cobaltstrike | 34e743a337b27182273ad4150aa25675071ea21aeb5225a4cbf19ce7cac3babb

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ee6b617029e82c68f83b9e58c6fd9481
SHA1

01746b6b371ba389b0c209168eb519960976261c
SHA256

34e743a337b27182273ad4150aa25675071ea21aeb5225a4cbf19ce7cac3babb
SHA512

e6e0f2d3e48bff931f026df00582d36d29be1e9124e9b8b890941020a5a74629eff2db4a34c1f96281abf05ed72f796952acb51111a0ad7d8e343c9b2661ef25
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lO:RWWBibf56utgpPFotBER/mQ32lUC

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233cc-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d1-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-18.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d3-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d2-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233db-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dd-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dc-80.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233da-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d8-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d9-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d7-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d6-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d5-45.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d4-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233df-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e1-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e2-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e0-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233de-107.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233cd-98.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4040-84-0x00007FF7BD1B0000-0x00007FF7BD501000-memory.dmp	xmrig
behavioral2/memory/320-36-0x00007FF72F0D0000-0x00007FF72F421000-memory.dmp	xmrig
behavioral2/memory/4620-106-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp	xmrig
behavioral2/memory/5012-91-0x00007FF785340000-0x00007FF785691000-memory.dmp	xmrig
behavioral2/memory/4968-122-0x00007FF7EEBF0000-0x00007FF7EEF41000-memory.dmp	xmrig
behavioral2/memory/4880-124-0x00007FF7A3E40000-0x00007FF7A4191000-memory.dmp	xmrig
behavioral2/memory/4332-125-0x00007FF709EC0000-0x00007FF70A211000-memory.dmp	xmrig
behavioral2/memory/4876-123-0x00007FF64B180000-0x00007FF64B4D1000-memory.dmp	xmrig
behavioral2/memory/2432-127-0x00007FF619D40000-0x00007FF61A091000-memory.dmp	xmrig
behavioral2/memory/1568-126-0x00007FF79EDA0000-0x00007FF79F0F1000-memory.dmp	xmrig
behavioral2/memory/2356-130-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp	xmrig
behavioral2/memory/1156-135-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp	xmrig
behavioral2/memory/4056-134-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp	xmrig
behavioral2/memory/2424-133-0x00007FF62D7D0000-0x00007FF62DB21000-memory.dmp	xmrig
behavioral2/memory/2876-132-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp	xmrig
behavioral2/memory/2368-129-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp	xmrig
behavioral2/memory/5060-128-0x00007FF781970000-0x00007FF781CC1000-memory.dmp	xmrig
behavioral2/memory/4920-136-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp	xmrig
behavioral2/memory/3972-140-0x00007FF6C3A70000-0x00007FF6C3DC1000-memory.dmp	xmrig
behavioral2/memory/4984-143-0x00007FF61F9C0000-0x00007FF61FD11000-memory.dmp	xmrig
behavioral2/memory/2428-142-0x00007FF7EFF00000-0x00007FF7F0251000-memory.dmp	xmrig
behavioral2/memory/1380-137-0x00007FF7014C0000-0x00007FF701811000-memory.dmp	xmrig
behavioral2/memory/5060-150-0x00007FF781970000-0x00007FF781CC1000-memory.dmp	xmrig
behavioral2/memory/5060-151-0x00007FF781970000-0x00007FF781CC1000-memory.dmp	xmrig
behavioral2/memory/2368-213-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp	xmrig
behavioral2/memory/2356-215-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp	xmrig
behavioral2/memory/320-217-0x00007FF72F0D0000-0x00007FF72F421000-memory.dmp	xmrig
behavioral2/memory/2876-219-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp	xmrig
behavioral2/memory/4056-221-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp	xmrig
behavioral2/memory/1156-225-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp	xmrig
