cobaltstrike | 3f0a9a4c86aa0d46f60b8162934d3832ede261583addcfd955c892c37f5daf40

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5c5329fae83ae83617c5aa58f6f24f7b
SHA1

136821128e727064c48a053070aeaf09bf38fc43
SHA256

3f0a9a4c86aa0d46f60b8162934d3832ede261583addcfd955c892c37f5daf40
SHA512

2c3a876f72dd92b96458300f058b020dc66b6978c0e7f6b59e2fbddad24b6c21f2f001e564dba0c1b97d8d29904278f09a509215b999c15589dc734b15fa16e5
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBibf56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000e000000023b73-4.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b79-9.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b7a-18.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-31.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-44.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-55.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-70.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-96.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-94.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-88.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b75-84.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-73.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b7b-61.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b78-20.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-132.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-140.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-138.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3092-101-0x00007FF6FB4F0000-0x00007FF6FB841000-memory.dmp	xmrig
behavioral2/memory/2948-104-0x00007FF7C8800000-0x00007FF7C8B51000-memory.dmp	xmrig
behavioral2/memory/5020-103-0x00007FF6ACEF0000-0x00007FF6AD241000-memory.dmp	xmrig
behavioral2/memory/2452-102-0x00007FF68A600000-0x00007FF68A951000-memory.dmp	xmrig
behavioral2/memory/5108-92-0x00007FF7A7320000-0x00007FF7A7671000-memory.dmp	xmrig
behavioral2/memory/3972-79-0x00007FF6573C0000-0x00007FF657711000-memory.dmp	xmrig
behavioral2/memory/3632-47-0x00007FF63EA40000-0x00007FF63ED91000-memory.dmp	xmrig
behavioral2/memory/224-105-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	xmrig
behavioral2/memory/1532-124-0x00007FF776C20000-0x00007FF776F71000-memory.dmp	xmrig
behavioral2/memory/1512-130-0x00007FF778D40000-0x00007FF779091000-memory.dmp	xmrig
behavioral2/memory/2240-117-0x00007FF6D6810000-0x00007FF6D6B61000-memory.dmp	xmrig
behavioral2/memory/2704-115-0x00007FF7E9570000-0x00007FF7E98C1000-memory.dmp	xmrig
behavioral2/memory/4740-113-0x00007FF70EEE0000-0x00007FF70F231000-memory.dmp	xmrig
behavioral2/memory/2748-112-0x00007FF708CB0000-0x00007FF709001000-memory.dmp	xmrig
behavioral2/memory/3312-108-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp	xmrig
behavioral2/memory/1964-109-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp	xmrig
behavioral2/memory/3820-106-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp	xmrig
behavioral2/memory/5048-121-0x00007FF73CCE0000-0x00007FF73D031000-memory.dmp	xmrig
behavioral2/memory/224-146-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	xmrig
behavioral2/memory/224-147-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	xmrig
behavioral2/memory/1988-165-0x00007FF71BCF0000-0x00007FF71C041000-memory.dmp	xmrig
behavioral2/memory/4356-168-0x00007FF7A2700000-0x00007FF7A2A51000-memory.dmp	xmrig
behavioral2/memory/1968-167-0x00007FF78C2D0000-0x00007FF78C621000-memory.dmp	xmrig
behavioral2/memory/1952-166-0x00007FF751DC0000-0x00007FF752111000-memory.dmp	xmrig
behavioral2/memory/224-169-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	xmrig
behavioral2/memory/3820-211-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp	xmrig
behavioral2/memory/3312-213-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp	xmrig
behavioral2/memory/1964-215-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp	xmrig
behavioral2/memory/2748-217-0x00007FF708CB0000-0x00007FF709001000-memory.dmp	xmrig
behavioral2/memory/3632-219-0x00007FF63EA40000-0x00007FF63ED91000-memory.dmp	xmrig
behavioral2/memory/2704-223-0x00007FF7E9570000-0x00007FF7E98C1000-memory.dmp	xmrig
behavioral2/memory/3092-222-0x00007FF6FB4F0000-0x00007FF6FB841000-memory.dmp	xmrig
behavioral2/memory/2240-235-0x00007FF6D6810000-0x00007FF6D6B61000-memory.dmp	xmrig
behavioral2/memory/4740-243-0x00007FF70EEE0000-0x00007FF70F231000-memory.dmp	xmrig
behavioral2/memory/5108-241-0x00007FF7A7320000-0x00007FF7A7671000-memory.dmp	xmrig
behavioral2/memory/2948-240-0x00007FF7C8800000-0x00007FF7C8B51000-memory.dmp	xmrig
behavioral2/memory/5048-238-0x00007FF73CCE0000-0x00007FF73D031000-memory.dmp	xmrig
behavioral2/memory/3972-234-0x00007FF6573C0000-0x00007FF657711000-memory.dmp	xmrig
behavioral2/memory/2452-232-0x00007FF68A600000-0x00007FF68A951000-memory.dmp	xmrig
behavioral2/memory/1532-228-0x00007FF776C20000-0x00007FF776F71000-memory.dmp	xmrig
behavioral2/memory/5020-230-0x00007FF6ACEF0000-0x00007FF6AD241000-memory.dmp	xmrig
behavioral2/memory/1512-226-0x00007FF778D40000-0x00007FF779091000-memory.dmp	xmrig
behavioral2/memory/1988-253-0x00007FF71BCF0000-0x00007FF71C041000-memory.dmp	xmrig
behavioral2/memory/4356-255-0x00007FF7A2700000-0x00007FF7A2A51000-memory.dmp	xmrig
behavioral2/memory/1968-258-0x00007FF78C2D0000-0x00007FF78C621000-memory.dmp	xmrig
behavioral2/memory/1952-259-0x00007FF751DC0000-0x00007FF752111000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3820	gUIIRrr.exe
3312	yjbMEUD.exe
1964	dxiNEHc.exe
2748	AcZXNuf.exe
3632	BbjZfUw.exe
2704	tHjDXzb.exe
3092	nCbJTOP.exe
4740	FgpGogj.exe
2240	xcGlAmm.exe
3972	HjEGcns.exe
2452	YOCakFQ.exe
5020	ZQkBetk.exe
5048	mFQfUJg.exe
5108	rsoQWbB.exe
2948	nWgFKBx.exe
1532	SDUnplO.exe
1512	DUgPryK.exe
