cobaltstrike | 8502fe1119384ce385e75d0bc72b477c5f4875078b071a7b75c312c7a6a38370

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

90b7a6a865a61f1b348b7d70c07baf15
SHA1

fa7d2f2c93679c78c6ce24da13994a76834f9d9d
SHA256

8502fe1119384ce385e75d0bc72b477c5f4875078b071a7b75c312c7a6a38370
SHA512

b0e2a78bb5842eecf61b3057495c32dac6169fde30806fb6de6d25702f6185b27d432b6c60b66ae5ddbf15c07380f93b9a933eca127a5b75bf9de192829abf8b
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ld:RWWBibj56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234e5-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234e9-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ea-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234eb-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ec-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ed-35.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234e6-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ef-49.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f0-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f1-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f2-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f3-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f6-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fa-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f8-123.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234fb-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f9-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f7-109.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f5-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234f4-91.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ee-50.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/1640-22-0x00007FF7A50E0000-0x00007FF7A5431000-memory.dmp	xmrig
behavioral2/memory/4984-59-0x00007FF6F6BD0000-0x00007FF6F6F21000-memory.dmp	xmrig
behavioral2/memory/1052-60-0x00007FF748E00000-0x00007FF749151000-memory.dmp	xmrig
behavioral2/memory/2732-61-0x00007FF647EE0000-0x00007FF648231000-memory.dmp	xmrig
behavioral2/memory/2652-76-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp	xmrig
behavioral2/memory/1368-90-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp	xmrig
behavioral2/memory/1040-129-0x00007FF71CAC0000-0x00007FF71CE11000-memory.dmp	xmrig
behavioral2/memory/1728-119-0x00007FF676430000-0x00007FF676781000-memory.dmp	xmrig
behavioral2/memory/932-105-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp	xmrig
behavioral2/memory/3640-106-0x00007FF65F030000-0x00007FF65F381000-memory.dmp	xmrig
behavioral2/memory/4052-66-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp	xmrig
behavioral2/memory/3168-64-0x00007FF686120000-0x00007FF686471000-memory.dmp	xmrig
behavioral2/memory/3336-62-0x00007FF6F2690000-0x00007FF6F29E1000-memory.dmp	xmrig
behavioral2/memory/1728-41-0x00007FF676430000-0x00007FF676781000-memory.dmp	xmrig
behavioral2/memory/2204-33-0x00007FF60E4E0000-0x00007FF60E831000-memory.dmp	xmrig
behavioral2/memory/4052-133-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp	xmrig
behavioral2/memory/1656-146-0x00007FF67FA80000-0x00007FF67FDD1000-memory.dmp	xmrig
behavioral2/memory/4376-145-0x00007FF6E6490000-0x00007FF6E67E1000-memory.dmp	xmrig
behavioral2/memory/1368-148-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp	xmrig
behavioral2/memory/3252-156-0x00007FF786400000-0x00007FF786751000-memory.dmp	xmrig
behavioral2/memory/2660-154-0x00007FF678460000-0x00007FF6787B1000-memory.dmp	xmrig
behavioral2/memory/3584-152-0x00007FF6938D0000-0x00007FF693C21000-memory.dmp	xmrig
behavioral2/memory/4016-150-0x00007FF6D2B10000-0x00007FF6D2E61000-memory.dmp	xmrig
behavioral2/memory/3756-149-0x00007FF618DC0000-0x00007FF619111000-memory.dmp	xmrig
behavioral2/memory/1248-153-0x00007FF674200000-0x00007FF674551000-memory.dmp	xmrig
behavioral2/memory/4052-157-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp	xmrig
behavioral2/memory/3168-207-0x00007FF686120000-0x00007FF686471000-memory.dmp	xmrig
behavioral2/memory/2652-209-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp	xmrig
behavioral2/memory/1640-211-0x00007FF7A50E0000-0x00007FF7A5431000-memory.dmp	xmrig
behavioral2/memory/2204-217-0x00007FF60E4E0000-0x00007FF60E831000-memory.dmp	xmrig
behavioral2/memory/932-219-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp	xmrig
