cobaltstrike | 8d19cc5138dfa504d97257de734325f78861394eadcb60307c095d2f2d79c514

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3963418b17686b038bd362da1c25404e
SHA1

daf964dfdaa1891078e91855f2f7eb2ab8e967dd
SHA256

8d19cc5138dfa504d97257de734325f78861394eadcb60307c095d2f2d79c514
SHA512

b92589bbb293fdf876403123d1f06fb732dc87d6e90001078d6a86a2a35237c3e82eff03cfef79b49b7e03964bcb8a15035bb896a33b4a5d04b8245d6cbe6921
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibf56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023b8d-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b92-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b91-12.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b93-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b94-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b95-35.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b96-45.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b97-51.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b98-59.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b99-70.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b8e-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9a-73.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9b-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9c-87.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9d-93.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b9e-101.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023ba1-115.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ba9-120.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023bb0-127.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023bb9-132.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b9f-121.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2816-68-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp	xmrig
behavioral2/memory/3872-63-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp	xmrig
behavioral2/memory/4468-62-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp	xmrig
behavioral2/memory/428-75-0x00007FF60FB70000-0x00007FF60FEC1000-memory.dmp	xmrig
behavioral2/memory/2004-88-0x00007FF64B880000-0x00007FF64BBD1000-memory.dmp	xmrig
behavioral2/memory/3192-106-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp	xmrig
behavioral2/memory/3948-95-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp	xmrig
behavioral2/memory/1668-89-0x00007FF798A50000-0x00007FF798DA1000-memory.dmp	xmrig
behavioral2/memory/4072-82-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	xmrig
behavioral2/memory/3056-137-0x00007FF72EAB0000-0x00007FF72EE01000-memory.dmp	xmrig
behavioral2/memory/5008-141-0x00007FF732CC0000-0x00007FF733011000-memory.dmp	xmrig
behavioral2/memory/4572-140-0x00007FF69A710000-0x00007FF69AA61000-memory.dmp	xmrig
behavioral2/memory/1664-145-0x00007FF7B65E0000-0x00007FF7B6931000-memory.dmp	xmrig
behavioral2/memory/4496-147-0x00007FF6EB470000-0x00007FF6EB7C1000-memory.dmp	xmrig
behavioral2/memory/2228-148-0x00007FF72A280000-0x00007FF72A5D1000-memory.dmp	xmrig
behavioral2/memory/2820-146-0x00007FF7F1530000-0x00007FF7F1881000-memory.dmp	xmrig
behavioral2/memory/1692-142-0x00007FF78AE60000-0x00007FF78B1B1000-memory.dmp	xmrig
behavioral2/memory/3136-139-0x00007FF644C60000-0x00007FF644FB1000-memory.dmp	xmrig
behavioral2/memory/2736-138-0x00007FF7EFA40000-0x00007FF7EFD91000-memory.dmp	xmrig
behavioral2/memory/3192-152-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp	xmrig
behavioral2/memory/212-151-0x00007FF6EE170000-0x00007FF6EE4C1000-memory.dmp	xmrig
behavioral2/memory/1628-150-0x00007FF729860000-0x00007FF729BB1000-memory.dmp	xmrig
behavioral2/memory/2812-149-0x00007FF621860000-0x00007FF621BB1000-memory.dmp	xmrig
behavioral2/memory/4468-154-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp	xmrig
behavioral2/memory/4468-176-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp	xmrig
behavioral2/memory/2816-206-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp	xmrig
behavioral2/memory/3872-208-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp	xmrig
behavioral2/memory/428-210-0x00007FF60FB70000-0x00007FF60FEC1000-memory.dmp	xmrig
behavioral2/memory/4072-219-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	xmrig
behavioral2/memory/2004-221-0x00007FF64B880000-0x00007FF64BBD1000-memory.dmp	xmrig
