cobaltstrike | c08c91d1763ad2bd7c78119c4b9c4a5759d569e237b22a8190ff65d6c3379575

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f6bdbc2a0d8c692523057771d111efee
SHA1

30de9cbbd8ab49c8bac093dc4acc12c8896bb1b8
SHA256

c08c91d1763ad2bd7c78119c4b9c4a5759d569e237b22a8190ff65d6c3379575
SHA512

a63d465019d2c667bf769cd505c611180dca8d137fbd20f7d8301f57b9ac39fc9ba0887f941cff9d6659a36434ef7f0f368629e2a7058d5cb2309b75ab7f1554
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibf56utgpPFotBER/mQ32lUp

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023ba9-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9b-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9e-32.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca0-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-70.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c99-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-59.dat	cobalt_reflective_dll
behavioral2/files/0x000800000001e57f-36.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cab-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-131.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023ca9-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-124.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4104-88-0x00007FF7246D0000-0x00007FF724A21000-memory.dmp	xmrig
behavioral2/memory/1224-95-0x00007FF690AF0000-0x00007FF690E41000-memory.dmp	xmrig
behavioral2/memory/4492-84-0x00007FF7403F0000-0x00007FF740741000-memory.dmp	xmrig
behavioral2/memory/3932-104-0x00007FF7D6E50000-0x00007FF7D71A1000-memory.dmp	xmrig
behavioral2/memory/1196-133-0x00007FF6F4A90000-0x00007FF6F4DE1000-memory.dmp	xmrig
behavioral2/memory/1660-120-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	xmrig
behavioral2/memory/1688-102-0x00007FF627D50000-0x00007FF6280A1000-memory.dmp	xmrig
behavioral2/memory/4632-137-0x00007FF6A7240000-0x00007FF6A7591000-memory.dmp	xmrig
behavioral2/memory/4124-142-0x00007FF72D780000-0x00007FF72DAD1000-memory.dmp	xmrig
behavioral2/memory/1472-146-0x00007FF6E1390000-0x00007FF6E16E1000-memory.dmp	xmrig
behavioral2/memory/2276-147-0x00007FF6590D0000-0x00007FF659421000-memory.dmp	xmrig
behavioral2/memory/3948-149-0x00007FF74F310000-0x00007FF74F661000-memory.dmp	xmrig
behavioral2/memory/4480-145-0x00007FF616000000-0x00007FF616351000-memory.dmp	xmrig
behavioral2/memory/2336-144-0x00007FF66E210000-0x00007FF66E561000-memory.dmp	xmrig
behavioral2/memory/4572-143-0x00007FF6E8330000-0x00007FF6E8681000-memory.dmp	xmrig
behavioral2/memory/3416-140-0x00007FF714640000-0x00007FF714991000-memory.dmp	xmrig
behavioral2/memory/2876-141-0x00007FF765670000-0x00007FF7659C1000-memory.dmp	xmrig
behavioral2/memory/4840-139-0x00007FF71C240000-0x00007FF71C591000-memory.dmp	xmrig
behavioral2/memory/3424-148-0x00007FF66AE70000-0x00007FF66B1C1000-memory.dmp	xmrig
behavioral2/memory/4492-150-0x00007FF7403F0000-0x00007FF740741000-memory.dmp	xmrig
behavioral2/memory/4752-162-0x00007FF68A920000-0x00007FF68AC71000-memory.dmp	xmrig
behavioral2/memory/4512-161-0x00007FF652EF0000-0x00007FF653241000-memory.dmp	xmrig
behavioral2/memory/2260-160-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	xmrig
behavioral2/memory/4492-172-0x00007FF7403F0000-0x00007FF740741000-memory.dmp	xmrig
behavioral2/memory/4104-210-0x00007FF7246D0000-0x00007FF724A21000-memory.dmp	xmrig
behavioral2/memory/3932-217-0x00007FF7D6E50000-0x00007FF7D71A1000-memory.dmp	xmrig
behavioral2/memory/1224-215-0x00007FF690AF0000-0x00007FF690E41000-memory.dmp	xmrig
behavioral2/memory/1688-219-0x00007FF627D50000-0x00007FF6280A1000-memory.dmp	xmrig
behavioral2/memory/1660-221-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	xmrig
behavioral2/memory/1196-223-0x00007FF6F4A90000-0x00007FF6F4DE1000-memory.dmp	xmrig
behavioral2/memory/4840-225-0x00007FF71C240000-0x00007FF71C591000-memory.dmp	xmrig
behavioral2/memory/3416-231-0x00007FF714640000-0x00007FF714991000-memory.dmp	xmrig
behavioral2/memory/2876-233-0x00007FF765670000-0x00007FF7659C1000-memory.dmp	xmrig
behavioral2/memory/4124-237-0x00007FF72D780000-0x00007FF72DAD1000-memory.dmp	xmrig
behavioral2/memory/2336-239-0x00007FF66E210000-0x00007FF66E561000-memory.dmp	xmrig