behavioral2/memory/1728-221-0x00007FF676430000-0x00007FF676781000-memory.dmp	xmrig
behavioral2/memory/4984-231-0x00007FF6F6BD0000-0x00007FF6F6F21000-memory.dmp	xmrig
behavioral2/memory/2732-235-0x00007FF647EE0000-0x00007FF648231000-memory.dmp	xmrig
behavioral2/memory/3336-234-0x00007FF6F2690000-0x00007FF6F29E1000-memory.dmp	xmrig
behavioral2/memory/4376-239-0x00007FF6E6490000-0x00007FF6E67E1000-memory.dmp	xmrig
behavioral2/memory/1052-238-0x00007FF748E00000-0x00007FF749151000-memory.dmp	xmrig
behavioral2/memory/1656-241-0x00007FF67FA80000-0x00007FF67FDD1000-memory.dmp	xmrig
behavioral2/memory/1368-243-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp	xmrig
behavioral2/memory/3756-250-0x00007FF618DC0000-0x00007FF619111000-memory.dmp	xmrig
behavioral2/memory/4016-252-0x00007FF6D2B10000-0x00007FF6D2E61000-memory.dmp	xmrig
behavioral2/memory/3640-254-0x00007FF65F030000-0x00007FF65F381000-memory.dmp	xmrig
behavioral2/memory/3584-256-0x00007FF6938D0000-0x00007FF693C21000-memory.dmp	xmrig
behavioral2/memory/1248-258-0x00007FF674200000-0x00007FF674551000-memory.dmp	xmrig
behavioral2/memory/1040-260-0x00007FF71CAC0000-0x00007FF71CE11000-memory.dmp	xmrig
behavioral2/memory/2660-262-0x00007FF678460000-0x00007FF6787B1000-memory.dmp	xmrig
behavioral2/memory/3252-264-0x00007FF786400000-0x00007FF786751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3168	cVLvrKR.exe
2652	deYFFuh.exe
1640	AsaplWY.exe
932	SygFuOt.exe
2204	CjfCMEa.exe
1728	SQzAgTP.exe
4984	MJKCBNI.exe
2732	npvpoQF.exe
3336	uYRHvqa.exe
1052	OrsmAUW.exe
4376	jFjvaYG.exe
1656	cFYXzxF.exe
1368	CRniUzH.exe
3756	ITsNbiQ.exe
4016	YwgPUwe.exe
3640	RuufHDa.exe
3584	NnYmVzj.exe
1248	nyCQLhT.exe
2660	KJHZWkx.exe
1040	VGMGIlz.exe
3252	OWrPBli.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4052-0-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp	upx
behavioral2/files/0x00080000000234e5-6.dat	upx
behavioral2/files/0x00070000000234e9-10.dat	upx
behavioral2/memory/3168-9-0x00007FF686120000-0x00007FF686471000-memory.dmp	upx
behavioral2/files/0x00070000000234ea-11.dat	upx
behavioral2/memory/2652-19-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp	upx
behavioral2/files/0x00070000000234eb-23.dat	upx
behavioral2/memory/1640-22-0x00007FF7A50E0000-0x00007FF7A5431000-memory.dmp	upx
behavioral2/memory/932-27-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-29.dat	upx
behavioral2/files/0x00070000000234ed-35.dat	upx
behavioral2/files/0x00080000000234e6-40.dat	upx
behavioral2/files/0x00070000000234ef-49.dat	upx
behavioral2/files/0x00070000000234f0-55.dat	upx
behavioral2/memory/4984-59-0x00007FF6F6BD0000-0x00007FF6F6F21000-memory.dmp	upx
behavioral2/memory/1052-60-0x00007FF748E00000-0x00007FF749151000-memory.dmp	upx
behavioral2/memory/2732-61-0x00007FF647EE0000-0x00007FF648231000-memory.dmp	upx
behavioral2/files/0x00070000000234f1-65.dat	upx
behavioral2/memory/4376-67-0x00007FF6E6490000-0x00007FF6E67E1000-memory.dmp	upx
behavioral2/files/0x00070000000234f2-72.dat	upx
behavioral2/memory/2652-76-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp	upx
behavioral2/files/0x00070000000234f3-85.dat	upx
behavioral2/memory/1368-90-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp	upx
behavioral2/memory/3756-94-0x00007FF618DC0000-0x00007FF619111000-memory.dmp	upx
behavioral2/files/0x00070000000234f6-102.dat	upx
behavioral2/memory/3584-113-0x00007FF6938D0000-0x00007FF693C21000-memory.dmp	upx
behavioral2/files/0x00070000000234fa-120.dat	upx
behavioral2/files/0x00070000000234f8-123.dat	upx
behavioral2/files/0x00070000000234fb-131.dat	upx
behavioral2/memory/1040-129-0x00007FF71CAC0000-0x00007FF71CE11000-memory.dmp	upx
behavioral2/memory/3252-126-0x00007FF786400000-0x00007FF786751000-memory.dmp	upx
behavioral2/files/0x00070000000234f9-124.dat	upx
behavioral2/memory/2660-122-0x00007FF678460000-0x00007FF6787B1000-memory.dmp	upx
behavioral2/memory/1728-119-0x00007FF676430000-0x00007FF676781000-memory.dmp	upx
behavioral2/memory/1248-118-0x00007FF674200000-0x00007FF674551000-memory.dmp	upx
behavioral2/files/0x00070000000234f7-109.dat	upx
behavioral2/memory/932-105-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp	upx
behavioral2/memory/3640-106-0x00007FF65F030000-0x00007FF65F381000-memory.dmp	upx
behavioral2/memory/4016-100-0x00007FF6D2B10000-0x00007FF6D2E61000-memory.dmp	upx
behavioral2/files/0x00070000000234f5-97.dat	upx