behavioral2/memory/3948-223-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp	xmrig
behavioral2/memory/1668-225-0x00007FF798A50000-0x00007FF798DA1000-memory.dmp	xmrig
behavioral2/memory/3056-227-0x00007FF72EAB0000-0x00007FF72EE01000-memory.dmp	xmrig
behavioral2/memory/3136-230-0x00007FF644C60000-0x00007FF644FB1000-memory.dmp	xmrig
behavioral2/memory/2736-231-0x00007FF7EFA40000-0x00007FF7EFD91000-memory.dmp	xmrig
behavioral2/memory/4572-233-0x00007FF69A710000-0x00007FF69AA61000-memory.dmp	xmrig
behavioral2/memory/5008-243-0x00007FF732CC0000-0x00007FF733011000-memory.dmp	xmrig
behavioral2/memory/2812-245-0x00007FF621860000-0x00007FF621BB1000-memory.dmp	xmrig
behavioral2/memory/3192-247-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp	xmrig
behavioral2/memory/1628-249-0x00007FF729860000-0x00007FF729BB1000-memory.dmp	xmrig
behavioral2/memory/212-251-0x00007FF6EE170000-0x00007FF6EE4C1000-memory.dmp	xmrig
behavioral2/memory/1664-258-0x00007FF7B65E0000-0x00007FF7B6931000-memory.dmp	xmrig
behavioral2/memory/1692-260-0x00007FF78AE60000-0x00007FF78B1B1000-memory.dmp	xmrig
behavioral2/memory/4496-262-0x00007FF6EB470000-0x00007FF6EB7C1000-memory.dmp	xmrig
behavioral2/memory/2820-265-0x00007FF7F1530000-0x00007FF7F1881000-memory.dmp	xmrig
behavioral2/memory/2228-266-0x00007FF72A280000-0x00007FF72A5D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2816	lHLWfKz.exe
3872	micsBry.exe
428	jkgvQfR.exe
4072	uRWvuiM.exe
2004	bNXsCmY.exe
3948	eGPsKoe.exe
1668	XBKhrYq.exe
3056	bDeTZGE.exe
2736	FhgFNDu.exe
3136	YiSTEVL.exe
4572	zjIHKvi.exe
5008	DCnUnXU.exe
2812	ISyZwtW.exe
1628	WSPxUpc.exe
212	PPZGgGZ.exe
3192	DKcfpfQ.exe
1692	BpctBKE.exe
1664	NjFRbmh.exe
2820	rPacMLC.exe
4496	CuNQOSW.exe
2228	QYqowMN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4468-0-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp	upx
behavioral2/files/0x000b000000023b8d-5.dat	upx
behavioral2/memory/2816-8-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-10.dat	upx
behavioral2/files/0x000a000000023b91-12.dat	upx
behavioral2/files/0x000a000000023b93-23.dat	upx
behavioral2/files/0x000a000000023b94-28.dat	upx
behavioral2/memory/2004-31-0x00007FF64B880000-0x00007FF64BBD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-35.dat	upx
behavioral2/files/0x000a000000023b96-45.dat	upx
behavioral2/memory/3056-48-0x00007FF72EAB0000-0x00007FF72EE01000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-51.dat	upx
behavioral2/files/0x000a000000023b98-59.dat	upx
behavioral2/files/0x000a000000023b99-70.dat	upx
behavioral2/memory/4572-69-0x00007FF69A710000-0x00007FF69AA61000-memory.dmp	upx
behavioral2/memory/2816-68-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp	upx
behavioral2/memory/3136-65-0x00007FF644C60000-0x00007FF644FB1000-memory.dmp	upx
behavioral2/memory/3872-63-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp	upx
behavioral2/memory/4468-62-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp	upx
behavioral2/files/0x000b000000023b8e-53.dat	upx
behavioral2/memory/2736-52-0x00007FF7EFA40000-0x00007FF7EFD91000-memory.dmp	upx
behavioral2/memory/1668-42-0x00007FF798A50000-0x00007FF798DA1000-memory.dmp	upx
behavioral2/memory/3948-36-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp	upx
behavioral2/memory/4072-25-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	upx
behavioral2/memory/428-22-0x00007FF60FB70000-0x00007FF60FEC1000-memory.dmp	upx
behavioral2/memory/3872-13-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-73.dat	upx
behavioral2/memory/5008-76-0x00007FF732CC0000-0x00007FF733011000-memory.dmp	upx
behavioral2/memory/428-75-0x00007FF60FB70000-0x00007FF60FEC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-81.dat	upx
behavioral2/files/0x000a000000023b9c-87.dat	upx
behavioral2/memory/2004-88-0x00007FF64B880000-0x00007FF64BBD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-93.dat	upx
behavioral2/memory/3192-106-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-101.dat	upx
behavioral2/memory/212-100-0x00007FF6EE170000-0x00007FF6EE4C1000-memory.dmp	upx
behavioral2/memory/3948-95-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp	upx
behavioral2/memory/1628-94-0x00007FF729860000-0x00007FF729BB1000-memory.dmp	upx
behavioral2/memory/1668-89-0x00007FF798A50000-0x00007FF798DA1000-memory.dmp	upx
behavioral2/memory/2812-83-0x00007FF621860000-0x00007FF621BB1000-memory.dmp	upx
