavioral2/memory/3668-24-0x00007FF692FF0000-0x00007FF693344000-memory.dmp	upx
behavioral2/memory/2264-12-0x00007FF6A6BA0000-0x00007FF6A6EF4000-memory.dmp	upx
behavioral2/files/0x000800000002343c-87.dat	upx
behavioral2/files/0x000700000002344d-96.dat	upx
behavioral2/files/0x000700000002344f-105.dat	upx
behavioral2/files/0x0007000000023451-116.dat	upx
behavioral2/memory/2912-122-0x00007FF745750000-0x00007FF745AA4000-memory.dmp	upx
behavioral2/memory/4624-125-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	upx
behavioral2/files/0x0007000000023450-126.dat	upx
behavioral2/memory/1104-124-0x00007FF64F6F0000-0x00007FF64FA44000-memory.dmp	upx
behavioral2/memory/2036-123-0x00007FF646A00000-0x00007FF646D54000-memory.dmp	upx
behavioral2/memory/4544-118-0x00007FF62F710000-0x00007FF62FA64000-memory.dmp	upx
behavioral2/memory/5024-117-0x00007FF670260000-0x00007FF6705B4000-memory.dmp	upx
behavioral2/files/0x000700000002344c-114.dat	upx
behavioral2/files/0x000700000002344e-112.dat	upx
behavioral2/memory/2940-110-0x00007FF663EB0000-0x00007FF664204000-memory.dmp	upx
behavioral2/memory/2456-108-0x00007FF6B3530000-0x00007FF6B3884000-memory.dmp	upx
behavioral2/memory/2484-95-0x00007FF753950000-0x00007FF753CA4000-memory.dmp	upx
behavioral2/memory/3668-89-0x00007FF692FF0000-0x00007FF693344000-memory.dmp	upx
behavioral2/memory/408-131-0x00007FF775A60000-0x00007FF775DB4000-memory.dmp	upx
behavioral2/memory/1996-134-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	upx
behavioral2/files/0x0007000000023452-133.dat	upx
behavioral2/memory/4272-130-0x00007FF64A280000-0x00007FF64A5D4000-memory.dmp	upx
behavioral2/memory/3580-137-0x00007FF734AA0000-0x00007FF734DF4000-memory.dmp	upx
behavioral2/memory/336-138-0x00007FF6FC410000-0x00007FF6FC764000-memory.dmp	upx
behavioral2/memory/1316-139-0x00007FF6BD760000-0x00007FF6BDAB4000-memory.dmp	upx
behavioral2/memory/2044-140-0x00007FF7FB680000-0x00007FF7FB9D4000-memory.dmp	upx
behavioral2/memory/2484-141-0x00007FF753950000-0x00007FF753CA4000-memory.dmp	upx
behavioral2/memory/5024-142-0x00007FF670260000-0x00007FF6705B4000-memory.dmp	upx
behavioral2/memory/2940-143-0x00007FF663EB0000-0x00007FF664204000-memory.dmp	upx
behavioral2/memory/4544-144-0x00007FF62F710000-0x00007FF62FA64000-memory.dmp	upx
behavioral2/memory/2912-145-0x00007FF745750000-0x00007FF745AA4000-memory.dmp	upx
behavioral2/memory/4624-146-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	upx
behavioral2/memory/1996-147-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	upx
behavioral2/memory/3516-148-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cRWATNF.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uiThVms.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rRDhiPb.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xjVOlcN.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IOFSHwr.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XcFyCva.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mlhfjXC.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UJENGEp.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UKqlgng.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sOUDVZP.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AykxSrJ.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fBlDnus.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jppLBtx.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ExMySvE.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RGikoRQ.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zxlUwKs.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RxXYDdd.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUgLJyj.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BQnRSkT.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Ifqdwck.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vYdbIvG.exe	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3516	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 452 wrote to memory of 3516	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 452 wrote to memory of 2264	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 452 wrote to memory of 2264	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 452 wrote to memory of 4284	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 452 wrote to memory of 4284	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 452 wrote to memory of 3668	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 452 wrote to memory of 3668	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 452 wrote to memory of 2456	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 452 wrote to memory of 2456	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 452 wrote to memory of 1104	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 452 wrote to memory of 1104	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 452 wrote to memory of 4272	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 452 wrote to memory of 4272	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 452 wrote to memory of 408	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 452 wrote to memory of 408	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 452 wrote to memory of 336	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 452 wrote to memory of 336	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 452 wrote to memory of 3964	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 452 wrote to memory of 3964	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 452 wrote to memory of 3580	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 452 wrote to memory of 3580	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 452 wrote to memory of 1316	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 452 wrote to memory of 1316	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 452 wrote to memory of 2044	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 452 wrote to memory of 2044	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 452 wrote to memory of 2484	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 452 wrote to memory of 2484	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 452 wrote to memory of 2940	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 452 wrote to memory of 2940	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 452 wrote to memory of 2036	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 452 wrote to memory of 2036	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 452 wrote to memory of 5024	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 452 wrote to memory of 5024	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 452 wrote to memory of 4544	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 452 wrote to memory of 4544	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 452 wrote to memory of 4624	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 452 wrote to memory of 4624	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 452 wrote to memory of 2912	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 452 wrote to memory of 2912	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 452 wrote to memory of 1996	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 452 wrote to memory of 1996	452	2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_1518b9f0885517f7931294798181418e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\System\rRDhiPb.exe
  C:\Windows\System\rRDhiPb.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\AykxSrJ.exe
  C:\Windows\System\AykxSrJ.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\RGikoRQ.exe
  C:\Windows\System\RGikoRQ.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\xjVOlcN.exe
  C:\Windows\System\xjVOlcN.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\fBlDnus.exe
  C:\Windows\System\fBlDnus.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\zxlUwKs.exe
  C:\Windows\System\zxlUwKs.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\BQnRSkT.exe
  C:\Windows\System\BQnRSkT.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\jppLBtx.exe
  C:\Windows\System\jppLBtx.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\IOFSHwr.exe
  C:\Windows\System\IOFSHwr.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System\Ifqdwck.exe
  C:\Windows\System\Ifqdwck.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\XcFyCva.exe
  C:\Windows\System\XcFyCva.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\vYdbIvG.exe
  C:\Windows\System\vYdbIvG.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\mlhfjXC.exe
  C:\Windows\System\mlhfjXC.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\RxXYDdd.exe
  C:\Windows\System\RxXYDdd.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\ExMySvE.exe
  C:\Windows\System\ExMySvE.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\cRWATNF.exe
  C:\Windows\System\cRWATNF.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\uiThVms.exe
  C:\Windows\System\uiThVms.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\UJENGEp.exe
  C:\Windows\System\UJENGEp.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\wUgLJyj.exe
  C:\Windows\System\wUgLJyj.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\UKqlgng.exe
  C:\Windows\System\UKqlgng.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\sOUDVZP.exe
  C:\Windows\System\sOUDVZP.exe
  2⤵
  - Executes dropped EXE
  PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AykxSrJ.exe