behavioral2/files/0x00070000000234f4-91.dat	upx
behavioral2/memory/1656-82-0x00007FF67FA80000-0x00007FF67FDD1000-memory.dmp	upx
behavioral2/memory/4052-66-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp	upx
behavioral2/memory/3168-64-0x00007FF686120000-0x00007FF686471000-memory.dmp	upx
behavioral2/memory/3336-62-0x00007FF6F2690000-0x00007FF6F29E1000-memory.dmp	upx
behavioral2/files/0x00070000000234ee-50.dat	upx
behavioral2/memory/1728-41-0x00007FF676430000-0x00007FF676781000-memory.dmp	upx
behavioral2/memory/2204-33-0x00007FF60E4E0000-0x00007FF60E831000-memory.dmp	upx
behavioral2/memory/4052-133-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp	upx
behavioral2/memory/1656-146-0x00007FF67FA80000-0x00007FF67FDD1000-memory.dmp	upx
behavioral2/memory/4376-145-0x00007FF6E6490000-0x00007FF6E67E1000-memory.dmp	upx
behavioral2/memory/1368-148-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp	upx
behavioral2/memory/3252-156-0x00007FF786400000-0x00007FF786751000-memory.dmp	upx
behavioral2/memory/2660-154-0x00007FF678460000-0x00007FF6787B1000-memory.dmp	upx
behavioral2/memory/3584-152-0x00007FF6938D0000-0x00007FF693C21000-memory.dmp	upx
behavioral2/memory/4016-150-0x00007FF6D2B10000-0x00007FF6D2E61000-memory.dmp	upx
behavioral2/memory/3756-149-0x00007FF618DC0000-0x00007FF619111000-memory.dmp	upx
behavioral2/memory/1248-153-0x00007FF674200000-0x00007FF674551000-memory.dmp	upx
behavioral2/memory/4052-157-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp	upx
behavioral2/memory/3168-207-0x00007FF686120000-0x00007FF686471000-memory.dmp	upx
behavioral2/memory/2652-209-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp	upx
behavioral2/memory/1640-211-0x00007FF7A50E0000-0x00007FF7A5431000-memory.dmp	upx
behavioral2/memory/2204-217-0x00007FF60E4E0000-0x00007FF60E831000-memory.dmp	upx
behavioral2/memory/932-219-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cVLvrKR.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AsaplWY.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CRniUzH.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RuufHDa.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KJHZWkx.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VGMGIlz.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\npvpoQF.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrsmAUW.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ITsNbiQ.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YwgPUwe.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CjfCMEa.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SQzAgTP.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJKCBNI.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uYRHvqa.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFjvaYG.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cFYXzxF.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NnYmVzj.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nyCQLhT.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\deYFFuh.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SygFuOt.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OWrPBli.exe	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3168	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4052 wrote to memory of 3168	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4052 wrote to memory of 2652	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4052 wrote to memory of 2652	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4052 wrote to memory of 1640	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4052 wrote to memory of 1640	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4052 wrote to memory of 932	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4052 wrote to memory of 932	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4052 wrote to memory of 2204	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4052 wrote to memory of 2204	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4052 wrote to memory of 1728	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4052 wrote to memory of 1728	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4052 wrote to memory of 4984	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4052 wrote to memory of 4984	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4052 wrote to memory of 2732	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4052 