1988	NGZJvia.exe
1952	PSJYIQK.exe
1968	FetxLmJ.exe
4356	RVGGlYV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/224-0-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	upx
behavioral2/files/0x000e000000023b73-4.dat	upx
behavioral2/files/0x0031000000023b79-9.dat	upx
behavioral2/files/0x0031000000023b7a-18.dat	upx
behavioral2/files/0x000a000000023b7c-31.dat	upx
behavioral2/files/0x000a000000023b7e-39.dat	upx
behavioral2/files/0x000a000000023b80-44.dat	upx
behavioral2/files/0x000a000000023b81-55.dat	upx
behavioral2/files/0x000a000000023b83-70.dat	upx
behavioral2/files/0x000a000000023b86-86.dat	upx
behavioral2/memory/1532-93-0x00007FF776C20000-0x00007FF776F71000-memory.dmp	upx
behavioral2/memory/3092-101-0x00007FF6FB4F0000-0x00007FF6FB841000-memory.dmp	upx
behavioral2/memory/2948-104-0x00007FF7C8800000-0x00007FF7C8B51000-memory.dmp	upx
behavioral2/memory/5020-103-0x00007FF6ACEF0000-0x00007FF6AD241000-memory.dmp	upx
behavioral2/memory/2452-102-0x00007FF68A600000-0x00007FF68A951000-memory.dmp	upx
behavioral2/memory/1512-100-0x00007FF778D40000-0x00007FF779091000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-96.dat	upx
behavioral2/files/0x000a000000023b84-94.dat	upx
behavioral2/memory/5108-92-0x00007FF7A7320000-0x00007FF7A7671000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-88.dat	upx
behavioral2/memory/5048-87-0x00007FF73CCE0000-0x00007FF73D031000-memory.dmp	upx
behavioral2/files/0x000b000000023b75-84.dat	upx
behavioral2/memory/3972-79-0x00007FF6573C0000-0x00007FF657711000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-73.dat	upx
behavioral2/files/0x0031000000023b7b-61.dat	upx
behavioral2/memory/4740-60-0x00007FF70EEE0000-0x00007FF70F231000-memory.dmp	upx
behavioral2/memory/2240-65-0x00007FF6D6810000-0x00007FF6D6B61000-memory.dmp	upx
behavioral2/memory/2704-54-0x00007FF7E9570000-0x00007FF7E98C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7d-50.dat	upx
behavioral2/memory/3632-47-0x00007FF63EA40000-0x00007FF63ED91000-memory.dmp	upx
behavioral2/memory/2748-27-0x00007FF708CB0000-0x00007FF709001000-memory.dmp	upx
behavioral2/memory/1964-19-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-20.dat	upx
behavioral2/memory/3312-15-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp	upx
behavioral2/memory/3820-7-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp	upx
behavioral2/memory/224-105-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	upx
behavioral2/memory/1532-124-0x00007FF776C20000-0x00007FF776F71000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-132.dat	upx
behavioral2/memory/1968-136-0x00007FF78C2D0000-0x00007FF78C621000-memory.dmp	upx
behavioral2/memory/4356-141-0x00007FF7A2700000-0x00007FF7A2A51000-memory.dmp	upx
behavioral2/memory/1952-143-0x00007FF751DC0000-0x00007FF752111000-memory.dmp	upx
behavioral2/files/0x000a000000023b8b-140.dat	upx
behavioral2/files/0x000a000000023b8a-138.dat	upx
behavioral2/files/0x000a000000023b87-133.dat	upx
behavioral2/memory/1988-131-0x00007FF71BCF0000-0x00007FF71C041000-memory.dmp	upx
behavioral2/memory/1512-130-0x00007FF778D40000-0x00007FF779091000-memory.dmp	upx
behavioral2/memory/2240-117-0x00007FF6D6810000-0x00007FF6D6B61000-memory.dmp	upx
behavioral2/memory/2704-115-0x00007FF7E9570000-0x00007FF7E98C1000-memory.dmp	upx
behavioral2/memory/4740-113-0x00007FF70EEE0000-0x00007FF70F231000-memory.dmp	upx
behavioral2/memory/2748-112-0x00007FF708CB0000-0x00007FF709001000-memory.dmp	upx
behavioral2/memory/3312-108-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp	upx
behavioral2/memory/1964-109-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp	upx
behavioral2/memory/3820-106-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp	upx
behavioral2/memory/5048-121-0x00007FF73CCE0000-0x00007FF73D031000-memory.dmp	upx
behavioral2/memory/224-146-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	upx
behavioral2/memory/224-147-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	upx
behavioral2/memory/1988-165-0x00007FF71BCF0000-0x00007FF71C041000-memory.dmp	upx
behavioral2/memory/4356-168-0x00007FF7A2700000-0x00007FF7A2A51000-memory.dmp	upx
behavioral2/memory/1968-167-0x00007FF78C2D0000-0x00007FF78C621000-memory.dmp	upx
behavioral2/memory/1952-166-0x00007FF751DC0000-0x00007FF752111000-memory.dmp	upx
behavioral2/memory/224-169-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp	upx
behavioral2/memory/3820-211-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp	upx
behavioral2/memory/3312-213-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp	upx
behavioral2/memory/1964-215-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\PSJYIQK.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVGGlYV.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nCbJTOP.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZQkBetk.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mFQfUJg.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NGZJvia.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BbjZfUw.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUgPryK.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjEGcns.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rsoQWbB.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SDUnplO.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yjbMEUD.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxiNEHc.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AcZXNuf.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xcGlAmm.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nWgFKBx.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FetxLmJ.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gUIIRrr.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FgpGogj.