cobaltstrike | 7913843f0bbdcb3082969d1ac2a189b5451446795c88bac66b84172ddf548fa7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

61dae3a6728ea17f7d7190be065003ce
SHA1

7f5fdc45e56635c96ef469b3f4d82068bd4f0f9d
SHA256

7913843f0bbdcb3082969d1ac2a189b5451446795c88bac66b84172ddf548fa7
SHA512

d85f61e84f06cdb1b026441cf26a9df527e75efcd672132fa3d2378644f4e0e3f9679b38c6f56c8821d6fc3e178ce402354048a9226f0e054485d0009732e0fd
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b9c-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba1-17.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba0-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba4-25.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba2-24.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9d-46.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba7-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb0-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bae-99.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baf-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bad-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bac-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bab-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023baa-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba8-66.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba6-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba5-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023bb1-124.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bb2-134.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023bb3-137.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4768-105-0x00007FF69CC90000-0x00007FF69CFE1000-memory.dmp	xmrig
behavioral2/memory/832-110-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp	xmrig
behavioral2/memory/812-109-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp	xmrig
behavioral2/memory/3488-108-0x00007FF791F50000-0x00007FF7922A1000-memory.dmp	xmrig
behavioral2/memory/880-104-0x00007FF635500000-0x00007FF635851000-memory.dmp	xmrig
behavioral2/memory/2700-101-0x00007FF6AA3F0000-0x00007FF6AA741000-memory.dmp	xmrig
behavioral2/memory/864-98-0x00007FF64C2C0000-0x00007FF64C611000-memory.dmp	xmrig
behavioral2/memory/1548-93-0x00007FF6D40C0000-0x00007FF6D4411000-memory.dmp	xmrig
behavioral2/memory/1392-92-0x00007FF67FF10000-0x00007FF680261000-memory.dmp	xmrig
behavioral2/memory/1392-123-0x00007FF67FF10000-0x00007FF680261000-memory.dmp	xmrig
behavioral2/memory/844-143-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	xmrig
behavioral2/memory/3892-142-0x00007FF7E97C0000-0x00007FF7E9B11000-memory.dmp	xmrig
behavioral2/memory/4236-122-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	xmrig
behavioral2/memory/1280-121-0x00007FF6A7060000-0x00007FF6A73B1000-memory.dmp	xmrig
behavioral2/memory/528-119-0x00007FF6D54B0000-0x00007FF6D5801000-memory.dmp	xmrig
behavioral2/memory/2504-118-0x00007FF705610000-0x00007FF705961000-memory.dmp	xmrig
behavioral2/memory/4588-117-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp	xmrig
behavioral2/memory/3212-116-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp	xmrig
behavioral2/memory/844-111-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	xmrig
behavioral2/memory/3936-113-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp	xmrig
behavioral2/memory/948-120-0x00007FF77FEF0000-0x00007FF780241000-memory.dmp	xmrig
behavioral2/memory/2464-114-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp	xmrig
behavioral2/memory/844-148-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	xmrig
behavioral2/memory/4704-167-0x00007FF657880000-0x00007FF657BD1000-memory.dmp	xmrig
behavioral2/memory/4936-169-0x00007FF76EA40000-0x00007FF76ED91000-memory.dmp	xmrig
behavioral2/memory/844-170-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	xmrig
behavioral2/memory/3936-198-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp	xmrig
behavioral2/memory/2464-200-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp	xmrig
behavioral2/memory/3212-202-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp	xmrig
behavioral2/memory/4588-215-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp	xmrig
behavioral2/memory/2504-217-0x00007FF705610000-0x00007FF705961000-memory.dmp	xmrig
behavioral2/memory/528-219-0x00007FF6D54B0000-0x00007FF6D5801000-memory.dmp	xmrig
behavioral2/memory/948-224-0x00007FF77FEF0000-0x00007FF780241000-memory.dmp	xmrig
behavioral2/memory/1280-225-0x00007FF6A7060000-0x00007FF6A73B1000-memory.dmp	xmrig
behavioral2/memory/4236-222-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	xmrig
behavioral2/memory/1392-233-0x00007FF67FF10000-0x00007FF680261000-memory.dmp	xmrig
behavioral2/memory/1548-239-0x00007FF6D40C0000-0x00007FF6D4411000-memory.dmp	xmrig
behavioral2/memory/812-242-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp	xmrig
behavioral2/memory/2700-243-0x00007FF6AA3F0000-0x00007FF6AA741000-memory.dmp	xmrig
behavioral2/memory/864-238-0x00007FF64C2C0000-0x00007FF64C611000-memory.dmp	xmrig
behavioral2/memory/880-236-0x00007FF635500000-0x00007FF635851000-memory.dmp	xmrig
behavioral2/memory/4768-247-0x00007FF69CC90000-0x00007FF69CFE1000-memory.dmp	xmrig
behavioral2/memory/3488-249-0x00007FF791F50000-0x00007FF7922A1000-memory.dmp	xmrig
behavioral2/memory/832-246-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp	xmrig
behavioral2/memory/3892-255-0x00007FF7E97C0000-0x00007FF7E9B11000-memory.dmp	xmrig
behavioral2/memory/4704-257-0x00007FF657880000-0x00007FF657BD1000-memory.dmp	xmrig
behavioral2/memory/4936-259-0x00007FF76EA40000-0x00007FF76ED91000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3936	bkolyQv.exe
2464	iLTBYuS.exe
3212	EaCpwFQ.exe
4588	KbiqXsz.exe
2504	HQJpcxs.exe
528	KjGLeso.exe
948	OEKBKnm.exe