behavioral2/memory/4920-227-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp	xmrig
behavioral2/memory/2424-224-0x00007FF62D7D0000-0x00007FF62DB21000-memory.dmp	xmrig
behavioral2/memory/4040-235-0x00007FF7BD1B0000-0x00007FF7BD501000-memory.dmp	xmrig
behavioral2/memory/1380-234-0x00007FF7014C0000-0x00007FF701811000-memory.dmp	xmrig
behavioral2/memory/5012-232-0x00007FF785340000-0x00007FF785691000-memory.dmp	xmrig
behavioral2/memory/4620-230-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp	xmrig
behavioral2/memory/2432-257-0x00007FF619D40000-0x00007FF61A091000-memory.dmp	xmrig
behavioral2/memory/4332-255-0x00007FF709EC0000-0x00007FF70A211000-memory.dmp	xmrig
behavioral2/memory/4968-258-0x00007FF7EEBF0000-0x00007FF7EEF41000-memory.dmp	xmrig
behavioral2/memory/1568-249-0x00007FF79EDA0000-0x00007FF79F0F1000-memory.dmp	xmrig
behavioral2/memory/3972-245-0x00007FF6C3A70000-0x00007FF6C3DC1000-memory.dmp	xmrig
behavioral2/memory/4880-253-0x00007FF7A3E40000-0x00007FF7A4191000-memory.dmp	xmrig
behavioral2/memory/2428-251-0x00007FF7EFF00000-0x00007FF7F0251000-memory.dmp	xmrig
behavioral2/memory/4876-247-0x00007FF64B180000-0x00007FF64B4D1000-memory.dmp	xmrig
behavioral2/memory/4984-243-0x00007FF61F9C0000-0x00007FF61FD11000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2368	xfjnIQA.exe
2356	KleaKfz.exe
320	XmyDFZe.exe
2876	zGyywsl.exe
2424	GaXKRIR.exe
4056	xNHwtPv.exe
1156	qztURvf.exe
4920	XbjaDCT.exe
1380	CCuJZsS.exe
4620	HlauAya.exe
4040	AdAkrfc.exe
3972	KEEMtME.exe
5012	KQWaCtg.exe
2428	QHubPEY.exe
4984	svERHuQ.exe
1568	ZgTTbUw.exe
4968	apZpRKp.exe
4876	tnYoyPs.exe
2432	OgPlPSd.exe
4880	fSyXlON.exe
4332	rbNqJNu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5060-0-0x00007FF781970000-0x00007FF781CC1000-memory.dmp	upx
behavioral2/files/0x00080000000233cc-4.dat	upx
behavioral2/files/0x00070000000233d1-10.dat	upx
behavioral2/files/0x00070000000233d0-18.dat	upx
behavioral2/files/0x00070000000233d3-27.dat	upx
behavioral2/files/0x00070000000233d2-29.dat	upx
behavioral2/memory/4056-35-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp	upx
behavioral2/memory/2424-39-0x00007FF62D7D0000-0x00007FF62DB21000-memory.dmp	upx
behavioral2/files/0x00070000000233db-75.dat	upx
behavioral2/memory/4040-84-0x00007FF7BD1B0000-0x00007FF7BD501000-memory.dmp	upx
behavioral2/files/0x00070000000233dd-83.dat	upx
behavioral2/files/0x00070000000233dc-80.dat	upx
behavioral2/files/0x00070000000233da-79.dat	upx
behavioral2/memory/1380-73-0x00007FF7014C0000-0x00007FF701811000-memory.dmp	upx
behavioral2/files/0x00070000000233d8-70.dat	upx
behavioral2/files/0x00070000000233d9-67.dat	upx
behavioral2/files/0x00070000000233d7-59.dat	upx
behavioral2/files/0x00070000000233d6-51.dat	upx
behavioral2/memory/4920-46-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp	upx
behavioral2/files/0x00070000000233d5-45.dat	upx
behavioral2/memory/1156-40-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp	upx
behavioral2/files/0x00070000000233d4-37.dat	upx
behavioral2/memory/320-36-0x00007FF72F0D0000-0x00007FF72F421000-memory.dmp	upx
behavioral2/memory/2876-30-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp	upx
behavioral2/memory/3972-85-0x00007FF6C3A70000-0x00007FF6C3DC1000-memory.dmp	upx
behavioral2/files/0x00070000000233df-104.dat	upx
behavioral2/files/0x00070000000233e1-116.dat	upx
behavioral2/files/0x00070000000233e2-118.dat	upx
behavioral2/files/0x00070000000233e0-114.dat	upx
behavioral2/files/0x00070000000233de-107.dat	upx
behavioral2/memory/4620-106-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp	upx
behavioral2/files/0x00080000000233cd-98.dat	upx
behavioral2/memory/4984-92-0x00007FF61F9C0000-0x00007FF61FD11000-memory.dmp	upx
behavioral2/memory/5012-91-0x00007FF785340000-0x00007FF785691000-memory.dmp	upx
behavioral2/memory/2356-17-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp	upx
behavioral2/memory/2368-8-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp	upx
behavioral2/memory/4968-122-0x00007FF7EEBF0000-0x00007FF7EEF41000-memory.dmp	upx
behavioral2/memory/2428-121-0x00007FF7EFF00000-0x00007FF7F0251000-memory.dmp	upx
behavioral2/memory/4880-124-0x00007FF7A3E40000-0x00007FF7A4191000-memory.dmp	upx
behavioral2/memory/4332-125-0x00007FF709EC0000-0x00007FF70A211000-memory.dmp	upx
behavioral2/memory/4876-123-0x00007FF64B180000-0x00007FF64B4D1000-memory.dmp	upx
behavioral2/memory/2432-127-0x00007FF619D40000-0x00007FF61A091000-memory.dmp	upx