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHjDXzb.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YOCakFQ.exe	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3820	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 224 wrote to memory of 3820	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 224 wrote to memory of 3312	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 224 wrote to memory of 3312	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 224 wrote to memory of 1964	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 224 wrote to memory of 1964	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 224 wrote to memory of 2748	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 224 wrote to memory of 2748	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 224 wrote to memory of 4740	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 224 wrote to memory of 4740	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 224 wrote to memory of 3632	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 224 wrote to memory of 3632	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 224 wrote to memory of 2704	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 224 wrote to memory of 2704	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 224 wrote to memory of 3092	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 224 wrote to memory of 3092	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 224 wrote to memory of 2240	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 224 wrote to memory of 2240	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 224 wrote to memory of 3972	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 224 wrote to memory of 3972	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 224 wrote to memory of 2452	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 224 wrote to memory of 2452	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 224 wrote to memory of 5020	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 224 wrote to memory of 5020	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 224 wrote to memory of 5048	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 224 wrote to memory of 5048	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 224 wrote to memory of 5108	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 224 wrote to memory of 5108	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 224 wrote to memory of 2948	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 224 wrote to memory of 2948	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 224 wrote to memory of 1532	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 224 wrote to memory of 1532	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 224 wrote to memory of 1512	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 224 wrote to memory of 1512	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 224 wrote to memory of 1988	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 224 wrote to memory of 1988	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 224 wrote to memory of 1952	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 224 wrote to memory of 1952	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 224 wrote to memory of 1968	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 224 wrote to memory of 1968	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 224 wrote to memory of 4356	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 224 wrote to memory of 4356	224	2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_5c5329fae83ae83617c5aa58f6f24f7b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\System\gUIIRrr.exe
  C:\Windows\System\gUIIRrr.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\yjbMEUD.exe
  C:\Windows\System\yjbMEUD.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\dxiNEHc.exe
  C:\Windows\System\dxiNEHc.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\AcZXNuf.exe
  C:\Windows\System\AcZXNuf.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\FgpGogj.exe
  C:\Windows\System\FgpGogj.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\BbjZfUw.exe
  C:\Windows\System\BbjZfUw.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\tHjDXzb.exe
  C:\Windows\System\tHjDXzb.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\nCbJTOP.exe
  C:\Windows\System\nCbJTOP.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\xcGlAmm.exe
  C:\Windows\System\xcGlAmm.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\HjEGcns.exe
  C:\Windows\System\HjEGcns.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\YOCakFQ.exe
  C:\Windows\System\YOCakFQ.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\ZQkBetk.exe
  C:\Windows\System\ZQkBetk.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\mFQfUJg.exe
  C:\Windows\System\mFQfUJg.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\rsoQWbB.exe
  C:\Windows\System\rsoQWbB.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\nWgFKBx.exe
  C:\Windows\System\nWgFKBx.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\SDUnplO.exe
  C:\Windows\System\SDUnplO.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\DUgPryK.exe
  C:\Windows\System\DUgPryK.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\NGZJvia.exe
  C:\Windows\System\NGZJvia.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\PSJYIQK.exe
  C:\Windows\System\PSJYIQK.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\FetxLmJ.exe
  C:\Windows\System\FetxLmJ.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\RVGGlYV.exe
  C:\Windows\System\RVGGlYV.exe
  2⤵
  - Executes dropped EXE
  PID:4356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AcZXNuf.exe