wrote to memory of 2732	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4052 wrote to memory of 3336	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4052 wrote to memory of 3336	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4052 wrote to memory of 1052	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4052 wrote to memory of 1052	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4052 wrote to memory of 4376	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4052 wrote to memory of 4376	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4052 wrote to memory of 1656	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4052 wrote to memory of 1656	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4052 wrote to memory of 1368	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4052 wrote to memory of 1368	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4052 wrote to memory of 3756	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4052 wrote to memory of 3756	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4052 wrote to memory of 4016	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4052 wrote to memory of 4016	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4052 wrote to memory of 3640	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4052 wrote to memory of 3640	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4052 wrote to memory of 3584	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4052 wrote to memory of 3584	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4052 wrote to memory of 1248	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4052 wrote to memory of 1248	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4052 wrote to memory of 2660	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4052 wrote to memory of 2660	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4052 wrote to memory of 1040	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4052 wrote to memory of 1040	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4052 wrote to memory of 3252	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4052 wrote to memory of 3252	4052	2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_90b7a6a865a61f1b348b7d70c07baf15_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\System\cVLvrKR.exe
  C:\Windows\System\cVLvrKR.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\deYFFuh.exe
  C:\Windows\System\deYFFuh.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\AsaplWY.exe
  C:\Windows\System\AsaplWY.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\SygFuOt.exe
  C:\Windows\System\SygFuOt.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\CjfCMEa.exe
  C:\Windows\System\CjfCMEa.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\SQzAgTP.exe
  C:\Windows\System\SQzAgTP.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\MJKCBNI.exe
  C:\Windows\System\MJKCBNI.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\npvpoQF.exe
  C:\Windows\System\npvpoQF.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\uYRHvqa.exe
  C:\Windows\System\uYRHvqa.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\OrsmAUW.exe
  C:\Windows\System\OrsmAUW.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\jFjvaYG.exe
  C:\Windows\System\jFjvaYG.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\cFYXzxF.exe
  C:\Windows\System\cFYXzxF.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\CRniUzH.exe
  C:\Windows\System\CRniUzH.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\ITsNbiQ.exe
  C:\Windows\System\ITsNbiQ.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\YwgPUwe.exe
  C:\Windows\System\YwgPUwe.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\RuufHDa.exe
  C:\Windows\System\RuufHDa.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\NnYmVzj.exe
  C:\Windows\System\NnYmVzj.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\nyCQLhT.exe
  C:\Windows\System\nyCQLhT.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\KJHZWkx.exe
  C:\Windows\System\KJHZWkx.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\VGMGIlz.exe
  C:\Windows\System\VGMGIlz.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\OWrPBli.exe
  C:\Windows\System\OWrPBli.exe
  2⤵
  - Executes dropped EXE
  PID:3252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AsaplWY.exe

