cobaltstrike | d1f8f48af9e2a3df02de99c29d2cbca854d03c3d7752a7076b83f95b3c01b921

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

66d8cff9099b11ae3cc68f74ce6de90c
SHA1

946d12e0518ec2eacc5bca0f9ea87e858fa38d53
SHA256

d1f8f48af9e2a3df02de99c29d2cbca854d03c3d7752a7076b83f95b3c01b921
SHA512

2e317bde2cbd5f60bb47087399045b243d91bf6c6e5b09176015d630629527c30b8ba1dc41880044c089ae1976c8a01075bd52e0513d426edfecb1208dd41c40
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibd56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023c9b-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9a-15.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9f-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023c97-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9d-44.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9e-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c9c-32.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023c94-6.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4992-121-0x00007FF79ACB0000-0x00007FF79B001000-memory.dmp	xmrig
behavioral2/memory/2212-120-0x00007FF76DAB0000-0x00007FF76DE01000-memory.dmp	xmrig
behavioral2/memory/4820-118-0x00007FF6B5700000-0x00007FF6B5A51000-memory.dmp	xmrig
behavioral2/memory/2100-97-0x00007FF7B2AC0000-0x00007FF7B2E11000-memory.dmp	xmrig
behavioral2/memory/4976-89-0x00007FF7483F0000-0x00007FF748741000-memory.dmp	xmrig
behavioral2/memory/372-79-0x00007FF661D90000-0x00007FF6620E1000-memory.dmp	xmrig
behavioral2/memory/3132-73-0x00007FF715410000-0x00007FF715761000-memory.dmp	xmrig
behavioral2/memory/2656-59-0x00007FF7CB400000-0x00007FF7CB751000-memory.dmp	xmrig
behavioral2/memory/4444-18-0x00007FF78F610000-0x00007FF78F961000-memory.dmp	xmrig
behavioral2/memory/4496-128-0x00007FF754810000-0x00007FF754B61000-memory.dmp	xmrig
behavioral2/memory/216-129-0x00007FF664EB0000-0x00007FF665201000-memory.dmp	xmrig
behavioral2/memory/5064-133-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp	xmrig
behavioral2/memory/1792-148-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	xmrig
behavioral2/memory/4428-149-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp	xmrig
behavioral2/memory/1148-147-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp	xmrig
behavioral2/memory/4876-144-0x00007FF700380000-0x00007FF7006D1000-memory.dmp	xmrig
behavioral2/memory/4880-141-0x00007FF7113F0000-0x00007FF711741000-memory.dmp	xmrig
behavioral2/memory/1084-137-0x00007FF70A560000-0x00007FF70A8B1000-memory.dmp	xmrig
behavioral2/memory/4824-136-0x00007FF771240000-0x00007FF771591000-memory.dmp	xmrig
behavioral2/memory/3440-132-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp	xmrig
behavioral2/memory/2652-131-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp	xmrig
behavioral2/memory/1664-135-0x00007FF7A8E60000-0x00007FF7A91B1000-memory.dmp	xmrig
behavioral2/memory/4496-150-0x00007FF754810000-0x00007FF754B61000-memory.dmp	xmrig
behavioral2/memory/4496-151-0x00007FF754810000-0x00007FF754B61000-memory.dmp	xmrig
behavioral2/memory/216-209-0x00007FF664EB0000-0x00007FF665201000-memory.dmp	xmrig
behavioral2/memory/4444-211-0x00007FF78F610000-0x00007FF78F961000-memory.dmp	xmrig
behavioral2/memory/2652-213-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp	xmrig
behavioral2/memory/3440-215-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp	xmrig
behavioral2/memory/5064-217-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp	xmrig
behavioral2/memory/2656-219-0x00007FF7CB400000-0x00007FF7CB751000-memory.dmp	xmrig
behavioral2/memory/1664-235-0x00007FF7A8E60000-0x00007FF7A91B1000-memory.dmp	xmrig
behavioral2/memory/1084-236-0x00007FF70A560000-0x00007FF70A8B1000-memory.dmp	xmrig
behavioral2/memory/4976-240-0x00007FF7483F0000-0x00007FF748741000-memory.dmp	xmrig
behavioral2/memory/4824-239-0x00007FF771240000-0x00007FF771591000-memory.dmp	xmrig
behavioral2/memory/3132-232-0x00007FF715410000-0x00007FF715761000-memory.dmp	xmrig
behavioral2/memory/372-231-0x00007FF661D90000-0x00007FF6620E1000-memory.dmp	xmrig
behavioral2/memory/4876-252-0x00007FF700380000-0x00007FF7006D1000-memory.dmp	xmrig
behavioral2/memory/2212-254-0x00007FF76DAB0000-0x00007FF76DE01000-memory.dmp	xmrig
behavioral2/memory/4992-251-0x00007FF79ACB0000-0x00007FF79B001000-memory.dmp	xmrig
behavioral2/memory/2100-245-0x00007FF7B2AC0000-0x00007FF7B2E11000-memory.dmp	xmrig
behavioral2/memory/1148-249-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp	xmrig
behavioral2/memory/4820-247-0x00007FF6B5700000-0x00007FF6B5A51000-memory.dmp	xmrig
behavioral2/memory/4880-243-0x00007FF7113F0000-0x00007FF711741000-memory.dmp	xmrig
behavioral2/memory/4428-257-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp	xmrig
behavioral2/memory/1792-258-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
216	KoCmLzG.exe
4444	FtHULwZ.exe
2652	oGYVmZH.exe
3440	wXAJaGj.exe
2656	kyKoeaK.exe
5064	afKFaIq.exe
1664	GYYbKvC.exe
4824	PjgbcFv.exe
1084	rYgJOKJ.exe
3132	aHeLeua.exe
4976	dtcOuKs.exe
372	ijzpWqs.exe
2100	KBZIoeI.exe
4880	EgNLWNV.exe
4820	tnjGOGm.exe
4876	iazJSkB.exe
2212	wugQoIX.exe
4992	bGoyIuw.exe
1148	kOlIpVt.exe
4428	yDNMjTH.exe
1792	oOrLntJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4496-0-0x00007FF754810000-0x00007FF754B61000-memory.dmp	upx
behavioral2/memory/216-8-0x00007FF664EB0000-0x00007FF665201000-memory.dmp	upx
behavioral2/files/0x0007000000023c9b-9.dat	upx
behavioral2/files/0x0007000000023c9a-15.dat	upx
behavioral2/files/0x0007000000023ca0-39.dat	upx
behavioral2/files/0x0007000000023c9f-35.dat	upx