1280	uiuGnAf.exe
4236	sVArMUt.exe
1392	JSZhevB.exe
812	CoGokRg.exe
1548	sSYGxny.exe
864	vMjPtMl.exe
2700	MGqEzhh.exe
880	lCEpCNJ.exe
4768	aNKoxvJ.exe
3488	oBMJzyh.exe
832	YtcSjZq.exe
4704	esUVPgj.exe
3892	tJdmWKg.exe
4936	SjoAGJk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/844-0-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	upx
behavioral2/files/0x000b000000023b9c-5.dat	upx
behavioral2/memory/3936-8-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-17.dat	upx
behavioral2/memory/2464-15-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp	upx
behavioral2/memory/3212-18-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-12.dat	upx
behavioral2/files/0x000a000000023ba4-25.dat	upx
behavioral2/files/0x000a000000023ba2-24.dat	upx
behavioral2/files/0x000b000000023b9d-46.dat	upx
behavioral2/memory/4236-52-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-55.dat	upx
behavioral2/files/0x000a000000023ba9-73.dat	upx
behavioral2/files/0x000a000000023bb0-94.dat	upx
behavioral2/files/0x000a000000023bae-99.dat	upx
behavioral2/memory/4768-105-0x00007FF69CC90000-0x00007FF69CFE1000-memory.dmp	upx
behavioral2/memory/832-110-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp	upx
behavioral2/memory/812-109-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp	upx
behavioral2/memory/3488-108-0x00007FF791F50000-0x00007FF7922A1000-memory.dmp	upx
behavioral2/memory/880-104-0x00007FF635500000-0x00007FF635851000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-102.dat	upx
behavioral2/memory/2700-101-0x00007FF6AA3F0000-0x00007FF6AA741000-memory.dmp	upx
behavioral2/memory/864-98-0x00007FF64C2C0000-0x00007FF64C611000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-96.dat	upx
behavioral2/memory/1548-93-0x00007FF6D40C0000-0x00007FF6D4411000-memory.dmp	upx
behavioral2/memory/1392-92-0x00007FF67FF10000-0x00007FF680261000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-88.dat	upx
behavioral2/files/0x000a000000023bab-84.dat	upx
behavioral2/files/0x000a000000023baa-81.dat	upx
behavioral2/files/0x000a000000023ba8-66.dat	upx
behavioral2/files/0x000a000000023ba6-53.dat	upx
behavioral2/memory/948-51-0x00007FF77FEF0000-0x00007FF780241000-memory.dmp	upx
behavioral2/memory/1280-50-0x00007FF6A7060000-0x00007FF6A73B1000-memory.dmp	upx
behavioral2/memory/528-40-0x00007FF6D54B0000-0x00007FF6D5801000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-44.dat	upx
behavioral2/memory/2504-33-0x00007FF705610000-0x00007FF705961000-memory.dmp	upx
behavioral2/memory/4588-29-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-124.dat	upx
behavioral2/files/0x000b000000023bb2-134.dat	upx
behavioral2/files/0x000b000000023bb3-137.dat	upx
behavioral2/memory/1392-123-0x00007FF67FF10000-0x00007FF680261000-memory.dmp	upx
behavioral2/memory/4704-141-0x00007FF657880000-0x00007FF657BD1000-memory.dmp	upx
behavioral2/memory/844-143-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	upx
behavioral2/memory/3892-142-0x00007FF7E97C0000-0x00007FF7E9B11000-memory.dmp	upx
behavioral2/memory/4236-122-0x00007FF794C40000-0x00007FF794F91000-memory.dmp	upx
behavioral2/memory/1280-121-0x00007FF6A7060000-0x00007FF6A73B1000-memory.dmp	upx
behavioral2/memory/528-119-0x00007FF6D54B0000-0x00007FF6D5801000-memory.dmp	upx
behavioral2/memory/2504-118-0x00007FF705610000-0x00007FF705961000-memory.dmp	upx
behavioral2/memory/4588-117-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp	upx
behavioral2/memory/3212-116-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp	upx
behavioral2/memory/844-111-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	upx
behavioral2/memory/3936-113-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp	upx
behavioral2/memory/948-120-0x00007FF77FEF0000-0x00007FF780241000-memory.dmp	upx
behavioral2/memory/2464-114-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp	upx
behavioral2/memory/4936-147-0x00007FF76EA40000-0x00007FF76ED91000-memory.dmp	upx
behavioral2/memory/844-148-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	upx
behavioral2/memory/4704-167-0x00007FF657880000-0x00007FF657BD1000-memory.dmp	upx
behavioral2/memory/4936-169-0x00007FF76EA40000-0x00007FF76ED91000-memory.dmp	upx
behavioral2/memory/844-170-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp	upx
behavioral2/memory/3936-198-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp	upx
behavioral2/memory/2464-200-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp	upx
behavioral2/memory/3212-202-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp	upx
behavioral2/memory/4588-215-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp	upx
behavioral2/memory/2504-217-0x00007FF705610000-0x00007FF705961000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KjGLeso.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uiuGnAf.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CoGokRg.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMjPtMl.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkolyQv.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaCpwFQ.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OEKBKnm.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aNKoxvJ.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oBMJzyh.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\esUVPgj.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iLTBYuS.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbiqXsz.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SjoAGJk.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HQJpcxs.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MGqEzhh.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSYGxny.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lCEpCNJ.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YtcSjZq.