behavioral2/memory/1568-126-0x00007FF79EDA0000-0x00007FF79F0F1000-memory.dmp	upx
behavioral2/memory/2356-130-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp	upx
behavioral2/memory/1156-135-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp	upx
behavioral2/memory/4056-134-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp	upx
behavioral2/memory/2424-133-0x00007FF62D7D0000-0x00007FF62DB21000-memory.dmp	upx
behavioral2/memory/2876-132-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp	upx
behavioral2/memory/2368-129-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp	upx
behavioral2/memory/5060-128-0x00007FF781970000-0x00007FF781CC1000-memory.dmp	upx
behavioral2/memory/4920-136-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp	upx
behavioral2/memory/3972-140-0x00007FF6C3A70000-0x00007FF6C3DC1000-memory.dmp	upx
behavioral2/memory/4984-143-0x00007FF61F9C0000-0x00007FF61FD11000-memory.dmp	upx
behavioral2/memory/2428-142-0x00007FF7EFF00000-0x00007FF7F0251000-memory.dmp	upx
behavioral2/memory/1380-137-0x00007FF7014C0000-0x00007FF701811000-memory.dmp	upx
behavioral2/memory/5060-150-0x00007FF781970000-0x00007FF781CC1000-memory.dmp	upx
behavioral2/memory/5060-151-0x00007FF781970000-0x00007FF781CC1000-memory.dmp	upx
behavioral2/memory/2368-213-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp	upx
behavioral2/memory/2356-215-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp	upx
behavioral2/memory/320-217-0x00007FF72F0D0000-0x00007FF72F421000-memory.dmp	upx
behavioral2/memory/2876-219-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp	upx
behavioral2/memory/4056-221-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp	upx
behavioral2/memory/1156-225-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp	upx
behavioral2/memory/4920-227-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OgPlPSd.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XmyDFZe.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XbjaDCT.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HlauAya.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KEEMtME.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QHubPEY.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fSyXlON.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KleaKfz.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xNHwtPv.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qztURvf.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CCuJZsS.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xfjnIQA.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GaXKRIR.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tnYoyPs.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgTTbUw.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\apZpRKp.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rbNqJNu.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGyywsl.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AdAkrfc.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KQWaCtg.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\svERHuQ.exe	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2368	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5060 wrote to memory of 2368	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5060 wrote to memory of 2356	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5060 wrote to memory of 2356	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5060 wrote to memory of 320	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5060 wrote to memory of 320	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5060 wrote to memory of 2876	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5060 wrote to memory of 2876	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5060 wrote to memory of 2424	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5060 wrote to memory of 2424	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5060 wrote to memory of 4056	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5060 wrote to memory of 4056	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5060 wrote to memory of 1156	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5060 wrote to memory of 1156	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5060 wrote to memory of 4920	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5060 