behavioral2/files/0x0007000000023ca2-49.dat	upx
behavioral2/files/0x0007000000023ca1-57.dat	upx
behavioral2/files/0x0007000000023ca3-61.dat	upx
behavioral2/files/0x000a000000023c97-69.dat	upx
behavioral2/files/0x0007000000023ca5-84.dat	upx
behavioral2/files/0x0007000000023ca8-91.dat	upx
behavioral2/memory/4876-103-0x00007FF700380000-0x00007FF7006D1000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-119.dat	upx
behavioral2/memory/1792-124-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-126.dat	upx
behavioral2/memory/4428-123-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp	upx
behavioral2/memory/4992-121-0x00007FF79ACB0000-0x00007FF79B001000-memory.dmp	upx
behavioral2/memory/2212-120-0x00007FF76DAB0000-0x00007FF76DE01000-memory.dmp	upx
behavioral2/memory/4820-118-0x00007FF6B5700000-0x00007FF6B5A51000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-116.dat	upx
behavioral2/files/0x0007000000023ca9-114.dat	upx
behavioral2/memory/1148-113-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-107.dat	upx
behavioral2/files/0x0007000000023ca7-99.dat	upx
behavioral2/memory/2100-97-0x00007FF7B2AC0000-0x00007FF7B2E11000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-93.dat	upx
behavioral2/memory/4976-89-0x00007FF7483F0000-0x00007FF748741000-memory.dmp	upx
behavioral2/memory/4880-80-0x00007FF7113F0000-0x00007FF711741000-memory.dmp	upx
behavioral2/memory/372-79-0x00007FF661D90000-0x00007FF6620E1000-memory.dmp	upx
behavioral2/memory/3132-73-0x00007FF715410000-0x00007FF715761000-memory.dmp	upx
behavioral2/memory/4824-65-0x00007FF771240000-0x00007FF771591000-memory.dmp	upx
behavioral2/memory/2656-59-0x00007FF7CB400000-0x00007FF7CB751000-memory.dmp	upx
behavioral2/memory/1084-53-0x00007FF70A560000-0x00007FF70A8B1000-memory.dmp	upx
behavioral2/memory/1664-52-0x00007FF7A8E60000-0x00007FF7A91B1000-memory.dmp	upx
behavioral2/memory/5064-48-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-44.dat	upx
behavioral2/files/0x0007000000023c9e-42.dat	upx
behavioral2/memory/3440-38-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp	upx
behavioral2/memory/2652-27-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp	upx
behavioral2/files/0x0007000000023c9c-32.dat	upx
behavioral2/memory/4444-18-0x00007FF78F610000-0x00007FF78F961000-memory.dmp	upx
behavioral2/files/0x0009000000023c94-6.dat	upx
behavioral2/memory/4496-128-0x00007FF754810000-0x00007FF754B61000-memory.dmp	upx
behavioral2/memory/216-129-0x00007FF664EB0000-0x00007FF665201000-memory.dmp	upx
behavioral2/memory/5064-133-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp	upx
behavioral2/memory/1792-148-0x00007FF76B200000-0x00007FF76B551000-memory.dmp	upx
behavioral2/memory/4428-149-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp	upx
behavioral2/memory/1148-147-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp	upx
behavioral2/memory/4876-144-0x00007FF700380000-0x00007FF7006D1000-memory.dmp	upx
behavioral2/memory/4880-141-0x00007FF7113F0000-0x00007FF711741000-memory.dmp	upx
behavioral2/memory/1084-137-0x00007FF70A560000-0x00007FF70A8B1000-memory.dmp	upx
behavioral2/memory/4824-136-0x00007FF771240000-0x00007FF771591000-memory.dmp	upx
behavioral2/memory/3440-132-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp	upx
behavioral2/memory/2652-131-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp	upx
behavioral2/memory/1664-135-0x00007FF7A8E60000-0x00007FF7A91B1000-memory.dmp	upx
behavioral2/memory/4496-150-0x00007FF754810000-0x00007FF754B61000-memory.dmp	upx
behavioral2/memory/4496-151-0x00007FF754810000-0x00007FF754B61000-memory.dmp	upx
behavioral2/memory/216-209-0x00007FF664EB0000-0x00007FF665201000-memory.dmp	upx
behavioral2/memory/4444-211-0x00007FF78F610000-0x00007FF78F961000-memory.dmp	upx
behavioral2/memory/2652-213-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp	upx
behavioral2/memory/3440-215-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp	upx
behavioral2/memory/5064-217-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp	upx
behavioral2/memory/2656-219-0x00007FF7CB400000-0x00007FF7CB751000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EgNLWNV.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kOlIpVt.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oOrLntJ.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXAJaGj.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYgJOKJ.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tnjGOGm.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\afKFaIq.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kyKoeaK.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aHeLeua.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ijzpWqs.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KBZIoeI.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wugQoIX.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FtHULwZ.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oGYVmZH.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bGoyIuw.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yDNMjTH.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjgbcFv.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtcOuKs.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iazJSkB.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KoCmLzG.