Filesize
5.9MB

MD5
8168314237d1a97b63222c41b3baca6e

SHA1
60e86494850adb4d60d25aee6f4268e47476cd2b

SHA256
478ae0a3b5f66aa4c2975fbd32d22132203be98e1bbd938db1cca14b19ed25d3

SHA512
59116e2190bf06a82bc5aaa3467092f71591f7ff524c1dc6db800ff06f5fbcbbff7a0ce3307c65aa8c7232d170228ed6c43ea69a3041cc2cde86455e5810a894

Download Submit
C:\Windows\System\BQnRSkT.exe

Filesize
5.9MB

MD5
62b35bffa09af69448c13d14639d0c39

SHA1
270185188cfba9d0af70e840bab7c288a400256b

SHA256
870bdcce91986f5086a8fcd623e99680923121648541cb27ba383f16549658ff

SHA512
c293b9a883e8a9e879f80f2227b4d33bf222684fd87ec6785a17094bb0d93c36f59050b769b2b3256270bed80930743c0b785b5f6da73df2ac4a64dcc1302f6d

Download Submit
C:\Windows\System\ExMySvE.exe

Filesize
5.9MB

MD5
c7926c6f5f44a7a7a01dba6e94d04bec

SHA1
b6a4d1eee2b3af5d6f7ef6828ca184cf8e11e52a

SHA256
dc289be8a53a19c265001a454b6e0e7e169ba76eae81b04e58712091d0b61c67

SHA512
295fc3e74ec17a41e94c11136db5dfb1af759dab855d65ea7890b590f21663d975c7b9cbf9237698dfda5e7bf0babf26627c9a14fd91b9a17688000196c59f79