behavioral2/memory/4572-236-0x00007FF6E8330000-0x00007FF6E8681000-memory.dmp	xmrig
behavioral2/memory/1472-245-0x00007FF6E1390000-0x00007FF6E16E1000-memory.dmp	xmrig
behavioral2/memory/4480-244-0x00007FF616000000-0x00007FF616351000-memory.dmp	xmrig
behavioral2/memory/2276-243-0x00007FF6590D0000-0x00007FF659421000-memory.dmp	xmrig
behavioral2/memory/4632-253-0x00007FF6A7240000-0x00007FF6A7591000-memory.dmp	xmrig
behavioral2/memory/2260-256-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	xmrig
behavioral2/memory/3948-257-0x00007FF74F310000-0x00007FF74F661000-memory.dmp	xmrig
behavioral2/memory/4512-261-0x00007FF652EF0000-0x00007FF653241000-memory.dmp	xmrig
behavioral2/memory/3424-260-0x00007FF66AE70000-0x00007FF66B1C1000-memory.dmp	xmrig
behavioral2/memory/4752-263-0x00007FF68A920000-0x00007FF68AC71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4104	wOHhWCb.exe
1224	aNJtjxI.exe
3932	CnQZiwJ.exe
1688	nqbDrOI.exe
1196	AnBrXHL.exe
1660	dPXFeUE.exe
4840	fJGJlKA.exe
3416	AJdZriv.exe
2876	iNyGmKv.exe
4124	kzXdtjW.exe
4572	UigqBfu.exe
2336	ITlbxKb.exe
4480	MUCOrAB.exe
1472	XIsHGqI.exe
2276	wLBIXMi.exe
3424	oLyMiGT.exe
2260	YiFpqaP.exe
4512	gkmzVHI.exe
4752	DbRSmZY.exe
4632	EfggmFB.exe
3948	KtDyCub.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4492-0-0x00007FF7403F0000-0x00007FF740741000-memory.dmp	upx
behavioral2/files/0x000c000000023ba9-5.dat	upx
behavioral2/memory/4104-6-0x00007FF7246D0000-0x00007FF724A21000-memory.dmp	upx
behavioral2/files/0x0008000000023c9b-12.dat	upx
behavioral2/files/0x0007000000023c9c-17.dat	upx
behavioral2/memory/3932-18-0x00007FF7D6E50000-0x00007FF7D71A1000-memory.dmp	upx
behavioral2/memory/1224-16-0x00007FF690AF0000-0x00007FF690E41000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-23.dat	upx
behavioral2/memory/1688-26-0x00007FF627D50000-0x00007FF6280A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c9e-32.dat	upx
behavioral2/files/0x0008000000023ca0-38.dat	upx
behavioral2/memory/4840-42-0x00007FF71C240000-0x00007FF71C591000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-68.dat	upx
behavioral2/memory/2336-76-0x00007FF66E210000-0x00007FF66E561000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-83.dat	upx
behavioral2/memory/4104-88-0x00007FF7246D0000-0x00007FF724A21000-memory.dmp	upx
behavioral2/memory/1224-95-0x00007FF690AF0000-0x00007FF690E41000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-91.dat	upx
behavioral2/files/0x0007000000023ca6-89.dat	upx
behavioral2/memory/2276-87-0x00007FF6590D0000-0x00007FF659421000-memory.dmp	upx
behavioral2/memory/1472-86-0x00007FF6E1390000-0x00007FF6E16E1000-memory.dmp	upx
behavioral2/memory/4480-85-0x00007FF616000000-0x00007FF616351000-memory.dmp	upx
behavioral2/memory/4492-84-0x00007FF7403F0000-0x00007FF740741000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-81.dat	upx
behavioral2/files/0x0007000000023ca3-70.dat	upx
behavioral2/memory/4124-66-0x00007FF72D780000-0x00007FF72DAD1000-memory.dmp	upx
behavioral2/memory/4572-65-0x00007FF6E8330000-0x00007FF6E8681000-memory.dmp	upx
behavioral2/files/0x0008000000023c99-62.dat	upx
behavioral2/files/0x0007000000023ca1-59.dat	upx
behavioral2/memory/2876-58-0x00007FF765670000-0x00007FF7659C1000-memory.dmp	upx
behavioral2/memory/3416-55-0x00007FF714640000-0x00007FF714991000-memory.dmp	upx
behavioral2/memory/1660-39-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	upx
behavioral2/files/0x000800000001e57f-36.dat	upx
behavioral2/memory/1196-33-0x00007FF6F4A90000-0x00007FF6F4DE1000-memory.dmp	upx
behavioral2/memory/3932-104-0x00007FF7D6E50000-0x00007FF7D71A1000-memory.dmp	upx
behavioral2/files/0x0008000000023cab-115.dat	upx
behavioral2/files/0x0007000000023cae-122.dat	upx
behavioral2/memory/1196-133-0x00007FF6F4A90000-0x00007FF6F4DE1000-memory.dmp	upx
behavioral2/memory/4752-132-0x00007FF68A920000-0x00007FF68AC71000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-131.dat	upx
behavioral2/files/0x0008000000023ca9-127.dat	upx
behavioral2/memory/4512-125-0x00007FF652EF0000-0x00007FF653241000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-124.dat	upx
behavioral2/memory/2260-121-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	upx