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tJdmWKg.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sVArMUt.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JSZhevB.exe	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3936	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 844 wrote to memory of 3936	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 844 wrote to memory of 2464	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 844 wrote to memory of 2464	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 844 wrote to memory of 3212	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 844 wrote to memory of 3212	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 844 wrote to memory of 4588	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 844 wrote to memory of 4588	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 844 wrote to memory of 2504	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 844 wrote to memory of 2504	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 844 wrote to memory of 528	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 844 wrote to memory of 528	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 844 wrote to memory of 948	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 844 wrote to memory of 948	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 844 wrote to memory of 1280	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 844 wrote to memory of 1280	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 844 wrote to memory of 4236	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 844 wrote to memory of 4236	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 844 wrote to memory of 1392	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 844 wrote to memory of 1392	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 844 wrote to memory of 812	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 844 wrote to memory of 812	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 844 wrote to memory of 1548	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 844 wrote to memory of 1548	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 844 wrote to memory of 864	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 844 wrote to memory of 864	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 844 wrote to memory of 880	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 844 wrote to memory of 880	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 844 wrote to memory of 2700	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 844 wrote to memory of 2700	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 844 wrote to memory of 4768	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 844 wrote to memory of 4768	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 844 wrote to memory of 3488	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 844 wrote to memory of 3488	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 844 wrote to memory of 832	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 844 wrote to memory of 832	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 844 wrote to memory of 4704	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 844 wrote to memory of 4704	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 844 wrote to memory of 3892	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 844 wrote to memory of 3892	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 844 wrote to memory of 4936	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 844 wrote to memory of 4936	844	2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_61dae3a6728ea17f7d7190be065003ce_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\System\bkolyQv.exe
  C:\Windows\System\bkolyQv.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\iLTBYuS.exe
  C:\Windows\System\iLTBYuS.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\EaCpwFQ.exe
  C:\Windows\System\EaCpwFQ.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\KbiqXsz.exe
  C:\Windows\System\KbiqXsz.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\HQJpcxs.exe
  C:\Windows\System\HQJpcxs.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\KjGLeso.exe
  C:\Windows\System\KjGLeso.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\OEKBKnm.exe
  C:\Windows\System\OEKBKnm.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\uiuGnAf.exe
  C:\Windows\System\uiuGnAf.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\sVArMUt.exe
  C:\Windows\System\sVArMUt.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\JSZhevB.exe
  C:\Windows\System\JSZhevB.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\CoGokRg.exe
  C:\Windows\System\CoGokRg.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\sSYGxny.exe
  C:\Windows\System\sSYGxny.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\vMjPtMl.exe
  C:\Windows\System\vMjPtMl.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System\lCEpCNJ.exe
  C:\Windows\System\lCEpCNJ.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\MGqEzhh.exe
  C:\Windows\System\MGqEzhh.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\aNKoxvJ.exe
  C:\Windows\System\aNKoxvJ.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\oBMJzyh.exe
  C:\Windows\System\oBMJzyh.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\YtcSjZq.exe
  C:\Windows\System\YtcSjZq.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\esUVPgj.exe
  C:\Windows\System\esUVPgj.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\tJdmWKg.exe
  C:\Windows\System\tJdmWKg.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\SjoAGJk.exe
  C:\Windows\System\SjoAGJk.exe
  2⤵
  - Executes dropped EXE
  PID:4936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CoGokRg.exe