wrote to memory of 4920	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5060 wrote to memory of 1380	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5060 wrote to memory of 1380	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5060 wrote to memory of 4040	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5060 wrote to memory of 4040	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5060 wrote to memory of 4620	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5060 wrote to memory of 4620	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5060 wrote to memory of 3972	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5060 wrote to memory of 3972	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5060 wrote to memory of 5012	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5060 wrote to memory of 5012	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5060 wrote to memory of 2428	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5060 wrote to memory of 2428	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5060 wrote to memory of 4984	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5060 wrote to memory of 4984	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5060 wrote to memory of 4876	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5060 wrote to memory of 4876	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5060 wrote to memory of 1568	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5060 wrote to memory of 1568	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5060 wrote to memory of 4968	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5060 wrote to memory of 4968	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5060 wrote to memory of 2432	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5060 wrote to memory of 2432	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5060 wrote to memory of 4880	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5060 wrote to memory of 4880	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5060 wrote to memory of 4332	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5060 wrote to memory of 4332	5060	2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_ee6b617029e82c68f83b9e58c6fd9481_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\System\xfjnIQA.exe
  C:\Windows\System\xfjnIQA.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\KleaKfz.exe
  C:\Windows\System\KleaKfz.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\XmyDFZe.exe
  C:\Windows\System\XmyDFZe.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\zGyywsl.exe
  C:\Windows\System\zGyywsl.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\GaXKRIR.exe
  C:\Windows\System\GaXKRIR.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\xNHwtPv.exe
  C:\Windows\System\xNHwtPv.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\qztURvf.exe
  C:\Windows\System\qztURvf.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\XbjaDCT.exe
  C:\Windows\System\XbjaDCT.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\CCuJZsS.exe
  C:\Windows\System\CCuJZsS.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\AdAkrfc.exe
  C:\Windows\System\AdAkrfc.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\HlauAya.exe
  C:\Windows\System\HlauAya.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\KEEMtME.exe
  C:\Windows\System\KEEMtME.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\KQWaCtg.exe
  C:\Windows\System\KQWaCtg.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\QHubPEY.exe
  C:\Windows\System\QHubPEY.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\svERHuQ.exe
  C:\Windows\System\svERHuQ.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\tnYoyPs.exe
  C:\Windows\System\tnYoyPs.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\ZgTTbUw.exe
  C:\Windows\System\ZgTTbUw.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\apZpRKp.exe
  C:\Windows\System\apZpRKp.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\OgPlPSd.exe
  C:\Windows\System\OgPlPSd.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\fSyXlON.exe
  C:\Windows\System\fSyXlON.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\rbNqJNu.exe
  C:\Windows\System\rbNqJNu.exe
  2⤵
  - Executes dropped EXE
  PID:4332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AdAkrfc.exe