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GYYbKvC.exe	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 216	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4496 wrote to memory of 216	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4496 wrote to memory of 4444	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4496 wrote to memory of 4444	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4496 wrote to memory of 2652	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4496 wrote to memory of 2652	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4496 wrote to memory of 3440	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4496 wrote to memory of 3440	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4496 wrote to memory of 5064	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4496 wrote to memory of 5064	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4496 wrote to memory of 2656	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4496 wrote to memory of 2656	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4496 wrote to memory of 1664	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4496 wrote to memory of 1664	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4496 wrote to memory of 4824	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4496 wrote to memory of 4824	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4496 wrote to memory of 1084	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4496 wrote to memory of 1084	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4496 wrote to memory of 3132	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4496 wrote to memory of 3132	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4496 wrote to memory of 4976	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4496 wrote to memory of 4976	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4496 wrote to memory of 372	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4496 wrote to memory of 372	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4496 wrote to memory of 4880	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4496 wrote to memory of 4880	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4496 wrote to memory of 2100	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4496 wrote to memory of 2100	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4496 wrote to memory of 4820	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4496 wrote to memory of 4820	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4496 wrote to memory of 4876	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4496 wrote to memory of 4876	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4496 wrote to memory of 2212	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4496 wrote to memory of 2212	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4496 wrote to memory of 4992	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4496 wrote to memory of 4992	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4496 wrote to memory of 1148	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4496 wrote to memory of 1148	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4496 wrote to memory of 1792	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4496 wrote to memory of 1792	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4496 wrote to memory of 4428	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4496 wrote to memory of 4428	4496	2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_66d8cff9099b11ae3cc68f74ce6de90c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\System\KoCmLzG.exe
  C:\Windows\System\KoCmLzG.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\FtHULwZ.exe
  C:\Windows\System\FtHULwZ.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\oGYVmZH.exe
  C:\Windows\System\oGYVmZH.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\wXAJaGj.exe
  C:\Windows\System\wXAJaGj.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\afKFaIq.exe
  C:\Windows\System\afKFaIq.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\kyKoeaK.exe
  C:\Windows\System\kyKoeaK.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\GYYbKvC.exe
  C:\Windows\System\GYYbKvC.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\PjgbcFv.exe
  C:\Windows\System\PjgbcFv.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\rYgJOKJ.exe
  C:\Windows\System\rYgJOKJ.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\aHeLeua.exe
  C:\Windows\System\aHeLeua.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\dtcOuKs.exe
  C:\Windows\System\dtcOuKs.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\ijzpWqs.exe
  C:\Windows\System\ijzpWqs.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\EgNLWNV.exe
  C:\Windows\System\EgNLWNV.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\KBZIoeI.exe
  C:\Windows\System\KBZIoeI.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\tnjGOGm.exe
  C:\Windows\System\tnjGOGm.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\iazJSkB.exe
  C:\Windows\System\iazJSkB.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\wugQoIX.exe
  C:\Windows\System\wugQoIX.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\bGoyIuw.exe
  C:\Windows\System\bGoyIuw.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\kOlIpVt.exe
  C:\Windows\System\kOlIpVt.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\oOrLntJ.exe
  C:\Windows\System\oOrLntJ.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\yDNMjTH.exe
  C:\Windows\System\yDNMjTH.exe
  2⤵
  - Executes dropped EXE
  PID:4428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EgNLWNV.exe