behavioral2/memory/4072-82-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp	upx
behavioral2/files/0x000b000000023ba1-115.dat	upx
behavioral2/files/0x000a000000023ba9-120.dat	upx
behavioral2/files/0x000e000000023bb0-127.dat	upx
behavioral2/files/0x0008000000023bb9-132.dat	upx
behavioral2/files/0x000b000000023b9f-121.dat	upx
behavioral2/memory/3056-137-0x00007FF72EAB0000-0x00007FF72EE01000-memory.dmp	upx
behavioral2/memory/5008-141-0x00007FF732CC0000-0x00007FF733011000-memory.dmp	upx
behavioral2/memory/4572-140-0x00007FF69A710000-0x00007FF69AA61000-memory.dmp	upx
behavioral2/memory/1664-145-0x00007FF7B65E0000-0x00007FF7B6931000-memory.dmp	upx
behavioral2/memory/4496-147-0x00007FF6EB470000-0x00007FF6EB7C1000-memory.dmp	upx
behavioral2/memory/2228-148-0x00007FF72A280000-0x00007FF72A5D1000-memory.dmp	upx
behavioral2/memory/2820-146-0x00007FF7F1530000-0x00007FF7F1881000-memory.dmp	upx
behavioral2/memory/1692-142-0x00007FF78AE60000-0x00007FF78B1B1000-memory.dmp	upx
behavioral2/memory/3136-139-0x00007FF644C60000-0x00007FF644FB1000-memory.dmp	upx
behavioral2/memory/2736-138-0x00007FF7EFA40000-0x00007FF7EFD91000-memory.dmp	upx
behavioral2/memory/3192-152-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp	upx
behavioral2/memory/212-151-0x00007FF6EE170000-0x00007FF6EE4C1000-memory.dmp	upx
behavioral2/memory/1628-150-0x00007FF729860000-0x00007FF729BB1000-memory.dmp	upx
behavioral2/memory/2812-149-0x00007FF621860000-0x00007FF621BB1000-memory.dmp	upx
behavioral2/memory/4468-154-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp	upx
behavioral2/memory/4468-176-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp	upx
behavioral2/memory/2816-206-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp	upx
behavioral2/memory/3872-208-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FhgFNDu.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zjIHKvi.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ISyZwtW.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuNQOSW.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XBKhrYq.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bDeTZGE.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uRWvuiM.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eGPsKoe.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCnUnXU.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PPZGgGZ.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\micsBry.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jkgvQfR.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKcfpfQ.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BpctBKE.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NjFRbmh.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lHLWfKz.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WSPxUpc.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rPacMLC.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QYqowMN.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bNXsCmY.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiSTEVL.exe	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2816	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4468 wrote to memory of 2816	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4468 wrote to memory of 3872	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4468 wrote to memory of 3872	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4468 wrote to memory of 428	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4468 wrote to memory of 428	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4468 wrote to memory of 4072	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4468 wrote to memory of 4072	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4468 wrote to memory of 2004	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4468 wrote to memory of 2004	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4468 wrote to memory of 3948	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4468 wrote to memory of 3948	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4468 wrote to memory of 1668	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4468 wrote to memory of 1668	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4468 wrote to memory of 3056	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4468 