Filesize
5.2MB

MD5
3dd253d715f6b6af630fcf1dd15cfe31

SHA1
6674832af9c9ddf4fc65e4bf3330192fad90a4a9

SHA256
152de9b744437f2b76fbecd326e64a1043a6580062a5fb6deaf0acb84ec9ef79

SHA512
73f6a0aadfc2389873d15042c088a23723cae875f51a883d8f2f4ac59280f92e71ca4b925082799711af2d3ba4aff18b953d306364dbf4d44a518194c82be4fa

Download Submit
C:\Windows\System\BbjZfUw.exe

Filesize
5.2MB

MD5
157df62fc4abab60c7cd9f854037fbe0

SHA1
6858cfdad865bbe53ac8786779aeef20c2ff08a8

SHA256
28ee6f3dd1b3178421a95202d962712d92741d118c4d3f5379daab496627d90b

SHA512
e34bb098e10839013e09726ba0519d09b5c9712efdcf9f84ced7c16226d1f055e48ac1f2515fbbdab56515d37f9ad4270cfdb10dae7c90281c88c59a0479782e

Download Submit
C:\Windows\System\DUgPryK.exe

Filesize
5.2MB

MD5
b9605124a3a79f22a0dd925f2a600775

SHA1
4e99e79b0371067ef552d8e9e1b8de9e69680040

SHA256
2d74f3d2f5659d97c8256b2ee70c8a0e327e7653713c40afae8953e890ab931c

SHA512
1a8a214eaf256a47905fd8d86df489004744d269fd188b635d01d10c28eacadad5c4799a406e95fcb2045bfb214c103aa61cf9f76b466e834944aaa1629da7ee