Filesize
5.2MB

MD5
dd83017be869ba43303b841caa76248a

SHA1
d8f4ff85d6fdf24d57fb2c277f9bc427e5b63686

SHA256
bf53df1d43699d7db614ca473887133ed6ae9cf8acb51d9adfa82d6085f1bf23

SHA512
0911944290fed657d9baf9cf563bcea642e0f6ff49974298af111a59aed117a0b8f9e7051333fd1b1ccf9aa7b9fae213b99e42abab04a45c16ab53a07af24708

Download Submit
C:\Windows\System\FtHULwZ.exe

Filesize
5.2MB

MD5
9320379074c9389e59afd9645f3930bd

SHA1
932fc56406ef86132ef8078eb7c4a6c47ed4d20c

SHA256
afb4fb67460e7b972d9378d03a5c148dda1cbc0b144e55401b45f941e8c1cf50

SHA512
1015427749abbd7d63efd51840ed787ce1baec36ddaccc4b65de8bc0deeb8b1db31f57ec503a6419273bb7fc1e952b8659d8f9a73b5092671b40786512ebe135

Download Submit
C:\Windows\System\GYYbKvC.exe

Filesize
5.2MB

MD5
10d58f5f94b0c1844277f335111fcaad

SHA1
7b6f8c2e39544b6e18b5abd5488b82b3c0498e3f

SHA256
04279c22365cc2d2eecae61b46f0838252c3f49a83878d6cf9548e5a8fcadfcf

SHA512
fc8ce6190643233d846c128fd113a3d674000b9a9cc0c54e9f3631829c001ed5e9e6dd1bc5bf12c3df18914ad5ab83083a0ecc4015046cef31343072b55cc379

