cobaltstrike | fb102bd06b27191d75de52a20067bb8726a06e70ec332b55c2066adf0066d23c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a9bcd1e3392651c6a4265e174ce9904e
SHA1

f3add6325723b34e4621b78c2b18c25aa9e90a50
SHA256

fb102bd06b27191d75de52a20067bb8726a06e70ec332b55c2066adf0066d23c
SHA512

438eff2a3191ff406ae717c02dc15aa1f307314adbb10003c7957d1764bfb79dd0edf7a13f144eaf760e21c698c13ceebb644dbe0011afd0fcaf434f4f4c4c6f
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ln:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023c9d-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-13.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb0-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb4-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-91.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c9e-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-30.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2996-90-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp	xmrig
behavioral2/memory/4804-70-0x00007FF63B380000-0x00007FF63B6D1000-memory.dmp	xmrig
behavioral2/memory/3916-66-0x00007FF7391F0000-0x00007FF739541000-memory.dmp	xmrig
behavioral2/memory/4312-64-0x00007FF7C4D20000-0x00007FF7C5071000-memory.dmp	xmrig
behavioral2/memory/1880-55-0x00007FF705490000-0x00007FF7057E1000-memory.dmp	xmrig
behavioral2/memory/716-119-0x00007FF766040000-0x00007FF766391000-memory.dmp	xmrig
behavioral2/memory/5052-121-0x00007FF757C70000-0x00007FF757FC1000-memory.dmp	xmrig
behavioral2/memory/3512-120-0x00007FF7F8920000-0x00007FF7F8C71000-memory.dmp	xmrig
behavioral2/memory/1748-122-0x00007FF66C780000-0x00007FF66CAD1000-memory.dmp	xmrig
behavioral2/memory/4624-123-0x00007FF7F6F90000-0x00007FF7F72E1000-memory.dmp	xmrig
behavioral2/memory/3340-125-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	xmrig
behavioral2/memory/3704-124-0x00007FF604E70000-0x00007FF6051C1000-memory.dmp	xmrig
behavioral2/memory/4308-126-0x00007FF797610000-0x00007FF797961000-memory.dmp	xmrig
behavioral2/memory/2608-128-0x00007FF725070000-0x00007FF7253C1000-memory.dmp	xmrig
behavioral2/memory/3892-127-0x00007FF6A1E90000-0x00007FF6A21E1000-memory.dmp	xmrig
behavioral2/memory/2216-130-0x00007FF7190F0000-0x00007FF719441000-memory.dmp	xmrig
behavioral2/memory/3860-132-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp	xmrig
behavioral2/memory/1140-133-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp	xmrig
behavioral2/memory/4372-131-0x00007FF701530000-0x00007FF701881000-memory.dmp	xmrig
behavioral2/memory/368-129-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp	xmrig
behavioral2/memory/5076-143-0x00007FF709870000-0x00007FF709BC1000-memory.dmp	xmrig
behavioral2/memory/2996-142-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp	xmrig
behavioral2/memory/3852-140-0x00007FF6B1940000-0x00007FF6B1C91000-memory.dmp	xmrig
behavioral2/memory/3340-150-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	xmrig
behavioral2/memory/3340-151-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	xmrig
behavioral2/memory/368-199-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp	xmrig
behavioral2/memory/2216-210-0x00007FF7190F0000-0x00007FF719441000-memory.dmp	xmrig
behavioral2/memory/4372-212-0x00007FF701530000-0x00007FF701881000-memory.dmp	xmrig
behavioral2/memory/1140-214-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp	xmrig
behavioral2/memory/3860-216-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp	xmrig
behavioral2/memory/4624-218-0x00007FF7F6F90000-0x00007FF7F72E1000-memory.dmp	xmrig
behavioral2/memory/1880-221-0x00007FF705490000-0x00007FF7057E1000-memory.dmp	xmrig
behavioral2/memory/3916-223-0x00007FF7391F0000-0x00007FF739541000-memory.dmp	xmrig
behavioral2/memory/4312-232-0x00007FF7C4D20000-0x00007FF7C5071000-memory.dmp	xmrig
behavioral2/memory/3704-236-0x00007FF604E70000-0x00007FF6051C1000-memory.dmp	xmrig
behavioral2/memory/4804-238-0x00007FF63B380000-0x00007FF63B6D1000-memory.dmp	xmrig
behavioral2/memory/3852-240-0x00007FF6B1940000-0x00007FF6B1C91000-memory.dmp	xmrig
behavioral2/memory/4308-245-0x00007FF797610000-0x00007FF797961000-memory.dmp	xmrig