wrote to memory of 3056	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4468 wrote to memory of 2736	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4468 wrote to memory of 2736	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4468 wrote to memory of 3136	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4468 wrote to memory of 3136	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4468 wrote to memory of 4572	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4468 wrote to memory of 4572	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4468 wrote to memory of 5008	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4468 wrote to memory of 5008	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4468 wrote to memory of 2812	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4468 wrote to memory of 2812	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4468 wrote to memory of 1628	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4468 wrote to memory of 1628	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4468 wrote to memory of 212	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4468 wrote to memory of 212	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4468 wrote to memory of 3192	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4468 wrote to memory of 3192	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4468 wrote to memory of 1692	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4468 wrote to memory of 1692	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4468 wrote to memory of 1664	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4468 wrote to memory of 1664	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4468 wrote to memory of 2820	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4468 wrote to memory of 2820	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4468 wrote to memory of 4496	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4468 wrote to memory of 4496	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4468 wrote to memory of 2228	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4468 wrote to memory of 2228	4468	2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_3963418b17686b038bd362da1c25404e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\System\lHLWfKz.exe
  C:\Windows\System\lHLWfKz.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\micsBry.exe
  C:\Windows\System\micsBry.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\jkgvQfR.exe
  C:\Windows\System\jkgvQfR.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\uRWvuiM.exe
  C:\Windows\System\uRWvuiM.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\bNXsCmY.exe
  C:\Windows\System\bNXsCmY.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\eGPsKoe.exe
  C:\Windows\System\eGPsKoe.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\XBKhrYq.exe
  C:\Windows\System\XBKhrYq.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\bDeTZGE.exe
  C:\Windows\System\bDeTZGE.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\FhgFNDu.exe
  C:\Windows\System\FhgFNDu.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\YiSTEVL.exe
  C:\Windows\System\YiSTEVL.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\zjIHKvi.exe
  C:\Windows\System\zjIHKvi.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\DCnUnXU.exe
  C:\Windows\System\DCnUnXU.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\ISyZwtW.exe
  C:\Windows\System\ISyZwtW.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\WSPxUpc.exe
  C:\Windows\System\WSPxUpc.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\PPZGgGZ.exe
  C:\Windows\System\PPZGgGZ.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\DKcfpfQ.exe
  C:\Windows\System\DKcfpfQ.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\BpctBKE.exe
  C:\Windows\System\BpctBKE.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\NjFRbmh.exe
  C:\Windows\System\NjFRbmh.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\rPacMLC.exe
  C:\Windows\System\rPacMLC.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\CuNQOSW.exe
  C:\Windows\System\CuNQOSW.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\QYqowMN.exe
  C:\Windows\System\QYqowMN.exe
  2⤵
  - Executes dropped EXE
  PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BpctBKE.exe