Filesize
5.2MB

MD5
c1300a9ccf04bd9333dd0c420b985ddb

SHA1
366685ad0b11eee061eb36bf51476f1598cea3fc

SHA256
e751267c545ab960fdcd9c611f3e7ed35fe2e24971f142a2adfe6bae7799aa9a

SHA512
3526b10e3e23eb5d883e7085a15e624b30a43ada2cb4355bb8b59e90e72b97b2dd833d774adf65bd6b9a0279511f29aca7d331af26d9cfe4b4e094a6bc3e97cc

Download Submit
C:\Windows\System\CRniUzH.exe

Filesize
5.2MB

MD5
32bcf13984eb24f88017d1ffe44ab43c

SHA1
3a237f4ae628a402bcebc39a3720155a2c41d9da

SHA256
1b1ab4df4f29fe95ce2089724b4fa3983478ce8bc7e7e4421d46b7004972977e

SHA512
bef334443fc4357be9ef17245a0c44f1a8951a80271407367e464196f39d16f0c99b8a131133b6fd46687ef38035d60c97752ea20582a1bb30da2a94dfc414fc

Download Submit
C:\Windows\System\CjfCMEa.exe

Filesize
5.2MB

MD5
e5593544912df258f7156ddb145f2e2a

SHA1
2c1a152422a7bceccda2098b6fab6351237b70ba

SHA256
ea5155032405a44cb3292b93d21e51b55aa06435bd94cbdc7055a051582bc0d5

SHA512
c10f98961ffa3b5b4edccf45e03d0e1055357006d4d5902194d4bad9d52d4b902f5585e8ac20b9efb547048910bf757b3a20eea60d1690a9c056844322f4b1a8

Download Submit
C:\Windows\System\ITsNbiQ.exe

Filesize
5.2MB

MD5
cf1e0e28ce867d0256240fd688a704a3

SHA1
526a459d1dd943854da5c02fe779f6480260c380

SHA256
a4cae58b07df370d74e195271dcb79b3cf24178a8ef4d0233672839587233038

SHA512
2fff50acbcc05518b4109efe732ad684dd4bc2e9d444c363796fbe12c0fbe820813adc4d9313609e85f22d7bd0f4180b9f95d23218b2b7975b8db1de93a29d1f

Download Submit
C:\Windows\System\KJHZWkx.exe

Filesize
5.2MB

MD5
760f07661cf257cf414057e61d50386f

SHA1
21f5b79212c1e87c7dc8fe6b6069ec8cb811c6d9

SHA256
f9502fd638aa6132b1695eddff5bb9dc52eab19f79e54cc0c4e1a4dfd5621b68

SHA512
6d85195b4c0a3749cf6075349e2107649eecf9ad836fe4092cb3784a93c285b0f3a0e8b1f98d7d6b35c72bc148870c8cf1a292551cc277d20b933dd076a27d0c

Download Submit
C:\Windows\System\MJKCBNI.exe

Filesize
5.2MB

MD5
4869c110e647faa20917c125adc89c66

SHA1
1cd019eec7868423b0dc669dbe6a2087ee94d14f

SHA256
991a6a588dfaec04b76a3ffc35d5eef64cc0efdced9000de6f8ac7057f959c7d

SHA512
b3f7395125df46fcb558bc51c447d00d3edae8a1356ca24ecd355fb18daa9263404e4148b8dc5806db1f622aa30c8a34cc7d86a0da4f0dbd72ca41c101c6669b

Download Submit
C:\Windows\System\NnYmVzj.exe

Filesize
5.2MB

MD5
0c7c51d9e4194e10c718a825059e9a88

SHA1
fd401f8eae56fea5bff7bfad5df62aa9c793efa7

SHA256
d4e47b766959d7bdcda94fda806bcab128c721932116b3262fe93327d2d5db95

SHA512
e6e90e0265918731c07ebf1ea4a369de458611877b3e6aeecca7fbf78248647311fdd04f87c52e55a878edcf54019ea89e03c9c502024142cc3efcc94b069df8

Download Submit
C:\Windows\System\OWrPBli.exe

Filesize
5.2MB

MD5
43e84b7d5f6b7e3eeeb36a6a2a74822c

SHA1
73dc70db56fa51c24a8d13bdcb7e994b2c1880f7

SHA256
a8fae97ff225779a0b5ec3ac9cf5ba96ad321c77ac88a79b2ac3726345a9f1a2

SHA512
e71a68fda4d9dc19ef47edb5fbd6aebf2c3d97c51039362241344386061b0a9a22cd0e7230b33ddd25b3437e7dd66544f2e2ce4c24e2b4909213cf49357ecb51

Download Submit
C:\Windows\System\OrsmAUW.exe

Filesize
5.2MB

MD5
a82a79aacdc85dd49751f2c974e7e108

SHA1
ea402e040255096f18ad6fc701c829b06464fe35

SHA256
f4c0a718977e843fb7ae03aac9d6b94f7e275023763eb797d335c29416ebf5b8

SHA512
921c2996716dd953eee48fafed5bcb3d6c7a428be95f8f34e18cbce295c8f3058e64700871793b50a7e1cb10d472d094796671fc9768ac9ab806df50d68c7b37

Download Submit
C:\Windows\System\RuufHDa.exe

Filesize
5.2MB

MD5
95d08e376788ea1efe8c51ce65a3bcd7

SHA1
4c521971442beb7c87e1fb3b3fd09b375cbddaf3

SHA256
342f32142324e59081ba596ba6b1797e3490048032cac7c5b74740151f04f998

SHA512
d90fc9acc2e639073f63a3ffc95ba5bab5280ea3f3bbeeb8feac55f486d0fd137f2c49171c4370a71e1d4d82ee7452034293c4930d065cffda4ba4f36d5391ab