behavioral2/memory/716-242-0x00007FF766040000-0x00007FF766391000-memory.dmp	xmrig
behavioral2/memory/2996-246-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp	xmrig
behavioral2/memory/3512-249-0x00007FF7F8920000-0x00007FF7F8C71000-memory.dmp	xmrig
behavioral2/memory/5076-250-0x00007FF709870000-0x00007FF709BC1000-memory.dmp	xmrig
behavioral2/memory/1748-252-0x00007FF66C780000-0x00007FF66CAD1000-memory.dmp	xmrig
behavioral2/memory/5052-258-0x00007FF757C70000-0x00007FF757FC1000-memory.dmp	xmrig
behavioral2/memory/2608-257-0x00007FF725070000-0x00007FF7253C1000-memory.dmp	xmrig
behavioral2/memory/3892-255-0x00007FF6A1E90000-0x00007FF6A21E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
368	bNjDoqF.exe
2216	TFTLhaW.exe
4372	iAEMGqC.exe
1140	hNryhYU.exe
3860	DRExDZz.exe
4624	OToERWp.exe
1880	jYFgMVQ.exe
4312	GKAaAQg.exe
3916	iAdWWCX.exe
3704	vaxBIKx.exe
4804	lmAQKEc.exe
3852	tNRKrgJ.exe
4308	pQQETei.exe
2996	dJrLPHF.exe
5076	CcgulST.exe
3892	WxORKJC.exe
716	GpaLrOa.exe
3512	kSxgTir.exe
5052	CLlblGS.exe
2608	bvjeeav.exe
1748	KXeaENX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3340-0-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	upx
behavioral2/files/0x0009000000023c9d-4.dat	upx
behavioral2/memory/368-8-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-13.dat	upx
behavioral2/memory/2216-12-0x00007FF7190F0000-0x00007FF719441000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-17.dat	upx
behavioral2/memory/4372-20-0x00007FF701530000-0x00007FF701881000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-26.dat	upx
behavioral2/files/0x0007000000023ca7-36.dat	upx
behavioral2/files/0x0007000000023ca6-38.dat	upx
behavioral2/files/0x0007000000023ca8-42.dat	upx
behavioral2/memory/3860-47-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-60.dat	upx
behavioral2/files/0x0007000000023cab-65.dat	upx
behavioral2/files/0x0007000000023caa-67.dat	upx
behavioral2/files/0x0007000000023cac-82.dat	upx
behavioral2/files/0x0007000000023cad-86.dat	upx
behavioral2/files/0x0007000000023cb0-100.dat	upx
behavioral2/files/0x0007000000023caf-110.dat	upx
behavioral2/files/0x0007000000023cb4-117.dat	upx
behavioral2/files/0x0007000000023cb3-115.dat	upx
behavioral2/files/0x0007000000023cb2-113.dat	upx
behavioral2/files/0x0007000000023cb1-108.dat	upx
behavioral2/memory/5076-105-0x00007FF709870000-0x00007FF709BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-91.dat	upx
behavioral2/memory/2996-90-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp	upx
behavioral2/memory/3852-78-0x00007FF6B1940000-0x00007FF6B1C91000-memory.dmp	upx
behavioral2/memory/4804-70-0x00007FF63B380000-0x00007FF63B6D1000-memory.dmp	upx
behavioral2/memory/3916-66-0x00007FF7391F0000-0x00007FF739541000-memory.dmp	upx
behavioral2/memory/4312-64-0x00007FF7C4D20000-0x00007FF7C5071000-memory.dmp	upx
behavioral2/memory/1880-55-0x00007FF705490000-0x00007FF7057E1000-memory.dmp	upx
behavioral2/files/0x0009000000023c9e-49.dat	upx
behavioral2/files/0x0007000000023ca5-30.dat	upx
behavioral2/memory/1140-29-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp	upx
behavioral2/memory/716-119-0x00007FF766040000-0x00007FF766391000-memory.dmp	upx
behavioral2/memory/5052-121-0x00007FF757C70000-0x00007FF757FC1000-memory.dmp	upx
behavioral2/memory/3512-120-0x00007FF7F8920000-0x00007FF7F8C71000-memory.dmp	upx
behavioral2/memory/1748-122-0x00007FF66C780000-0x00007FF66CAD1000-memory.dmp	upx
behavioral2/memory/4624-123-0x00007FF7F6F90000-0x00007FF7F72E1000-memory.dmp	upx
behavioral2/memory/3340-125-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	upx
behavioral2/memory/3704-124-0x00007FF604E70000-0x00007FF6051C1000-memory.dmp	upx
behavioral2/memory/4308-126-0x00007FF797610000-0x00007FF797961000-memory.dmp	upx
behavioral2/memory/2608-128-0x00007FF725070000-0x00007FF7253C1000-memory.dmp	upx
behavioral2/memory/3892-127-0x00007FF6A1E90000-0x00007FF6A21E1000-memory.dmp	upx
behavioral2/memory/2216-130-0x00007FF7190F0000-0x00007FF719441000-memory.dmp	upx
behavioral2/memory/3860-132-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp	upx
behavioral2/memory/1140-133-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp	upx