Download Submit
C:\Windows\System\KBZIoeI.exe

Filesize
5.2MB

MD5
4a1f63dc7049dda4aa385487bcb47e72

SHA1
898e3fe2603bf7db2fba84f03665d737d1fb87c3

SHA256
ee89540e3e77826f21384055911cd7dbf56317a335525812fd29e2836b4d113b

SHA512
65bbfc75a166da84bb355f47ca895855e5c813ba003dc486a3bf8c18f75f84eb870e3dc70a34bfdeb512c893c6bbd5c03e97a975b2d85d5e39c7bd9a2e0695f9

Download Submit
C:\Windows\System\KoCmLzG.exe

Filesize
5.2MB

MD5
8c7677f7cd9925931ee5bda6496ee46f

SHA1
3d38fb5bca55ae7c11a6be5710e11a5246b82444

SHA256
5a7604fbb0fb9459ea69ec4484068be84cc338b00fd21db903ac3b0dfb009e2d

SHA512
b7251a60c9e2c518d1edb354fffc75f26b6f5d2b1b71d3b0e813270f05cdb223e232f0039123f278f60101ed402f09ad6d8dcdbade5de57a88a3eb1c3c56094e

Download Submit
C:\Windows\System\PjgbcFv.exe

Filesize
5.2MB

MD5
0b7a97ed99ec018af99c386c8a117da0

SHA1
2d0d24f0ef9ef9bb852d46c25a98e1afc81a7642

SHA256
b256862cbf2b6f7ff60a514cd20bf682432138ecf794c25a534f074dead836b8

SHA512
288cf56a45b0e063ece6d73fc63c1c88227e0cc84755ca5f2b637a1a0f9c4de5dbcb7d46d203c52a79d6dc9f852912a631edd691189deae1262bef34a44e2733

Download Submit
C:\Windows\System\aHeLeua.exe

Filesize
5.2MB

MD5
bb0a9352d70bf53bfaddf42c7f5d82c8

SHA1
c5daa2d1cfabd20ab4b034eac2b68781fa041f92

SHA256
c23934841b15fc8a203bad998940c441d525ac014022a64c51ee24d48c705acf

SHA512
1d57e0ab3899a786e06f40e18e65fa42324cb79597caea6d0ab656dcb2da960c7ecb0b227955569721c208bcfef2ef52c5d1ebdfa6bcdecd74d3fe189c0c8fd0

Download Submit
C:\Windows\System\afKFaIq.exe

Filesize
5.2MB

MD5
dc187c101fbb1fbb30717804a9be3e5e

SHA1
c0ce3bf46b7b19f57f3cdec112dded104ae6b476

SHA256
c1320e4917ee00d9f67c796a310ea63fbf8824ebd4915e0fca8a0c90602b0ed7

SHA512
794267419f1d7e371b5ad681e8a9a4e14e9d4a326d58b62dc3278954012603689e063f565e3600f638e13e3af0398c61cd74245f331bcc3ef3b28a10f595df0a

Download Submit
C:\Windows\System\bGoyIuw.exe

Filesize
5.2MB

MD5
f5718c843fc8e0936baf05d53d5d0703

SHA1
b42e58e56431529f5e2cb47b03bb7a2b3ec697bb

SHA256
3a3bca94225ca44e5eed6367e629f68388a95db966b30e06ac0315bbdb60382d

SHA512
dcddfadbf518bfc5c78a58954219fd6f13d66435fd602cde6ba16085357f1f73c7e42a13982fd2a932602b263c1570f4d0802e750043c05071632ba36375fb6f

Download Submit
C:\Windows\System\dtcOuKs.exe

Filesize
5.2MB

MD5
55bdb68f1ac7ed1e6fccd20bdccf87c5

SHA1
b505505bc12c99a462ea3da874a5b0d0bab843bf

SHA256
24b0528aa5581077500ae56939b5b09cdc909c00b9e9ba4e2e39b73d9a9e02a9

SHA512
0ada9bdc1fe5f3998d26f160b28537f4c0cb195b88db65df8cb397b6da14e6fd0466532553425330e799d3aa073644906f653e2249e015d5c67bacc3bf0c7cb7