Filesize
5.2MB

MD5
a47aa5b4419702b06c2e19b73b4168a7

SHA1
af5b265f849a37820ecb5061bbae728fe1a2f075

SHA256
d4f1a9223aba258de81ff6fe4d8d82d027d0f3250ceeb664a99af4f63c2845a3

SHA512
7e97f887b37877dcdb254d3e57fc83c56e2c53c02a36546693b0ca4ed3334032459d6b565708b42990f71a5926704e36dcc487dee11ce1f9749ae2611b232412

Download Submit
C:\Windows\System\EaCpwFQ.exe

Filesize
5.2MB

MD5
1083509398735adbd3149fbb14ed44b9

SHA1
2f679cd8b24435cfbdda0851256f5aa1ca1886aa

SHA256
89a79a5b4ad2ff37f5c57924da254b56fa42b00ffc3090f797325cefafb30668

SHA512
3557f20837c933401ecf4c17ab4b465b25e45f8a315c394109b9455b44fe4200cd376bd069d5d05dd700a371b9bce207de9043b222f96390d5acd416ab152324

Download Submit
C:\Windows\System\HQJpcxs.exe

Filesize
5.2MB

MD5
753e6cc2eccbea21df6d31cc8c6774e3

SHA1
6b26d7691948f1d2b522b2b231a2f70e2b536cbc

SHA256
ed376521d267d98b0060e362e8d680c3ee1e6a7401bb5659879acd3c983b391a

SHA512
c808cf6a9aef1877fd1f061866bf76d7b7b8bcf22f9a10cddd847cef154790ee33ee117814d4801fd4ddbee9385ce83d2fb2049838b39c07629161976e506e3d