behavioral2/memory/4372-131-0x00007FF701530000-0x00007FF701881000-memory.dmp	upx
behavioral2/memory/368-129-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp	upx
behavioral2/memory/5076-143-0x00007FF709870000-0x00007FF709BC1000-memory.dmp	upx
behavioral2/memory/2996-142-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp	upx
behavioral2/memory/3852-140-0x00007FF6B1940000-0x00007FF6B1C91000-memory.dmp	upx
behavioral2/memory/3340-150-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	upx
behavioral2/memory/3340-151-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp	upx
behavioral2/memory/368-199-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp	upx
behavioral2/memory/2216-210-0x00007FF7190F0000-0x00007FF719441000-memory.dmp	upx
behavioral2/memory/4372-212-0x00007FF701530000-0x00007FF701881000-memory.dmp	upx
behavioral2/memory/1140-214-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp	upx
behavioral2/memory/3860-216-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp	upx
behavioral2/memory/4624-218-0x00007FF7F6F90000-0x00007FF7F72E1000-memory.dmp	upx
behavioral2/memory/1880-221-0x00007FF705490000-0x00007FF7057E1000-memory.dmp	upx
behavioral2/memory/3916-223-0x00007FF7391F0000-0x00007FF739541000-memory.dmp	upx
behavioral2/memory/4312-232-0x00007FF7C4D20000-0x00007FF7C5071000-memory.dmp	upx
behavioral2/memory/3704-236-0x00007FF604E70000-0x00007FF6051C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bNjDoqF.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iAEMGqC.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OToERWp.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pQQETei.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TFTLhaW.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iAdWWCX.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vaxBIKx.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tNRKrgJ.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CcgulST.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLlblGS.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GKAaAQg.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WxORKJC.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpaLrOa.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kSxgTir.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXeaENX.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DRExDZz.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hNryhYU.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jYFgMVQ.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lmAQKEc.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dJrLPHF.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bvjeeav.exe	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 368	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3340 wrote to memory of 368	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3340 wrote to memory of 2216	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3340 wrote to memory of 2216	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3340 wrote to memory of 4372	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3340 wrote to memory of 4372	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3340 wrote to memory of 3860	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3340 wrote to memory of 3860	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3340 wrote to memory of 1140	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3340 wrote to memory of 1140	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3340 wrote to memory of 4624	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3340 wrote to memory of 4624	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3340 wrote to memory of 1880	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3340 wrote to memory of 1880	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3340 wrote to memory of 4312	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3340 wrote to memory of 4312	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3340 wrote to memory of 3916	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3340 wrote to memory of 3916	