behavioral2/memory/1660-120-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca8-118.dat	upx
behavioral2/memory/3424-111-0x00007FF66AE70000-0x00007FF66B1C1000-memory.dmp	upx
behavioral2/memory/1688-102-0x00007FF627D50000-0x00007FF6280A1000-memory.dmp	upx
behavioral2/memory/4632-137-0x00007FF6A7240000-0x00007FF6A7591000-memory.dmp	upx
behavioral2/memory/4124-142-0x00007FF72D780000-0x00007FF72DAD1000-memory.dmp	upx
behavioral2/memory/1472-146-0x00007FF6E1390000-0x00007FF6E16E1000-memory.dmp	upx
behavioral2/memory/2276-147-0x00007FF6590D0000-0x00007FF659421000-memory.dmp	upx
behavioral2/memory/3948-149-0x00007FF74F310000-0x00007FF74F661000-memory.dmp	upx
behavioral2/memory/4480-145-0x00007FF616000000-0x00007FF616351000-memory.dmp	upx
behavioral2/memory/2336-144-0x00007FF66E210000-0x00007FF66E561000-memory.dmp	upx
behavioral2/memory/4572-143-0x00007FF6E8330000-0x00007FF6E8681000-memory.dmp	upx
behavioral2/memory/3416-140-0x00007FF714640000-0x00007FF714991000-memory.dmp	upx
behavioral2/memory/2876-141-0x00007FF765670000-0x00007FF7659C1000-memory.dmp	upx
behavioral2/memory/4840-139-0x00007FF71C240000-0x00007FF71C591000-memory.dmp	upx
behavioral2/memory/3424-148-0x00007FF66AE70000-0x00007FF66B1C1000-memory.dmp	upx
behavioral2/memory/4492-150-0x00007FF7403F0000-0x00007FF740741000-memory.dmp	upx
behavioral2/memory/4752-162-0x00007FF68A920000-0x00007FF68AC71000-memory.dmp	upx
behavioral2/memory/4512-161-0x00007FF652EF0000-0x00007FF653241000-memory.dmp	upx
behavioral2/memory/2260-160-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YiFpqaP.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EfggmFB.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtDyCub.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CnQZiwJ.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ITlbxKb.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MUCOrAB.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XIsHGqI.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kzXdtjW.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLyMiGT.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aNJtjxI.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nqbDrOI.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fJGJlKA.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AJdZriv.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UigqBfu.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wLBIXMi.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gkmzVHI.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DbRSmZY.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wOHhWCb.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AnBrXHL.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dPXFeUE.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iNyGmKv.exe	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4104	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4492 wrote to memory of 4104	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4492 wrote to memory of 1224	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4492 wrote to memory of 1224	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4492 wrote to memory of 3932	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4492 wrote to memory of 3932	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4492 wrote to memory of 1688	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4492 wrote to memory of 1688	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4492 wrote to memory of 1196	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4492 wrote to memory of 1196	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4492 wrote to memory of 1660	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4492 wrote to memory of 1660	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4492 wrote to memory of 4840	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4492 wrote to memory of 4840	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4492 wrote to memory of 3416	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4492 wrote to memory of 3416	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4492 wrote to memory of 2876	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4492 