Filesize
5.2MB

MD5
918add915daaf7e34ededf840fd53460

SHA1
530063744093b6ad3830139e218a5609f4aed653

SHA256
516bb4c45be2c43af94198bede1d5115742282a2690ef968ea1fcea498474e0b

SHA512
6ed431b28149db6b252fc23e6ebd8baa5db989550301150d8c8ade37d416464c392e0c4e0f1e8a76db7c04f3c80d5a45a3fd1f821d1c03ddec1fe1857c820d31

Download Submit
C:\Windows\System\CCuJZsS.exe

Filesize
5.2MB

MD5
5bffabe53ee6f7f2138d69e68cc9c23e

SHA1
ab9fd1bf7601b02ed37afb602f398a407e8ecd9f

SHA256
35537130e6fac8f4e1e6e441c11c728ef31884de746b8ff8056d66c4b1501484

SHA512
e639a0e337818281257e33fc2277a984e034fa8f2e57ce65a32e0a27113dd998b9c3a41b1de50cc03963adda40b3a7fd133ca25f3b3f2cab03f5340b602eadfb

Download Submit
C:\Windows\System\GaXKRIR.exe

Filesize
5.2MB

MD5
0e816bd1c8dd05e5e617e1972cf2f607

SHA1
6c222815e55d45dbe38a04975921131beb0c1e85

SHA256
a42b5cfcc6cb1c37124b0cb3cddd3d71583302bf53b7c03c619b8e88e8613e39

SHA512
49f47a601cb93433ac4928e7728c7ac9b35ecff8613faa02bb2acd8331453a80f6d9426e987ab4eaff17fa3fb26497d6e6c587fa6d56de417df736a6827e081e

Download Submit
C:\Windows\System\HlauAya.exe

Filesize
5.2MB

MD5
688c3a85e823a7a691e7bffe28123a97

SHA1
43a8d457ada7abc6c680aff3448ddb5641cee123

SHA256
f766960c0b6e3a829f940e5a58aa6c846937f61dcbe040d825598455a3e81cdb

SHA512
5ba7f1d210deb0cee0b6778cdb970fb15bfcd63be01f35727020659ae0a4496c74033c881e3d24d37f42c0d9189a22db38616cd1ff16d2d12a3fa65d1664e35c

Download Submit
C:\Windows\System\KEEMtME.exe

Filesize
5.2MB

MD5
dc6d669b4d23148f782057da394e08a7

SHA1
8e21869f1bc53d07f22689eec3999a80a4537671

SHA256
042700547beff1fe4dfa81d43d3645b1a8588f5f9a6e28f69a0fae2492c64de8

SHA512
ad0f2319b62cd57dc8df2d4f5a0b7ff81436a51760a439f6de1495dad1a04fd3aed6f528826b6a2ff77be3bef3528383b45e4d4e7658fcb58666d972a1a27cff

Download Submit
C:\Windows\System\KQWaCtg.exe

Filesize
5.2MB

MD5
f52d0c02625968dbb349dd398bcbac0d

SHA1
aaf780ddb74e457c0b090769c4180637eb6bc96c

SHA256
87b1647738ca437922a7474b8af9ec1e789cb4241a9cb954e07a10389cf81a4f

SHA512
9fdc3f3ba390d9995b73bd24d61e21956e423d0aad428e9c9eb6ff345f287bfda523a4ef65965c28ffc464e10b76ac71225e946f5ef681f220b956f6a9bf92df

Download Submit
C:\Windows\System\KleaKfz.exe

Filesize
5.2MB

MD5
ebb3ca93fb1f1d3815c04b391147d038

SHA1
f9931fcba2f9c1ecdc2dfc9e539c5e56d41ffc73

SHA256
e449b7b823245356e651b793e88f82fbe343c638ea659301c02b3eb49b0e506a

SHA512
f263f8ece0a2b5b107befffc9fb910a8e3fe0b2f347eb370e4f833fdc79d4d1c8876f241b81366d81f2cf1cd7517b25a57320b21f787e7bb852c57e646562fc1

Download Submit
C:\Windows\System\OgPlPSd.exe

Filesize
5.2MB

MD5
4547b3013ef4e360e17bfe690d0c2ab1

SHA1
68d03d4f9488cdc090b0fa10e72b1dd6fb6f2db7

SHA256
fd3a1d8c02290d50729e8efde9c63b57e3d010af3e0eabd60388792a4a8d5d26

SHA512
be1c7a93c2210e57f1227407d7f4504676ebff329ffd3ba85ef6c18bdc07475a1ee81152dcc2ca903e7d12903af3bbfa2b3613bfbbafd3c0f3e5af806c6664bb

Download Submit
C:\Windows\System\QHubPEY.exe

Filesize
5.2MB

MD5
006492545e1737bf952ccd4f85850020

SHA1
45f370c2d5fd4429eb9d5ebb79548b7ffcdf48f5

SHA256
28702156bde8b7a584fafd630ad3c1adccc977e7e15cfa34d74f94c34957afa2

SHA512
abdea8c85fed583030d477740e2bfd280aec2f6aa54ab3d85d31a4100a87bf070c93e58a6bf221801d373b472739e494d654d67a676b79733cb1cc086e85b441