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3340 wrote to memory of 3704	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3340 wrote to memory of 3704	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3340 wrote to memory of 4804	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3340 wrote to memory of 4804	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3340 wrote to memory of 3852	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3340 wrote to memory of 3852	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3340 wrote to memory of 4308	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3340 wrote to memory of 4308	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3340 wrote to memory of 2996	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3340 wrote to memory of 2996	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3340 wrote to memory of 5076	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3340 wrote to memory of 5076	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3340 wrote to memory of 3892	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3340 wrote to memory of 3892	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3340 wrote to memory of 716	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3340 wrote to memory of 716	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3340 wrote to memory of 3512	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3340 wrote to memory of 3512	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3340 wrote to memory of 5052	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3340 wrote to memory of 5052	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3340 wrote to memory of 2608	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3340 wrote to memory of 2608	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3340 wrote to memory of 1748	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3340 wrote to memory of 1748	3340	2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_a9bcd1e3392651c6a4265e174ce9904e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\System\bNjDoqF.exe
  C:\Windows\System\bNjDoqF.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System\TFTLhaW.exe
  C:\Windows\System\TFTLhaW.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\iAEMGqC.exe
  C:\Windows\System\iAEMGqC.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\DRExDZz.exe
  C:\Windows\System\DRExDZz.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\hNryhYU.exe
  C:\Windows\System\hNryhYU.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\OToERWp.exe
  C:\Windows\System\OToERWp.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\jYFgMVQ.exe
  C:\Windows\System\jYFgMVQ.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\GKAaAQg.exe
  C:\Windows\System\GKAaAQg.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\iAdWWCX.exe
  C:\Windows\System\iAdWWCX.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\vaxBIKx.exe
  C:\Windows\System\vaxBIKx.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\lmAQKEc.exe
  C:\Windows\System\lmAQKEc.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\tNRKrgJ.exe
  C:\Windows\System\tNRKrgJ.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\pQQETei.exe
  C:\Windows\System\pQQETei.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\dJrLPHF.exe
  C:\Windows\System\dJrLPHF.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\CcgulST.exe
  C:\Windows\System\CcgulST.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\WxORKJC.exe
  C:\Windows\System\WxORKJC.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\GpaLrOa.exe
  C:\Windows\System\GpaLrOa.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\kSxgTir.exe
  C:\Windows\System\kSxgTir.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\CLlblGS.exe
  C:\Windows\System\CLlblGS.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\bvjeeav.exe
  C:\Windows\System\bvjeeav.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\KXeaENX.exe
  C:\Windows\System\KXeaENX.exe
  2⤵
  - Executes dropped EXE
  PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CLlblGS.exe