wrote to memory of 2876	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4492 wrote to memory of 4124	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4492 wrote to memory of 4124	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4492 wrote to memory of 4572	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4492 wrote to memory of 4572	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4492 wrote to memory of 2336	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4492 wrote to memory of 2336	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4492 wrote to memory of 4480	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4492 wrote to memory of 4480	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4492 wrote to memory of 1472	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4492 wrote to memory of 1472	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4492 wrote to memory of 2276	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4492 wrote to memory of 2276	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4492 wrote to memory of 3424	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4492 wrote to memory of 3424	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4492 wrote to memory of 2260	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4492 wrote to memory of 2260	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4492 wrote to memory of 4512	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4492 wrote to memory of 4512	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4492 wrote to memory of 4752	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4492 wrote to memory of 4752	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4492 wrote to memory of 4632	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4492 wrote to memory of 4632	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4492 wrote to memory of 3948	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4492 wrote to memory of 3948	4492	2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_f6bdbc2a0d8c692523057771d111efee_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\System\wOHhWCb.exe
  C:\Windows\System\wOHhWCb.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\aNJtjxI.exe
  C:\Windows\System\aNJtjxI.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\CnQZiwJ.exe
  C:\Windows\System\CnQZiwJ.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\nqbDrOI.exe
  C:\Windows\System\nqbDrOI.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\AnBrXHL.exe
  C:\Windows\System\AnBrXHL.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\dPXFeUE.exe
  C:\Windows\System\dPXFeUE.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\fJGJlKA.exe
  C:\Windows\System\fJGJlKA.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\AJdZriv.exe
  C:\Windows\System\AJdZriv.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\iNyGmKv.exe
  C:\Windows\System\iNyGmKv.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\kzXdtjW.exe
  C:\Windows\System\kzXdtjW.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\UigqBfu.exe
  C:\Windows\System\UigqBfu.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\ITlbxKb.exe
  C:\Windows\System\ITlbxKb.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\MUCOrAB.exe
  C:\Windows\System\MUCOrAB.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\XIsHGqI.exe
  C:\Windows\System\XIsHGqI.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\wLBIXMi.exe
  C:\Windows\System\wLBIXMi.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\oLyMiGT.exe
  C:\Windows\System\oLyMiGT.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\YiFpqaP.exe
  C:\Windows\System\YiFpqaP.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\gkmzVHI.exe
  C:\Windows\System\gkmzVHI.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\DbRSmZY.exe
  C:\Windows\System\DbRSmZY.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\EfggmFB.exe
  C:\Windows\System\EfggmFB.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\KtDyCub.exe
  C:\Windows\System\KtDyCub.exe
  2⤵
  - Executes dropped EXE
  PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AJdZriv.exe