Filesize
5.2MB

MD5
a57dcdc051e7c6d752eb62b93967694c

SHA1
f27ed3a9ebf0088e807697c0b6ba8030555aa3ce

SHA256
d5741529555c38868f9d8e3ac11b9c2c0450b60148d2086774062f3dfdc48acd

SHA512
24201336faa1aa354168e400ca2dc286f0d751898e581d628c7f0ebddc5cfbffc39ab4dad88413a406e1489cf624fbca3fc5a2c1f6dab614a30877bb2827947b

Download Submit
C:\Windows\System\CuNQOSW.exe

Filesize
5.2MB

MD5
b5c5c5e70833d4ba9a0f3baf3408f64b

SHA1
15af99f7f76bc3561d8615f02f99238bce23bb7e

SHA256
e66b5295c98e8e103aee1975ffe4372d46fdb7a2546da643e5415ddd163baaac

SHA512
48cc22d633f93023e52b62e8287daf6dc69bdac54e9fd7ebb300e5278368dbadbee3ff448e1a665c2d7acdf9ca9994b971d09332d5061cd51986a1f7d4adc911

Download Submit
C:\Windows\System\DCnUnXU.exe

Filesize
5.2MB

MD5
088d43f3d12f9e13f78fed90385a3d4e

SHA1
1190b6cd0660768178baddd6e27fc427e92d9e42

SHA256
2798255c1c596f49be5b06fbf99d8c99a29ce0f1769750b271afa7d587fd7a81

SHA512
307275f24a6ebe32a03c53bbc10ff1cf9a0b6200e8d48d2fa2456371089b8b89558c90a29587aed40324c74e76d7e78b4b24433d2895636965078d3c3fdc2ecd

Download Submit
C:\Windows\System\DKcfpfQ.exe

Filesize
5.2MB

MD5
f6c8c029bed6c16064af800a70e74508

SHA1
7606e21011d15e9d97eb711a4d993ee782a9a623

SHA256
2db48cbce4a04c5b17ff4f865ce36033609335d32f0d0606ac022d875e9e09b4

SHA512
614d172c2aeaeca2461b4755525ee12c4f077fca47d6138993ea29800cb8d36c19d969f85fba71399c1bf92ede9478e036b6b5ece02877a0d4131fec61cc931b

Download Submit
C:\Windows\System\FhgFNDu.exe

Filesize
5.2MB

MD5
0545acc69d37416fd8e33b5ae8159322

SHA1
77152a08280a5078779afe14b19d4c46e94c9d37

SHA256
1862625ae83f8da99b34fae362695fafb2133c06e7ea4d9a425d2e405bfe2547

SHA512
b43be0657494a2a52bb3c831edd47bae372bbeb388b405c4c32b48df171413ccc8d764d524060ebeace09de460c02dff80ba66648b6ed2383a8e2ac6da2fbd19

Download Submit
C:\Windows\System\ISyZwtW.exe

Filesize
5.2MB

MD5
897f2a310f0431a316c4fba3d823c6fc

SHA1
715a95ed0ac322a8a9df19b216c1bebe773d47f4

SHA256
80667a8c44867b9b7850b984d46776b0ca4530c2b0ef4d0ac1f13c188e3bb43f

SHA512
18f6a9ad083f9a76d83d584d6b77968cc15679b7a39c376e57341c9146204e48320479f18df4a74a6ca79b54ff2af0cfe6ea98e950cb2d5c919678055e53738b

Download Submit
C:\Windows\System\NjFRbmh.exe

Filesize
5.2MB

MD5
9b64ce29b041c06a4bb0170a8691ef28

SHA1
11a07bab0a450cd1e8ac98418b725385369f5b11

SHA256
1a1acd62c8d953accceff8b216c8557b35aa907a3d075c7ede5c3463b110b47f

SHA512
d9ad50b5c540b6574dac3c2c7890a2fa82e5180fa56a48841517fb1ac66d353ccad440d79488be42e2c9f8264b08ec645ef15e2b0b5174ed2396bdc21b71d3e5

Download Submit
C:\Windows\System\PPZGgGZ.exe

Filesize
5.2MB

MD5
1938ded42ab493feb5c74078c6787cfa

SHA1
d5dd3973d061e5885c68b58bf9f66806b8394690

SHA256
6156ed5092a57a5eb39377db2da321f5e041b9408faa5e44c48252051d0cb084

SHA512
73f4fa6b339b3c46d3a8fe72cf32368abd2c51fb34752f98e2d54643911682951fac41250fd61a0434b45f33a08fd301c8a4f83ad8eaa793755ba207dff19aa1

Download Submit
C:\Windows\System\QYqowMN.exe

Filesize
5.2MB

MD5
3fc84636e5ba12890914bb03b8b2f8f4

SHA1
aabcb56bd7aaf88fb273a4ca278c2217b6266b46

SHA256
52b91f7524c6d2f446419ffbea05cc16f11e6ad922a240bb4480b2817493a39b

SHA512
1ddb0dea1730f91698407f671a8edd589d7e1bf5564da83c7b602fb9bd8e5391a3c28b5db51a2fe361458c0db4fcf513d62905944fae884b16186f3fa8aa23a5