Filesize
5.2MB

MD5
adf1ed98994e806eb7084e09be3547c4

SHA1
a2415c425bfb33605fb89ab3d6cade9fdb51b47c

SHA256
f02dfe0050292eb9f63a595fde46edc745912a70045bafbfb370a864dfa85d9a

SHA512
f8a51f71b801b461f4efaa73364b4d407392657253b405e392baf41742e01326ce5a63e56fc77e41f5da863ddfb67520d2db299adcdc6d2fe08f4c5bfa37d176

Download Submit
C:\Windows\System\CcgulST.exe

Filesize
5.2MB

MD5
630c5e4901605ae2f62d8e6b34e0c73e

SHA1
5ab4c9200afd9c53d8196ac4a93b16bf26502054

SHA256
f970e6922309d5a1dc76d464d8f412829bf9852e2fc9e4035f418aa8ea814c16

SHA512
6ba537b56982303ec92f5cc674322179655e50c0f5704ba863b43349e20f19600b7013ce670dbf324306c104fd7ea30091b296188cb800185d3e8dcbe1fcc208

Download Submit
C:\Windows\System\DRExDZz.exe

Filesize
5.2MB

MD5
0397818b6c6ffdd394e9e28ce310b52f

SHA1
290335dc69ce622abb1c78f440f1366f1879e458

SHA256
4bb8f93775beebd3408d3a96c62cf6067cc24e25e7c332d9673131eaaf38ce77

SHA512
6e197ce409998286a3b580168f71ac3837757f18d73fbb7d2f2d5ba8845c86eb805beab328456574d345734fc3bd5d133993adf8778111a3c6a0f818655d510b

Download Submit
C:\Windows\System\GKAaAQg.exe

Filesize
5.2MB

MD5
651a01761df5e27199bcfabda0bcb86c

SHA1
d40c21a6402b202a8476852c4cbdb373aa71e818

SHA256
e19ca275973b7f58b2d0d29e4d98e29d12124b1a916c556e8bb604402f5bde7a

SHA512
910a539304d7a605757defccb481b3bb613ae9223380f4ce8ae9b38b55e743971b483e9d18ff2c32d4a1633f5d1a0cbf834fa2e9eef07d1d4dea0d1c60937d50

Download Submit
C:\Windows\System\GpaLrOa.exe

Filesize
5.2MB

MD5
ec2eea0b17a47f6744da9156c5ea89db

SHA1
5e7e6b242a2f9c0dd80367d91ec7708fb290d42f

SHA256
e07ea2fe2ae76688250c5a2b6b21550f621c94acba274395ce93d7065f499e6e

SHA512
bc3ae3f4039578c4940b062f12dde708db99456921dca433fadb3bd816ec6a839bb5addaeb528da93d0363ecf448d281e17879f638b3abe353b33cc0130c4f2f

Download Submit
C:\Windows\System\KXeaENX.exe

Filesize
5.2MB

MD5
5ef6fd09f99aef634751aadfc4197d44

SHA1
69a10d56981b6ab6d731fca886ef0c0f51dbcccf

SHA256
17afb418048c438ae77617f5581f4a2659f1bd6b6785877d4f77984d9ee447cd

SHA512
aca0e0ad255d5265132eb62ea3df6e3f154babf438f9f5bda8e228801d45b1c50b189956bc2bc1f2205376fbee4e9a5e71c8a5f03cd5e81d94b2954eceab84a1

Download Submit
C:\Windows\System\OToERWp.exe

Filesize
5.2MB

MD5
ab8cabe4ff44410cc07abd70a2fd2185

SHA1
fb8f5790b914fef2eb9c8543a58a01a820a77700

SHA256
e62e1c3f241fcd4f79c586157c19d0005e96f8ac02ec0d341a60d18da0bc02f7

SHA512
c70c8739752867cd70282c448855263ebada8b661b714da7983c20e2467b9d5717b2a50341f1a34b6a7ab0631059ec324abb09110d4220ff2174d3e275834298

Download Submit
C:\Windows\System\TFTLhaW.exe

Filesize
5.2MB

MD5
a750fd90251f2a229341d044da25d0f6

SHA1
8a16aeef96bb0f2f46268af95d5fbf718cf5e79e

SHA256
da6ea4bd61cee5decd5beb41d29027ebff6df07f236c5723b430db9d94e0ea42

SHA512
91a55bbc3bbb228eb1793e1220aaa721253435f24a228315885a4c6665565e1b1525861eaeb8b94bf535460f03f8ce015d7c9648085a7d7dd92ec8b889c19479

Download Submit
C:\Windows\System\WxORKJC.exe

Filesize
5.2MB

MD5
aeb712504457c86a3f67f0f4624cb575

SHA1
4b497b7cc475cfc34b0f65fef97530e190fe075d

SHA256
bbf8b46099730a0539fa76dc2f6eae3f14e94a350bc7f7f29f5b3076760dab94

SHA512
b473978281d714fd130765e56d6fb3e9c354ec25de1fa09c3c08e016647f3d125531b8244728e153486d4a7ef66fac601f636e40ab0162963616cf126aa5a5ac