Download Submit
C:\Windows\System\JSZhevB.exe

Filesize
5.2MB

MD5
f7bafb7de993ba67bccc6fd74fcfc577

SHA1
e55acce419d58f0912fb36ac4df9fb7faeaf4327

SHA256
d90406efabc3508e108438a41b451482e58fa7729d17c250a8231e0a982434ce

SHA512
978cc83f3423e5490a2e95411e66cc4b9a11c72b0bb4ca801c665e5c3e3fcb25f9d6dbdc17c077de2cd69849f8356fcc1fbeb6f3914e400844223f4c8a16dc47

Download Submit
C:\Windows\System\KbiqXsz.exe

Filesize
5.2MB

MD5
2c29a59fe9e49ffad4b92f58dba0d948

SHA1
01ad05debdfe3a4dc6a0f0a3e4b1835c85bf20dd

SHA256
0b1b503a93197963b756e346f7a0cac98288ba0ec17f12c83f6286244d7c9e2d

SHA512
6108ba07eec36421b3706332d80552caa127f36da6e3c3999ce56ceb24db1d858df4802d59739a5d63499f7ba1d28b1ec4edef03872e72ebafaf60060c9e1147

Download Submit
C:\Windows\System\KjGLeso.exe

Filesize
5.2MB

MD5
7bb1026218bfc953d004bfbeaba960e2

SHA1
62874d19337606f0e6693caead95b08cc2870bc0

SHA256
08d0f87af54e4873af09049280b2d7681e514e924d59dfa1f84eedf283fc3478

SHA512
257b85106aac6caf8ba2ab441d0a547472f5a741287e4195d209bb61f9ff959acf047b91088cb4d1dc8a3e69f73142ce642f7470bc66a7a05b9af796a47b05e5

Download Submit
C:\Windows\System\MGqEzhh.exe

Filesize
5.2MB

MD5
83dd96aa5676ad56ba4efb87779ddab5

SHA1
72beff0cbdad8fde3c22f84d2a8a0aaafd060131

SHA256
86acadd23e09f4a6a3719c39f2e494a44008765e357acd22aded3d0f4454bfcf

SHA512
563174da2de1339803b0657f4bb48d586c123dc7ffdb28b6db4ee7c859003eb0fc7a65033b6d99a1296a8e0ffefb91261918e8b39eed5e33c6a8f8c2f40e0260

Download Submit
C:\Windows\System\OEKBKnm.exe

Filesize
5.2MB

MD5
ab85ad52c5b48f1f33a2a936ff977143

SHA1
bb3ab31f23ef5e01d4663a7f9ed43b1aa3790430

SHA256
d7133defde1c1a29ec77b591dcdc9d2de2112fcf846fc25635f9f01060a58dcc

SHA512
7883bd378b8e26fcb79c06dc9be72c06d7696d4835a8c09a2d5a316c5fe5c150c54e60c4fe3f82269bc56f752eed9c7eb64588174a6dc37656657b79c8f1f01f

Download Submit
C:\Windows\System\SjoAGJk.exe

Filesize
5.2MB

MD5
6c0fe219073470143fdf643d885dd7dc

SHA1
9fe041ba2a1a10fe77437891cd5df10e6f499dc5

SHA256
447a427ace87e0b1c99e8bbc3f5a908a69a630ba24583e73eed8b523d42d0865

SHA512
192c45e346c1f2ccab893049e4ac45e2901907fd47c162ea85af06ac4f954ca9fc07df1dda1d88d67eff775390212f225a4097188f02d50c0472ba8f0079bf83

Download Submit
C:\Windows\System\YtcSjZq.exe

Filesize
5.2MB

MD5
7350937bf641d3934d433d98d5369b5b

SHA1
4cc974e87c855def78f8897a7657c62daf3f2099

SHA256
d696b9ceabd7a161882c5db008cf6816caaf9bf9c8796b1182ff6b5ec0521b06

SHA512
0f9c1e0584752a73266ca3676e58bd27636cdb861e3e0f6a06b3821cb3eed349aa749e087a40d6004f50d92902c6a48c26ca46fc917c40269d4cb948b08b004e