Download Submit
C:\Windows\System\iazJSkB.exe

Filesize
5.2MB

MD5
ef02b1c2fc74c60b398522ae3000330d

SHA1
ed58320d9ff2fe101d20661653d782cdf53c6c4b

SHA256
044d0cc3b3f53a96cf79a11b30d96ab60e36eff38e7eec1dded7fdbad1182035

SHA512
e83b7584c321734b8748f161669340f9745e0c14dcc4afc09c1f8113a9a1d6711de099691c8d8d6eb7a1c9756bd397168dc1f5e3a79eb2dc3d6be851e230481e

Download Submit
C:\Windows\System\ijzpWqs.exe

Filesize
5.2MB

MD5
472ce7e6dca59b47207371cf66b4b955

SHA1
ac6045253aad6b29620c1b539620322dcb103b44

SHA256
9ff3746e26294558d259104cd8abd77246037dad2420710a2e49bca709298ab5

SHA512
e083b7585ee7cbcb1980763b28fe7d1a5832c705b1232d590d1f55607b486d55e1b9e03ba2a670a1bd478057222592329339acbfcf9afab86706b4fe5a51ba85

Download Submit
C:\Windows\System\kOlIpVt.exe

Filesize
5.2MB

MD5
da57235b46c8bba19c62387b424f225c

SHA1
36572f9fb6a17179deb9786e493eddae7500f47f

SHA256
a92be19163aebdb04cb65e57ee7f433e50a74167737c70b9528c6d1f9501bbf5

SHA512
347d7140be73d3c778ef8517c5c592772f6f94db08554ba6c682a8d00d04cf63334e2adb09a5521439e389fa2b5a79090898ba44663d5e3d2777b1a6a4d99837

Download Submit
C:\Windows\System\kyKoeaK.exe

Filesize
5.2MB

MD5
b77be00ff731b466171e839f5e285bb5

SHA1
c9ecd488e2dc793848aca87f503871ae88ece849

SHA256
ffddb5a9580fa02fddb3ff0e1f08b3770c4812e37e2bf2ad38096575a176a2fb

SHA512
04390a227daa22e74294c9b9e9f8a6bbd9a58f572d9cc3179f34d9a1fc9549af599c05077dc6461d0fe7c014cd90ab2ae6138fbbe3ed2d56d5dc142f47304bc6

Download Submit
C:\Windows\System\oGYVmZH.exe

Filesize
5.2MB

MD5
fcaf68b002f14cc0732ae132e752fb6f

SHA1
e3951d133192c4def69f75323fe78127d75351c1

SHA256
60c9372c024bd1b2bf6e3fcb0cd2b0d5db0e1932ebee95a110982bbe5e91ed9e

SHA512
aeb77621d7a000ce991b409061a6f5861ef6976d247d94d2b6d34797c5dcf678dc9bc65fc2630e891adc2b40d134b9c2bdbdaf66c409d6654e220a321fef020c

Download Submit
C:\Windows\System\oOrLntJ.exe

Filesize
5.2MB

MD5
8697ca9bf942afcdea5980dcb09a1632

SHA1
b22a2b6cd2a3a6e5dff30594efc7697b7b8abf33

SHA256
b7630c15df2d645e55252dae13fac40611d5825109a8c0e0e35d252530aaf6c2

SHA512
40a7134fc606000e2d15a2b63315d33c4412f08a4e171407e0d9ca91655a3e238145caf8cd9bc0c97c5adfd961e5ac05f29f2cb7a42a99c44d207921891981ad

Download Submit
C:\Windows\System\rYgJOKJ.exe

Filesize
5.2MB

MD5
8e0a583dcca37d666be91d4bee94fcca

SHA1
9c50144d9eebc0ceb7cc4c8466ddbc2f3989fc60

SHA256
6da5d7767badd63424a5cb41d29c2b7f5e4009eb5d34d6885decfa712d716c00

SHA512
c896ee3b29522a2eb06d3d62d27456a9edb7d8a03c6d2e1c65a69143da6173ca73c780144d06df3e2064ea6a76668a815544a66f13ec621782764ed154d00492