Download Submit
C:\Windows\System\bNjDoqF.exe

Filesize
5.2MB

MD5
b9dd43fbdacd8ec7c2ffddef57448886

SHA1
06db45d5be73131888bb52343ca7f9d153519278

SHA256
2c483bbe7491808016e7709e025a2610e8559fdef77ed2aa82aba347b69a548d

SHA512
8b9b84c6da0e6753ecf8983f8e7a51a9823a694e0c21dc0bb57eda62e2cd12e5c9be348dd17739316d471bc3d40e03931f508f01d5f89ca8725af7b423e7366d

Download Submit
C:\Windows\System\bvjeeav.exe

Filesize
5.2MB

MD5
b035ef6000f497ada5f4e0ef6b4152d5

SHA1
c6e5adc997969c37dbc89f014534c3daee0d4d79

SHA256
93442b18f6b06bc3792b29697fd5eb77a0316162823b93cf1334ab44833d8908

SHA512
183e09a9a71ee14670c83bd39b51e61d0e8df2e971fb027619c40f8d362e9699dff00b0bb74cc89a877bb82c7e2722a1d257b5c333d8cf89e07e5121b2e6645b

Download Submit
C:\Windows\System\dJrLPHF.exe

Filesize
5.2MB

MD5
50d679df9d764dfec9dd84b277bbed3b

SHA1
f796ace09b74705aed344b719c7cff938720fa66

SHA256
575bf35f340a3d6efd3cb78ddc7df6d32d8f3b958d1c44bf28c1dc92df183fc0

SHA512
ec7d5b8f28eb8d647c1dc0be47e2e8216d5deb7739416214d81e3896e49cb57393cdcf936d6a8064f2dc111f13a07a138ca7f542eb2d1d9708e8915555b6d2c2

Download Submit
C:\Windows\System\hNryhYU.exe

Filesize
5.2MB

MD5
d58818c6365842fbbcac7cd7fea844ab

SHA1
3f15b14afb95ac66c3239cd0fc0b82a6010cbc5e

SHA256
7c9613c4a6daa68a2796bd02f824eabcf0814309fc0ca5171921a30c3c379999

SHA512
13caf4cfca30303bdd3f2453124c32be62b0aabd95f7fe2c6fb339feeb043e1e6f26abb48c614a063ee9065bdb9a33eb9ffaaecc23479637e895532859afb585

Download Submit
C:\Windows\System\iAEMGqC.exe

Filesize
5.2MB

MD5
742789e991c96efcfd92d34c45e9e4fe

SHA1
583a00c2b2dee4277ef7e8de39e04cb26475f781

SHA256
9c8beb651a68701a0959039daf398b3729ec2fbbf3dfe7045875a507e3008391

SHA512
4aafe4768ed1969eb9564f994f7a5c3e8dcbbcbba967e821bbaeb81173680cdac3b7322fffe313b99316689b9ace60efac49b8c25af99272697a2b91aeb2bf74

Download Submit
C:\Windows\System\iAdWWCX.exe

Filesize
5.2MB

MD5
2dd62d15fd748c6ddf1cc3f7de447667

SHA1
c77f048043dfc11dbc5e95acd92cf86992758d49

SHA256
4c966c62de755720bce35c05aaef90bf569b20ade527c55e9485d7c47340e81c

SHA512
55f2b804248dfac46c7d6cb8374365c62e8eeb79dcad2aa83d4ccccf23253bd0755cd267ccc57ddb154407e8ac8e38597327d87530769c663061a31ef6e723ac

Download Submit
C:\Windows\System\jYFgMVQ.exe

Filesize
5.2MB

MD5
3c1e0f49a5fa3217fede451609e77fd5

SHA1
d18e5b4ed05d441d906e0f77418505a53ae52ade

SHA256
2f77dd3c33686956ec0077c2cb2428f534f04734f2d4891d10a93d227ec74723

SHA512
b698b15ac3ea5b031473f918024078416c108dc58ebd7b891efdf409f3a526669dc6fb898b12b0e5ea7efe973bfe95d2c2e5b1a7f6cb6a8e2ab442e9792a4312