Download Submit
C:\Windows\System\aNKoxvJ.exe

Filesize
5.2MB

MD5
f55183b6a3eb14c475c113885b0f7581

SHA1
013169f3e731206ae9a1c3e12584f391b2a07e54

SHA256
7c10b1da5d9c220587917e8afdaf61e041ea6d99fac6f532e3e8f873af52fad8

SHA512
54cb1fb29f33d9026cf3907695ce3492e46be8d0829aefc1b00680bcf18792f041e146d24d9933b22b1ca1edb53144543c809d729e93b274508131950c58fe71

Download Submit
C:\Windows\System\bkolyQv.exe

Filesize
5.2MB

MD5
7cdda62d75d92fde556481973ec6af07

SHA1
26e9eb190caa88f36bfd1ee4466c7272ee608492

SHA256
f1a44b3519d5d6ee58af91df971404aa6c216f3f8c90e041b4f2dcd2af337863

SHA512
517f9f745f34eb56dd846af857e0d1c0a2ce1f7493642415a890241b98b2e66d1f5b6d39a9d4a8d2c115ef59d4bcb1f0017165cd1fa3454870d588bdc8243c70

Download Submit
C:\Windows\System\esUVPgj.exe

Filesize
5.2MB

MD5
a4d04e77deead4f3b9232d5ef68d53e8

SHA1
20e548decd8f61ba956cb9e3e4bb2b5c1e67bcd6

SHA256
9903c0943639f692d35f9564079b1574c67d08b0220b6b0a419a3375c035d26f

SHA512
a82938cea957816c7925ff5c319ab9c88051d5256d3cbb5b47cf327a366a60c681df6472db288519da08a7711bdebd48064b80610c2315431623bbe41bd471d9

Download Submit
C:\Windows\System\iLTBYuS.exe

Filesize
5.2MB

MD5
505fbcc156bbc0bd953a935d1575d149

SHA1
287d412cf7af7bf89dc29b7f5e1452d69a559eba

SHA256
3e7d9cc321b7fb14532ab82b21d4eb0ebc3c9ed97a9e1920599d41d08b14053f

SHA512
4f2a1f184d3240a3a90d6743cdd4548a50d136b01fc7bc0c82064cb82ff0be1c7104864ed8ade4f3aba3b28320437e06020194f214311426d35cf496f91bf896

Download Submit
C:\Windows\System\lCEpCNJ.exe

Filesize
5.2MB

MD5
3e842ca8d6c9f16f3862990f912116b0

SHA1
94474a344dc11f1b235dbf1da31a955d6bb0d2b0

SHA256
6205ba1a07035efb636276b454976a0eedbfc07ecbac1d1df33a575be025e383

SHA512
97c298c974a761f46ebf03186016665583898dc27fc88dba54335aae59e9bec3664784eee20298eddc57c84ac6fe24640421ebb0577506ecc6507c830259c103

Download Submit
C:\Windows\System\oBMJzyh.exe

Filesize
5.2MB

MD5
1beb906ca3fb2e0ea4e49fa2e6f8f53e

SHA1
5af701a7a32aae7dc08cd20c0957803f6e1b2baa

SHA256
b8ee23f8df8b3cbec3d271fbcba1887275cf100bc6fcc22147bd0dcc6d05c6f7

SHA512
20f01a5fc0bd18b8e5eedf94452d715d8109004a81be5f764bff6bbcf0473ffcae86a4def195d7e852a9127e5f7e233115faabee9835187b4323f2bb3e692a5e

Download Submit
C:\Windows\System\sSYGxny.exe

Filesize
5.2MB

MD5
5767555c49658b13097c19180982fb49

SHA1
428be3b3ae922fa0c0257cd269095e1858b5987a

SHA256
ad11ddd40a28c7f2ec14399d91c9ca52e81b694008f391d2866c2638b4f6cf43

SHA512
83cae53f57d2cdb25b6f4ecb37ca598b0d830745f67dd2bde513e2359f2d62812a6d8199bb31a8f91232661d480529c368cbce4d200f138e78928c4d077f7fd5