Filesize
5.2MB

MD5
15bdc4040d89fa45c7d15276334d30a4

SHA1
4a8ee8b8702a2154cd824e3c75e8aad0a3e58d70

SHA256
fb5de64f832c78322eef2697f530fec780942405401a4c10f38b44d188aa8e35

SHA512
b30cc36d26044cd9897fff1aba33df902c9ee94f7fdc50ee37c41f56feb8fb067a1777644277d208b92fa02959284344969842434614f45d445256805a20191b

Download Submit
C:\Windows\System\AnBrXHL.exe

Filesize
5.2MB

MD5
b2fafb23a0ab9503ff67701b03981783

SHA1
cb2e20c0443e9c8035ea536c4a055c0ca51d6383

SHA256
b23cce0ba78e9aa7db9013e0ae142d4582f8c66a71d1cd784c3e04503b9fb86f

SHA512
27dae8927e944fe651f4e40489aa7156a8cf60addc6861441f8e9d05d6715bbfbb95472f2d13cfd2dfa439a19917ca36a335e81ce1fdbdceea1b2a3da83c65e6

Download Submit
C:\Windows\System\CnQZiwJ.exe

Filesize
5.2MB

MD5
ad12cb61b4a82982746be03062806261

SHA1
93e6ed3d92ccb7cc72b42ccfaba9348c6d54aa24

SHA256
6d173a97e4e17b7ec458c9c3eb0187c8e57dfdd2cdf2fd414625d91e6c6bcded

SHA512
0d8e80591a78bf0c9ab8637b0e13aedac9714ef833b5d5bb00ff3a18b54f26a50a0d3d36d12bd13668b6da23d0a2ca16eddc7b62ea0c224268ecfe3682e097d8

Download Submit
C:\Windows\System\DbRSmZY.exe

Filesize
5.2MB

MD5
bb7ff231b0175574e6dae9f59a0775cf

SHA1
32f774e4b3c86693936aad2c307aa18d55a5c24a

SHA256
cd65c1124c73d7d3ff90c64362e4110bf6c18ecf93ceeec69b9d58e023f8835f

SHA512
c3cf389ea89dc6facf01537eb5ddb986e582d082d700405469bc6de9fe13d9666fdc087267c2ffc4a06a57f6aaef5f0d9fcd9a7a7ebde2bb9c979724b606a61f

Download Submit
C:\Windows\System\EfggmFB.exe

Filesize
5.2MB

MD5
843c0ca2575ecde2e055f129e39e7145

SHA1
02957f30a16a9ed493ccb9690efa13f207a7ab20

SHA256
a5dcba022b1de3b9c2c0e3203669d5f90680ec98a78ad5d0ab1011bb1f410b1e

SHA512
d0acb667c05282466550a0bb59a1a8b444747cad4531a22e22cd92421f745e189c7f410c9b7daa4825a9442dbf756898f3391b0a8a3afd928fac7d7c615a621f

Download Submit
C:\Windows\System\ITlbxKb.exe

Filesize
5.2MB

MD5
40ddffa89a14ecaefd9e82b65d88df98

SHA1
1641b6a84781968b07773bb55023e5b53184ecce

SHA256
07a388d0d23ede83c25bffad64b05bc609e75aa77dbf5052c5984e574f4207ba

SHA512
7f7d1b6712dcbb0c6c8fc292e92dc89491b773f664aee905667e8d4844745f3f959edbf2f50de1c35e92d41eb41273da7a23e20ebf38bcb64241ea506036cb66

Download Submit
C:\Windows\System\KtDyCub.exe

Filesize
5.2MB

MD5
4bac0cba6c392da38e39f92c88ebe1f1

SHA1
822b0034f9d7561da290327fc6776f210ef663d6

SHA256
eda14de90600cbbed882adc82a6488889419c48cee7ea84e571ea48b966ee4cc

SHA512
41c99df9caf90680e1780b0643c17bd35e4454a58574e4155c06804d8d61672c44a292f0add0e3b431ecda826288ffa4ff7100c6917f4f82276ee564c734331b

Download Submit
C:\Windows\System\MUCOrAB.exe

Filesize
5.2MB

MD5
453d006a4ae207616e04c7d094d12361

SHA1
e0b3c583d4ac3e920e64d5374fcb5d2ccc717546

SHA256
dcfa40e5c0b9093e7fa938c1e590592fed0c5e2bd8d4c90966b6a8469777d979

SHA512
7358925d4c7599737bfba826e8821cf7036bb42ad10f2196943eed956b1de23cf1be128cdabd088f53a4eeb55046ffc8faf726d126ede6e14615dada4829b6c7

Download Submit
C:\Windows\System\UigqBfu.exe

Filesize
5.2MB

MD5
a0de4ef0fd28575c2fc297004c79a4e4

SHA1
f29732f0e7716b79178fefd6f06d513719e1e8d9

SHA256
4f968f395b7aa72b48dabe1de1b1a845988d2ff5672ef9caab7a6c5e76058c41

SHA512
95e0546b5f495152b0f7f1d25eb47eb838fea2e21a0f4bb955d52cca116d8ff67efc0a421f08c66b5105801958c5f74b4e6e666be7007bef479ff71feed0d156

Download Submit
C:\Windows\System\XIsHGqI.exe

Filesize
5.2MB

MD5
f49e09e3e585949adec7894e89acd9cb

SHA1
ed6be256ecdf0ac58a188086a81221be42324d17

SHA256
7ccc0e7bc57038728bb4d71f0a6c2d41ae7584a0f4b286a19be2d385eb86a621

SHA512
bad9f2154118a00409a897c3ac37b29aaad0d37aa2c897b8e423362ad54b3f01872b0bf6224e77959fc789844d5135431bef44fb7f40f5dfb54235b4d500bdda