Download Submit
C:\Windows\System\kSxgTir.exe

Filesize
5.2MB

MD5
6ef7526fbb7cc9f346567de6f9941d2d

SHA1
959fc2c827ad54d2d23f78d3a9b29ab7fd27454f

SHA256
5dba3f5494951a8dffa50a7e81e58d10f82478d2e8ae5fa4ad64c6f724422ef2

SHA512
6f2348ad8c18988ec34482631c49b455ec653c9e99add5190436ddf5529d3b1e1149de0d63701750fc33110926d0fd47d60e8b235d6ab51d214aabb56e6a6090

Download Submit
C:\Windows\System\lmAQKEc.exe

Filesize
5.2MB

MD5
2a04c71b3900755999a81b9f689d7981

SHA1
7c94c77b33a1f8ebcb27cad0332c1196faf6f6eb

SHA256
3144d6f2143225640b85c22d4beebb7c7ab444acb5f5106eb0b3860eba6b1622

SHA512
595a99ade88e481613e227d45839bf25bc92647897da3f32baae1c4a8571929bb191588419dab5363af642bfdbd3e0b6cfbac6d43414267cd57f4171c3f875cb

Download Submit
C:\Windows\System\pQQETei.exe

Filesize
5.2MB

MD5
de403f4fc813d32581e1b43448f4abc6

SHA1
8fd5cf73cb00c7b23ef9cecbed7121e60e25e16d

SHA256
e24507fe45c7ff1ad63f2697b4a9772a0604a0ea446099104cd6472a8a677902

SHA512
9cc64ff6b6ea51fb0743af247f8780f2331688b7773fdafb09ba372a2af77df68c1a77af7f3e31a23f578e442cd35ef2fc8068ae8604ae26af0b91bb7125d949

Download Submit
C:\Windows\System\tNRKrgJ.exe

Filesize
5.2MB

MD5
79dfda80a1d8e435bb181672b7c4620e

SHA1
87e7b5ef3132e9c5665122eb87d51cb8f3c78665

SHA256
cfd6cd9d762978b61771a8cd7c62dc99c1580c0a34f3225179758e9442e66d73

SHA512
ab14fbc2eebb9c242f84705392c6b16ac6f08d0f90a1c7307f89ecc9726cfb3a36dade2b35cc58a9205c5edd3a382d09b1db50ef998d7a2a5d077ece3d36af10

Download Submit
C:\Windows\System\vaxBIKx.exe

Filesize
5.2MB

MD5
2a1ea436d2c1ff4c020e993d1ef8acfd

SHA1
d65a451be16bc07425ba3db0a7f892933bfdb464

SHA256
673acb4f4c3b6806bf776c43f300ef4f95ffb53925e7e3bbdddef6445619d10c

SHA512
3220af7437a0e6f0c42f4ebb5b207517b35b582f28463de6833bb1e065a13278fc2413179fe9a6e3dea9ea9e83ad4124f3da818f0c2e7da6a1881e9fca7ba68e

Download Submit
memory/368-199-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp

Filesize
3.3MB

Download
memory/368-8-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp

Filesize
3.3MB

Download
memory/368-129-0x00007FF693E90000-0x00007FF6941E1000-memory.dmp

Filesize
3.3MB

Download
memory/716-119-0x00007FF766040000-0x00007FF766391000-memory.dmp

Filesize
3.3MB

Download
memory/716-242-0x00007FF766040000-0x00007FF766391000-memory.dmp

Filesize
3.3MB

Download
memory/1140-214-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp

Filesize
3.3MB

Download
memory/1140-29-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp

Filesize
3.3MB

Download
memory/1140-133-0x00007FF7EA8D0000-0x00007FF7EAC21000-memory.dmp

Filesize
3.3MB

Download
memory/1748-122-0x00007FF66C780000-0x00007FF66CAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1748-252-0x00007FF66C780000-0x00007FF66CAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-221-0x00007FF705490000-0x00007FF7057E1000-memory.dmp

Filesize
3.3MB

Download
memory/1880-55-0x00007FF705490000-0x00007FF7057E1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-210-0x00007FF7190F0000-0x00007FF719441000-memory.dmp