Download Submit
C:\Windows\System\FetxLmJ.exe

Filesize
5.2MB

MD5
66959b6faf4d71f95e1af5617b5a03df

SHA1
7061d7be678f871386d7ab336e46d05e9bf0fb41

SHA256
cb5b4bbfbfc541db2437b3ef16528b9ff5130c7bb66fc357440ff45490d6d81f

SHA512
11a013ea07b602e21c0ecf0676499729e7f3e8134d467b3df727b51b711bd1d6fc9d93227d2eb95f61735367b8c2a2060975746bdf6816c2753a5f415d71ec68

Download Submit
C:\Windows\System\FgpGogj.exe

Filesize
5.2MB

MD5
07cfadca1deb8fda96b34c61034f9bdd

SHA1
eabd18f4a279b5e8b5d222466fa4bc05ecdaa718

SHA256
e801248967d6b1ecfa68fd4038af12585b62d9c5e6c4f867232930cfb3a9fa52

SHA512
cdbd20b5f73aec081494058d325ce1093139d72157e5e75f8350b6e8c880828406ef39ee0ae53ef7d68b85f5a3fbfa1f64ca8bca4d61ba82628d49f8e6940024

Download Submit
C:\Windows\System\HjEGcns.exe

Filesize
5.2MB

MD5
8e05dd3fc7c265aa35b4e5af72347580

SHA1
f6a4224dbe4a08c254928adc004ed7d0fcdb3eb7

SHA256
7d23c5f2fa15c473affe01b641cb9a6bd35a17cae83552bac94b21125e6d987d

SHA512
72b2bdb038994360d561f4a80ca560289a8a226110b82be9b237aacddca179bd7991697c9eff66efbde0359467a77cd6ec7bf0294c0877e116125e02405f1909

Download Submit
C:\Windows\System\NGZJvia.exe

Filesize
5.2MB

MD5
0e71cd1a03084bfea5d83d2ce51e39d7

SHA1
f6610668477cf4683aeb6ba9817bf15419f4c27b

SHA256
d3f430974ddc15679e9b2819cd696311b10def1fa79f40511d23e8589c4dcb33

SHA512
6d4df785da88308482285b70dbea601189e40c825442537406921ec9b85a2f26b52fbe060738116d344cb5c17d8f9296ebb10c55f679d4daaf8ef2530e771ca6

Download Submit
C:\Windows\System\PSJYIQK.exe

Filesize
5.2MB

MD5
b753e64cf292acbd99c8b76986ccb205

SHA1
8969bb50f950ec3806214fb8d18b5f91ddf10e38

SHA256
fd1ca55f3dd0227e7ad02f93ca22d524eccc83d88627d42921c5a09f213cd229

SHA512
974a4141c7f7b3b143dd6ead27272dfac513055b110538934f830b153afb93f2c3c5f001012709019e8a277a14945ee74af49b5e34f21b438957f274ee9e990d

Download Submit
C:\Windows\System\RVGGlYV.exe

Filesize
5.2MB

MD5
ebf127c627d3cb3b5eb7df78584737bc

SHA1
65004ca7956bb2b97568895e338518b4b2345bb1

SHA256
46fa1dd4ca0ee15cf66956b8c46256cf13d186d7d85e028516563fd32e98185a

SHA512
f2e1c9640c4e580a00ca72e8b03123015a9536827d62782f204182c342fe8d1383bd9a9a8316fce27d823dc3af3544e37a71c44b107f5739b28b87d158eefb4f

Download Submit
C:\Windows\System\SDUnplO.exe

Filesize
5.2MB

MD5
a8c33ba41c2570680aa7f025890746df

SHA1
692593626930000a6608b0a55c296083869790d5

SHA256
a74bed8ceb5b9c499d152418d97590a70dead46a384adc2405cc48b911628375

SHA512
dd350eb5864ac4783ab0e986980d1843a8153d082229a640eefafba4f527e6409ba42058e8100e30152c39e1798c35cd7689f88a750b4d9b46f1b33796119ca0

Download Submit
C:\Windows\System\YOCakFQ.exe

Filesize
5.2MB

MD5
db58a167ac0b729e9f1fcf4f23433783

SHA1
5cb8f2e2fafce88168fed0b79762e1b0cfb68ad9

SHA256
0e8bcd69d651d2cf53fe62cf3979bc5e13e918c80406b52d62ea56fc9568e8d3

SHA512
2a183ed3ffadb7b9a3693b9e2f506f7dfeba163ffa3a510be2df75d28b2d4693a0f7fbc5e1007da0def3fd0b2127984ed97150a311f30c756e80d5e2fb6f5aa3