Download Submit
C:\Windows\System\XbjaDCT.exe

Filesize
5.2MB

MD5
3cb02c70db76d1423148b579639d13f5

SHA1
984ab8d1f28a2a07cf3823b31fdafd1dc1d7efdf

SHA256
7dac5e4db0ab31afde1a45b985fabfc2199ddaaa5af559c15e7c5d05ffd920b8

SHA512
763e5290fc67b4cd5149483e779529b64f97dc52c77ce9a5084b788b47af3f7fe0b0ad94194a1118ba962f15c9e2e25b1d42673ecfe6a5862f8ff6e0f5dcac2f

Download Submit
C:\Windows\System\XmyDFZe.exe

Filesize
5.2MB

MD5
aec67ca57164b501da606ab9d2894f19

SHA1
67ce93dc39b4274ab301d9c0616a7aa88f395b85

SHA256
6e1732e26bd8b8d4a7c706ad6f1bac38e6443caf50f75ab10d12bdda7412e174

SHA512
a90f5754132128f4a87cbc20cc8fc6978db7e88bd85d2077a35e8a438ba7bb4cab7de3b0c20dec97a65f6875b54143119809c96f9deb6874a2354b7e65a2cd1b

Download Submit
C:\Windows\System\ZgTTbUw.exe

Filesize
5.2MB

MD5
cb68effcce95e71ce8ae83348136e3a1

SHA1
bf5f5c01f6726f4e308ed6b8a3ae2050388bb960

SHA256
e30a38c248e103f7a6e4e36fd89fa7ee518463e8b7924ac21f38af52bff145a8

SHA512
bbbd214fb54eb2aa1c6421f84d74ae0fb14fb429572d4716a425c3ec4fcfd2c921e1862797547eeb1c43e688720df338e244e0e326388ff73995ef0040f4fe42

Download Submit
C:\Windows\System\apZpRKp.exe

Filesize
5.2MB

MD5
00ff0ff6e51409bd00d0ea74b2516fb9

SHA1
653d3f1d203935c031ee62255e3c20c0598650b8

SHA256
30dcf5e0f612ad1d9040a2615d8634e2264223b0a7d27f0083e9cc1a08d91cf1

SHA512
f8952e00669c7d1f178422e12ea83de4c02a89f3d8ea315c6f39848b8221fbfb30392c62d1813675febe2559e2856e602c454213c9a026fb103a76e78d26f02f

Download Submit
C:\Windows\System\fSyXlON.exe

Filesize
5.2MB

MD5
484510dcce7ea1a3e629123501e830de

SHA1
f4b65ca3cc60c343e188bac72a75e46f8ae57aeb

SHA256
650601d7bc9a9b17e1f68a972cc9170068069e81b480b6be9dff2b5a48b7876c

SHA512
55f9e2f89e762c6253e934309cb7403e2761248a6c8bd3ee37ca8e33e4cf903301758e8d9f845e41ca61d27a9f1a93b38ebb81051050ccb363ac2d8a015c0473

Download Submit
C:\Windows\System\qztURvf.exe

Filesize
5.2MB

MD5
e4c60672c189ce295dfc2bab82f6e9c6

SHA1
a62c526b377c8361351fa97d26b7ade5508da03b

SHA256
c3485887f9fe25f4bcf280f704805fcee4a589981266bae7402a147986113162

SHA512
8e63ed3f2b85b9e682392d83d9736274d21667b6cb3e04c822995804014846da2c7d41a8459a254e7ea56c3a99d4718ca08f73c6fa9e4e59fdd5e94e3ceeaff5

Download Submit
C:\Windows\System\rbNqJNu.exe

Filesize
5.2MB

MD5
9cf42d2a00f0bfbad471731adb9a22c2

SHA1
afbaa13038ca4593e854e31203761bce912d7f3f

SHA256
3e76e4de19f98ebf18156a77e90e9944c45d3293236ea4f10b35b9273198ff44

SHA512
933ad9c3be47699915deecd24d9662c5232faca9bb9eafd42146a6b51bd3ceadadf985b184e487cb40e3432b2712a34c4e5feb56e3f6625534a21fff8d4ad950