Download Submit
C:\Windows\System\SQzAgTP.exe

Filesize
5.2MB

MD5
de23a725dcb1c96a450ae012ef0619e2

SHA1
80feb75aa7f25e8b564872a16dd7319cfa49db1c

SHA256
ddee1dc97dc13cda910887f906452380886def9dcb4eb54419ea6644ee9c083f

SHA512
46da5ec47d351c771a7ad7d29565e354e1f1d74c68c34735c8134d10aa308e40f7b76a7131fb9807fc25ee7f5f37aba072a51727aeb8ea0e27c0f449ae91056d

Download Submit
C:\Windows\System\SygFuOt.exe

Filesize
5.2MB

MD5
8be1aa669aabefcf93b97b15fce88022

SHA1
db77c985256f72bdbc5671120da9a5f56506f8ea

SHA256
e53efe4be848b1ebfdd272f7df0084d8e63e33b068cd500f492089d9bae1eb1e

SHA512
63de0e14252f5ca5737627b4479427af257658f69f7067df9c3404992e67b67a2384b36c685a4c3a2527ce101264cc641aa9d108dd3bae408f2ba6ddc35928b9

Download Submit
C:\Windows\System\VGMGIlz.exe

Filesize
5.2MB

MD5
15b243ad406bc41eb33d9dadb8a985b5

SHA1
d52640bfc8ecf63a0f4272df15d6cfc4a49270b1

SHA256
acc47a90ee7ed15ea12d095e69931f062e17e9efb4068bdd188456bb26fba557

SHA512
bc3f32fc03f81be244e0e70b47233c741820ac0db08c9b237a4dbec8bda367b6da946b033f78ccfeb07efac9cd60e143f10a99eb6af63d39d5bdbe8ac29cbb09

Download Submit
C:\Windows\System\YwgPUwe.exe

Filesize
5.2MB

MD5
8946aa5ad15c9c3f722ef6781aa67168

SHA1
fe4a9e3d4c552669fe932b2e44eb70d48c0add83

SHA256
6fa8a782aa40860871718cf47fb30a4db95244d41e1e0268cf897579808f6381

SHA512
ad377a737934aeff16a4e50fa67fdff3918c2231cbf2f2f6a9804ae3a2b7e74b7166437a82a86082138b2093f7b5da1a01a72e4608c756574038b6cec33f4296

Download Submit
C:\Windows\System\cFYXzxF.exe

Filesize
5.2MB

MD5
63152936d6361aa9e58d5e0f0819c1db

SHA1
98301d0a0677f94c2ba2445832a546e940d1183c

SHA256
1e736278a7d76beff8b6953dd9160a6172feabf66b9eb8cfb9e9364b0bb0c17c

SHA512
07c3a9fadd636680d66afdbb7f7b5b9ef065e9579925bc3ca7f959b0e79bf67da0793940df5990a6983789f248e995bbcd056ef80ff78bdb52eeeec5aa7b876b

Download Submit
C:\Windows\System\cVLvrKR.exe

Filesize
5.2MB

MD5
28b8ce541b5cc65abd5df916a5f2966a

SHA1
0a312fe59675cd0543daaf19e286f49890f6805d

SHA256
b6320ecbc0e2283db59dcfd06ed9e93507abb0a94468d0c21bce815992a9bbc0

SHA512
01cfb2482b8eae3ad491d52e2c5bc4e8a8685144e7854419ba220e06b136f0c012b932b6d9695b837c42e663dc1dbd62d67d999c1688ae5e0d4eb93877f0eca7

Download Submit
C:\Windows\System\deYFFuh.exe

Filesize
5.2MB

MD5
7ec6d589808b2ce5735185330660fc28

SHA1
68be63928e4145b97e98bfd9b919b7cbbc778904

SHA256
4cec526626deee1af0f59e1787c8de0c19cd8dd367487e5e43fdcc637c5ddfdd

SHA512
de54efb1b1396b0e47edfda44f1212dabef2e7938410aeb4f9595da7a8bdb8bb0f79f15b3692164791c46d58d6223ef2fc3fe7dfcbbeae1277c1a835536c16d1