Download Submit
C:\Windows\System\ZQkBetk.exe

Filesize
5.2MB

MD5
953eb7d75fb536c1ba3c2345184b9d0d

SHA1
b5c3ae630754face680052b10d79dddc223a04e6

SHA256
8d76a4484b466d5e01ee9a8206d1e1c7da41b5e3a39f3ab56108a394bae7b37c

SHA512
3ff4a9327daafb360c01a01f46028debca7258a28b4553bae78585939e8ab1b3e2d52d3daa9237e6f1ec8355c7cadf14cb863b4636cc16f0e710aeeb1040984e

Download Submit
C:\Windows\System\dxiNEHc.exe

Filesize
5.2MB

MD5
983e8bd1c7675869eb423afd574038c5

SHA1
e2347d6e2db785ac84c853884736795c3188db00

SHA256
829b3e76b4f41ff38190b77e76ca7f41580113e017ae45e2834c48704247d4fa

SHA512
d8478fe1b7c7a26d94bbdfa78bdc9137904e48fda7f09f2693b310d81d077b026051e44f89951b9a640d0740ef1019e783e1fecd719a916d87da8e883b8eac56

Download Submit
C:\Windows\System\gUIIRrr.exe

Filesize
5.2MB

MD5
d2a81880f1bbf38b3a8ec4d54008456c

SHA1
b052316b0bfd545ebfe16b01131ee8789a1f7178

SHA256
aede13751cfa90f45ccc6c32a709dd54cc9c8efa86a8920fdcfc9aea03555d61

SHA512
4a4ef2a5aae6cd49063d3da3c5356259d850f1f7c122cefd3c3c0c7e033ea5d0de3951dc62676cd84e62a23641c2b7a1a71863f3f344f6c3ea8b922e2ff50b3c

Download Submit
C:\Windows\System\mFQfUJg.exe

Filesize
5.2MB

MD5
8013d06d2802b3980c3ee9fa4699d615

SHA1
e73a679fc3e6d0c6df11a338b6567a38f44aebb4

SHA256
dd8cf011f763f744f632ad1dedaa01d99a893c7855e0a372d9a2f8ea4df6ffbf

SHA512
eca8f9822866448045b7507daa3e8b50ee5735eee82cf3efae0d3e2c39c95fbabe272195fa194699356a9f4e37a788bbcff41bf27f9be562b3d9b8cb37586775

Download Submit
C:\Windows\System\nCbJTOP.exe

Filesize
5.2MB

MD5
e7f19d398e1b3735749ddda44a2d75e0

SHA1
79f5f992a3741b3a578999b41ca5b1cb7fe7d66a

SHA256
0414d0a40468d51c7bac11d77691687943a6e67b220c8e145b0edf20f71ab7de

SHA512
34b9f501929b7e4486c3003b31bb110d3c7f883b71b093dae30fae9bc0295608c49397fdaf51325e37d223be76094355ae18bbef348552a609a7fed8ebcaa445

Download Submit
C:\Windows\System\nWgFKBx.exe

Filesize
5.2MB

MD5
762a7afa8f9ad6b7ac02f52b892deb8d

SHA1
47e61235412517a06964a183046fa9393ced8946

SHA256
a7d635d79f092989402e11a8a59caeb272786c08a530c8aa7d06e3330b748d80

SHA512
31e08cb2766f32867455ec7047fabba7adb77a17c634e8419d27e0c4322cee0952424ccc5453fd5d11f9c93ab8c30fa7d7b3fa7298c53519e3ef195967ef35b8

Download Submit
C:\Windows\System\rsoQWbB.exe

Filesize
5.2MB

MD5
23b13dcf5aa6190c8b7106105c7df7fa

SHA1
1ee43a2bfa9293d8d3312e850a5b118ace0ebc4a

SHA256
271b411b760ef88416d5c5cbab21a05344f30b1842093d316cb6664d220f7590

SHA512
2af8166e72e81597f68e499a524e9d36e7ff4f61489b6609106352b9c2c9c8a75229b9c01ff4c51b59c5b0e24f86bf761c2d27698d1eada65916450257804315