Filesize
3.3MB

Download
memory/2216-12-0x00007FF7190F0000-0x00007FF719441000-memory.dmp

Filesize
3.3MB

Download
memory/2216-130-0x00007FF7190F0000-0x00007FF719441000-memory.dmp

Filesize
3.3MB

Download
memory/2608-257-0x00007FF725070000-0x00007FF7253C1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-128-0x00007FF725070000-0x00007FF7253C1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-142-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-246-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-90-0x00007FF76C5A0000-0x00007FF76C8F1000-memory.dmp

Filesize
3.3MB

Download
memory/3340-125-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3340-0-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3340-151-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3340-150-0x00007FF75C280000-0x00007FF75C5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3340-1-0x00000242C5110000-0x00000242C5120000-memory.dmp

Filesize
64KB

Download
memory/3512-249-0x00007FF7F8920000-0x00007FF7F8C71000-memory.dmp

Filesize
3.3MB

Download
memory/3512-120-0x00007FF7F8920000-0x00007FF7F8C71000-memory.dmp

Filesize
3.3MB

Download
memory/3704-236-0x00007FF604E70000-0x00007FF6051C1000-memory.dmp

Filesize
3.3MB

Download
memory/3704-124-0x00007FF604E70000-0x00007FF6051C1000-memory.dmp

Filesize
3.3MB

Download
memory/3852-240-0x00007FF6B1940000-0x00007FF6B1C91000-memory.dmp

Filesize
3.3MB

Download
memory/3852-78-0x00007FF6B1940000-0x00007FF6B1C91000-memory.dmp

Filesize
3.3MB

Download
memory/3852-140-0x00007FF6B1940000-0x00007FF6B1C91000-memory.dmp

Filesize
3.3MB

Download
memory/3860-47-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp

Filesize
3.3MB

Download
memory/3860-132-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp

Filesize
3.3MB

Download
memory/3860-216-0x00007FF7C1FF0000-0x00007FF7C2341000-memory.dmp

Filesize
3.3MB

Download
memory/3892-127-0x00007FF6A1E90000-0x00007FF6A21E1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-255-0x00007FF6A1E90000-0x00007FF6A21E1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-66-0x00007FF7391F0000-0x00007FF739541000-memory.dmp

Filesize
3.3MB

Download
memory/3916-223-0x00007FF7391F0000-0x00007FF739541000-memory.dmp

Filesize
3.3MB

Download
memory/4308-126-0x00007FF797610000-0x00007FF797961000-memory.dmp

Filesize
3.3MB

Download
memory/4308-245-0x00007FF797610000-0x00007FF797961000-memory.dmp

Filesize
3.3MB

Download
memory/4312-64-0x00007FF7C4D20000-0x00007FF7C5071000-memory.dmp

Filesize
3.3MB

Download
memory/4312-232-0x00007FF7C4D20000-0x00007FF7C5071000-memory.dmp

Filesize
3.3MB

Download
memory/4372-20-0x00007FF701530000-0x00007FF701881000-memory.dmp

Filesize
3.3MB

Download
memory/4372-131-0x00007FF701530000-0x00007FF701881000-memory.dmp

Filesize
3.3MB

Download
memory/4372-212-0x00007FF701530000-0x00007FF701881000-memory.dmp

Filesize
3.3MB

Download
memory/4624-218-0x00007FF7F6F90000-0x00007FF7F72E1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-123-0x00007FF7F6F90000-0x00007FF7F72E1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-238-0x00007FF63B380000-0x00007FF63B6D1000-memory.dmp

Filesize
3.3MB

Download
memory/4804-70-0x00007FF63B380000-0x00007FF63B6D1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-121-0x00007FF757C70000-0x00007FF757FC1000-memory.dmp

Filesize
3.3MB

Download
memory/5052-258-0x00007FF757C70000-0x00007FF757FC1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-250-0x00007FF709870000-0x00007FF709BC1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-105-0x00007FF709870000-0x00007FF709BC1000-memory.dmp

Filesize
3.3MB

Download
memory/5076-143-0x00007FF709870000-0x00007FF709BC1000-memory.dmp

Filesize
3.3MB

Download