Download Submit
C:\Windows\System\svERHuQ.exe

Filesize
5.2MB

MD5
6f386758190358534207f10510265f0b

SHA1
91db21a9bd6e1774c190521e6d9e5fa9d863ac97

SHA256
7f7569e18c53301036a542d18bd7dd8045c082618810e07619a26d91a47a9432

SHA512
578b009f9392bfe929737f758e7856a8d50645d8aafda20add927a684d91cfe3100f1c755fcff41c43466cc31e1d944c2f1826fbbbdcf618073c7cc18fe4f59c

Download Submit
C:\Windows\System\tnYoyPs.exe

Filesize
5.2MB

MD5
041bc7fe88db662ba8a7ddd3fec09cc4

SHA1
f5a64a744ac0904318f982ad88ce9f6c7273fe36

SHA256
8dbdbb2cd0e22715338bf215632a0079b94645fd32f1a800d48d6bbd914db108

SHA512
8515e8bb7efa9172b3ae35f4bc8bc753d4c88842db273b0b880f118fec9a68d0025f9b13a713bc62e1621319bda290562942d02a3c1ab8eb493b0c99f9f308dd

Download Submit
C:\Windows\System\xNHwtPv.exe

Filesize
5.2MB

MD5
1a18e7f75deadfe1b5fc8cc08b9477d7

SHA1
e3d0d911691e646a2c974ea66d74e17bb8100cc4

SHA256
1538616c4cdbcb9df6adbdff0db05ff062f4359a719ad59cb7f3a3cbed5aab2d

SHA512
ed2df030134afc9e9e622843cbf738e226b31ebc7001a0412a5c29aba5e2f1d0d08f4e2e89924c27420e7214abbf6480b2eaa7a55a539d0c760ba533a243dad6

Download Submit
C:\Windows\System\xfjnIQA.exe

Filesize
5.2MB

MD5
3d87ce68ab66c9dff80afdba93a72497

SHA1
f1ae619bef2d1e5ca0023b454504531235017864

SHA256
b2967d536cf380b4cf84fca9844afbf27495800e7330ce93487b2661bc95be63

SHA512
886f0752ba2719ca6be2136f521cb8c20d080ccc56ffa93f87a8d976e81f7c6dfcd9a80e9ee2bec8091fe1f39348d6cbbd2e8d5778fd4475d1a187593312b0a7

Download Submit
C:\Windows\System\zGyywsl.exe

Filesize
5.2MB

MD5
a6bd89f4ad0aff0bda17c8d730e7d917

SHA1
2e842873e3214d4f0579c699841bd8fb373be114

SHA256
53e7c6fdbbf2862b7719bd6c0e793c86e1ff350f4493e2f31886a0e20cbb3965

SHA512
3e80291bd180c75c7ede0b94520350655864b53e586cd27954e0fa7b9816a582c1a3250b9e639686a3d8e014350507af1720ad755aaccda1788e44b4f27c310e

Download Submit
memory/320-217-0x00007FF72F0D0000-0x00007FF72F421000-memory.dmp

Filesize
3.3MB

Download
memory/320-36-0x00007FF72F0D0000-0x00007FF72F421000-memory.dmp

Filesize
3.3MB

Download
memory/1156-225-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1156-40-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1156-135-0x00007FF63FC10000-0x00007FF63FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1380-234-0x00007FF7014C0000-0x00007FF701811000-memory.dmp

Filesize
3.3MB

Download
memory/1380-73-0x00007FF7014C0000-0x00007FF701811000-memory.dmp

Filesize
3.3MB

Download
memory/1380-137-0x00007FF7014C0000-0x00007FF701811000-memory.dmp

Filesize
3.3MB

Download
memory/1568-126-0x00007FF79EDA0000-0x00007FF79F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-249-0x00007FF79EDA0000-0x00007FF79F0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2356-215-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp

Filesize
3.3MB

Download
memory/2356-17-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp

Filesize
3.3MB

Download
memory/2356-130-0x00007FF7B9040000-0x00007FF7B9391000-memory.dmp

Filesize
3.3MB

Download
memory/2368-213-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-129-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-8-0x00007FF7ABE90000-0x00007FF7AC1E1000-memory.dmp