Download Submit
C:\Windows\System\IOFSHwr.exe

Filesize
5.9MB

MD5
6bd6cfea6421c14ff0aeb033f39b6840

SHA1
e6160dd409c9fa1247d671ace16ae925fcd634f5

SHA256
2b53a40d4963b922c0b640ecdce618fd7145b541688c78db94e15b501cc28bb9

SHA512
89f8843e9a2cdc01066dc5fcec56f6f0c1470b524e239d65e4483255dd03f5b2ff1da98f9cd2478218e56fc56ef086336efc559acf744166fe3629a697619a51

Download Submit
C:\Windows\System\Ifqdwck.exe

Filesize
5.9MB

MD5
9734fe496a02b738430750f66142d77d

SHA1
bc91d9a76e87a7b95faa253c3c3afa984079ed34

SHA256
867d3e29694ea251877d12a3a2fe40f5d04c976c64bcb7a83672ab145a9e177e

SHA512
932eb3e4d95b04f77569066a3293fd2e80ee71b05cc75a42c4e363c0ffa5f9b4862c20c8faf3716d5fa5c5a39c09e9370f4b74ab61a5a332e52a29b3f70d1492

Download Submit
C:\Windows\System\RGikoRQ.exe

Filesize
5.9MB

MD5
8f0fb48bbb37db897a0ee2b41cec998e

SHA1
102da740dc4dc3dc514397cbca0381494d2ca037

SHA256
3b18c7a581ef35cfeec853528c410272b26314f3762127d1859d534c3909c457

SHA512
108dcd2a7e0c4c249d4eff73f9f93b1c3ebf7da4075ccf9359ad579859ba696dc02456e4d18fcf11b1423bea4bfd8a6485b4815b22839a0132ffaaec1a3b8f69

Download Submit
C:\Windows\System\RxXYDdd.exe

Filesize
5.9MB

MD5
b6c6a6177dc42ffe4194a42040147a62

SHA1
e128725f9dfd92337f024e930be78f417e288e0e

SHA256
ac14225f37c716f998389a4e1651369dd8c9b6d2c6fcbdd4fa532a505a00b226

SHA512
907b64db328322f9b04933b1eac3a3cc363c473854f5b1fd5c8ab02a4357de21c94cf228973306591123fb5275e2827020915228743f39800027822c9d2c9a86

Download Submit
C:\Windows\System\UJENGEp.exe

Filesize
5.9MB

MD5
0a93d41c138e2d7b90b8ae7768f7df92

SHA1
213b99efd8c66ad84c034cb5fd6f4f00269d45d4

SHA256
209663e42f897ff0ec2c68cff528e2d07d552ec964509f5c367f0751ce5b422d

SHA512
e05c1d805da2663d7bf9ccf44e3ac1954fb67353cb79a12de5f4b427198f73ff0f0b5afedf69376ea251ad34682b7db76c8fa56d9af9ccb1437de6d8786566ed

Download Submit
C:\Windows\System\UKqlgng.exe

Filesize
5.9MB

MD5
f2e53b68f7afade98e271b1447be7bb0

SHA1
09d4cce42b50cae4e0a4ddfbe9d9576370e1e4ab

SHA256
531ef3f21e557dea246d621ae6608d5b4fc2be88f8e3b616707a6af6437ba300

SHA512
7000773cfd1eebb2ee737681482164d486564c20a9877d11a6ba02d92e2f7a35b6877e040eac926d885f4ea2e7d76599802c2869d4b8e01dca3ce2f05afd30ef

Download Submit
C:\Windows\System\XcFyCva.exe

Filesize
5.9MB

MD5
84381a554a421ced865438c854a5ef4a

SHA1
85028ce1737c622f2d44055b03a51b0f1590e85e

SHA256
9d6762b26a0f15b6ea354a213a2721390dbf45bd76c48630540f7c096c8b272a

SHA512
ba2c2e0e921374cdffd6abb6862671fc797c35964a026f28e8f170a6a345abbe276b69d25d441618760a79b7e2ed2a3503c6c63070c94ea7134e987b699a73f3