Download Submit
C:\Windows\System\YiFpqaP.exe

Filesize
5.2MB

MD5
0fb638d25ed5c4fac037605259890ccb

SHA1
0d54ce87d0ac4f8692321a765b468fbb51ea6d02

SHA256
7177258b0f856e722ca7a4426714b8098c527bbe1bc552e8b5cd693f5fe60cbb

SHA512
820543c00898538960d6a4a64c3440f9cc6d8bf12c01c64ca2ec47389453889992157aab79457f1ab7a6df0400e5ff82b7c2f8c95dd3ed6a3e46ec8ce938a987

Download Submit
C:\Windows\System\aNJtjxI.exe

Filesize
5.2MB

MD5
9ed68cdc74260baba46feaaa7fb687ab

SHA1
72219f45626d5b7837d40ac254b8fa101c602327

SHA256
eb0a65055c2922940c098aa62f5f14284b682c566d45d02356c152c71342afc1

SHA512
6ec582491b401f6151ca25a4a85741908cedb4c303edfcaf4ed3fd23e888d074cb51a3324095738aef5d667e3e1ea8e96076defabc2bf264dd3f80a7f9ac2478

Download Submit
C:\Windows\System\dPXFeUE.exe

Filesize
5.2MB

MD5
c7c715a1e04291113c9e8cc23dbf9388

SHA1
07b7c9517b5add5a93891fb9a39a36a0e7676b18

SHA256
c782d9f288dad0e9d5c0dd698cc1a46b3dc9154860affae1405e3770b4586bb9

SHA512
a829773c4e5918d3a103eb248e81f56ce8e6d5c285c187fa468e93065f0feabeb6c669bc72bd1578618f980adf2858e2c7d9b4d89c6e6b4dc47e1284b2793a66

Download Submit
C:\Windows\System\fJGJlKA.exe

Filesize
5.2MB

MD5
13a0930a6a0b7817b6fd511d89c78ef5

SHA1
767b01ee899f79fad009b18773d428cd71681fb6

SHA256
10c3df3ccb7776e93cf2a7e637c4ca284f63934e9c33efd956c90b6b428e432e

SHA512
489ec658fbc3355626d346e51282ae8acc63629f0470f2135dcba6537d8a7127d3bba605e2871644ad2753218004f80eb37b6fa58e8681d6b53ab25b1eb38f19

Download Submit
C:\Windows\System\gkmzVHI.exe

Filesize
5.2MB

MD5
cc187502091dcff05dd3143f296ae20f

SHA1
f987896cf8ca22683c5d9d0c1f06be7d7515ef27

SHA256
4e34151b2bd9ca43fb2ec2681d394b742a7cf9a84104b3593216a27e64ca41df

SHA512
0f170aad09a37b14bcec503e1c51874f7caae52f16d93c03d55ed0eb296443937361153c59ee3a4254a916aeef13b6fa59915303a8ce078aa81a5e36083f3525

Download Submit
C:\Windows\System\iNyGmKv.exe

Filesize
5.2MB

MD5
6ddca48ae7c51f18de4ce387077fe117

SHA1
7f6442ba08aae3fcf999b011c196ef6c4d90d48d

SHA256
b58e4772a5dac3da63f500242e46e8194d126d9051fe59da1a2f8a3831cad481

SHA512
8bb3a13b141559f582786da084bd06105d894b7c9c530cc8eef4840e159d8e4284934397f9701cfd748952e22da41a9cd449d805f619a8fba9665d81c9f7c8b7

Download Submit
C:\Windows\System\kzXdtjW.exe

Filesize
5.2MB

MD5
72a9403ce83f0bbd65acefa6b0a3758a

SHA1
e35c6d0c0fe000f4035b42cbb0c3b71b88009108

SHA256
89dc646c62950a1478295f1648435f146f2f95f006b8ad753add802e612601f2

SHA512
a9989b23aae26410cd8cc8bc3f0ce79d2e6c67e9317ef676e7c6b82d34696afb9d71fde30185a47f26981be3dfe2b342f4fd1d043bed2f12da5ec1281f6840b3