Download Submit
C:\Windows\System\jFjvaYG.exe

Filesize
5.2MB

MD5
2d68d9f39f5ae100a469ca890bba35cd

SHA1
7eab4d42b6926ab39ad9086194f1e40fbc3dcf52

SHA256
f15e1ba9f7c127b65abd258861f39a158e2f8fd108847eb613adb4d079950161

SHA512
870a8cd51dcfde0ceb07ac4023860ab1815a827581f163b77f056a830a86d51610322476d5a15c28cced8c05455b6b51ca0332d1b2e39545b667e30f0e688588

Download Submit
C:\Windows\System\npvpoQF.exe

Filesize
5.2MB

MD5
7abe8b32a368ebb7e69e97a708d56cdb

SHA1
279dbb9c0aabb020eaac9866a07a817fd7067935

SHA256
17fade1d4852aa6e1d49a74fea5ae07dc38516e2d377e6467d9c20a151838d0e

SHA512
ad6ab2f30804c7d124ec5d8c49792ab2263910eea726b7e4ffd762f84b7c6051b8f514bb60ce5c9eb3346ca9e2c88f04a72f9dfd564054dd20a740d2c295813f

Download Submit
C:\Windows\System\nyCQLhT.exe

Filesize
5.2MB

MD5
9ae0db484be005821b680ad0db1ce741

SHA1
2045622dc70d67fce43e833ed51ec84238edead0

SHA256
43d6db70b5ca96590046860e758b18bcf57a38e88fed0fc941f1a879c3ae63c1

SHA512
42295c80680644b22671129be9510130207c24b78b9974fdaa8e22e5db925a557bb0e6a5270dd256a88d46d1a26a52d87468b0ccce734dd88ffd17091420c730

Download Submit
C:\Windows\System\uYRHvqa.exe

Filesize
5.2MB

MD5
4dfaba4665e38db497aee2e3b85954cd

SHA1
0c325aa3f8beaac5333a7a08cd4463f06e8e17f5

SHA256
f9284eb0106640379f80c30629bc7a4ec44cf93be735c5dba9339c5d06acf739

SHA512
1d503e0bfa8865ed459e141f64cca1235f4d9e32a74b66f1de643add091f2d1dd9c234658b06a1a93be41e79853335ed7e5ad43277d2865cd3f38d69bcabeb6e

Download Submit
memory/932-105-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/932-219-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/932-27-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1040-260-0x00007FF71CAC0000-0x00007FF71CE11000-memory.dmp

Filesize
3.3MB

Download
memory/1040-129-0x00007FF71CAC0000-0x00007FF71CE11000-memory.dmp

Filesize
3.3MB

Download
memory/1052-60-0x00007FF748E00000-0x00007FF749151000-memory.dmp

Filesize
3.3MB

Download
memory/1052-238-0x00007FF748E00000-0x00007FF749151000-memory.dmp

Filesize
3.3MB

Download
memory/1248-118-0x00007FF674200000-0x00007FF674551000-memory.dmp

Filesize
3.3MB

Download
memory/1248-153-0x00007FF674200000-0x00007FF674551000-memory.dmp

Filesize
3.3MB

Download
memory/1248-258-0x00007FF674200000-0x00007FF674551000-memory.dmp

Filesize
3.3MB

Download
memory/1368-90-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp

Filesize
3.3MB

Download
memory/1368-243-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp

Filesize
3.3MB

Download
memory/1368-148-0x00007FF7DB530000-0x00007FF7DB881000-memory.dmp

Filesize
3.3MB

Download
memory/1640-211-0x00007FF7A50E0000-0x00007FF7A5431000-memory.dmp

Filesize
3.3MB

Download
memory/1640-22-0x00007FF7A50E0000-0x00007FF7A5431000-memory.dmp

Filesize
3.3MB

Download
memory/1656-146-0x00007FF67FA80000-0x00007FF67FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1656-241-0x00007FF67FA80000-0x00007FF67FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1656-82-0x00007FF67FA80000-0x00007FF67FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-221-0x00007FF676430000-0x00007FF676781000-memory.dmp