Download Submit
C:\Windows\System\tHjDXzb.exe

Filesize
5.2MB

MD5
53ebd3ac197694fbe427dee1070775bb

SHA1
a9bbcc01faab8741023ddaa94f89bf0054b13fa0

SHA256
b6fde6a16c73e1acf4ce529fc2dadba9f0b158f502bc72543875650ca90877fb

SHA512
b52c7a74289ec1e4c4fd1e16e4bae878a19f4919cc7dff1e7851646f762a29d99f621535d5e775511b012d3d6d0103200ec43a2e29442447b0201aa23a49808a

Download Submit
C:\Windows\System\xcGlAmm.exe

Filesize
5.2MB

MD5
da10fcd36621dc67afe42d7850eeb12e

SHA1
833d2858c28355e78ea3f00d04d463d7cf542372

SHA256
801a90c53dd6a42a8f0d302f4f1ac261e239eefcd39071a5f0a79038ae0323da

SHA512
642e2d3c8f89da35be58a27356df0615b4a8b880699edd64aeeaceb18f955b02c31b2e887a5b694f2ce4bfc8e8d9309f8302c6f724bd7998cac40174a225b479

Download Submit
C:\Windows\System\yjbMEUD.exe

Filesize
5.2MB

MD5
36542481235fef8d4ced655146f7264a

SHA1
2537d1e3cb6b0a3a3e89cff17be8dabcb08b35d8

SHA256
2efeebcff4ff94a87b6e4ccad9b50a6a4b43c063989f8d46804ef6820c5693d3

SHA512
9468ef5e5e7b3f202c35d4a3cbd3606d723251638641df6a9448ac1324bc23bb29da5d11b1befe5e07b8c81e295697ce4c6a33d5bf8e745db5b7133bfd45877c

Download Submit
memory/224-147-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/224-1-0x0000028020BE0000-0x0000028020BF0000-memory.dmp

Filesize
64KB

Download
memory/224-169-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/224-105-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/224-146-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/224-0-0x00007FF75C970000-0x00007FF75CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-226-0x00007FF778D40000-0x00007FF779091000-memory.dmp