Download Submit
C:\Windows\System\tnjGOGm.exe

Filesize
5.2MB

MD5
f0884e514ab93fe8b2b88fecafa907d9

SHA1
6f42fc99475678bd5fc251d492f2e5a38c472841

SHA256
7548b6e19b4f410dedc6372a93ccf298b7f2e2cd8f22cd039ea3a4c2fc4d432e

SHA512
d4e15cbe11ff83a5463264a930c51f70fa161773344f6335b19c4778c59b9f96cc1916a4da9fef47d6e2f72992893672d8ea2f374f335281c4b17e92f9ec68e1

Download Submit
C:\Windows\System\wXAJaGj.exe

Filesize
5.2MB

MD5
a09605473a02bb32ecb0015850c77181

SHA1
03342645e0166f69ae2bff2004676622bcdc5a63

SHA256
3565f6e71e8de7788127623f21b79d18415f6f425cd826d9a2404d9d2becde67

SHA512
65acee7f994f039d683de5df8820dc3ba3ae1d4e2f69cb72fbf8d48358a6179a65023770c5b3bbea20eb3fecc222645ab8b2f1afcde8b0870293d69e250701e1

Download Submit
C:\Windows\System\wugQoIX.exe

Filesize
5.2MB

MD5
e374311ce4b9de1725c54175b7668745

SHA1
e389242d0c1686de1a04a169cc7d2d6d864e1880

SHA256
1497120fd279bd91d703d576f100643cf2e46d3a3b27196986bda76c2a6afca8

SHA512
59b78dfe2a291ba22d4788200122966f5cf29bbb735c501ba477c9ecc606bdb6bb199aef3d426e67aaf065b272e53212f8af302dfd130181634ccd96a7a3fc20

Download Submit
C:\Windows\System\yDNMjTH.exe

Filesize
5.2MB

MD5
5e8910e16e0dcc1b74d4cec2b6b1feb5

SHA1
a8a3ae0af2150d688f89d4ab0e3a03f91407ef5b

SHA256
3ef877cbaa4b0bfcc31dd86a75658e659168c77e5025b7e74552512500974ec6

SHA512
8b66d0dc9aced2bb383b3fe510b5a66c3427124eccb89f649f8394ea9060bcef385805c1998fdee03ebd58c54aa5c06169daa546a2ff3a8f00d6455b120ad015

Download Submit
memory/216-209-0x00007FF664EB0000-0x00007FF665201000-memory.dmp

Filesize
3.3MB

Download
memory/216-129-0x00007FF664EB0000-0x00007FF665201000-memory.dmp

Filesize
3.3MB

Download
memory/216-8-0x00007FF664EB0000-0x00007FF665201000-memory.dmp

Filesize
3.3MB

Download
memory/372-231-0x00007FF661D90000-0x00007FF6620E1000-memory.dmp

Filesize
3.3MB

Download
memory/372-79-0x00007FF661D90000-0x00007FF6620E1000-memory.dmp

Filesize
3.3MB

Download
memory/1084-137-0x00007FF70A560000-0x00007FF70A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1084-236-0x00007FF70A560000-0x00007FF70A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1084-53-0x00007FF70A560000-0x00007FF70A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/1148-249-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp

Filesize
3.3MB

Download
memory/1148-147-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp

Filesize
3.3MB

Download
memory/1148-113-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-235-0x00007FF7A8E60000-0x00007FF7A91B1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-135-0x00007FF7A8E60000-0x00007FF7A91B1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-52-0x00007FF7A8E60000-0x00007FF7A91B1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-124-0x00007FF76B200000-0x00007FF76B551000-memory.dmp