Filesize
3.3MB

Download
memory/1728-119-0x00007FF676430000-0x00007FF676781000-memory.dmp

Filesize
3.3MB

Download
memory/1728-41-0x00007FF676430000-0x00007FF676781000-memory.dmp

Filesize
3.3MB

Download
memory/2204-217-0x00007FF60E4E0000-0x00007FF60E831000-memory.dmp

Filesize
3.3MB

Download
memory/2204-33-0x00007FF60E4E0000-0x00007FF60E831000-memory.dmp

Filesize
3.3MB

Download
memory/2652-76-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp

Filesize
3.3MB

Download
memory/2652-209-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp

Filesize
3.3MB

Download
memory/2652-19-0x00007FF7C0600000-0x00007FF7C0951000-memory.dmp

Filesize
3.3MB

Download
memory/2660-154-0x00007FF678460000-0x00007FF6787B1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-262-0x00007FF678460000-0x00007FF6787B1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-122-0x00007FF678460000-0x00007FF6787B1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-61-0x00007FF647EE0000-0x00007FF648231000-memory.dmp

Filesize
3.3MB

Download
memory/2732-235-0x00007FF647EE0000-0x00007FF648231000-memory.dmp

Filesize
3.3MB

Download
memory/3168-9-0x00007FF686120000-0x00007FF686471000-memory.dmp

Filesize
3.3MB

Download
memory/3168-64-0x00007FF686120000-0x00007FF686471000-memory.dmp

Filesize
3.3MB

Download
memory/3168-207-0x00007FF686120000-0x00007FF686471000-memory.dmp

Filesize
3.3MB

Download
memory/3252-126-0x00007FF786400000-0x00007FF786751000-memory.dmp

Filesize
3.3MB

Download
memory/3252-264-0x00007FF786400000-0x00007FF786751000-memory.dmp

Filesize
3.3MB

Download
memory/3252-156-0x00007FF786400000-0x00007FF786751000-memory.dmp

Filesize
3.3MB

Download
memory/3336-62-0x00007FF6F2690000-0x00007FF6F29E1000-memory.dmp

Filesize
3.3MB

Download
memory/3336-234-0x00007FF6F2690000-0x00007FF6F29E1000-memory.dmp

Filesize
3.3MB

Download
memory/3584-113-0x00007FF6938D0000-0x00007FF693C21000-memory.dmp

Filesize
3.3MB

Download
memory/3584-256-0x00007FF6938D0000-0x00007FF693C21000-memory.dmp

Filesize
3.3MB

Download
memory/3584-152-0x00007FF6938D0000-0x00007FF693C21000-memory.dmp

Filesize
3.3MB

Download
memory/3640-106-0x00007FF65F030000-0x00007FF65F381000-memory.dmp

Filesize
3.3MB

Download
memory/3640-254-0x00007FF65F030000-0x00007FF65F381000-memory.dmp

Filesize
3.3MB

Download
memory/3756-149-0x00007FF618DC0000-0x00007FF619111000-memory.dmp

Filesize
3.3MB

Download
memory/3756-94-0x00007FF618DC0000-0x00007FF619111000-memory.dmp

Filesize
3.3MB

Download
memory/3756-250-0x00007FF618DC0000-0x00007FF619111000-memory.dmp

Filesize
3.3MB

Download
memory/4016-252-0x00007FF6D2B10000-0x00007FF6D2E61000-memory.dmp

Filesize
3.3MB

Download
memory/4016-150-0x00007FF6D2B10000-0x00007FF6D2E61000-memory.dmp

Filesize
3.3MB

Download
memory/4016-100-0x00007FF6D2B10000-0x00007FF6D2E61000-memory.dmp

Filesize
3.3MB

Download
memory/4052-0-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp

Filesize
3.3MB

Download
memory/4052-157-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp

Filesize
3.3MB

Download
memory/4052-1-0x00000265FBD20000-0x00000265FBD30000-memory.dmp

Filesize
64KB

Download
memory/4052-66-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp

Filesize
3.3MB

Download
memory/4052-133-0x00007FF6C8910000-0x00007FF6C8C61000-memory.dmp

Filesize
3.3MB

Download
memory/4376-239-0x00007FF6E6490000-0x00007FF6E67E1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-67-0x00007FF6E6490000-0x00007FF6E67E1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-145-0x00007FF6E6490000-0x00007FF6E67E1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-59-0x00007FF6F6BD0000-0x00007FF6F6F21000-memory.dmp

Filesize
3.3MB

Download
memory/4984-231-0x00007FF6F6BD0000-0x00007FF6F6F21000-memory.dmp

Filesize
3.3MB

Download