Download Submit
C:\Windows\System\WSPxUpc.exe

Filesize
5.2MB

MD5
4f3523403b92c893c5ad66d89f976c6a

SHA1
d0358801950caccf9a6b2f0abc85965173140391

SHA256
d2c2c92ad51bd0859a045a31924883c8da8b5c989ae77e3f53f3fa40a199e084

SHA512
546556ee3bc8b68a5357b1e76510bf92026251616b6680f1a42210b47d17c4df53c173ce5d4abf9cbe3ec40cd0d72b29c071561ea9388f1c9c6dd374ac81e99d

Download Submit
C:\Windows\System\XBKhrYq.exe

Filesize
5.2MB

MD5
09ff015c1975a815722d8b72703c0db2

SHA1
947dfefde75ca666b677604a20a450e77b65f730

SHA256
be50c7264367ed8d90828a2f8d3f3f616a3991609e6a8d38c1c843f0a894e6ed

SHA512
96fe839e13277bcceca511b82afda6319dd56dfdd88a84d71e89c1fde5b0ee3b74faf792416ae62a909536bb1b6deda2d9b273e2ffc8fc7a7727d197cb18593e

Download Submit
C:\Windows\System\YiSTEVL.exe

Filesize
5.2MB

MD5
bc40f88353ed1862050fbad142a86326

SHA1
069ff6a45b497631f0ce031ae4dd0f281cc5b8b3

SHA256
8fd06c7f5481c7ad4c4b472f1aea0641bfae7787a9696863a2518f1da288fcbd

SHA512
0f318315fc4cde185dfda89bef7e14e55fa7f38f6bf3c7e9110e30a53bf320eedbfeee5362ae3da37b1d2fc3e2664f9623c37106319aa5d2f05ef1c350ff1a83

Download Submit
C:\Windows\System\bDeTZGE.exe

Filesize
5.2MB

MD5
6e98b226c56f257263b2032ef28c78e8

SHA1
fb135c1941cb4c4d482c2cf5ef210e49c13c6870

SHA256
0b257c2d60133fefce46e01d8c3233eb7c7f083b89632797d2dd864e1d25895a

SHA512
016f01e7aa80858dec162ed772076f7e2115ba4318c3a1353702a9b16a04964192534f054dd0f9d7d311a8cb447de2db8aa869f437216252b3c063986a324770

Download Submit
C:\Windows\System\bNXsCmY.exe

Filesize
5.2MB

MD5
0eac1ca3dcba4ae95679815cb86c9f78

SHA1
589b9b3167496e4ba5140790da7d6669e1096b91

SHA256
d93538cf52471982b9906f96dad08a3cb560ddd6516f93fe8826f91c224e1316

SHA512
98142639dbd0207be30e2581d65e1363527794d872fc85dc2b9bd0d0d280a1927081ac1a5d4552a5eab5bb38f4892bb3645c15481c775740cdaa89f5fbd83c93

Download Submit
C:\Windows\System\eGPsKoe.exe

Filesize
5.2MB

MD5
861326e579558c462b46c13bc46cc7d2

SHA1
d2abea55accfda0c373c76d7b3c799e3430386b1

SHA256
a1c1d62fa9ce3a1b31396ece4f451c5415d1986db1f56d23555b3e8de75474a3

SHA512
0694143591fbaf7fba2ee833e50989cf4788b19bec3e305e773c833af457d9f770942bbb21ce0f0746fb08335fc724bfef0630b804c02d86c43a5bb9437935d3

Download Submit
C:\Windows\System\jkgvQfR.exe

Filesize
5.2MB

MD5
40955afc7e34d207d32a7a0547c16adb

SHA1
5ba43b1eb06260dce2f94ce5d77d763604499b0c

SHA256
24657b093574e7f1f3400c758ca1772475d1fe164f1988190acba3260b739bca

SHA512
6439ec47a799959465ec709cfea19c9a2be89d4d425e14184f042b40b50b8ef58fe8ae0eafbcdf62a6ca0f2101cedd2e662e5cf8c0c76307760fda9617668a0f