Filesize
3.3MB

Download
memory/1512-100-0x00007FF778D40000-0x00007FF779091000-memory.dmp

Filesize
3.3MB

Download
memory/1512-130-0x00007FF778D40000-0x00007FF779091000-memory.dmp

Filesize
3.3MB

Download
memory/1532-228-0x00007FF776C20000-0x00007FF776F71000-memory.dmp

Filesize
3.3MB

Download
memory/1532-124-0x00007FF776C20000-0x00007FF776F71000-memory.dmp

Filesize
3.3MB

Download
memory/1532-93-0x00007FF776C20000-0x00007FF776F71000-memory.dmp

Filesize
3.3MB

Download
memory/1952-259-0x00007FF751DC0000-0x00007FF752111000-memory.dmp

Filesize
3.3MB

Download
memory/1952-166-0x00007FF751DC0000-0x00007FF752111000-memory.dmp

Filesize
3.3MB

Download
memory/1952-143-0x00007FF751DC0000-0x00007FF752111000-memory.dmp

Filesize
3.3MB

Download
memory/1964-109-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp

Filesize
3.3MB

Download
memory/1964-19-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp

Filesize
3.3MB

Download
memory/1964-215-0x00007FF7ACD40000-0x00007FF7AD091000-memory.dmp

Filesize
3.3MB

Download
memory/1968-136-0x00007FF78C2D0000-0x00007FF78C621000-memory.dmp

Filesize
3.3MB

Download
memory/1968-167-0x00007FF78C2D0000-0x00007FF78C621000-memory.dmp

Filesize
3.3MB

Download
memory/1968-258-0x00007FF78C2D0000-0x00007FF78C621000-memory.dmp

Filesize
3.3MB

Download
memory/1988-253-0x00007FF71BCF0000-0x00007FF71C041000-memory.dmp

Filesize
3.3MB

Download
memory/1988-131-0x00007FF71BCF0000-0x00007FF71C041000-memory.dmp

Filesize
3.3MB

Download
memory/1988-165-0x00007FF71BCF0000-0x00007FF71C041000-memory.dmp

Filesize
3.3MB

Download
memory/2240-65-0x00007FF6D6810000-0x00007FF6D6B61000-memory.dmp

Filesize
3.3MB

Download
memory/2240-235-0x00007FF6D6810000-0x00007FF6D6B61000-memory.dmp

Filesize
3.3MB

Download
memory/2240-117-0x00007FF6D6810000-0x00007FF6D6B61000-memory.dmp

Filesize
3.3MB

Download
memory/2452-232-0x00007FF68A600000-0x00007FF68A951000-memory.dmp

Filesize
3.3MB

Download
memory/2452-102-0x00007FF68A600000-0x00007FF68A951000-memory.dmp

Filesize
3.3MB

Download
memory/2704-115-0x00007FF7E9570000-0x00007FF7E98C1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-223-0x00007FF7E9570000-0x00007FF7E98C1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-54-0x00007FF7E9570000-0x00007FF7E98C1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-112-0x00007FF708CB0000-0x00007FF709001000-memory.dmp

Filesize
3.3MB

Download
memory/2748-217-0x00007FF708CB0000-0x00007FF709001000-memory.dmp

Filesize
3.3MB

Download
memory/2748-27-0x00007FF708CB0000-0x00007FF709001000-memory.dmp

Filesize
3.3MB

Download
memory/2948-240-0x00007FF7C8800000-0x00007FF7C8B51000-memory.dmp

Filesize
3.3MB

Download
memory/2948-104-0x00007FF7C8800000-0x00007FF7C8B51000-memory.dmp

Filesize
3.3MB

Download
memory/3092-101-0x00007FF6FB4F0000-0x00007FF6FB841000-memory.dmp

Filesize
3.3MB

Download
memory/3092-222-0x00007FF6FB4F0000-0x00007FF6FB841000-memory.dmp

Filesize
3.3MB

Download
memory/3312-213-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp

Filesize
3.3MB

Download
memory/3312-15-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp

Filesize
3.3MB

Download
memory/3312-108-0x00007FF6C9320000-0x00007FF6C9671000-memory.dmp

Filesize
3.3MB

Download
memory/3632-219-0x00007FF63EA40000-0x00007FF63ED91000-memory.dmp

Filesize
3.3MB

Download
memory/3632-47-0x00007FF63EA40000-0x00007FF63ED91000-memory.dmp

Filesize
3.3MB

Download
memory/3820-211-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-7-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp

Filesize
3.3MB

Download
memory/3820-106-0x00007FF6923A0000-0x00007FF6926F1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-234-0x00007FF6573C0000-0x00007FF657711000-memory.dmp

Filesize
3.3MB

Download
memory/3972-79-0x00007FF6573C0000-0x00007FF657711000-memory.dmp

Filesize
3.3MB

Download
memory/4356-168-0x00007FF7A2700000-0x00007FF7A2A51000-memory.dmp

Filesize
3.3MB

Download
memory/4356-255-0x00007FF7A2700000-0x00007FF7A2A51000-memory.dmp

Filesize
3.3MB

Download
memory/4356-141-0x00007FF7A2700000-0x00007FF7A2A51000-memory.dmp

Filesize
3.3MB

Download
memory/4740-243-0x00007FF70EEE0000-0x00007FF70F231000-memory.dmp

Filesize
3.3MB

Download
memory/4740-60-0x00007FF70EEE0000-0x00007FF70F231000-memory.dmp

Filesize
3.3MB

Download
memory/4740-113-0x00007FF70EEE0000-0x00007FF70F231000-memory.dmp

Filesize
3.3MB

Download
memory/5020-103-0x00007FF6ACEF0000-0x00007FF6AD241000-memory.dmp

Filesize
3.3MB

Download
memory/5020-230-0x00007FF6ACEF0000-0x00007FF6AD241000-memory.dmp

Filesize
3.3MB

Download
memory/5048-238-0x00007FF73CCE0000-0x00007FF73D031000-memory.dmp

Filesize
3.3MB

Download
memory/5048-87-0x00007FF73CCE0000-0x00007FF73D031000-memory.dmp

Filesize
3.3MB

Download
memory/5048-121-0x00007FF73CCE0000-0x00007FF73D031000-memory.dmp

Filesize
3.3MB

Download
memory/5108-241-0x00007FF7A7320000-0x00007FF7A7671000-memory.dmp

Filesize
3.3MB

Download
memory/5108-92-0x00007FF7A7320000-0x00007FF7A7671000-memory.dmp

Filesize
3.3MB

Download