Download Submit
C:\Windows\System\nqbDrOI.exe

Filesize
5.2MB

MD5
b826f16d209277f0b29b83c002132642

SHA1
a94e5bfdf4fbcd593a88c4caa98bdbe6a59b59e5

SHA256
855bc01bbe31e7356cca7a35cf36631b4b41e7b21336ba6ce0cbb6ff793b761f

SHA512
66bb214d0c531edab53ac99749c17eb2ad0ee51315379367d3e8e6ccdf9d0b583147c0742978973ca07bc12fec187a2e5f8dcd2d8bda2ab138d5a9cd761bd1da

Download Submit
C:\Windows\System\oLyMiGT.exe

Filesize
5.2MB

MD5
1f07ecc8f771350d497eedea2fe7a414

SHA1
d33607125940d4b02562fc14d179a96aa16e247a

SHA256
0e09c382516dd952bbabcba874730876b13eb87c03d6cda5365fd5a2a0451273

SHA512
073bf7b2bf6c21c24a8624050e25ba455dd09bdceddf0a8a84e2492b4a69d3df8b2323bd17a243b8b314fbf430fcbed7f1f0cad17351c3b1b5f88d347435c0ea

Download Submit
C:\Windows\System\wLBIXMi.exe

Filesize
5.2MB

MD5
d3d23db75d21c6ea2c9ea03eec15e969

SHA1
25a87177179fa32104bcc35dbd3e2bbbc4dd83f2

SHA256
b362657982d55467cc131c0fe8872ccbb3ad9e1831e3277bffc4bc4d50689cfc

SHA512
9b0bcf89ddccaebb501ed5fc6378f6971f70fd662cc52c6f10482f1270a7908674013cd454469da5490f567b8daa72adab6282f97c1a852692544421a2981e28

Download Submit
C:\Windows\System\wOHhWCb.exe

Filesize
5.2MB

MD5
acdd7ccf5f201f53ab873c6ca947993d

SHA1
49359a320a5f0bd6b6e5079d04abc88bd512e103

SHA256
0638e147469e69447e121be79c78cd31dd5c4258b35d2f65e6e4eef9beae77bd

SHA512
ed27b604255befb72cd5b48fc8b0e0dbaad400178b17526d6fab4360d5a6c0ce3262824c3f8523890de3bfc5fa079d5146d535cc4d185d2c2d1916a324f77131

Download Submit
memory/1196-223-0x00007FF6F4A90000-0x00007FF6F4DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-33-0x00007FF6F4A90000-0x00007FF6F4DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-133-0x00007FF6F4A90000-0x00007FF6F4DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-16-0x00007FF690AF0000-0x00007FF690E41000-memory.dmp

Filesize
3.3MB

Download
memory/1224-95-0x00007FF690AF0000-0x00007FF690E41000-memory.dmp

Filesize
3.3MB

Download
memory/1224-215-0x00007FF690AF0000-0x00007FF690E41000-memory.dmp

Filesize
3.3MB

Download
memory/1472-146-0x00007FF6E1390000-0x00007FF6E16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1472-86-0x00007FF6E1390000-0x00007FF6E16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1472-245-0x00007FF6E1390000-0x00007FF6E16E1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-120-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-39-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-221-0x00007FF6A2E90000-0x00007FF6A31E1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-102-0x00007FF627D50000-0x00007FF6280A1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-219-0x00007FF627D50000-0x00007FF6280A1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-26-0x00007FF627D50000-0x00007FF6280A1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-121-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-160-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-256-0x00007FF755EA0000-0x00007FF7561F1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-87-0x00007FF6590D0000-0x00007FF659421000-memory.dmp

Filesize
3.3MB

Download
memory/2276-243-0x00007FF6590D0000-0x00007FF659421000-memory.dmp

Filesize
3.3MB

Download
memory/2276-147-0x00007FF6590D0000-0x00007FF659421000-memory.dmp

Filesize
3.3MB

Download
memory/2336-76-0x00007FF66E210000-0x00007FF66E561000-memory.dmp

Filesize
3.3MB

Download
memory/2336-144-0x00007FF66E210000-0x00007FF66E561000-memory.dmp

Filesize
3.3MB

Download
memory/2336-239-0x00007FF66E210000-0x00007FF66E561000-memory.dmp

Filesize
3.3MB

Download
memory/2876-141-0x00007FF765670000-0x00007FF7659C1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-58-0x00007FF765670000-0x00007FF7659C1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-233-0x00007FF765670000-0x00007FF7659C1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-140-0x00007FF714640000-0x00007FF714991000-memory.dmp