Filesize
3.3MB

Download
memory/2424-133-0x00007FF62D7D0000-0x00007FF62DB21000-memory.dmp

Filesize
3.3MB

Download
memory/2424-224-0x00007FF62D7D0000-0x00007FF62DB21000-memory.dmp

Filesize
3.3MB

Download
memory/2424-39-0x00007FF62D7D0000-0x00007FF62DB21000-memory.dmp

Filesize
3.3MB

Download
memory/2428-121-0x00007FF7EFF00000-0x00007FF7F0251000-memory.dmp

Filesize
3.3MB

Download
memory/2428-251-0x00007FF7EFF00000-0x00007FF7F0251000-memory.dmp

Filesize
3.3MB

Download
memory/2428-142-0x00007FF7EFF00000-0x00007FF7F0251000-memory.dmp

Filesize
3.3MB

Download
memory/2432-257-0x00007FF619D40000-0x00007FF61A091000-memory.dmp

Filesize
3.3MB

Download
memory/2432-127-0x00007FF619D40000-0x00007FF61A091000-memory.dmp

Filesize
3.3MB

Download
memory/2876-132-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-219-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-30-0x00007FF7F2460000-0x00007FF7F27B1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-245-0x00007FF6C3A70000-0x00007FF6C3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-85-0x00007FF6C3A70000-0x00007FF6C3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-140-0x00007FF6C3A70000-0x00007FF6C3DC1000-memory.dmp

Filesize
3.3MB

Download
memory/4040-235-0x00007FF7BD1B0000-0x00007FF7BD501000-memory.dmp

Filesize
3.3MB

Download
memory/4040-84-0x00007FF7BD1B0000-0x00007FF7BD501000-memory.dmp

Filesize
3.3MB

Download
memory/4056-134-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp

Filesize
3.3MB

Download
memory/4056-221-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp

Filesize
3.3MB

Download
memory/4056-35-0x00007FF63C0D0000-0x00007FF63C421000-memory.dmp

Filesize
3.3MB

Download
memory/4332-255-0x00007FF709EC0000-0x00007FF70A211000-memory.dmp

Filesize
3.3MB

Download
memory/4332-125-0x00007FF709EC0000-0x00007FF70A211000-memory.dmp

Filesize
3.3MB

Download
memory/4620-230-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4620-106-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-123-0x00007FF64B180000-0x00007FF64B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-247-0x00007FF64B180000-0x00007FF64B4D1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-124-0x00007FF7A3E40000-0x00007FF7A4191000-memory.dmp

Filesize
3.3MB

Download
memory/4880-253-0x00007FF7A3E40000-0x00007FF7A4191000-memory.dmp

Filesize
3.3MB

Download
memory/4920-136-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp

Filesize
3.3MB

Download
memory/4920-46-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp

Filesize
3.3MB

Download
memory/4920-227-0x00007FF6EBEC0000-0x00007FF6EC211000-memory.dmp

Filesize
3.3MB

Download
memory/4968-258-0x00007FF7EEBF0000-0x00007FF7EEF41000-memory.dmp

Filesize
3.3MB

Download
memory/4968-122-0x00007FF7EEBF0000-0x00007FF7EEF41000-memory.dmp

Filesize
3.3MB

Download
memory/4984-92-0x00007FF61F9C0000-0x00007FF61FD11000-memory.dmp

Filesize
3.3MB

Download
memory/4984-143-0x00007FF61F9C0000-0x00007FF61FD11000-memory.dmp

Filesize
3.3MB

Download
memory/4984-243-0x00007FF61F9C0000-0x00007FF61FD11000-memory.dmp

Filesize
3.3MB

Download
memory/5012-91-0x00007FF785340000-0x00007FF785691000-memory.dmp

Filesize
3.3MB

Download
memory/5012-232-0x00007FF785340000-0x00007FF785691000-memory.dmp

Filesize
3.3MB

Download
memory/5060-150-0x00007FF781970000-0x00007FF781CC1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-128-0x00007FF781970000-0x00007FF781CC1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-0-0x00007FF781970000-0x00007FF781CC1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-151-0x00007FF781970000-0x00007FF781CC1000-memory.dmp

Filesize
3.3MB

Download
memory/5060-1-0x00000212FA990000-0x00000212FA9A0000-memory.dmp

Filesize
64KB

Download