Download Submit
C:\Windows\System\cRWATNF.exe

Filesize
5.9MB

MD5
30104dae860117d50d1a6316b54272b9

SHA1
321e00545358d4668cb56776669ed37ebfe67507

SHA256
c4443b5855c179342c04150d90eaef7b5d629c4c246883d882ce821da11d000e

SHA512
ae7144b263e8582cda65a42726b5a5c69cdfefb3fced75acd4ecec7c6f14d22ddd4cb28a9c10c4f2c1b15133aed698d2918b7e687fb52f839aaded0de84d7fc1

Download Submit
C:\Windows\System\fBlDnus.exe

Filesize
5.9MB

MD5
f290edda84dd4e78b9f395e01742e5f5

SHA1
3dc27c242c56cc79e9ce3e47b3560f550e2bac17

SHA256
dac910cee6356e6d7de8ab96c9efa36c90b282ce837b0e7cdfa28b7be32d0802

SHA512
8b41ae5122b66224d094a169f8f1644409d2403d10b631d19b4a139be40ddd35a5faff2f70aa7408591d36b31ae5b81d71e01551683c3e5f7a50652961440fe6

Download Submit
C:\Windows\System\jppLBtx.exe

Filesize
5.9MB

MD5
96196ec0d4158ebb315aa745f595d21b

SHA1
68dd144c0e8f36d67ed3a4f7d9febd59c1371b49

SHA256
cde6e34ce9a9f76b465d7a310d7f5f5f6671549d1ddae2e25b652b42167836d1

SHA512
e6f58535ec3bdd9b32bebe9f04dc8c6393590b20e9431f92c8406cb6370aa6f7bcae024ef03840648918581d87788f303904b6e1acbab53bf5cfff0ee8de7964

Download Submit
C:\Windows\System\mlhfjXC.exe

Filesize
5.9MB

MD5
b0cb563ce93bd858f5f042b36c1efd74

SHA1
4e818d3af65dfd2c03745ebe6af44a850e98784d

SHA256
448010b7d61e82d59bab464bbff624a2bfa7fa24fdcd24b225c1e8fb0c6190b0

SHA512
1751e2c4d4a2d6fe79f1ca74b35c2d26ffe8c4000a9aaa8bad09287f3c28e96a7ee289f206aa7aff7e9430763fc52c059311d5ee24dc743aa597f46e618d936a

Download Submit
C:\Windows\System\rRDhiPb.exe

Filesize
5.9MB

MD5
2dac1431fce2408ae2b9fb95549d7694

SHA1
f0d4c06493343ce77c8c66c99ddf4a9699711056

SHA256
17dbf86a43cac10a39d26289921b60ac7ca6a1acbccf28777e92eb942d88159d

SHA512
c4fba01da68b12ddc4b6c5d1131e0bdd487d0f41656135595fe1809f196f73403d5f468096ecf065eb1742696ebe02d11170c2d9b8dc2d9d8b45c2058bae33df

Download Submit
C:\Windows\System\sOUDVZP.exe

Filesize
5.9MB

MD5
fa54e4ff089227ce8d5714ecb035104f

SHA1
ba53408186711f2d1342d6566dc7ac33017a8c1f

SHA256
03691c97a47fba9b9c2c7ff51671ccf6c3e06f6d979dadb2c3780066a380bdc3

SHA512
1effed0bc530877068d5676d28c46168f566e870d7ad8a8b1f7c8584591e6e59a87a7794ca9b5e410c19ed6307a3c0b2d3946c2d1258a7b7447c5b473eab2442

Download Submit
C:\Windows\System\uiThVms.exe

Filesize
5.9MB

MD5
8bdc72b0a898e09803de80f613bf3e20

SHA1
7c1aec157061b6eeeb109e6f9cac475d05f5721d

SHA256
e4b86fc5add64291c8ad9874ad4f307589566823c7e11d9bf80b83d7854eabfc

SHA512
686c68ac5479d299022cbfbb4d2a590e6239786b1c1545d1aa2aa7d6a208e44f156d70c87df2c30a97d4371405564c5de27eee8468cb4e9db97e716feff2cdd3