Filesize
3.3MB

Download
memory/3416-231-0x00007FF714640000-0x00007FF714991000-memory.dmp

Filesize
3.3MB

Download
memory/3416-55-0x00007FF714640000-0x00007FF714991000-memory.dmp

Filesize
3.3MB

Download
memory/3424-260-0x00007FF66AE70000-0x00007FF66B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-111-0x00007FF66AE70000-0x00007FF66B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/3424-148-0x00007FF66AE70000-0x00007FF66B1C1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-217-0x00007FF7D6E50000-0x00007FF7D71A1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-104-0x00007FF7D6E50000-0x00007FF7D71A1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-18-0x00007FF7D6E50000-0x00007FF7D71A1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-149-0x00007FF74F310000-0x00007FF74F661000-memory.dmp

Filesize
3.3MB

Download
memory/3948-257-0x00007FF74F310000-0x00007FF74F661000-memory.dmp

Filesize
3.3MB

Download
memory/4104-88-0x00007FF7246D0000-0x00007FF724A21000-memory.dmp

Filesize
3.3MB

Download
memory/4104-210-0x00007FF7246D0000-0x00007FF724A21000-memory.dmp

Filesize
3.3MB

Download
memory/4104-6-0x00007FF7246D0000-0x00007FF724A21000-memory.dmp

Filesize
3.3MB

Download
memory/4124-142-0x00007FF72D780000-0x00007FF72DAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4124-237-0x00007FF72D780000-0x00007FF72DAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4124-66-0x00007FF72D780000-0x00007FF72DAD1000-memory.dmp

Filesize
3.3MB

Download
memory/4480-85-0x00007FF616000000-0x00007FF616351000-memory.dmp

Filesize
3.3MB

Download
memory/4480-244-0x00007FF616000000-0x00007FF616351000-memory.dmp

Filesize
3.3MB

Download
memory/4480-145-0x00007FF616000000-0x00007FF616351000-memory.dmp

Filesize
3.3MB

Download
memory/4492-1-0x000001E66EBE0000-0x000001E66EBF0000-memory.dmp

Filesize
64KB

Download
memory/4492-0-0x00007FF7403F0000-0x00007FF740741000-memory.dmp

Filesize
3.3MB

Download
memory/4492-84-0x00007FF7403F0000-0x00007FF740741000-memory.dmp

Filesize
3.3MB

Download
memory/4492-172-0x00007FF7403F0000-0x00007FF740741000-memory.dmp

Filesize
3.3MB

Download
memory/4492-150-0x00007FF7403F0000-0x00007FF740741000-memory.dmp

Filesize
3.3MB

Download
memory/4512-125-0x00007FF652EF0000-0x00007FF653241000-memory.dmp

Filesize
3.3MB

Download
memory/4512-261-0x00007FF652EF0000-0x00007FF653241000-memory.dmp

Filesize
3.3MB

Download
memory/4512-161-0x00007FF652EF0000-0x00007FF653241000-memory.dmp

Filesize
3.3MB

Download
memory/4572-143-0x00007FF6E8330000-0x00007FF6E8681000-memory.dmp

Filesize
3.3MB

Download
memory/4572-65-0x00007FF6E8330000-0x00007FF6E8681000-memory.dmp

Filesize
3.3MB

Download
memory/4572-236-0x00007FF6E8330000-0x00007FF6E8681000-memory.dmp

Filesize
3.3MB

Download
memory/4632-253-0x00007FF6A7240000-0x00007FF6A7591000-memory.dmp

Filesize
3.3MB

Download
memory/4632-137-0x00007FF6A7240000-0x00007FF6A7591000-memory.dmp

Filesize
3.3MB

Download
memory/4752-132-0x00007FF68A920000-0x00007FF68AC71000-memory.dmp

Filesize
3.3MB

Download
memory/4752-162-0x00007FF68A920000-0x00007FF68AC71000-memory.dmp

Filesize
3.3MB

Download
memory/4752-263-0x00007FF68A920000-0x00007FF68AC71000-memory.dmp

Filesize
3.3MB

Download
memory/4840-139-0x00007FF71C240000-0x00007FF71C591000-memory.dmp

Filesize
3.3MB

Download
memory/4840-225-0x00007FF71C240000-0x00007FF71C591000-memory.dmp

Filesize
3.3MB

Download
memory/4840-42-0x00007FF71C240000-0x00007FF71C591000-memory.dmp

Filesize
3.3MB

Download