Download Submit
C:\Windows\System\lHLWfKz.exe

Filesize
5.2MB

MD5
5a79628c9374cf2a03008b3f8a377db5

SHA1
03c57a6b8b5bb1f8e96ad8781acf40d76bb25de4

SHA256
022295a0b3dda12805434f86ab4ca7b6ce3cfe584a15d2b200804e86c6e2f17d

SHA512
2bed4c0f918cf3cabc471ac131e65068cd8c66585ce4c3aaab9a2e105eec0ba230a875e565426358cfaccef001b6e8ac2b2e53e83236dd2e15b080ba373d522b

Download Submit
C:\Windows\System\micsBry.exe

Filesize
5.2MB

MD5
be23b622c3a9bb7c2ed3074ee4e832ff

SHA1
3707e60216d49e67f20f7e940a8364ef9a225865

SHA256
3d94178bd12cd27b8627f7570e09f237ee635b6982ca160400e5f9ad6789e765

SHA512
7cd303e303a17705dd0eeb5d8c931b947d472dc659fb6786912b1029378e2ddf305b8d224e8ceb66ddaea75b8dc991f5c9683603be8e76c8c3522b12e2a398af

Download Submit
C:\Windows\System\rPacMLC.exe

Filesize
5.2MB

MD5
9830d94b2aa39e464907652e27327997

SHA1
ed4e3df613d3787c439ddc5bb985745dc21c0926

SHA256
6417a0618d835533650356104bde7f915e5cf3eef85747d7b55cf509f89141e5

SHA512
285acec04bb5b5c63bd8eb30bbe2aed1643189e3750c027f848e7c8d3e9932e59111f6b12861a75d4d80e5ac2ee157638e0332f8adfa225a043614dcddc2bd71

Download Submit
C:\Windows\System\uRWvuiM.exe

Filesize
5.2MB

MD5
76e8bbc6ca2989549ca3eb6ed284c05a

SHA1
0ff134d16fff444ead9958dc8a73b4cf1bb5c027

SHA256
ef8e242600118abe65a1ba3ae51d9cffd51408345d37c59bc27bd4c3b3bc9212

SHA512
039ddfcbca681e100e22f6a62fce8bd82ac2b6f5990c2c93e6ebe4ba74b1f79f828032b19ae145a84834f4548c1f6509ab9a373b8a0a3145bd84500a770d7bd4

Download Submit
C:\Windows\System\zjIHKvi.exe

Filesize
5.2MB

MD5
ff3fd993bad31a96867e9ded20ebd241

SHA1
d9045be7357a4f1a50fe9094a6eec11d61a9fac7

SHA256
07901b67414ae0400d22bcbdb493bfd7cf1be375fc131392f7c6a6e16f942a60

SHA512
91ab0ef40d738ab1e23a429fec5a849e5dc930d7500fada381c56b9f0e44363727db871fef48fd5a77a05681f51dc7c899eb4b712c07f8736322cd91095700dd

Download Submit
memory/212-151-0x00007FF6EE170000-0x00007FF6EE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-251-0x00007FF6EE170000-0x00007FF6EE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/212-100-0x00007FF6EE170000-0x00007FF6EE4C1000-memory.dmp

Filesize
3.3MB

Download
memory/428-75-0x00007FF60FB70000-0x00007FF60FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/428-210-0x00007FF60FB70000-0x00007FF60FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/428-22-0x00007FF60FB70000-0x00007FF60FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-249-0x00007FF729860000-0x00007FF729BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-94-0x00007FF729860000-0x00007FF729BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-150-0x00007FF729860000-0x00007FF729BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-145-0x00007FF7B65E0000-0x00007FF7B6931000-memory.dmp

Filesize
3.3MB

Download
memory/1664-258-0x00007FF7B65E0000-0x00007FF7B6931000-memory.dmp

Filesize
3.3MB

Download
memory/1668-42-0x00007FF798A50000-0x00007FF798DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-89-0x00007FF798A50000-0x00007FF798DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1668-225-0x00007FF798A50000-0x00007FF798DA1000-memory.dmp