Download Submit
C:\Windows\System\vYdbIvG.exe

Filesize
5.9MB

MD5
f543c89f5f9590ec2141177c70691da3

SHA1
bd624f887c72b2a35d6c02d1b118c715a87b62d8

SHA256
44f685e8b35ca4529cfbf0267065d6dfbd2f1ab04a35bf4af79a42f8f0510853

SHA512
9f2489bdfe49bdee92f84211ec83860d4d58e0b82ed2ad53677103211ae8fea20d9c6a0b34465e905e3d87b4b4be74533319437774aa670d730ce2f918881ba1

Download Submit
C:\Windows\System\wUgLJyj.exe

Filesize
5.9MB

MD5
66213b95908aef2ef708fb2859061454

SHA1
aaceacc1d84688165e0062adfd1219021cfb8b27

SHA256
ccf725b30172a5e23f11ed53eb1434becdadd7f6d85ab8afb1879ae6b60c7473

SHA512
c1ea8a9e962892da27d07aa742c2067a185d17994fbf7df05a087bc1433329a53f4a9b96d5f777f0a75623c12688c96198b58a4a0dd67a73568ce6fc1de531fd

Download Submit
C:\Windows\System\xjVOlcN.exe

Filesize
5.9MB

MD5
0464be12948510672c231e91c2e6842d

SHA1
e8e2fcccff07ce059cf2a6bfc3577ae5fc234d36

SHA256
dfa7bb73c3cef230f8c2ca67dc2813053672cd92702fa0ab8f99eeb7e029a99b

SHA512
d89049909cb4495739a0a4d148a14b6c8a72c93b8dd2446738c6b4853c752432441419914789b50fb44f399a5c1663e82c94ed8f6e9bb92ec374bcf351e3d69e

Download Submit
C:\Windows\System\zxlUwKs.exe

Filesize
5.9MB

MD5
eb3eb6b9de2d9ca1c64db8efc482f1e6

SHA1
b90b3bd1ff30e5c453573900d42754c97db3af83

SHA256
3303a6c41b0390b793060731016b83ebcbe5b040050833b2be500c9ee4bbaf14

SHA512
9210017334679a7ee65a7ccd718bdd9827e7188e0b7781103c7a498908c411a7beeaf5ca26024075a1517c621a28e74f3693511c0d85d794277cb9a5e4536fb3

Download Submit
memory/336-156-0x00007FF6FC410000-0x00007FF6FC764000-memory.dmp

Filesize
3.3MB

Download
memory/336-138-0x00007FF6FC410000-0x00007FF6FC764000-memory.dmp

Filesize
3.3MB

Download
memory/336-68-0x00007FF6FC410000-0x00007FF6FC764000-memory.dmp

Filesize
3.3MB

Download
memory/408-157-0x00007FF775A60000-0x00007FF775DB4000-memory.dmp

Filesize
3.3MB

Download
memory/408-58-0x00007FF775A60000-0x00007FF775DB4000-memory.dmp

Filesize
3.3MB

Download
memory/408-131-0x00007FF775A60000-0x00007FF775DB4000-memory.dmp

Filesize
3.3MB

Download
memory/452-1-0x0000027295D50000-0x0000027295D60000-memory.dmp

Filesize
64KB

Download
memory/452-67-0x00007FF7ED180000-0x00007FF7ED4D4000-memory.dmp

Filesize
3.3MB

Download
memory/452-0-0x00007FF7ED180000-0x00007FF7ED4D4000-memory.dmp

Filesize
3.3MB

Download
memory/1104-154-0x00007FF64F6F0000-0x00007FF64FA44000-memory.dmp

Filesize
3.3MB

Download
memory/1104-38-0x00007FF64F6F0000-0x00007FF64FA44000-memory.dmp

Filesize
3.3MB

Download
memory/1104-124-0x00007FF64F6F0000-0x00007FF64FA44000-memory.dmp

Filesize
3.3MB

Download
memory/1316-160-0x00007FF6BD760000-0x00007FF6BDAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-139-0x00007FF6BD760000-0x00007FF6BDAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-72-0x00007FF6BD760000-0x00007FF6BDAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1996-147-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1996-168-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1996-134-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp

Filesize
3.3MB

Download
memory/2036-162-0x00007FF646A00000-0x00007FF646D54000-memory.dmp

Filesize
3.3MB

Download
memory/2036-123-0x00007FF646A00000-0x00007FF646D54000-memory.dmp

Filesize
3.3MB

Download
memory/2044-159-0x00007FF7FB680000-0x00007FF7FB9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-140-0x00007FF7FB680000-0x00007FF7FB9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-84-0x00007FF7FB680000-0x00007FF7FB9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-75-0x00007FF6A6BA0000-0x00007FF6A6EF4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-149-0x00007FF6A6BA0000-0x00007FF6A6EF4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-12-0x00007FF6A6BA0000-0x00007FF6A6EF4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-108-0x00007FF6B3530000-0x00007FF6B3884000-memory.dmp

Filesize
3.3MB

Download
memory/2456-151-0x00007FF6B3530000-0x00007FF6B3884000-memory.dmp

Filesize
3.3MB

Download
memory/2456-28-0x00007FF6B3530000-0x00007FF6B3884000-memory.dmp

Filesize
3.3MB

Download
memory/2484-95-0x00007FF753950000-0x00007FF753CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-161-0x00007FF753950000-0x00007FF753CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-141-0x00007FF753950000-0x00007FF753CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-167-0x00007FF745750000-0x00007FF745AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-122-0x00007FF745750000-0x00007FF745AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-145-0x00007FF745750000-0x00007FF745AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-163-0x00007FF663EB0000-0x00007FF664204000-memory.dmp

Filesize
3.3MB

Download
memory/2940-110-0x00007FF663EB0000-0x00007FF664204000-memory.dmp

Filesize
3.3MB

Download
memory/2940-143-0x00007FF663EB0000-0x00007FF664204000-memory.dmp

Filesize
3.3MB

Download
memory/3516-148-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp

Filesize
3.3MB

Download
memory/3516-7-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp

Filesize
3.3MB

Download
memory/3516-73-0x00007FF700F60000-0x00007FF7012B4000-memory.dmp

Filesize
3.3MB

Download
memory/3580-137-0x00007FF734AA0000-0x00007FF734DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3580-65-0x00007FF734AA0000-0x00007FF734DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3580-158-0x00007FF734AA0000-0x00007FF734DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-24-0x00007FF692FF0000-0x00007FF693344000-memory.dmp

Filesize
3.3MB

Download
memory/3668-89-0x00007FF692FF0000-0x00007FF693344000-memory.dmp

Filesize
3.3MB

Download
memory/3668-150-0x00007FF692FF0000-0x00007FF693344000-memory.dmp

Filesize
3.3MB

Download
memory/3964-64-0x00007FF718C70000-0x00007FF718FC4000-memory.dmp

Filesize
3.3MB

Download
memory/3964-155-0x00007FF718C70000-0x00007FF718FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-130-0x00007FF64A280000-0x00007FF64A5D4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-50-0x00007FF64A280000-0x00007FF64A5D4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-153-0x00007FF64A280000-0x00007FF64A5D4000-memory.dmp

Filesize
3.3MB

Download
memory/4284-81-0x00007FF7EBE30000-0x00007FF7EC184000-memory.dmp

Filesize
3.3MB

Download
memory/4284-152-0x00007FF7EBE30000-0x00007FF7EC184000-memory.dmp

Filesize
3.3MB

Download
memory/4284-22-0x00007FF7EBE30000-0x00007FF7EC184000-memory.dmp

Filesize
3.3MB

Download
memory/4544-144-0x00007FF62F710000-0x00007FF62FA64000-memory.dmp

Filesize
3.3MB

Download
memory/4544-118-0x00007FF62F710000-0x00007FF62FA64000-memory.dmp

Filesize
3.3MB

Download
memory/4544-164-0x00007FF62F710000-0x00007FF62FA64000-memory.dmp

Filesize
3.3MB

Download
memory/4624-146-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp

Filesize
3.3MB

Download
memory/4624-125-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp

Filesize
3.3MB

Download
memory/4624-166-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp

Filesize
3.3MB

Download
memory/5024-117-0x00007FF670260000-0x00007FF6705B4000-memory.dmp

Filesize
3.3MB

Download
memory/5024-165-0x00007FF670260000-0x00007FF6705B4000-memory.dmp

Filesize
3.3MB

Download
memory/5024-142-0x00007FF670260000-0x00007FF6705B4000-memory.dmp

Filesize
3.3MB

Download