Filesize
3.3MB

Download
memory/1792-148-0x00007FF76B200000-0x00007FF76B551000-memory.dmp

Filesize
3.3MB

Download
memory/1792-258-0x00007FF76B200000-0x00007FF76B551000-memory.dmp

Filesize
3.3MB

Download
memory/2100-245-0x00007FF7B2AC0000-0x00007FF7B2E11000-memory.dmp

Filesize
3.3MB

Download
memory/2100-97-0x00007FF7B2AC0000-0x00007FF7B2E11000-memory.dmp

Filesize
3.3MB

Download
memory/2212-254-0x00007FF76DAB0000-0x00007FF76DE01000-memory.dmp

Filesize
3.3MB

Download
memory/2212-120-0x00007FF76DAB0000-0x00007FF76DE01000-memory.dmp

Filesize
3.3MB

Download
memory/2652-27-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp

Filesize
3.3MB

Download
memory/2652-131-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp

Filesize
3.3MB

Download
memory/2652-213-0x00007FF7A1500000-0x00007FF7A1851000-memory.dmp

Filesize
3.3MB

Download
memory/2656-59-0x00007FF7CB400000-0x00007FF7CB751000-memory.dmp

Filesize
3.3MB

Download
memory/2656-219-0x00007FF7CB400000-0x00007FF7CB751000-memory.dmp

Filesize
3.3MB

Download
memory/3132-232-0x00007FF715410000-0x00007FF715761000-memory.dmp

Filesize
3.3MB

Download
memory/3132-73-0x00007FF715410000-0x00007FF715761000-memory.dmp

Filesize
3.3MB

Download
memory/3440-132-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp

Filesize
3.3MB

Download
memory/3440-38-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp

Filesize
3.3MB

Download
memory/3440-215-0x00007FF69B660000-0x00007FF69B9B1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-149-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-123-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4428-257-0x00007FF779A60000-0x00007FF779DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4444-211-0x00007FF78F610000-0x00007FF78F961000-memory.dmp

Filesize
3.3MB

Download
memory/4444-18-0x00007FF78F610000-0x00007FF78F961000-memory.dmp

Filesize
3.3MB

Download
memory/4496-150-0x00007FF754810000-0x00007FF754B61000-memory.dmp

Filesize
3.3MB

Download
memory/4496-151-0x00007FF754810000-0x00007FF754B61000-memory.dmp

Filesize
3.3MB

Download
memory/4496-1-0x00000253F4460000-0x00000253F4470000-memory.dmp

Filesize
64KB

Download
memory/4496-128-0x00007FF754810000-0x00007FF754B61000-memory.dmp

Filesize
3.3MB

Download
memory/4496-0-0x00007FF754810000-0x00007FF754B61000-memory.dmp

Filesize
3.3MB

Download
memory/4820-118-0x00007FF6B5700000-0x00007FF6B5A51000-memory.dmp

Filesize
3.3MB

Download
memory/4820-247-0x00007FF6B5700000-0x00007FF6B5A51000-memory.dmp

Filesize
3.3MB

Download
memory/4824-136-0x00007FF771240000-0x00007FF771591000-memory.dmp

Filesize
3.3MB

Download
memory/4824-65-0x00007FF771240000-0x00007FF771591000-memory.dmp

Filesize
3.3MB

Download
memory/4824-239-0x00007FF771240000-0x00007FF771591000-memory.dmp

Filesize
3.3MB

Download
memory/4876-144-0x00007FF700380000-0x00007FF7006D1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-103-0x00007FF700380000-0x00007FF7006D1000-memory.dmp

Filesize
3.3MB

Download
memory/4876-252-0x00007FF700380000-0x00007FF7006D1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-141-0x00007FF7113F0000-0x00007FF711741000-memory.dmp

Filesize
3.3MB

Download
memory/4880-80-0x00007FF7113F0000-0x00007FF711741000-memory.dmp

Filesize
3.3MB

Download
memory/4880-243-0x00007FF7113F0000-0x00007FF711741000-memory.dmp

Filesize
3.3MB

Download
memory/4976-240-0x00007FF7483F0000-0x00007FF748741000-memory.dmp

Filesize
3.3MB

Download
memory/4976-89-0x00007FF7483F0000-0x00007FF748741000-memory.dmp

Filesize
3.3MB

Download
memory/4992-121-0x00007FF79ACB0000-0x00007FF79B001000-memory.dmp

Filesize
3.3MB

Download
memory/4992-251-0x00007FF79ACB0000-0x00007FF79B001000-memory.dmp

Filesize
3.3MB

Download
memory/5064-48-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp

Filesize
3.3MB

Download
memory/5064-217-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp

Filesize
3.3MB

Download
memory/5064-133-0x00007FF73CFD0000-0x00007FF73D321000-memory.dmp

Filesize
3.3MB

Download