Download Submit
C:\Windows\System\sVArMUt.exe

Filesize
5.2MB

MD5
4cbaa8156e2a3d38f9efd77ae7e01490

SHA1
a63083e9a5c51e0b5a335ed541f8526174fc0515

SHA256
96549840ead2fccaef8503e894d227221a51681f7853455cd0045a840821c947

SHA512
a05502b76c7f37b99c02cdf9246ec80bc5622d60f18be8bb8e1145f4061a856784b5c9ac6b737fa9d108b7af324a99b1dc5c90b9bd63fe7aaf319dd1c1b735a4

Download Submit
C:\Windows\System\tJdmWKg.exe

Filesize
5.2MB

MD5
0d38de181787237e2a3c7f6c385b00de

SHA1
cd6d9a3e4cb63b419eb37b287ffd9d4771c3d312

SHA256
395465186444961de5e6bc83f843bfa1d27c9d869a5ba273f49cbc88a3aaeecd

SHA512
27c7d85882cb154e18dc9a242f16892961fae4d187e97232d0256faf8718e7cc5bc94bf69b5c81aad80c999d6af501e7fb3998268f7a4c3d7c39b2262a0754ee

Download Submit
C:\Windows\System\uiuGnAf.exe

Filesize
5.2MB

MD5
34ddd930d91cdcb5b75ddd0ee4107db4

SHA1
fd1c772e06ce368957d2a2a73c2acdaa843400ef

SHA256
d4b357afa0065dd4693a523bdbafa4e125c262e7887c20879fea751f0229ffcf

SHA512
1e77cc7186b4074ab64a8b03b91c223e06a5e8421fe93ed8f41fab6fcae6d158e6855cb7f94bf472da5bd01b5d29fcfe1d1dc8a09f74b1695b2ebc7d83c3dcf7

Download Submit
C:\Windows\System\vMjPtMl.exe

Filesize
5.2MB

MD5
9629021667d504f004bccf912124f1ad

SHA1
ff286eda497781a50f7a17d55ccb7e3bad010dc4

SHA256
dee537fc90827e846e6b1f7637ce026a4a72bb8a521c0caac415af5fb813d14d

SHA512
37ec6e27d1030688afbb9bdbb327300ccdb2b6b4636c2dcd51a7c8f0759a7b8e6e9351513f4b1e6ece24aaa0cbec3855efda050145d8941eb2917fefb50da777