Filesize
3.3MB

Download
memory/1692-142-0x00007FF78AE60000-0x00007FF78B1B1000-memory.dmp

Filesize
3.3MB

Download
memory/1692-260-0x00007FF78AE60000-0x00007FF78B1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-88-0x00007FF64B880000-0x00007FF64BBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-221-0x00007FF64B880000-0x00007FF64BBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-31-0x00007FF64B880000-0x00007FF64BBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-148-0x00007FF72A280000-0x00007FF72A5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-266-0x00007FF72A280000-0x00007FF72A5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-231-0x00007FF7EFA40000-0x00007FF7EFD91000-memory.dmp

Filesize
3.3MB

Download
memory/2736-138-0x00007FF7EFA40000-0x00007FF7EFD91000-memory.dmp

Filesize
3.3MB

Download
memory/2736-52-0x00007FF7EFA40000-0x00007FF7EFD91000-memory.dmp

Filesize
3.3MB

Download
memory/2812-245-0x00007FF621860000-0x00007FF621BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-149-0x00007FF621860000-0x00007FF621BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-83-0x00007FF621860000-0x00007FF621BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-206-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp

Filesize
3.3MB

Download
memory/2816-68-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp

Filesize
3.3MB

Download
memory/2816-8-0x00007FF7FD7E0000-0x00007FF7FDB31000-memory.dmp

Filesize
3.3MB

Download
memory/2820-265-0x00007FF7F1530000-0x00007FF7F1881000-memory.dmp

Filesize
3.3MB

Download
memory/2820-146-0x00007FF7F1530000-0x00007FF7F1881000-memory.dmp

Filesize
3.3MB

Download
memory/3056-227-0x00007FF72EAB0000-0x00007FF72EE01000-memory.dmp

Filesize
3.3MB

Download
memory/3056-137-0x00007FF72EAB0000-0x00007FF72EE01000-memory.dmp

Filesize
3.3MB

Download
memory/3056-48-0x00007FF72EAB0000-0x00007FF72EE01000-memory.dmp

Filesize
3.3MB

Download
memory/3136-139-0x00007FF644C60000-0x00007FF644FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-65-0x00007FF644C60000-0x00007FF644FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3136-230-0x00007FF644C60000-0x00007FF644FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-152-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-247-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp

Filesize
3.3MB

Download
memory/3192-106-0x00007FF7463A0000-0x00007FF7466F1000-memory.dmp

Filesize
3.3MB

Download
memory/3872-13-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3872-208-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3872-63-0x00007FF660A50000-0x00007FF660DA1000-memory.dmp

Filesize
3.3MB

Download
memory/3948-95-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp

Filesize
3.3MB

Download
memory/3948-36-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp

Filesize
3.3MB

Download
memory/3948-223-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp

Filesize
3.3MB

Download
memory/4072-82-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-219-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4072-25-0x00007FF6CCF50000-0x00007FF6CD2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-154-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-0-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-176-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-1-0x0000021A66010000-0x0000021A66020000-memory.dmp

Filesize
64KB

Download
memory/4468-62-0x00007FF628BA0000-0x00007FF628EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-147-0x00007FF6EB470000-0x00007FF6EB7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4496-262-0x00007FF6EB470000-0x00007FF6EB7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-233-0x00007FF69A710000-0x00007FF69AA61000-memory.dmp

Filesize
3.3MB

Download
memory/4572-69-0x00007FF69A710000-0x00007FF69AA61000-memory.dmp

Filesize
3.3MB

Download
memory/4572-140-0x00007FF69A710000-0x00007FF69AA61000-memory.dmp

Filesize
3.3MB

Download
memory/5008-243-0x00007FF732CC0000-0x00007FF733011000-memory.dmp

Filesize
3.3MB

Download
memory/5008-141-0x00007FF732CC0000-0x00007FF733011000-memory.dmp

Filesize
3.3MB

Download
memory/5008-76-0x00007FF732CC0000-0x00007FF733011000-memory.dmp

Filesize
3.3MB

Download