Download Submit
memory/528-219-0x00007FF6D54B0000-0x00007FF6D5801000-memory.dmp

Filesize
3.3MB

Download
memory/528-40-0x00007FF6D54B0000-0x00007FF6D5801000-memory.dmp

Filesize
3.3MB

Download
memory/528-119-0x00007FF6D54B0000-0x00007FF6D5801000-memory.dmp

Filesize
3.3MB

Download
memory/812-242-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp

Filesize
3.3MB

Download
memory/812-109-0x00007FF7A3100000-0x00007FF7A3451000-memory.dmp

Filesize
3.3MB

Download
memory/832-246-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp

Filesize
3.3MB

Download
memory/832-110-0x00007FF7CF240000-0x00007FF7CF591000-memory.dmp

Filesize
3.3MB

Download
memory/844-143-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp

Filesize
3.3MB

Download
memory/844-111-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp

Filesize
3.3MB

Download
memory/844-0-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp

Filesize
3.3MB

Download
memory/844-148-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp

Filesize
3.3MB

Download
memory/844-170-0x00007FF6BF350000-0x00007FF6BF6A1000-memory.dmp

Filesize
3.3MB

Download
memory/844-1-0x00000240183A0000-0x00000240183B0000-memory.dmp

Filesize
64KB

Download
memory/864-98-0x00007FF64C2C0000-0x00007FF64C611000-memory.dmp

Filesize
3.3MB

Download
memory/864-238-0x00007FF64C2C0000-0x00007FF64C611000-memory.dmp

Filesize
3.3MB

Download
memory/880-104-0x00007FF635500000-0x00007FF635851000-memory.dmp

Filesize
3.3MB

Download
memory/880-236-0x00007FF635500000-0x00007FF635851000-memory.dmp

Filesize
3.3MB

Download
memory/948-120-0x00007FF77FEF0000-0x00007FF780241000-memory.dmp

Filesize
3.3MB

Download
memory/948-224-0x00007FF77FEF0000-0x00007FF780241000-memory.dmp

Filesize
3.3MB

Download
memory/948-51-0x00007FF77FEF0000-0x00007FF780241000-memory.dmp

Filesize
3.3MB

Download
memory/1280-121-0x00007FF6A7060000-0x00007FF6A73B1000-memory.dmp

Filesize
3.3MB

Download
memory/1280-225-0x00007FF6A7060000-0x00007FF6A73B1000-memory.dmp

Filesize
3.3MB

Download
memory/1280-50-0x00007FF6A7060000-0x00007FF6A73B1000-memory.dmp

Filesize
3.3MB

Download
memory/1392-92-0x00007FF67FF10000-0x00007FF680261000-memory.dmp

Filesize
3.3MB

Download
memory/1392-233-0x00007FF67FF10000-0x00007FF680261000-memory.dmp

Filesize
3.3MB

Download
memory/1392-123-0x00007FF67FF10000-0x00007FF680261000-memory.dmp

Filesize
3.3MB

Download
memory/1548-239-0x00007FF6D40C0000-0x00007FF6D4411000-memory.dmp

Filesize
3.3MB

Download
memory/1548-93-0x00007FF6D40C0000-0x00007FF6D4411000-memory.dmp

Filesize
3.3MB

Download
memory/2464-15-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-200-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-114-0x00007FF728F80000-0x00007FF7292D1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-118-0x00007FF705610000-0x00007FF705961000-memory.dmp

Filesize
3.3MB

Download
memory/2504-217-0x00007FF705610000-0x00007FF705961000-memory.dmp

Filesize
3.3MB

Download
memory/2504-33-0x00007FF705610000-0x00007FF705961000-memory.dmp

Filesize
3.3MB

Download
memory/2700-101-0x00007FF6AA3F0000-0x00007FF6AA741000-memory.dmp

Filesize
3.3MB

Download
memory/2700-243-0x00007FF6AA3F0000-0x00007FF6AA741000-memory.dmp

Filesize
3.3MB

Download
memory/3212-18-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-116-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3212-202-0x00007FF787C50000-0x00007FF787FA1000-memory.dmp

Filesize
3.3MB

Download
memory/3488-108-0x00007FF791F50000-0x00007FF7922A1000-memory.dmp

Filesize
3.3MB

Download
memory/3488-249-0x00007FF791F50000-0x00007FF7922A1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-255-0x00007FF7E97C0000-0x00007FF7E9B11000-memory.dmp

Filesize
3.3MB

Download
memory/3892-142-0x00007FF7E97C0000-0x00007FF7E9B11000-memory.dmp

Filesize
3.3MB

Download
memory/3936-198-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-113-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-8-0x00007FF78F460000-0x00007FF78F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/4236-122-0x00007FF794C40000-0x00007FF794F91000-memory.dmp

Filesize
3.3MB

Download
memory/4236-222-0x00007FF794C40000-0x00007FF794F91000-memory.dmp

Filesize
3.3MB

Download
memory/4236-52-0x00007FF794C40000-0x00007FF794F91000-memory.dmp

Filesize
3.3MB

Download
memory/4588-117-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp

Filesize
3.3MB

Download
memory/4588-29-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp

Filesize
3.3MB

Download
memory/4588-215-0x00007FF7066E0000-0x00007FF706A31000-memory.dmp

Filesize
3.3MB

Download
memory/4704-141-0x00007FF657880000-0x00007FF657BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-167-0x00007FF657880000-0x00007FF657BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4704-257-0x00007FF657880000-0x00007FF657BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-105-0x00007FF69CC90000-0x00007FF69CFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-247-0x00007FF69CC90000-0x00007FF69CFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4936-169-0x00007FF76EA40000-0x00007FF76ED91000-memory.dmp

Filesize
3.3MB

Download
memory/4936-147-0x00007FF76EA40000-0x00007FF76ED91000-memory.dmp

Filesize
3.3MB

Download
memory/4936-259-0x00007FF76EA40000-0x00007FF76ED91000-memory.dmp

Filesize
3.3MB

Download